Edit tour

Windows Analysis Report
setup.msi

Overview

General Information

Sample name:	setup.msi
Analysis ID:	1589492
MD5:	743fb4a347f2cb18852aa2cb25e62ac5
SHA1:	813a4943c2d176b63d1f51e677c9f517c50d72b7
SHA256:	053cd0f09335110c8b9fdf3f5fe6b220fa91d65e1a9479a10dc796d5113bbd2e
Tags:	LegionLoadermsiRobotDropperstaticmaxepress-comuser-aachum
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious sample

Bypasses PowerShell execution policy

Potentially malicious time measurement code found

Query firmware table information (likely to detect VMs)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious MsiExec Embedding Parent

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected AdvancedInstaller

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6996 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7088 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1216 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3 MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 6732 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

obs-ffmpeg-mux.exe (PID: 7152 cmdline: "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe" MD5: D3CAC4D7B35BACAE314F48C374452D71)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

createdump.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AdvancedInstaller	Yara detected AdvancedInstaller	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1216, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6732, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1216, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6732, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1216, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6732, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.67.162.17, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1216, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1216, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6732, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T16:37:17.303185+0100	2829202	1	A Network Trojan was detected	192.168.2.4	49732	172.67.162.17	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.8% probability

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5D6904C2-4F69-4F0E-9343-C854009E1C94}

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.162.17:443 -> 192.168.2.4:49732 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1847233105.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: ucrtbase.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source:	Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000000.1849425611.00007FF7EC505000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1847233105.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: w32-pthreads.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI9E51.tmp.1.dr, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 4d93ec.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 4x nop then push rbx

10_2_00007FFE003E46C0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49732 -> 172.67.162.17:443

Source: global traffic

TCP traffic: 192.168.2.4:51290 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: staticmaxepress.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /updater2.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: staticmaxepress.comContent-Length: 71Cache-Control: no-cache

Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000003.00000002.1795534875.00000000035FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000A.00000002.1852958468.00007FFDF78DB000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1796388997.0000000005566000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://schemas.micj
Source: powershell.exe, 00000003.00000002.1796388997.0000000005411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1852958468.00007FFDF78DB000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: powershell.exe, 00000003.00000002.1796388997.0000000005566000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1856458663.00007FFDF9AB0000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: powershell.exe, 00000003.00000002.1796388997.0000000005411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1796388997.0000000005566000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1796388997.0000000005AD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: https://staticmaxepress.com/updater2.phpx
Source: obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://streams.videolan.org/upload/
Source: setup.msi, 4d93ec.msi.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 172.67.162.17:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d93ec.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9CC6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D44.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D83.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9DC3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E12.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E51.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E81.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0F1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{5D6904C2-4F69-4F0E-9343-C854009E1C94}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB9BC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB9EC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d93ef.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d93ef.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9CC6.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FF7EC502EE0	10_2_00007FF7EC502EE0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FF7EC502A10	10_2_00007FF7EC502A10
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003930A0	10_2_00007FFE003930A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036C1A0	10_2_00007FFE0036C1A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036A1B0	10_2_00007FFE0036A1B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B150	10_2_00007FFE0036B150
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00391160	10_2_00007FFE00391160
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036D210	10_2_00007FFE0036D210
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00367260	10_2_00007FFE00367260
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A4330	10_2_00007FFE003A4330
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0038F2C0	10_2_00007FFE0038F2C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036C2F0	10_2_00007FFE0036C2F0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B380	10_2_00007FFE0036B380
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003613A0	10_2_00007FFE003613A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A5350	10_2_00007FFE003A5350
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A6350	10_2_00007FFE003A6350
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003833E0	10_2_00007FFE003833E0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B460	10_2_00007FFE0036B460
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036A520	10_2_00007FFE0036A520
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036E4C0	10_2_00007FFE0036E4C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003824D0	10_2_00007FFE003824D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A44D0	10_2_00007FFE003A44D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00383580	10_2_00007FFE00383580
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A3560	10_2_00007FFE003A3560
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036D5C0	10_2_00007FFE0036D5C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B5C0	10_2_00007FFE0036B5C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B6A0	10_2_00007FFE0036B6A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00410640	10_2_00007FFE00410640
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0038C650	10_2_00007FFE0038C650
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036D700	10_2_00007FFE0036D700
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00361730	10_2_00007FFE00361730
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B790	10_2_00007FFE0036B790
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036E820	10_2_00007FFE0036E820
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00386820	10_2_00007FFE00386820
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003887F0	10_2_00007FFE003887F0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003928B0	10_2_00007FFE003928B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003E4840	10_2_00007FFE003E4840
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00394920	10_2_00007FFE00394920
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B8D0	10_2_00007FFE0036B8D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036D8D0	10_2_00007FFE0036D8D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00385980	10_2_00007FFE00385980
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00361990	10_2_00007FFE00361990
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036E9A0	10_2_00007FFE0036E9A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036D9B0	10_2_00007FFE0036D9B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003909B0	10_2_00007FFE003909B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003699C0	10_2_00007FFE003699C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0040DAA0	10_2_00007FFE0040DAA0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00369A50	10_2_00007FFE00369A50
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036BA70	10_2_00007FFE0036BA70
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A5B00	10_2_00007FFE003A5B00
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003C2B80	10_2_00007FFE003C2B80
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00363B87	10_2_00007FFE00363B87
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00392B40	10_2_00007FFE00392B40
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A2B60	10_2_00007FFE003A2B60
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00393C00	10_2_00007FFE00393C00
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00361C30	10_2_00007FFE00361C30
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003ACBE0	10_2_00007FFE003ACBE0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00382BF0	10_2_00007FFE00382BF0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00384C80	10_2_00007FFE00384C80
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00382D20	10_2_00007FFE00382D20
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A2CC0	10_2_00007FFE003A2CC0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036CCE0	10_2_00007FFE0036CCE0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00392D90	10_2_00007FFE00392D90
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00369D50	10_2_00007FFE00369D50
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE003A1E10	10_2_00007FFE003A1E10
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036BE20	10_2_00007FFE0036BE20
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0037FDF0	10_2_00007FFE0037FDF0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00366E70	10_2_00007FFE00366E70
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE00382F20	10_2_00007FFE00382F20
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036DEF0	10_2_00007FFE0036DEF0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036D030	10_2_00007FFE0036D030
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE0036B030	10_2_00007FFE0036B030
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A503AA7	10_2_00007FFE1A503AA7
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A504B4A	10_2_00007FFE1A504B4A
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A4F68B0	10_2_00007FFE1A4F68B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A4F8DB0	10_2_00007FFE1A4F8DB0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A527508	10_2_00007FFE1A527508

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: String function: 00007FFE1A502038 appears 32 times
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: String function: 00007FFE003856C0 appears 288 times

Source: avcodec-60.dll.1.dr	Static PE information: Number of sections : 13 > 10
Source: avutil-58.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: swresample-4.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: swscale-7.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: zlib.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: avformat-60.dll.1.dr	Static PE information: Number of sections : 12 > 10

Source: api-ms-win-core-handle-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found

Source: setup.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi

Source: classification engine

Classification label: mal72.evad.winMSI@17/88@2/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLC136.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFC379D49BFEEDC7E2.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: obs-ffmpeg-mux.exe	String found in binary or memory: #EXT-X-START:
Source: obs-ffmpeg-mux.exe	String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: obs-ffmpeg-mux.exe	String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: obs-ffmpeg-mux.exe	String found in binary or memory: start/stop audio
Source: obs-ffmpeg-mux.exe	String found in binary or memory: start/stop audio

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: obs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avcodec-60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avutil-58.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avformat-60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: w32-pthreads.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avutil-58.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: swresample-4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: sspicli.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5D6904C2-4F69-4F0E-9343-C854009E1C94}

Jump to behavior

Source: setup.msi

Static file information: File size 60682938 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1847233105.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: ucrtbase.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source:	Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000000.1849425611.00007FF7EC505000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1847233105.00007FF711D48000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: setup.msi, 4d93ec.msi.1.dr
Source:	Binary string: w32-pthreads.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI9E51.tmp.1.dr, 4d93ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 4d93ec.msi.1.dr

Source: api-ms-win-core-synch-l1-2-0.dll.1.dr

Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 10_2_00007FFE0037ED32 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

10_2_00007FFE0037ED32

Source: vcruntime140.dll.1.dr	Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr	Static PE information: section name: _RDATA
Source: createdump.exe.1.dr	Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr	Static PE information: section name: _RDATA
Source: avformat-60.dll.1.dr	Static PE information: section name: .xdata
Source: avutil-58.dll.1.dr	Static PE information: section name: .xdata
Source: swresample-4.dll.1.dr	Static PE information: section name: .xdata
Source: swscale-7.dll.1.dr	Static PE information: section name: .xdata
Source: zlib.dll.1.dr	Static PE information: section name: .xdata
Source: avcodec-60.dll.1.dr	Static PE information: section name: .rodata
Source: avcodec-60.dll.1.dr	Static PE information: section name: .xdata
Source: MSIB9EC.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI9CC6.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI9D44.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI9D83.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI9DC3.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI9E12.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI9E51.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI9E81.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIB0F1.tmp.1.dr	Static PE information: section name: .fptable

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_0375BDA2 push esp; ret

3_2_0375BDB3

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D44.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E81.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\w32-pthreads.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swresample-4.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E12.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avcodec-60.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avformat-60.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D83.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB9EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0F1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avutil-58.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9CC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9DC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0F1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E12.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9CC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D44.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9DC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E81.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D83.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB9EC.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 10_2_00007FFE0037B840 FreeLibrary,free,calloc,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryExW,_aligned_free,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_errno,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryExA,FreeLibrary,free,wcslen,GetModuleFileNameW,_aligned_free,_aligned_free,_aligned_free,wcscpy,LoadLibraryExW,LoadLibraryExW,_aligned_free,_aligned_free,_aligned_free,_aligned_free,_aligned_free,_aligned_free,_aligned_free,GetSystemDirectoryW,GetSystemDirectoryW,GetSystemDirectoryW,wcscpy,LoadLibraryExW,_aligned_free,_aligned_free,_aligned_free,_aligned_free,

10_2_00007FFE0037B840

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 10_2_00007FFE00392D90 rdtsc

10_2_00007FFE00392D90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3570			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2261			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9D44.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9E81.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9D83.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB9EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB0F1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9E51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9E12.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9CC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9DC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

API coverage: 8.2 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968	Thread sleep count: 3570 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep count: 2261 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1740	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6304	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: 4d93ec.msi.1.dr	Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1856458663.00007FFDF969A000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Video @
Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1856458663.00007FFDF958D000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: VMware Screen Codec / VMware Video

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 10_2_00007FFE00392D90 Start: 00007FFE0039300F End: 00007FFE00392E85

10_2_00007FFE00392D90

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 10_2_00007FFE00392D90 rdtsc

10_2_00007FFE00392D90

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

Code function: 7_2_00007FF711D42ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FF711D42ECC

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 10_2_00007FFE0037ED32 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

10_2_00007FFE0037ED32

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Code function: 7_2_00007FF711D42ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF711D42ECC
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Code function: 7_2_00007FF711D43074 SetUnhandledExceptionFilter,	7_2_00007FF711D43074
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Code function: 7_2_00007FF711D42984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF711D42984
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FF7EC503774 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF7EC503774
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FF7EC503C5C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FF7EC503C5C
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FF7EC503E04 SetUnhandledExceptionFilter,	10_2_00007FF7EC503E04
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A53004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFE1A53004C
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A546CBC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFE1A546CBC
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 10_2_00007FFE1A546710 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFE1A546710

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssbaa1.ps1" -propfile "c:\users\user\appdata\local\temp\msiba8f.txt" -scriptfile "c:\users\user\appdata\local\temp\scrba90.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrba91.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssbaa1.ps1" -propfile "c:\users\user\appdata\local\temp\msiba8f.txt" -scriptfile "c:\users\user\appdata\local\temp\scrba90.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrba91.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

Code function: 7_2_00007FF711D42DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00007FF711D42DA0

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 10_2_00007FFE00409720 GetTimeZoneInformation,GetSystemTimeAsFileTime,

10_2_00007FFE00409720

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Native API	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Windows Service	11 Process Injection	3 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avcodec-60.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avformat-60.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avutil-58.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swresample-4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\w32-pthreads.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll	0%	ReversingLabs
C:\Windows\Installer\MSI9CC6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9D44.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9D83.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9DC3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9E12.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9E51.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9E81.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIB0F1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIB9EC.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://staticmaxepress.com/updater2.phpx	0%	Avira URL Cloud	safe
https://staticmaxepress.com/updater2.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
staticmaxepress.com	172.67.162.17	true	true		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://staticmaxepress.com/updater2.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000003.00000002.1795534875.00000000035FE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1796388997.0000000005566000.00000004.00000800.00020000.00000000.sdmp	false		high
https://streams.videolan.org/upload/	obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.1796388997.0000000005411000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1796388997.0000000005566000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.1796388997.0000000005AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.videolan.org/x264.html	obs-ffmpeg-mux.exe, 0000000A.00000002.1856458663.00007FFDF9AB0000.00000002.00000001.01000000.00000008.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dashif.org/guidelines/trickmode	obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000A.00000002.1852958468.00007FFDF78DB000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1798637325.0000000006478000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.micj	setup.msi, 4d93ec.msi.1.dr	false		high
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd	obs-ffmpeg-mux.exe, 0000000A.00000002.1852958468.00007FFDF78DB000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://aka.ms/winui2/webview2download/Reload():	setup.msi, 4d93ec.msi.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1796388997.0000000005411000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1796388997.0000000005566000.00000004.00000800.00020000.00000000.sdmp	false		high
https://staticmaxepress.com/updater2.phpx	setup.msi, 4d93ec.msi.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.162.17	staticmaxepress.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589492
Start date and time:	2025-01-12 16:36:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.msi
Detection:	MAL
Classification:	mal72.evad.winMSI@17/88@2/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 20.3.187.198, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target obs-ffmpeg-mux.exe, PID 7152 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6732 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
10:37:18	API Interceptor	4x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.162.17	http://ti6.htinenate.com	Get hash	malicious	Unknown	Browse
	https://futurehvacindia.com/HmF/zJqRTbTA3E8NkEdNG3XSYYpT2CPHqoF9DTsq4XxUrAiFitNdJPZxAsKByKFHL2Bbj7EGed34VRP3gvaoT2ErdEZV8ZcoXh7qUKmkmsJiezE9HjtrHmhzSvnLEPpvK6Khe5ctQxfCrvAgAVcoyVijtR	Get hash	malicious	HTMLPhisher	Browse
	https://staemcomrnunitly.ru/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
staticmaxepress.com	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.34.147

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Loader.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.85.189
	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.34.147
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.139.144
	PDF-523.msi	Get hash	malicious	AteraAgent	Browse	104.18.18.106
	E6wUHnV51P.exe	Get hash	malicious	DCRat	Browse	104.21.12.142
	gem2.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.162.17
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.162.17
	gem2.exe	Get hash	malicious	Unknown	Browse	172.67.162.17
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.162.17
	1387457-38765948.15.exe	Get hash	malicious	Nitol	Browse	172.67.162.17
	1387457-38765948.15.exe	Get hash	malicious	Unknown	Browse	172.67.162.17
	build.exe	Get hash	malicious	Vidar	Browse	172.67.162.17
	zmpZMfK1b4.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.162.17
	ix8kxoBHDb.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.162.17
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	172.67.162.17

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	Setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	u1XWB0BIju.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	6a7e35.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	Setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	u1XWB0BIju.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	6a7e35.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\4d93ee.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	19981
Entropy (8bit):	5.812911211849952
Encrypted:	false
SSDEEP:	384:5rCsqmthQ5XfUFBHpSx00S6SNH+epcyIbXCa7/J1IXE/z8YWB7Z+8NzVlawqawDS:5rCsqmthQ5XfUFBHpSx00S6SNH+epcyD
MD5:	715A5D24AB50DB6E1CFFBF8028550792
SHA1:	86BA06FAAC9C3F5B0A25D3CA4B4BA23CE19E5AB0
SHA-256:	500830483DEFD191C9174D4F7937DC87A3173944E5494E84FCB169245863A3C1
SHA-512:	08BCAD03FB376B09E957C7D2345229EE73194669B2FEEC9926414705AA8C5BC905CDD52A435BB92AE724EC70429972D56C2E525E5A282F2FCAEBE1378FEF8158
Malicious:	false
Preview:	...@IXOS.@.....@.T,Z.@.....@.....@.....@.....@.....@......&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}..Fira App..setup.msi.@.....@.....@.....@......icon_35.exe..&.{A0ED79E9-FF2A-4A87-B002-47CD0E427B3D}.....@.....@.....@.....@.......@.....@.....@.......@......Fira App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}.@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}.@......&.{FDDB96EE-847D-4B25-85B1-65E662CF63A8}&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}.@......&.{9608D8ED-8EC6-4540-B232-4A823606F862}&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}.@......&.{17B6E8D6-C004-40DB-BB2D-125D7C1CC21E}&.{5D6904C2-4F69-4F0E-9

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.415059038751397
Encrypted:	false
SSDEEP:	24:3Uyt3WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R82r6SVbu:ky9WSU4y4RQmFoUeWmfmZ9tK8NWR823Q
MD5:	C9FCDEDA736FE17312D6972E2794F6C0
SHA1:	577B74490A15625AA1F5EB1C3FDC1CEF6CC08826
SHA-256:	B9903D16E49921FE437EC4C8DA74163F9369C519B8E3F3DC763B73AF2B40422A
SHA-512:	96A1C2ADBE659F8D15BE35B342DA7479A2F196F64D9DA82F22E618391C12E37E413F25E539EC17AF3F7FD2DAAF656D2EA509E022BF00BD88A91681484FC98A44
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1qgv2jv.kwo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3sen1hy.ykt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\msiBA8F.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	3.0073551160284637
Encrypted:	false
SSDEEP:	3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
MD5:	7A131AC8F407D08D1649D8B66D73C3B0
SHA1:	D93E1B78B1289FB51E791E524162D69D19753F22
SHA-256:	9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
SHA-512:	47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
Malicious:	true
Preview:	..Q.u.i.t.e.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .E.x.t.e.n.d.E.x.p.i.r.e. .:.<.-.>.:. .0. .<.<.:.>.>. .

C:\Users\user\AppData\Local\Temp\pssBAA1.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6668
Entropy (8bit):	3.5127462716425657
Encrypted:	false
SSDEEP:	96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5:	30C30EF2CB47E35101D13402B5661179
SHA1:	25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256:	53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512:	882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scrBA90.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	3.500405439723985
Encrypted:	false
SSDEEP:	6:Q1AGYNk79idK3fOlFoulk+KiV64AGIArMTlP1LlG7JidK3falnUOn03AnfGR:Q1F3Kvoq3VFVrMTQNeFUr3ZR
MD5:	A18EA6E053D5061471852A4151A7D4D0
SHA1:	AEA460891F599C4484F04A3BC5ACC62E9D5AD9F7
SHA-256:	C4EF109DD1FEF1A7E4AF385377801EEA0E7936D207EBCEBBE078BAD56FB1F4AB
SHA-512:	7530E2974622BB6649C895C062C151AC7C496CCC0BDAE4EB53C6F29888FA7B1E184026FBB39DDB5D8741378BEE969DD70B34AC7459F3387D92D21DBCFE28DC9A
Malicious:	true
Preview:	..$.s.k.g.i.e.h.g. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".Q.u.i.t.e.S.e.s.".....$.o.i.g.s.e.i.g.j. .=. .[.u.i.n.t.3.2.].(.$.s.k.g.i.e.h.g. .-.r.e.p.l.a.c.e. .'.t.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".E.x.t.e.n.d.E.x.p.i.r.e.". .$.o.i.g.s.e.i.g.j.

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	310928
Entropy (8bit):	6.001677789306043
Encrypted:	false
SSDEEP:	3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
MD5:	147B71C906F421AC77F534821F80A0C6
SHA1:	3381128CA482A62333E20D0293FDA50DC5893323
SHA-256:	7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
SHA-512:	2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: u1XWB0BIju.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: 6a7e35.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}\|...\|...\|....../p....../v....../1...u.a.l....../u...\|........./v....../}...Rich\|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	506008
Entropy (8bit):	6.4284173495366845
Encrypted:	false
SSDEEP:	6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
MD5:	98CCD44353F7BC5BAD1BC6BA9AE0CD68
SHA1:	76A4E5BF8D298800C886D29F85EE629E7726052D
SHA-256:	E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
SHA-512:	D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: u1XWB0BIju.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: 6a7e35.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............\|.&.....\|.$.J...\|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................\|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.596101286914553
Encrypted:	false
SSDEEP:	192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
MD5:	919E653868A3D9F0C9865941573025DF
SHA1:	EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
SHA-256:	2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
SHA-512:	6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.640081558424349
Encrypted:	false
SSDEEP:	192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
MD5:	7676560D0E9BC1EE9502D2F920D2892F
SHA1:	4A7A7A99900E41FF8A359CA85949ACD828DDB068
SHA-256:	00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
SHA-512:	F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.6023398138369505
Encrypted:	false
SSDEEP:	192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
MD5:	AC51E3459E8FCE2A646A6AD4A2E220B9
SHA1:	60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
SHA-256:	77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
SHA-512:	6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.614262942006268
Encrypted:	false
SSDEEP:	192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
MD5:	B0E0678DDC403EFFC7CDC69AE6D641FB
SHA1:	C1A4CE4DED47740D3518CD1FF9E9CE277D959335
SHA-256:	45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
SHA-512:	2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.654155040985372
Encrypted:	false
SSDEEP:	192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
MD5:	94788729C9E7B9C888F4E323A27AB548
SHA1:	B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
SHA-256:	ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
SHA-512:	AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15304
Entropy (8bit):	6.548897063441128
Encrypted:	false
SSDEEP:	192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
MD5:	580D9EA2308FC2D2D2054A79EA63227C
SHA1:	04B3F21CBBA6D59A61CD839AE3192EA111856F65
SHA-256:	7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
SHA-512:	97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.622041192039296
Encrypted:	false
SSDEEP:	192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
MD5:	35BC1F1C6FBCCEC7EB8819178EF67664
SHA1:	BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
SHA-256:	7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
SHA-512:	9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.730719514840594
Encrypted:	false
SSDEEP:	192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
MD5:	3BF4406DE02AA148F460E5D709F4F67D
SHA1:	89B28107C39BB216DA00507FFD8ADB7838D883F6
SHA-256:	349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
SHA-512:	5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.626458901834476
Encrypted:	false
SSDEEP:	192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
MD5:	BBAFA10627AF6DFAE5ED6E4AEAE57B2A
SHA1:	3094832B393416F212DB9107ADD80A6E93A37947
SHA-256:	C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
SHA-512:	D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.577869728469469
Encrypted:	false
SSDEEP:	192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
MD5:	3A4B6B36470BAD66621542F6D0D153AB
SHA1:	5005454BA8E13BAC64189C7A8416ECC1E3834DC6
SHA-256:	2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
SHA-512:	84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.6496318655699795
Encrypted:	false
SSDEEP:	192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
MD5:	A038716D7BBD490378B26642C0C18E94
SHA1:	29CD67219B65339B637A1716A78221915CEB4370
SHA-256:	B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
SHA-512:	43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12736
Entropy (8bit):	6.587452239016064
Encrypted:	false
SSDEEP:	192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
MD5:	D75144FCB3897425A855A270331E38C9
SHA1:	132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
SHA-256:	08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
SHA-512:	295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14280
Entropy (8bit):	6.658205945107734
Encrypted:	false
SSDEEP:	384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
MD5:	8ACB83D102DABD9A5017A94239A2B0C6
SHA1:	9B43A40A7B498E02F96107E1524FE2F4112D36AE
SHA-256:	059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
SHA-512:	B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.621310788423453
Encrypted:	false
SSDEEP:	96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
MD5:	808F1CB8F155E871A33D85510A360E9E
SHA1:	C6251ABFF887789F1F4FC6B9D85705788379D149
SHA-256:	DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
SHA-512:	441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.7263193693903345
Encrypted:	false
SSDEEP:	192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
MD5:	CFF476BB11CC50C41D8D3BF5183D07EC
SHA1:	71E0036364FD49E3E535093E665F15E05A3BDE8F
SHA-256:	B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
SHA-512:	7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.601327134572443
Encrypted:	false
SSDEEP:	192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
MD5:	F43286B695326FC0C20704F0EEBFDEA6
SHA1:	3E0189D2A1968D7F54E721B1C8949487EF11B871
SHA-256:	AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
SHA-512:	6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14272
Entropy (8bit):	6.519411559704781
Encrypted:	false
SSDEEP:	192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
MD5:	E173F3AB46096482C4361378F6DCB261
SHA1:	7922932D87D3E32CE708F071C02FB86D33562530
SHA-256:	C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
SHA-512:	3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.659079053710614
Encrypted:	false
SSDEEP:	192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
MD5:	9C9B50B204FCB84265810EF1F3C5D70A
SHA1:	0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
SHA-256:	25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
SHA-512:	EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11200
Entropy (8bit):	6.7627840671368835
Encrypted:	false
SSDEEP:	192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
MD5:	0233F97324AAAA048F705D999244BC71
SHA1:	5427D57D0354A103D4BB8B655C31E3189192FC6A
SHA-256:	42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
SHA-512:	8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.590253878523919
Encrypted:	false
SSDEEP:	192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
MD5:	E1BA66696901CF9B456559861F92786E
SHA1:	D28266C7EDE971DC875360EB1F5EA8571693603E
SHA-256:	02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
SHA-512:	08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.672720452347989
Encrypted:	false
SSDEEP:	192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
MD5:	7A15B909B6B11A3BE6458604B2FF6F5E
SHA1:	0FEB824D22B6BEEB97BCE58225688CB84AC809C7
SHA-256:	9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
SHA-512:	D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13760
Entropy (8bit):	6.575688560984027
Encrypted:	false
SSDEEP:	192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
MD5:	6C3FCD71A6A1A39EAB3E5C2FD72172CD
SHA1:	15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
SHA-256:	A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
SHA-512:	EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.70261983917014
Encrypted:	false
SSDEEP:	192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
MD5:	D175430EFF058838CEE2E334951F6C9C
SHA1:	7F17FBDCEF12042D215828C1D6675E483A4C62B1
SHA-256:	1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
SHA-512:	6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.599515320379107
Encrypted:	false
SSDEEP:	192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
MD5:	9D43B5E3C7C529425EDF1183511C29E4
SHA1:	07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
SHA-256:	19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
SHA-512:	C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.690164913578267
Encrypted:	false
SSDEEP:	192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
MD5:	43E1AE2E432EB99AA4427BB68F8826BB
SHA1:	EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:	3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:	40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.615761482304143
Encrypted:	false
SSDEEP:	192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:	735636096B86B761DA49EF26A1C7F779
SHA1:	E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:	5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:	3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.627282858694643
Encrypted:	false
SSDEEP:	192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:	031DC390780AC08F498E82A5604EF1EB
SHA1:	CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:	B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:	1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15816
Entropy (8bit):	6.435326465651674
Encrypted:	false
SSDEEP:	192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
MD5:	285DCD72D73559678CFD3ED39F81DDAD
SHA1:	DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
SHA-256:	6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
SHA-512:	84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.5874576656353145
Encrypted:	false
SSDEEP:	192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
MD5:	5CCE7A5ED4C2EBAF9243B324F6618C0E
SHA1:	FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
SHA-256:	AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
SHA-512:	FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13768
Entropy (8bit):	6.645869978118917
Encrypted:	false
SSDEEP:	192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
MD5:	41FBBB054AF69F0141E8FC7480D7F122
SHA1:	3613A572B462845D6478A92A94769885DA0843AF
SHA-256:	974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
SHA-512:	97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avcodec-60.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	37333152
Entropy (8bit):	6.632921864082428
Encrypted:	false
SSDEEP:	393216:LzyCmQCOCLheXbl4MEf+Eidgrpj3xO6FLzq2KHplhrX5:L5WLheXbl4MEf+HgrpjVF6PD5
MD5:	32F56F3E644C4AC8C258022C93E62765
SHA1:	06DFF5904EBBF69551DFA9F92E6CC2FFA9679BA1
SHA-256:	85AF2FB4836145098423E08218AC381110A6519CB559FF6FC7648BA310704315
SHA-512:	CAE2B9E40FF71DDAF76A346C20028867439B5726A16AE1AD5E38E804253DFCF6ED0741095A619D0999728D953F2C375329E86B8DE4A0FCE55A8CDC13946D5AD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........(........&"...&............P........................................P.......3:...`... ......................................`...........A.....p.......t...X.9.H'.......M..............................(......................P............................text...............................`..`.rodata.0........................... ..`.data...............................@....rdata....X......X.................@..@.pdata..t...........................@..@.xdata..`...........................@..@.bss...................................edata.......`.......\|..............@..@.idata...A.......B..................@....CRT....`..........................@....tls...............................@....rsrc...p..........................@....reloc...M.......N..................@..B........................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avformat-60.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5100112
Entropy (8bit):	6.374242928276845
Encrypted:	false
SSDEEP:	49152:WBUp8DPNkkup6GAx9HEekwEfG/66xcPiw+UgAnBM+sVf9d3PWKOyz/Omlc69kXOV:WB/Z16w8idUgfT0b6LnBSpytGyodUl
MD5:	01589E66D46ABCD9ACB739DA4B542CE4
SHA1:	6BF1BD142DF68FA39EF26E2CAE82450FED03ECB6
SHA-256:	9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
SHA-512:	0527AF5C1E7A5017E223B3CC0343ED5D42EC236D53ECA30D6DECCEB2945AF0C1FBF8C7CE367E87BC10FCD54A77F5801A0D4112F783C3B7E829B2F40897AF8379
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........D..,....&"...&.R4...D.....P.........................................E.....r}N...`... .......................................D.0-....D.hX...PE.......?.......M.H'...`E..e............................>.(.....................D.`............................text....P4......R4.................`..`.data....3...p4..4...V4.............@....rdata...&....4..(....4.............@..@.pdata........?.......?.............@..@.xdata..8{....A..\|...TA.............@..@.bss..........D..........................edata..0-....D.......C.............@..@.idata..hX....D..Z....C.............@....CRT....`....0E......XD.............@....tls.........@E......ZD.............@....rsrc........PE......\D.............@....reloc...e...`E..f...`D.............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avutil-58.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1089600
Entropy (8bit):	6.535744457220272
Encrypted:	false
SSDEEP:	24576:NFUq9wHzADwiB0Bm3k6gz0sA+wLDZyoFNRsKYw:TUdMDwIgm3kpzsNpyoFDsKYw
MD5:	3AAF57892F2D66F4A4F0575C6194F0F8
SHA1:	D65C9143603940EDE756D7363AB6750F6B45AB4E
SHA-256:	9E0D0A05B798DA5D6C38D858CE1AD855C6D68BA2F9822FA3DA16E148E97F9926
SHA-512:	A5F595D9C48B8D5191149D59896694C6DD0E9E1AF782366162D7E3C90C75B2914F6E7AFF384F4B59CA7C5A1ECCCDBF5758E90A6A2B14A8625858A599DCCA429B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........f..X.....&"...&.2...b......P......................................... ......?....`... ......................................0 .xC.... ....... .h.......@>...x..H'.... ............................. Z..(..................... .P............................text....1.......2..................`..`.data........P.......6..............@....rdata...,...`.......8..............@..@.pdata..@>.......@...f..............@..@.xdata...K.......L..................@..@.bss......... ...........................edata..xC...0 ..D..................@..@.idata........ ......6..............@....CRT....`..... ......N..............@....tls.......... ......P..............@....rsrc...h..... ......R..............@....reloc........ ......V..............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57488
Entropy (8bit):	6.382541157520703
Encrypted:	false
SSDEEP:	768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
MD5:	71F796B486C7FAF25B9B16233A7CE0CD
SHA1:	21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
SHA-256:	B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
SHA-512:	A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\iwhgjds.rar

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	400302
Entropy (8bit):	7.999482164139176
Encrypted:	true
SSDEEP:	12288:Wm1ILZ7zy0c80NF8U12IrinGsjFj0ptYHxc:R1ILXEF80SRuYHO
MD5:	1BF46BA2280009ABF837555819810078
SHA1:	B699BD2A01E65A765B5A490C0C57F8DD553EB612
SHA-256:	17BE93B6CEE354165A00BCAA883E5055176B4B7D7512F7D329237D4B9E5E6658
SHA-512:	6CBF2FEF3ECF88952983895C04CFAF818B302A3597C2FD08FE7BB56E7140EC7F09CD1A04FBBA30C9500523C3D0BCDEAFCD6C802EC814EADDE1D6400F5FA2396B
Malicious:	false
Preview:	Rar!.....pi=!.....mo.8u.'.....,q..@?...\|v.M...J.!.JJ.X}............5<.'H.7..1hq[8..u.....(..@.....#.$+...Y.9...UP...&e<XEb....7...YT)...K4...P.....eh...>...}. .4.....0.sc...g.s...R.U....g.A,N.1q.9ps83w;.u,.........mA......]3..cg..i..kH..t...9...Xgt..4.l..o>..[.5......l..j.kS...x....f..\O..o...O..].....\.......\|.....{.i....,....R.. .`...py<,G....?....=V.K...%..h....K...<]-.q[.6...I.g..%.e.j..\|._...P.i.\|.j.b........k.)...!.z......2!...5k..C.......E.m.\..e.9.....).c...:.~..[.dK.[M.D<F.saF...._.L.R......^m...Uk1...w0.&1.c. ..u....L.{.....E...#.(1.7}0.&8k..Ib...D..'.Bt.?......W..%t....].....2.Q.3..r...O....>.......t......IY.i.......E.+.{!...S....R..R.B.....q..h....k...#.i......X[,.)....+..@=Mi....._...0.JU.....e..b.....i.<..]\|.\|Z..2...l...Q-...J<..J.6......33.0...>k.o.V.jN."ng..z=..=.......F..h\|'q...X.....w6{.7S...l...i...j....9...g......(..5?.Gy.E..:....$^.Gx....t/..q......^..AV5.:\|:.p.....6m.FjQD..ff.....f.l..*]=....).IP.s..d...a..j..

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	566704
Entropy (8bit):	6.494428734965787
Encrypted:	false
SSDEEP:	12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
MD5:	6DA7F4530EDB350CF9D967D969CCECF8
SHA1:	3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
SHA-256:	9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
SHA-512:	1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%\|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35656
Entropy (8bit):	6.370522595411868
Encrypted:	false
SSDEEP:	768:ixmeWkfdHAWcgj7Y7rEabyLcRwEpYinAMx1nyqaJ:pXUdg8jU7r4LcRZ7Hx1nyqa
MD5:	D3CAC4D7B35BACAE314F48C374452D71
SHA1:	95D2980786BC36FEC50733B9843FDE9EAB081918
SHA-256:	4233600651FB45B9E50D2EC8B98B9A76F268893B789A425B4159675B74F802AA
SHA-512:	21C8D73CC001EF566C1F3C7924324E553A6DCA68764ECB11C115846CA54E74BD1DFED12A65AF28D9B00DDABA04F987088AA30E91B96E050E4FC1A256FFF20880
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D..D..D..M.3.J......F......W......N......G......F..D..l......A..D.........E...._.E......E..RichD..................PE..d................"....#.2...4......`7.........@..........................................`..................................................b..,....................d..H'......<....Z..p...........................`Y..@............P...............................text....1.......2.................. ..`.rdata..H"...P...$...6..............@..@.data...H............Z..............@....pdata...............\..............@..@.rsrc................`..............@..@.reloc..<............b..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.879664004902594
Encrypted:	false
SSDEEP:	3:mKDDlR+7H6U:hOD6U
MD5:	D9324699E54DC12B3B207C7433E1711C
SHA1:	864EB0A68C2979DCFF624118C9C0618FF76FA76C
SHA-256:	EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
SHA-512:	E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
Malicious:	false
Preview:	@echo off..Start "" %1

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swresample-4.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	158968
Entropy (8bit):	6.4238235663554955
Encrypted:	false
SSDEEP:	1536:izN/1rbQ+rTccg/Lla75jjVBzYCDNzuDQr5whduOd7EKPuh9Aco6uAGUtQFUzcnX:8N/FQ+rejlaFhdrXORhjD6VGUtQWk
MD5:	7FB892E2AC9FF6981B6411FF1F932556
SHA1:	861B6A1E59D4CD0816F4FEC6FD4E31FDE8536C81
SHA-256:	A45A29AECB118FC1A27ECA103EAD50EDD5343F85365D1E27211FE3903643C623
SHA-512:	986672FBB14F3D61FFF0924801AAB3E9D6854BB3141B95EE708BF5B80F8552D5E0D57182226BABA0AE8995A6A6F613864AB0E5F26C4DCE4EB88AB82B060BDAC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........O.....&"...&.h..........P.....................................................`... ...................................... .......0..T....`..........X....E..H'...p..................................(...................02...............................text....f.......h..................`..`.data................l..............@....rdata...Q.......R...n..............@..@.pdata..X...........................@..@.xdata..............................@..@.bss.....................................edata....... ......................@..@.idata..T....0......................@....CRT....X....@......................@....tls.........P......................@....rsrc........`......................@....reloc.......p......................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	707200
Entropy (8bit):	6.610520126248797
Encrypted:	false
SSDEEP:	12288:hTl8xt5jEuhuoWZz8Rt5brZcXVEZMbYwepVQ0G6ddTD8qevJMLf50555555555mj:hZ8xt5jEuhuoWZz8Rt5brZcXVEZMbYJz
MD5:	1144E36E0F8F739DB55A7CF9D4E21E1B
SHA1:	9FA49645C0E3BAE0EDD44726138D7C72EECE06DD
SHA-256:	65F8E4D76067C11F183C0E1670972D81E878E6208E501475DE514BC4ED8638FD
SHA-512:	A82290D95247A67C4D06E5B120415318A0524D00B9149DDDD8B32E21BBD0EE4D86BB397778C4F137BF60DDD4167EE2E9C6490B3018031053E9FE3C0D0B3250E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........-.....&"...&............P.....................................................`... ......................................P.......`..........x....P......8...H'......................................(....................c..`............................text...(...........................`..`.data...............................@....rdata...s.......t..................@..@.pdata.......P...0...&..............@..@.xdata...9.......:...V..............@..@.bss.....................................edata.......P......................@..@.idata.......`......................@....CRT....`....p......................@....tls................................@....rsrc...x...........................@....reloc..............................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\classes.jsa

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	12124160
Entropy (8bit):	4.1175508751036585
Encrypted:	false
SSDEEP:	49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
MD5:	8A13CBE402E0BBF3DA56315F0EBA7F8E
SHA1:	EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
SHA-256:	7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
SHA-512:	46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
Malicious:	false
Preview:	.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.datatransfer.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	51389
Entropy (8bit):	7.916683616123071
Encrypted:	false
SSDEEP:	768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
MD5:	8F4C0388762CD566EAE3261FF8E55D14
SHA1:	B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
SHA-256:	AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
SHA-512:	1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^#.j...R.A..qV.1o...p.....\|._.-N$.!.;X....\|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be..eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N......r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.instrument.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	41127
Entropy (8bit):	7.961466748192397
Encrypted:	false
SSDEEP:	768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
MD5:	D039093C051B1D555C8F9B245B3D7FA0
SHA1:	C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
SHA-256:	4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
SHA-512:	334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..\|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z\|.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......\|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.logging.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	113725
Entropy (8bit):	7.928841651831531
Encrypted:	false
SSDEEP:	3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
MD5:	3A03EF8F05A2D0472AE865D9457DAB32
SHA1:	7204170A08115A16A50D5A06C3DE7B0ADB6113B1
SHA-256:	584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
SHA-512:	1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm........Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h..^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz\|..^.........8q..{...}.G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH\|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	896846
Entropy (8bit):	7.923431656723031
Encrypted:	false
SSDEEP:	12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
MD5:	C6FBB7D49CAA027010C2A817D80CA77C
SHA1:	4191E275E1154271ABF1E54E85A4FF94F59E7223
SHA-256:	1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
SHA-512:	FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..\|..]{.........S\|...(cu/..i.d.z...[....'.M\|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.\|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..\|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	639224
Entropy (8bit):	6.219852228773659
Encrypted:	false
SSDEEP:	12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
MD5:	01DACEA3CBE5F2557D0816FC64FAE363
SHA1:	566064A9CB1E33DB10681189A45B105CDD504FD4
SHA-256:	B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
SHA-512:	C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37256
Entropy (8bit):	6.297533243519742
Encrypted:	false
SSDEEP:	384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
MD5:	135359D350F72AD4BF716B764D39E749
SHA1:	2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
SHA-256:	34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
SHA-512:	CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)\|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\w32-pthreads.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53576
Entropy (8bit):	6.371750593889357
Encrypted:	false
SSDEEP:	1536:ij2SSS5nVoSiH/pOfv3Q3cY37Hx1nI6q:GhSSntiH/pOfvAf3
MD5:	E1EEBD44F9F4B52229D6E54155876056
SHA1:	052CEA514FC3DA5A23DE6541F97CD4D5E9009E58
SHA-256:	D96F2242444A334319B4286403D4BFADAF3F9FCCF390F3DD40BE32FB48CA512A
SHA-512:	235BB9516409A55FE7DDB49B4F3179BDCA406D62FD0EC1345ACDDF032B0F3F111C43FF957D4D09AD683D39449C0FFC4C050B387507FADF5384940BD973DAB159
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.<.K.o.K.o.K.o.3.o.K.oK7.n.K.oK7so.K.oK7.n.K.oK7.n.K.oK7.n.K.o'9.n.K.o.K.o.K.o,6.n.K.o,6.n.K.o,6qo.K.o.K.o.K.o,6.n.K.oRich.K.o........PE..d....Q............" ...#.b...J.......f............................................../.....`............................................X...(...........................H'......8.......p...........................P...@...............@............................text...ha.......b.................. ..`.rdata..P,...........f..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..8...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	144200
Entropy (8bit):	6.592048391646652
Encrypted:	false
SSDEEP:	1536:GjxOs8gLeu4iSssNiTh9Yks32X3KqVy5SmBolzXfqLROJA0o1ZXMvr7Rn6dheIOI:I34iDsG5vm4bfqFKoDmr7h2MHTtwV6K
MD5:	3A0DBC5701D20AA87BE5680111A47662
SHA1:	BC581374CA1EBE8565DB182AC75FB37413220F03
SHA-256:	D53BC4348AD6355C20F75ED16A2F4F641D24881956A7AE8A0B739C0B50CF8091
SHA-512:	4740945606636C110AB6C365BD1BE6377A2A9AC224DE6A79AA506183472A9AD0641ECC63E5C5219EE8097ADEF6533AB35E2594D6F8A91788347FDA93CDB0440E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...&............P....................................................`... ......................................0..\|....@..8....p..................H'......................................(....................A..p............................text...............................`..`.data...............................@....rdata...W.......X..................@..@.pdata..............................@..@.xdata..............................@..@.bss......... ...........................edata..\|....0......................@..@.idata..8....@......................@....CRT....X....P......................@....tls.........`......................@....rsrc........p......................@....reloc..............................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Installer\{5D6904C2-4F69-4F0E-9343-C854009E1C94}\icon_35.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	172242
Entropy (8bit):	3.920583934112822
Encrypted:	false
SSDEEP:	768:v+U57GB0uPJGGbN99NvQIUfGQ9zSN75NsnKcKgM90be1ERgygKEmw:GU5IH2II/+VyKkbIEgKEv
MD5:	38EADA415479858E73B3791D1A2F2A8A
SHA1:	53972C0D6830BB51F5E324D16675FFCE7AC67A69
SHA-256:	9E5A10145DD2A9AFB76B584FFCAEB50C1A7D5C87EA9F6ECB2A70CBF6B79F58B0
SHA-512:	F244025DF4CFCC7316E70E45CE0AEEE448253A92A1EF2BCAA4B2F45FD383BE88C38D24AB2629631EEA6BDDDE98207135EE0C7DF82AC7911B6A15B7C2279FE83B
Malicious:	false
Preview:	............ .\|(............ .(....)..``.... .....:1..HH.... ..T......@@.... .(B..j...00.... ..%...\.. .... .....:......... .............. .h...j....PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx...y....7..^f..a.qaQ.M@e...f0....,.'.<.sN.3.&...F..&.%F.g@.MBD......j4n.A`......G3..=.t.R...9s...U_g....w.W...~....(....`..)G#..@OVli....0vL.l.\...(..D*..PT..3\|...K:.mn..6BQ....H..j..)'A8...A8..K....sr....g ...@..u.f1.b"..L.p..4....X.....m.0..\ .O.;W..j.4..os&....Y....k.3....W....c0}..a0>..........-b@.@....Y L.0..K.tI+.`..m.....@.@.@..._....re........^.p.\.-..)...`.......i..4"..ee83)....l ..0... ...W.........\.NX.gJ...c..{4S!c....f.0]...s3.>.#.`.0.D.... .+K.........\.r..CR.b`.c.. ..,.2..j.y{.RA4....7..........r.mq\|IO.@.l\|..!D......2.Lt.Q)...`..K...t/@[.TRI.Q..KFR."h.c....w........aQ...`...\U.W.O...\n.z..).a....J..A.zYYl0..)....._..+..........~.$.....i.}....L.....xR.!.......C.,..x=.V..:.D$. DO.{.r...{Y)1@...]......U.O..Kr..Z.U"...]..G......Y.du<"@.@

C:\Windows\Installer\4d93ec.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {A0ED79E9-FF2A-4A87-B002-47CD0E427B3D}, Number of Words: 10, Subject: Fira App, Author: Hypera Cisia Quero, Name of Creating Application: Fira App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Fira App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Jan 11 12:02:06 2025, Last Saved Time/Date: Sat Jan 11 12:02:06 2025, Last Printed: Sat Jan 11 12:02:06 2025, Number of Pages: 450
Category:	dropped
Size (bytes):	60682938
Entropy (8bit):	7.215683614842876
Encrypted:	false
SSDEEP:	786432:OrB0uVmrjV7eIAteQOTZjoh7Da0JZ+16ZhHNY9jyWSwXO/hdYO:OrJVmrjV7eIvQOTZjca0O16Zh4W3Y
MD5:	743FB4A347F2CB18852AA2CB25E62AC5
SHA1:	813A4943C2D176B63D1F51E677C9F517C50D72B7
SHA-256:	053CD0F09335110C8B9FDF3F5FE6B220FA91D65E1A9479A10DC796D5113BBD2E
SHA-512:	8CED64249DF4CFFFF2AFFC5F3D4AB26309568A3F0F097A21CBAAE5B6C20B94794540479A8E979D86E5280051CC06A0C07CD075AF42E980D1F9198B82808E2AFE
Malicious:	false
Preview:	......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)......................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

C:\Windows\Installer\4d93ef.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {A0ED79E9-FF2A-4A87-B002-47CD0E427B3D}, Number of Words: 10, Subject: Fira App, Author: Hypera Cisia Quero, Name of Creating Application: Fira App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Fira App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Jan 11 12:02:06 2025, Last Saved Time/Date: Sat Jan 11 12:02:06 2025, Last Printed: Sat Jan 11 12:02:06 2025, Number of Pages: 450
Category:	dropped
Size (bytes):	60682938
Entropy (8bit):	7.215683614842876
Encrypted:	false
SSDEEP:	786432:OrB0uVmrjV7eIAteQOTZjoh7Da0JZ+16ZhHNY9jyWSwXO/hdYO:OrJVmrjV7eIvQOTZjca0O16Zh4W3Y
MD5:	743FB4A347F2CB18852AA2CB25E62AC5
SHA1:	813A4943C2D176B63D1F51E677C9F517C50D72B7
SHA-256:	053CD0F09335110C8B9FDF3F5FE6B220FA91D65E1A9479A10DC796D5113BBD2E
SHA-512:	8CED64249DF4CFFFF2AFFC5F3D4AB26309568A3F0F097A21CBAAE5B6C20B94794540479A8E979D86E5280051CC06A0C07CD075AF42E980D1F9198B82808E2AFE
Malicious:	false
Preview:	......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)......................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

C:\Windows\Installer\MSI9CC6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9D44.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9D83.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9DC3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9E12.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4557937684843365
Encrypted:	false
SSDEEP:	24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
MD5:	E83D774F643972B8ECCDB3A34DA135C5
SHA1:	A58ECCFB12D723C3460563C5191D604DEF235D15
SHA-256:	D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
SHA-512:	CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9E51.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9E81.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB0F1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380520
Entropy (8bit):	6.512348002260683
Encrypted:	false
SSDEEP:	6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
MD5:	FFDAACB43C074A8CB9A608C612D7540B
SHA1:	8F054A7F77853DE365A7763D93933660E6E1A890
SHA-256:	7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
SHA-512:	A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB9BC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	191613
Entropy (8bit):	4.390024887685164
Encrypted:	false
SSDEEP:	768:ljoSuhD9WTztg+U57GB0uPJGGbN99NvQIUfGQ9zSN75NsnKcKgM90be1ERgygKEc:iSQ9WTnU5IH2II/+VyKkbIEgKEwj
MD5:	21C2ED757F4533689C1A2F58DD851E87
SHA1:	629E81077C8E8333379DF1AE2970223A967C2FFD
SHA-256:	9ADB51229B00F364EB3E7CF113A9EE472AEF92B1C6C6892454E7E7A2B4865ADF
SHA-512:	9B3EB92E8244F49FD0F1A2CC31695E84EA2E234A8B02AF00B26FBDFF5D931F5D50AFD0B13D0853ACB4C2C40E7BC244F9BB440344CA2D9637CC7581DF2A7F30D6
Malicious:	false
Preview:	...@IXOS.@.....@.T,Z.@.....@.....@.....@.....@.....@......&.{5D6904C2-4F69-4F0E-9343-C854009E1C94}..Fira App..setup.msi.@.....@.....@.....@......icon_35.exe..&.{A0ED79E9-FF2A-4A87-B002-47CD0E427B3D}.....@.....@.....@.....@.......@.....@.....@.......@......Fira App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@3....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F};.C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}0.21:\Software\Hypera Cisia Quero\Fira App\Version.@.......@.....@.....@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}D.C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll.@.......@.....@.....@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}K.C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll.@.......@.....@.....@......&.{FDDB96EE-847D-4B25-85B

C:\Windows\Installer\MSIB9EC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	787808
Entropy (8bit):	6.693392695195763
Encrypted:	false
SSDEEP:	24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
MD5:	8CF47242B5DF6A7F6D2D7AF9CC3A7921
SHA1:	B51595A8A113CF889B0D1DD4B04DF16B3E18F318
SHA-256:	CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
SHA-512:	748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{5D6904C2-4F69-4F0E-9343-C854009E1C94}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1621111785175344
Encrypted:	false
SSDEEP:	12:JSbX72Fj1AGiLIlHVRpMh/7777777777777777777777777vDHFPYoLp3Xl0i8Q:J7QI5cnl6F
MD5:	943DF964A053F68B58E016A217625034
SHA1:	6C4FDB5488DE0460BCF18F07040F82AB9B9E96DC
SHA-256:	1D61B897674F3F2F71AF2262AA8A53AB01B3195BFDDABBCD18C97F0360C98F43
SHA-512:	E6FBC781CB004FD6107668A49EF885098B03E1C6AD8105BCB9949B0511DD2CD814BF1FEBBC378D1C0F78F10E0F24370984105692829BAEACD4D46D559F4C8B09
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5640075912119182
Encrypted:	false
SSDEEP:	48:28PhluRc06WXOCFT514S9IBmsAECiCyfSCmjoGMUXOmmSCmqT3:Jhl1UFTB9DECQ+Xs
MD5:	3C268AB72E9F35C658AF9E05FDF7ED5C
SHA1:	EB0D4E1FBA447DD25368D6EDF2567F2349BCFF6A
SHA-256:	92E3422E4DAD17612C59D0C5CE6A94025B220C2DD4A8FFA1C27E6B2EA8E465D4
SHA-512:	567CFF98BC5D74B041639B9F01F6DD34822D58C324E09AE403A2CA0409B8C281DF018DF1788E1BF2A1C2DA2C54F2807B23D4FBE7910CBE54ED5F39B5A5D050DD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.3751677958689035
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau+:zTtbmkExhMJCIpErj
MD5:	FC0D885A46D9E8A05D2AF2CD0532CC9E
SHA1:	2FAA4318CE03494CBE5BA00A091FB3DA53600090
SHA-256:	C975EEE65E7ECFF6B999CDDC4EBE7A9B038DB6D4308A11DFCEBCC7303A116E37
SHA-512:	65A82DADEDC1BC89B09C60D407247DDEC32212B0433D8F42A357184560281CE6D70D7169043E0D8AF2ADD821F6164FB60543E6C31235DBED7D122A37CBFAC9F2
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0DC78A708DE5C53F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1A3E3BA6E2CD4BD5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF22EF3DF5B289A575.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.253792827399944
Encrypted:	false
SSDEEP:	48:akduNPvcFXOTT5Q4S9IBmsAECiCyfSCmjoGMUXOmmSCmqT3:HdlOTW9DECQ+Xs
MD5:	076008EA3DB547D91B0B6FC28F53890C
SHA1:	BA2E7BD48138C919BB61EB0D67F716D2C14707A9
SHA-256:	5C33416AAD32BC71177B19817DCED8052AEAD4837B275FF46219E71E664FB358
SHA-512:	22050DBD2A5FEBC1046A43C2DA8AB9C8DE05118EEA160E1A8ACD49621469BE8C0637124409B65EDF87EEBE54F2CCBAD10E8EF70A6D5F6D97BD6482161ECC96E6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4677BB3AD96D3DBD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4F47EA56204005AA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06930324507929364
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOP0cpMQWUKCEyVky6l3X:2F0i8n0itFzDHFPYo23X
MD5:	6D3CB84B09EE559F932A5660763ED81D
SHA1:	A446D6142FB6DCDA141ED269D6E9766B1ECC12B7
SHA-256:	62BC27F58383B6C7B24B7F1B54BD0874DED32D2AFBA9FF9628314D6C5575AFC1
SHA-512:	63C657665FA67DCD871382A1F310BE37BBB67A841C2B9C317EA9E801792FB634E2C4D6856815D6C8FA89A2AA1DAC3A6DDA3BE2CC5EA659A3DE9CE9C8AD892360
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7FA5DDF0106C6DE3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5640075912119182
Encrypted:	false
SSDEEP:	48:28PhluRc06WXOCFT514S9IBmsAECiCyfSCmjoGMUXOmmSCmqT3:Jhl1UFTB9DECQ+Xs
MD5:	3C268AB72E9F35C658AF9E05FDF7ED5C
SHA1:	EB0D4E1FBA447DD25368D6EDF2567F2349BCFF6A
SHA-256:	92E3422E4DAD17612C59D0C5CE6A94025B220C2DD4A8FFA1C27E6B2EA8E465D4
SHA-512:	567CFF98BC5D74B041639B9F01F6DD34822D58C324E09AE403A2CA0409B8C281DF018DF1788E1BF2A1C2DA2C54F2807B23D4FBE7910CBE54ED5F39B5A5D050DD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8A103E80C365C248.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8E05F09EB4415EB8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5640075912119182
Encrypted:	false
SSDEEP:	48:28PhluRc06WXOCFT514S9IBmsAECiCyfSCmjoGMUXOmmSCmqT3:Jhl1UFTB9DECQ+Xs
MD5:	3C268AB72E9F35C658AF9E05FDF7ED5C
SHA1:	EB0D4E1FBA447DD25368D6EDF2567F2349BCFF6A
SHA-256:	92E3422E4DAD17612C59D0C5CE6A94025B220C2DD4A8FFA1C27E6B2EA8E465D4
SHA-512:	567CFF98BC5D74B041639B9F01F6DD34822D58C324E09AE403A2CA0409B8C281DF018DF1788E1BF2A1C2DA2C54F2807B23D4FBE7910CBE54ED5F39B5A5D050DD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAAC90BF4712FCFF8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB85B38E52F7C8855.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.253792827399944
Encrypted:	false
SSDEEP:	48:akduNPvcFXOTT5Q4S9IBmsAECiCyfSCmjoGMUXOmmSCmqT3:HdlOTW9DECQ+Xs
MD5:	076008EA3DB547D91B0B6FC28F53890C
SHA1:	BA2E7BD48138C919BB61EB0D67F716D2C14707A9
SHA-256:	5C33416AAD32BC71177B19817DCED8052AEAD4837B275FF46219E71E664FB358
SHA-512:	22050DBD2A5FEBC1046A43C2DA8AB9C8DE05118EEA160E1A8ACD49621469BE8C0637124409B65EDF87EEBE54F2CCBAD10E8EF70A6D5F6D97BD6482161ECC96E6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC379D49BFEEDC7E2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13743883599967782
Encrypted:	false
SSDEEP:	48:3+TemmSCm/msAECiCyfSCmjoGMUX5IDk4:rbECQ+X5E
MD5:	5679A6A7DC81DBAB0713A4599E5AF395
SHA1:	875CEBCE4B5E5AB840960825E4C1D745D7B1AF2B
SHA-256:	6652DE85840D8144199E4158C6A88B390CAD40524D1394E1F199725BB0AB73DD
SHA-512:	86D087B7EAE24A295FDBD9413C69475EC224393DEC03420C1EB5B156F58194CA5904B87F4968D63AE8490F782BEE54720D794299C4BFDABF1518EC2F5FFA249C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE5B1E32C32967FBF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.253792827399944
Encrypted:	false
SSDEEP:	48:akduNPvcFXOTT5Q4S9IBmsAECiCyfSCmjoGMUXOmmSCmqT3:HdlOTW9DECQ+Xs
MD5:	076008EA3DB547D91B0B6FC28F53890C
SHA1:	BA2E7BD48138C919BB61EB0D67F716D2C14707A9
SHA-256:	5C33416AAD32BC71177B19817DCED8052AEAD4837B275FF46219E71E664FB358
SHA-512:	22050DBD2A5FEBC1046A43C2DA8AB9C8DE05118EEA160E1A8ACD49621469BE8C0637124409B65EDF87EEBE54F2CCBAD10E8EF70A6D5F6D97BD6482161ECC96E6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	638
Entropy (8bit):	4.751962275036146
Encrypted:	false
SSDEEP:	12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
MD5:	15CA959638E74EEC47E0830B90D0696E
SHA1:	E836936738DCB6C551B6B76054F834CFB8CC53E5
SHA-256:	57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
SHA-512:	101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
Malicious:	false
Preview:	[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {A0ED79E9-FF2A-4A87-B002-47CD0E427B3D}, Number of Words: 10, Subject: Fira App, Author: Hypera Cisia Quero, Name of Creating Application: Fira App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Fira App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Jan 11 12:02:06 2025, Last Saved Time/Date: Sat Jan 11 12:02:06 2025, Last Printed: Sat Jan 11 12:02:06 2025, Number of Pages: 450
Entropy (8bit):	7.215683614842876
TrID:	Windows SDK Setup Transform Script (63028/2) 88.73% Generic OLE2 / Multistream Compound File (8008/1) 11.27%
File name:	setup.msi
File size:	60'682'938 bytes
MD5:	743fb4a347f2cb18852aa2cb25e62ac5
SHA1:	813a4943c2d176b63d1f51e677c9f517c50d72b7
SHA256:	053cd0f09335110c8b9fdf3f5fe6b220fa91d65e1a9479a10dc796d5113bbd2e
SHA512:	8ced64249df4cffff2affc5f3d4ab26309568a3f0f097a21cbaae5b6c20b94794540479a8e979d86e5280051cc06a0c07cd075af42e980d1f9198b82808e2afe
SSDEEP:	786432:OrB0uVmrjV7eIAteQOTZjoh7Da0JZ+16ZhHNY9jyWSwXO/hdYO:OrJVmrjV7eIvQOTZjca0O16Zh4W3Y
TLSH:	BFD77C01B3FA4148F2F75E717EBA95A5947ABD521B30C0EF1204A60E1B72BC25BB1763
File Content Preview:	........................>............................................2..................................................................x......................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T16:37:17.303185+0100	2829202	ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA	1	192.168.2.4	49732	172.67.162.17	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 16:37:16.773252964 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:16.773320913 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:16.773416996 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:16.777642012 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:16.777693987 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:17.252954960 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:17.253165960 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:17.297816038 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:17.297873974 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:17.298933983 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:17.299015999 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:17.302794933 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:17.302886963 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:17.302994967 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:18.271090984 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:18.271177053 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:18.271255970 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:18.271292925 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:18.271330118 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:18.271370888 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:18.272114038 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:18.272150040 CET	443	49732	172.67.162.17	192.168.2.4
Jan 12, 2025 16:37:18.272175074 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:18.272228003 CET	49732	443	192.168.2.4	172.67.162.17
Jan 12, 2025 16:37:40.277525902 CET	51290	53	192.168.2.4	162.159.36.2
Jan 12, 2025 16:37:40.282423973 CET	53	51290	162.159.36.2	192.168.2.4
Jan 12, 2025 16:37:40.282494068 CET	51290	53	192.168.2.4	162.159.36.2
Jan 12, 2025 16:37:40.287350893 CET	53	51290	162.159.36.2	192.168.2.4
Jan 12, 2025 16:37:40.732629061 CET	51290	53	192.168.2.4	162.159.36.2
Jan 12, 2025 16:37:40.737700939 CET	53	51290	162.159.36.2	192.168.2.4
Jan 12, 2025 16:37:40.737750053 CET	51290	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 16:37:16.726201057 CET	64176	53	192.168.2.4	1.1.1.1
Jan 12, 2025 16:37:16.762120008 CET	53	64176	1.1.1.1	192.168.2.4
Jan 12, 2025 16:37:40.273951054 CET	53	54629	162.159.36.2	192.168.2.4
Jan 12, 2025 16:37:40.751029015 CET	54824	53	192.168.2.4	1.1.1.1
Jan 12, 2025 16:37:40.758346081 CET	53	54824	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 16:37:16.726201057 CET	192.168.2.4	1.1.1.1	0x2a65	Standard query (0)	staticmaxepress.com	A (IP address)	IN (0x0001)	false
Jan 12, 2025 16:37:40.751029015 CET	192.168.2.4	1.1.1.1	0xbf01	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 16:37:16.762120008 CET	1.1.1.1	192.168.2.4	0x2a65	No error (0)	staticmaxepress.com		172.67.162.17	A (IP address)	IN (0x0001)	false
Jan 12, 2025 16:37:16.762120008 CET	1.1.1.1	192.168.2.4	0x2a65	No error (0)	staticmaxepress.com		104.21.34.147	A (IP address)	IN (0x0001)	false
Jan 12, 2025 16:37:40.758346081 CET	1.1.1.1	192.168.2.4	0xbf01	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

staticmaxepress.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	172.67.162.17	443	1216	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 15:37:17 UTC	198	OUT	POST /updater2.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvancedInstaller Host: staticmaxepress.com Content-Length: 71 Cache-Control: no-cache
2025-01-12 15:37:17 UTC	71	OUT	Data Raw: 44 61 74 65 3d 31 32 25 32 46 30 31 25 32 46 32 30 32 35 26 54 69 6d 65 3d 31 30 25 33 41 33 37 25 33 41 31 35 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65 Data Ascii: Date=12%2F01%2F2025&Time=10%3A37%3A15&BuildVersion=8.9.9&SoroqVins=True
2025-01-12 15:37:18 UTC	834	IN	HTTP/1.1 500 Internal Server Error Date: Sun, 12 Jan 2025 15:37:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m2uH2F45Kfgb0CMUppe9LthxIHFIJZ1fs38yTGBTMI43qy7EVhgi0avdjeJtLt3tI4eI1I7Ywq1bAWDAMIIsHTvWwGujguiVptz%2BEDRzne1POPLqMVlQR4SkvMiyP%2B98UCKIvo%2BN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900e3a1b7edcef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1935&min_rtt=1904&rtt_var=776&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=929&delivery_rate=1355617&cwnd=219&unsent_bytes=0&cid=507771116c90dd59&ts=1041&x=0"
2025-01-12 15:37:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:37:07
Start date:	12/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Imagebase:	0x7ff7927d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:37:07
Start date:	12/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7927d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:37:10
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 02F842FA0A6C6BE670B8D0D8CCB5D4F3
Imagebase:	0x460000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:37:17
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBAA1.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBA8F.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBA90.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBA91.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase:	0xc10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:37:18
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:37:24
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""
Imagebase:	0x7ff6cce10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:37:24
Start date:	12/01/2025
Path:	C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe"
Imagebase:	0x7ff711d40000
File size:	57'488 bytes
MD5 hash:	71F796B486C7FAF25B9B16233A7CE0CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:37:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xb20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:37:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:37:24
Start date:	12/01/2025
Path:	C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"
Imagebase:	0x7ff7ec500000
File size:	35'656 bytes
MD5 hash:	D3CAC4D7B35BACAE314F48C374452D71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:37:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 07DF1B50 Relevance: 4.0, Strings: 3, Instructions: 208COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DF1C3E
$^q, xrefs: 07DF1BEB
$^q, xrefs: 07DF1C32

Memory Dump Source

Source File: 00000003.00000002.1800758227.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 07f804298380560ea5e33be95df54af6de6ac5d39f3503b933d1ed838ba35561
Instruction ID: 09021a7b820c04b0838ac5b892df92891a65e8986d8d2149b3ba8297294dc646
Opcode Fuzzy Hash: 07f804298380560ea5e33be95df54af6de6ac5d39f3503b933d1ed838ba35561
Instruction Fuzzy Hash: DA6155B070424DDFDB249F69D840AAAFBF6AF85310F15C46AE645CB251DB32C941CBA1

Function 07DF1B34 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DF1BEB
$^q, xrefs: 07DF1C32

Memory Dump Source

Source File: 00000003.00000002.1800758227.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: a3d8fee0013a11a52ae3ba0d99ff0bbaaaa2c2790c6af402bfb6b83135482938
Instruction ID: 57d9ee4a52737048874fff31c79291a624180899ce025701ea9da75f4d70b301
Opcode Fuzzy Hash: a3d8fee0013a11a52ae3ba0d99ff0bbaaaa2c2790c6af402bfb6b83135482938
Instruction Fuzzy Hash: 4741A2F060424EDFDB24CF15C584AA9FBF1FF82315F1A80AAE6458B251D736C945CB51

Function 03758478 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb1cd90f2abd9ef1586ab61633a89d8cdbb45730a874f130317dc68c3513d83
Instruction ID: dfb77b02edb4be3724d0797361d68ccaac32261caab3033c8966a12f68b3ddd4
Opcode Fuzzy Hash: feb1cd90f2abd9ef1586ab61633a89d8cdbb45730a874f130317dc68c3513d83
Instruction Fuzzy Hash: D3A19135B002189FDB18DFA4D584A9DBBF6FF84300F154558E806AF369DBB4AD89CB41

Function 03758BC8 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d415c1b000297420fafba86889a768215a6eaab6acac7fc7ee5472b9ebab26f
Instruction ID: fe5e4e4747c2a040a45435162d61b61f0f10724d21ff63267ebf4d53582fd43d
Opcode Fuzzy Hash: 9d415c1b000297420fafba86889a768215a6eaab6acac7fc7ee5472b9ebab26f
Instruction Fuzzy Hash: 2971CF30A00209DFCB18DF68D884A9DFBF6FF89354F18856AE815DB265DB71AC45CB81

Function 03758D36 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28abd4ad09300212ee4ea5d26d54fdfcfaf4757047f33aef60c46653a3b0066
Instruction ID: e76f96e797c1f7a92f6df880bddab04dcbcb9cf53fcbfa0e36db468652f9f3de
Opcode Fuzzy Hash: b28abd4ad09300212ee4ea5d26d54fdfcfaf4757047f33aef60c46653a3b0066
Instruction Fuzzy Hash: 99716070E00208DFDB18DFA4D484BADBBF6BF88344F188469E816AB265DF709C46CB51

Function 03758959 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887fb0f87e90001f3734eb06897d70eb7c730ef586122ee709d76002dc4b5201
Instruction ID: 842e23b6cdb4b6bb0634bd80555721e51ab361e0a048e2bb3e2df403ca69320a
Opcode Fuzzy Hash: 887fb0f87e90001f3734eb06897d70eb7c730ef586122ee709d76002dc4b5201
Instruction Fuzzy Hash: BC41D0707042409FEB19DB34C958AAEBBF6FF89750F185569E802EB3A4CB749C41CB51

Function 03758BB3 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8c9ed05958c8727ad39fa9a15a5008911219651286f9ce9794d741efa2537c
Instruction ID: 143971c57e1f8ee268aaa415c74da21e2c646e1a01a6466f1124ede3fe92cc0d
Opcode Fuzzy Hash: 4c8c9ed05958c8727ad39fa9a15a5008911219651286f9ce9794d741efa2537c
Instruction Fuzzy Hash: 9A418D70A04208DFDB18DFA9C88469DBBF6FF89344F148569E406AB3A5DBB19845CB41

Function 03753D10 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e55e92d53c4e4c8e64e196f65a9ae0b404810b25f3bab89880105861f9f9788
Instruction ID: 2649b7b0f2352d2c9aebe6e7982348b66df98a467cbc32ca38ba6ab033e39017
Opcode Fuzzy Hash: 1e55e92d53c4e4c8e64e196f65a9ae0b404810b25f3bab89880105861f9f9788
Instruction Fuzzy Hash: A34138B4A406459FDB0ACF58C594AAEFBB1FF48310B158299D805AB365C736FC51CFA0

Function 03753A80 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397ec4bbf57ac1f853f6ce6a82f2f154cd9a9e0ece0b8f7554626619664d292b
Instruction ID: 79e23b7918fa06784c39c44a1d51392b27e2eefd5b00b15c82a0ce994c12784b
Opcode Fuzzy Hash: 397ec4bbf57ac1f853f6ce6a82f2f154cd9a9e0ece0b8f7554626619664d292b
Instruction Fuzzy Hash: 89318E787092018FD398DA2C9060369BBF2FBC6281304C569F48ACF771DA71FC069B51

Function 0353D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1795513315.000000000353D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0353D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_353d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2045828ab19496948cab5f859608161ef8ff0e225e5400e9bfd7e5f6974195a4
Instruction ID: 6653dac9381107bc56ddce64955150bab178b668d5009adeb5d9a5ad4db9b36b
Opcode Fuzzy Hash: 2045828ab19496948cab5f859608161ef8ff0e225e5400e9bfd7e5f6974195a4
Instruction Fuzzy Hash: 1101F7714083009AE711CB26D9847A7FFFCFF42B24F0CC469ED184A166D2799841C6B1

Function 0353D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1795513315.000000000353D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0353D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_353d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb568f1b85710d642b2647d2be0d9a9486136fc3d80a03d40cdcee1232469726
Instruction ID: ca9bc5abe7c996db6d2de3c09a956f51661b2831ab5dd2cafa695d7bdf20e983
Opcode Fuzzy Hash: cb568f1b85710d642b2647d2be0d9a9486136fc3d80a03d40cdcee1232469726
Instruction Fuzzy Hash: FD01447100D3C09ED7128B25DC94B52BFB8EF43624F1D80CBD9848F1A3C2695845C772

Function 037588ED Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1796116740.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34af488de510f1669288500b950412d437098a9008c76f28da90785773a335d0
Instruction ID: b3c167bd3fa9124d7f30013c111947cbdbc9b2d8d745f7491b657f96fd3b8d48
Opcode Fuzzy Hash: 34af488de510f1669288500b950412d437098a9008c76f28da90785773a335d0
Instruction Fuzzy Hash: 2EF03074B4020ADFDB04DBA4D595B6E7BB2EF80340F108914E5029F368DB789D48CBC1

Non-executed Functions

Function 07DF1658 Relevance: 15.3, Strings: 12, Instructions: 259COMMON

Download Yara Rule

Strings

84\k, xrefs: 07DF17E0
Tk, xrefs: 07DF174D
tP^q, xrefs: 07DF1837
Tk, xrefs: 07DF173F
$^q, xrefs: 07DF17B4
$^q, xrefs: 07DF1690
tP^q, xrefs: 07DF1843
$^q, xrefs: 07DF169C
tP^q, xrefs: 07DF16D5
84\k, xrefs: 07DF17EA
tP^q, xrefs: 07DF16E1
$^q, xrefs: 07DF166A

Memory Dump Source

Source File: 00000003.00000002.1800758227.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 84\k$84\k$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Tk$Tk
API String ID: 0-3318624252
Opcode ID: 5663bd1bf4b01948855a5cadc9bdd733c166eb58ea48a120a94d837044be792b
Instruction ID: 053189e9b1d2aaf33cd358cf8360a1f035300396a91bd625a39011c16aa841cc
Opcode Fuzzy Hash: 5663bd1bf4b01948855a5cadc9bdd733c166eb58ea48a120a94d837044be792b
Instruction Fuzzy Hash: F48158B1B04359DFD7259B69980066AFBE6AFC6310F1980ABD684CF391CE32CC45C7A1

Function 07DF0898 Relevance: 10.2, Strings: 8, Instructions: 179COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DF0A56
$^q, xrefs: 07DF091D
$^q, xrefs: 07DF0A3E
$^q, xrefs: 07DF0A62
4'^q, xrefs: 07DF0947
$^q, xrefs: 07DF0929
4'^q, xrefs: 07DF0953
$^q, xrefs: 07DF08EF

Memory Dump Source

Source File: 00000003.00000002.1800758227.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3732357466
Opcode ID: c6ef2a3448f0583318dffa599654c3497cb5bacf2bdfce6246580d00675c9491
Instruction ID: 09648ebba30704760d1d882bb22fa925570c85baf84ad632874686afdf77ae69
Opcode Fuzzy Hash: c6ef2a3448f0583318dffa599654c3497cb5bacf2bdfce6246580d00675c9491
Instruction Fuzzy Hash: 67514CB170530ACFDB255A29980066AFBF6EFC5220F19847FD645CB253EA31C945C7A1

Function 07DF0E88 Relevance: 6.3, Strings: 5, Instructions: 79COMMON

Download Yara Rule

Strings

4[k, xrefs: 07DF0F3E
4[k, xrefs: 07DF0F30
$^q, xrefs: 07DF0ECB
$^q, xrefs: 07DF0F00
$^q, xrefs: 07DF0F0C

Memory Dump Source

Source File: 00000003.00000002.1800758227.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4[k$4[k$$^q$$^q$$^q
API String ID: 0-1905604279
Opcode ID: 64f105b259d4f2ef0390d1dfd7a442280557e6c293bf60194a6abde1b5105294
Instruction ID: dd9bac9f148a51abd0e6a85023c36c563be52eb3a4c68ad76bf5663bdb13c3b1
Opcode Fuzzy Hash: 64f105b259d4f2ef0390d1dfd7a442280557e6c293bf60194a6abde1b5105294
Instruction Fuzzy Hash: 141159F131021A9BD7245A299820B7BF7DA8FC1610B1A847BD646CF397DE36C846C3B1

Function 07DF04D0 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DF0547
$^q, xrefs: 07DF0526
$^q, xrefs: 07DF051A
4'^q, xrefs: 07DF053B

Memory Dump Source

Source File: 00000003.00000002.1800758227.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 5b8ac1b60c864a0b160ea270674f08a28dbf2d8635727f7ebe7bf6fa68db76be
Instruction ID: 5df7d7b811b2f95c855b494e65405915197b61fa769c4aa051511a1dea59a65c
Opcode Fuzzy Hash: 5b8ac1b60c864a0b160ea270674f08a28dbf2d8635727f7ebe7bf6fa68db76be
Instruction Fuzzy Hash: A701F761B0D3864FD72B162818205A59FF25FC3510B2A05DBC0C0CF3ABCD658D4A83A3

Analysis Process: createdump.exePID: 5720, Parent PID: 7088COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	701
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF711D41060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF711D4112F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF711D4115B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF711D41187
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF711D41230
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF711D4123C
GetTempPathA.KERNEL32 ref: 00007FF711D412C1
GetLastError.KERNEL32 ref: 00007FF711D412CB
GetLastError.KERNEL32 ref: 00007FF711D412DF
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF711D412F8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41350
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41359
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41364
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D4136D

Strings

dump.%p.dmp, xrefs: 00007FF711D412E9
-, xrefs: 00007FF711D410DC
full dump, xrefs: 00007FF711D411C3
v, xrefs: 00007FF711D4121A
strcat_s failed (%d), xrefs: 00007FF711D41306
--normal, xrefs: 00007FF711D41125
createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn, xrefs: 00007FF711D41386
minidump with heap, xrefs: 00007FF711D4107C, 00007FF711D410BF
--withheap, xrefs: 00007FF711D41151
-, xrefs: 00007FF711D411D7
GetTempPath failed (0x%08x), xrefs: 00007FF711D412D3
--triage, xrefs: 00007FF711D4117D
triage minidump, xrefs: 00007FF711D41247
--diag, xrefs: 00007FF711D411EF
Dump successfully written, xrefs: 00007FF711D41338
-, xrefs: 00007FF711D41168
-, xrefs: 00007FF711D41110
-, xrefs: 00007FF711D41194
-, xrefs: 00007FF711D4113C
--full, xrefs: 00007FF711D411A8
minidump, xrefs: 00007FF711D41267
--name, xrefs: 00007FF711D410B8
-, xrefs: 00007FF711D41215
--verbose, xrefs: 00007FF711D41226

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
API String ID: 2647627392-2367407095
Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction ID: 19371f5b3bc1c53b9409bd0e132ac0f7b115cca4526d5a4f7d05131b67c1046e
Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction Fuzzy Hash: 59A16471E0CE8A45FF61AB31A481279A6ACAB45774F8441B1C9CD4AD95DEBCF44CC320

Function 00007FF711D427EC Relevance: 13.6, APIs: 9, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF711D42800

Part of subcall function 00007FF711D42B8C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF711D42BAE

__scrt_release_startup_lock.LIBCMT ref: 00007FF711D42883
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D428D1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D428D6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D428DE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D428E6
__scrt_is_managed_app.LIBCMT ref: 00007FF711D428FA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D42908
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D42962

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2308368977-0
Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction ID: 9f49e9c8a4c7c4556efebd617faa4ed3b0b95d153924ba6d4b4d9ecb590d5034
Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction Fuzzy Hash: E0314D31A0CA4B41FB14BB65A4553B99298AF417A4FC440B4E6CD0FFA7DEACA84CC270

Function 00007FF711D41450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41475
fprintf.MSPDB140-MSVCRT ref: 00007FF711D41485

Part of subcall function 00007FF711D41010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41494
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414B3
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414BE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414C7

Strings

[createdump] , xrefs: 00007FF711D4147E

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction ID: 0368ec2a23ce3859e314efbfb548fc0ecd61c777eeede80add32a40e80e74958
Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction Fuzzy Hash: 1F012C31A08F5582E700AB91F88516AE368EB84BE5F804575DA8E07F659F7CD459C710

Non-executed Functions

Function 00007FF711D42ECC Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF711D42EE8
RtlCaptureContext.KERNEL32 ref: 00007FF711D42F15
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF711D42F2F
RtlVirtualUnwind.KERNEL32 ref: 00007FF711D42F70
IsDebuggerPresent.KERNEL32 ref: 00007FF711D42FC4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF711D42FE5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF711D42FF0

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction ID: ec19c28ceb24cc750e7506ec980d0a102a6a56578fd816c33d5556401434ac3b
Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction Fuzzy Hash: FB314F72618F8586EB60AF60E8403E9B369FB84754F844439DB8E4BE98DF78D54CC720

Function 00007FF711D43074 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction ID: 51b86fb350cf8dd8d26872130dde96725114492848c9cd71e387f48ad2d646ed
Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction Fuzzy Hash: 23A0023191CC7AE0E754AF54E855131A378FF50360BC005B1E08D49CA09FBCA44CD320

Function 00007FF711D423C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF711D4242D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF711D4243B

Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41475
Part of subcall function 00007FF711D41450: fprintf.MSPDB140-MSVCRT ref: 00007FF711D41485
Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41494
Part of subcall function 00007FF711D41450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414B3
Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414BE
Part of subcall function 00007FF711D41450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414C7

K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF711D42466
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF711D42470
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF711D42487
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF711D425F3

Strings

Invalid process id '%d' error %d, xrefs: 00007FF711D42447
Invalid dump path '%s' error %d, xrefs: 00007FF711D4252C
Get process name FAILED %d, xrefs: 00007FF711D42478
Writing %s to file %s, xrefs: 00007FF711D424C3
Write dump FAILED 0x%08x, xrefs: 00007FF711D4258E

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
API String ID: 3971781330-1292085346
Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction ID: 66079c688fe5392d5e9a8a713c68318ccfbbffb5c7f9a893b20ca9739b8df5fc
Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction Fuzzy Hash: 19617331608E4681E720AB15F45067AE765FB857F0F900170DADE0BEA5DFBCE449D750

Function 00007FF711D449A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF711D44B42
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF711D44E65
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D44E7B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D44E93
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D44E99

Strings

csm, xrefs: 00007FF711D44A89
csm, xrefs: 00007FF711D44AEB
csm, xrefs: 00007FF711D44B69

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 695522112-393685449
Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction ID: ed7409409caebb5116ac05bd4067bc61f4d27d696a01fba9b2ece11a196869d1
Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction Fuzzy Hash: D4E1A472908E8A8AE720EF24D4403ADB7A8FB44B68F944175DACD4BF55DF78E489C710

Function 00007FF711D413C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D413E5
fprintf.MSPDB140-MSVCRT ref: 00007FF711D413F5

Part of subcall function 00007FF711D41010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41404
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41423
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D4142E
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41437

Strings

[createdump] , xrefs: 00007FF711D413EE

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction ID: e23d958b7ba3ff494718c101d9bbb7c25cc4dbfb7ca6c60b678fe6f050ccaadd
Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction Fuzzy Hash: 4D017C31A08F4582E700AB90F8851AAA368EB84BE0F804134DA8D07F658FBCD498C310

Function 00007FF711D41800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF711D4186C

Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41475
Part of subcall function 00007FF711D41450: fprintf.MSPDB140-MSVCRT ref: 00007FF711D41485
Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41494
Part of subcall function 00007FF711D41450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414B3
Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414BE
Part of subcall function 00007FF711D41450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414C7

Strings

%%%%%%%%, xrefs: 00007FF711D41890
Pipe syntax in dump name not supported, xrefs: 00007FF711D41850
%%%%%%%%, xrefs: 00007FF711D41D5C
--name, xrefs: 00007FF711D4180A
Invalid dump name format char '%c', xrefs: 00007FF711D41DD0

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
API String ID: 3378602911-3973674938
Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction ID: d0678273a37bf1c376a324e32733b8cf27d8c98ff5b84a070ab64a04460fa740
Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction Fuzzy Hash: 2931F672B08E8856E759AF29A8547F9A759BB45394FC400B2DDCD0BE91CFBCE049C310

Function 00007FF711D46498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF711D4669F,?,?,?,00007FF711D4441E,?,?,?,00007FF711D443D9), ref: 00007FF711D4651D
GetLastError.KERNEL32(?,00000000,00007FF711D4669F,?,?,?,00007FF711D4441E,?,?,?,00007FF711D443D9,?,?,?,?,00007FF711D43524), ref: 00007FF711D4652B
LoadLibraryExW.KERNEL32(?,00000000,00007FF711D4669F,?,?,?,00007FF711D4441E,?,?,?,00007FF711D443D9,?,?,?,?,00007FF711D43524), ref: 00007FF711D46555
FreeLibrary.KERNEL32(?,00000000,00007FF711D4669F,?,?,?,00007FF711D4441E,?,?,?,00007FF711D443D9,?,?,?,?,00007FF711D43524), ref: 00007FF711D4659B
GetProcAddress.KERNEL32(?,00000000,00007FF711D4669F,?,?,?,00007FF711D4441E,?,?,?,00007FF711D443D9,?,?,?,?,00007FF711D43524), ref: 00007FF711D465A7

Strings

api-ms-, xrefs: 00007FF711D4653D

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction ID: 8cd17d04012dbddafd07165388915806d0f361203d6a55e9fd28d9e0a452d16b
Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction Fuzzy Hash: 4531A531A19E46C1EF11BB02A800575A298FF09BB0F994675DD9E4EF84DFBCF4488360

Function 00007FF711D41B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF711D41B1D

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF711D41DB2
%%%%%%%%, xrefs: 00007FF711D41D5C

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: _time64
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 1670930206-4114407318
Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction ID: e89c17eff18c4c3a935a99457bf8746425791893638ced8b70d21ab0d5d04f02
Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction Fuzzy Hash: 0851C372B18F8986EB009B38E4803A9A769EB417E0F800175DADD1BFA5DF7CE049D750

Function 00007FF711D44EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EncodePointer.KERNEL32 ref: 00007FF711D44F10
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D45189

Strings

MOC, xrefs: 00007FF711D44F24
RCC, xrefs: 00007FF711D44F2C

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: EncodePointerabort
String ID: MOC$RCC
API String ID: 1188231555-2084237596
Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction ID: bdd426cc407bc7e7e18a82f643f936e4bc3cb9d7c1862a831743a59bc323130d
Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction Fuzzy Hash: 8A91D273A08B9A8AE710DB64E8802ADB7A4F744798F944139EF8D1BF54DF78D199C700

Function 00007FF711D45414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF711D4543E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D456A2

Strings

csm, xrefs: 00007FF711D45463
csm, xrefs: 00007FF711D455D2

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction ID: 94200491e2040dcacf84af29f8ce28e81f67c304d04820d584bf996c0927e71b
Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction Fuzzy Hash: BE71C332608A868ADB20AF25E04077DBBA5FB40BA9FC481B5DACD4BE85CF7CD455C750

Function 00007FF711D4195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF711D41DB2
%%%%%%%%, xrefs: 00007FF711D41D5C

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID:
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 0-4114407318
Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction ID: 3769d4cb9f6c72ac1dbeebca4d1241f48f16a0759b6d60aecd7104a4e1615fbb
Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction Fuzzy Hash: 7551C472B18B8946E700DB39E4407AAA799EB817E0F800175EADD1BF99CF7DE045D710

Function 00007FF711D45860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF711D4590A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF711D45936

Strings

csm, xrefs: 00007FF711D45A36

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction ID: 2601860be2a1fde14c58285f79382ef93a3f00540f48efd3f7eeeec725c6c786
Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction Fuzzy Hash: 8F513D72618B8A86D720AB15F44126EB7B8F789BA4F540174DBCD0BF55CFB8E4A4CB10

Function 00007FF711D417E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59networkCOMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF711D417EB
WSAStartup.WS2_32 ref: 00007FF711D4186C

Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41475
Part of subcall function 00007FF711D41450: fprintf.MSPDB140-MSVCRT ref: 00007FF711D41485
Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D41494
Part of subcall function 00007FF711D41450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414B3
Part of subcall function 00007FF711D41450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414BE
Part of subcall function 00007FF711D41450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF711D414C7

Strings

string too long, xrefs: 00007FF711D417E4
Pipe syntax in dump name not supported, xrefs: 00007FF711D41850
--name, xrefs: 00007FF711D4180A

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
String ID: --name$Pipe syntax in dump name not supported$string too long
API String ID: 1412700758-3183687674
Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction ID: 344d2ee405aeeaaccdfab0b9adc2ea21d7edce16aa6fa702626be4135f8c7177
Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction Fuzzy Hash: 6A01B932B18D8595F761AF22EC417E6A354BB487B4F840075DE8C0AE51CE7CD48AC710

Function 00007FF711D41CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 00007FF711D41CFA
WSAGetLastError.WS2_32 ref: 00007FF711D41DA9

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF711D41DB2
%%%%%%%%, xrefs: 00007FF711D41D5C

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: ErrorLastgethostname
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 3782448640-4114407318
Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction ID: 16dc5e10619e19b7d936cb6c420d2018d38c253ce67fe26a30071ab9d3bc351a
Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction Fuzzy Hash: 5711EB31A0994A45F744BB21B4503FAA2489F857B4F801275D9DF1FED6DE7CE04A8360

Function 00007FF711D44158 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF711D441B8

Strings

RCC, xrefs: 00007FF711D44168
csm, xrefs: 00007FF711D44178
MOC, xrefs: 00007FF711D44170

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction ID: c994f50cf7ff66f224024cde09d41f3ac9e61ca0428ba3ab77054e77f7cff2eb
Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction Fuzzy Hash: 24F08136A08A4E91E3647B51B14506CB668EF58B54F8851B1D7890EE52CFFCE4E4C611

Function 00007FF711D420C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF711D418EE), ref: 00007FF711D421E0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF711D4221E

Strings

Invalid process id '%d' error %d, xrefs: 00007FF711D42447

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Invalid process id '%d' error %d
API String ID: 73155330-4244389950
Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction ID: 057e6974dd245df7093cf63f255207e6cedee16e318217df050e9811a81c6c20
Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction Fuzzy Hash: EF31D636709B8985EB10AF15A5442A9E369AB05BF0F940671DBDD0BFD5CEBCE0588320

Function 00007FF711D43F84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF711D4173F), ref: 00007FF711D43FC8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF711D4173F), ref: 00007FF711D4400E

Strings

csm, xrefs: 00007FF711D43FFB

Memory Dump Source

Source File: 00000007.00000002.1849860772.00007FF711D41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF711D40000, based on PE: true

Associated: 00000007.00000002.1849643317.00007FF711D40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849938426.00007FF711D48000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1849974830.00007FF711D4C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1850010042.00007FF711D4D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff711d40000_createdump.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction ID: 2fbd125e4270b2fa4b5c4f55f0b050274a9b6fb4a7867228b3fcabd9488578ce
Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction Fuzzy Hash: CF113D32618F9592EB209B19F440269B7A4FB88B94F584270EECD0BF58DF7DD559CB00

Analysis Process: obs-ffmpeg-mux.exePID: 7152, Parent PID: 1196COMMON

Non-executed Functions

Function 00007FFE0037B840 Relevance: 372.3, APIs: 121, Strings: 91, Instructions: 1269libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFE0037B86D
free.MSVCRT ref: 00007FFE0037B876
calloc.MSVCRT ref: 00007FFE0037B885
MultiByteToWideChar.KERNEL32 ref: 00007FFE0037B8C8
MultiByteToWideChar.KERNEL32 ref: 00007FFE0037B90A
GetModuleHandleW.KERNEL32 ref: 00007FFE0037B913
GetProcAddress.KERNEL32 ref: 00007FFE0037B92A
LoadLibraryExW.KERNEL32 ref: 00007FFE0037B940
_aligned_free.MSVCRT ref: 00007FFE0037B94C
GetProcAddress.KERNEL32 ref: 00007FFE0037B98A
GetProcAddress.KERNEL32 ref: 00007FFE0037B9C1
GetProcAddress.KERNEL32 ref: 00007FFE0037B9F9
GetProcAddress.KERNEL32 ref: 00007FFE0037BA31
GetProcAddress.KERNEL32 ref: 00007FFE0037BA69
GetProcAddress.KERNEL32 ref: 00007FFE0037BAA1
GetProcAddress.KERNEL32 ref: 00007FFE0037BAD9
GetProcAddress.KERNEL32 ref: 00007FFE0037BB11
GetProcAddress.KERNEL32 ref: 00007FFE0037BB49
GetProcAddress.KERNEL32 ref: 00007FFE0037BB81
GetProcAddress.KERNEL32 ref: 00007FFE0037BBB9
GetProcAddress.KERNEL32 ref: 00007FFE0037BBF1
GetProcAddress.KERNEL32 ref: 00007FFE0037BC29
GetProcAddress.KERNEL32 ref: 00007FFE0037BC61
GetProcAddress.KERNEL32 ref: 00007FFE0037BC99
GetProcAddress.KERNEL32 ref: 00007FFE0037BCD1
GetProcAddress.KERNEL32 ref: 00007FFE0037BD0C
GetProcAddress.KERNEL32 ref: 00007FFE0037BD47
GetProcAddress.KERNEL32 ref: 00007FFE0037BD82
GetProcAddress.KERNEL32 ref: 00007FFE0037BDBD
GetProcAddress.KERNEL32 ref: 00007FFE0037BDF8
GetProcAddress.KERNEL32 ref: 00007FFE0037BE33
GetProcAddress.KERNEL32 ref: 00007FFE0037BE6E
GetProcAddress.KERNEL32 ref: 00007FFE0037BEA9
GetProcAddress.KERNEL32 ref: 00007FFE0037BEE4
GetProcAddress.KERNEL32 ref: 00007FFE0037BF1F
GetProcAddress.KERNEL32 ref: 00007FFE0037BF5A
GetProcAddress.KERNEL32 ref: 00007FFE0037BF95
GetProcAddress.KERNEL32 ref: 00007FFE0037BFD0
GetProcAddress.KERNEL32 ref: 00007FFE0037C00B
GetProcAddress.KERNEL32 ref: 00007FFE0037C046
GetProcAddress.KERNEL32 ref: 00007FFE0037C081
GetProcAddress.KERNEL32 ref: 00007FFE0037C0BC
GetProcAddress.KERNEL32 ref: 00007FFE0037C0F7
GetProcAddress.KERNEL32 ref: 00007FFE0037C132
GetProcAddress.KERNEL32 ref: 00007FFE0037C16D
GetProcAddress.KERNEL32 ref: 00007FFE0037C1A8
GetProcAddress.KERNEL32 ref: 00007FFE0037C1E3
GetProcAddress.KERNEL32 ref: 00007FFE0037C21E
GetProcAddress.KERNEL32 ref: 00007FFE0037C259
GetProcAddress.KERNEL32 ref: 00007FFE0037C294
GetProcAddress.KERNEL32 ref: 00007FFE0037C2CF
GetProcAddress.KERNEL32 ref: 00007FFE0037C30A
GetProcAddress.KERNEL32 ref: 00007FFE0037C345
GetProcAddress.KERNEL32 ref: 00007FFE0037C380
GetProcAddress.KERNEL32 ref: 00007FFE0037C3BB
GetProcAddress.KERNEL32 ref: 00007FFE0037C3F6
GetProcAddress.KERNEL32 ref: 00007FFE0037C431
GetProcAddress.KERNEL32 ref: 00007FFE0037C46C
GetProcAddress.KERNEL32 ref: 00007FFE0037C4A7
GetProcAddress.KERNEL32 ref: 00007FFE0037C4E2
GetProcAddress.KERNEL32 ref: 00007FFE0037C51D
GetProcAddress.KERNEL32 ref: 00007FFE0037C558
GetProcAddress.KERNEL32 ref: 00007FFE0037C593
GetProcAddress.KERNEL32 ref: 00007FFE0037C5CE
GetProcAddress.KERNEL32 ref: 00007FFE0037C609
GetProcAddress.KERNEL32 ref: 00007FFE0037C644
GetProcAddress.KERNEL32 ref: 00007FFE0037C67F
GetProcAddress.KERNEL32 ref: 00007FFE0037C6BA
GetProcAddress.KERNEL32 ref: 00007FFE0037C6F5
GetProcAddress.KERNEL32 ref: 00007FFE0037C730
GetProcAddress.KERNEL32 ref: 00007FFE0037C76B
GetProcAddress.KERNEL32 ref: 00007FFE0037C7A6
GetProcAddress.KERNEL32 ref: 00007FFE0037C7DE
GetProcAddress.KERNEL32 ref: 00007FFE0037C819
GetProcAddress.KERNEL32 ref: 00007FFE0037C854
GetProcAddress.KERNEL32 ref: 00007FFE0037C88F
GetProcAddress.KERNEL32 ref: 00007FFE0037C8CA
GetProcAddress.KERNEL32 ref: 00007FFE0037C905
GetProcAddress.KERNEL32 ref: 00007FFE0037C940
GetProcAddress.KERNEL32 ref: 00007FFE0037C97B
GetProcAddress.KERNEL32 ref: 00007FFE0037C9B6
GetProcAddress.KERNEL32 ref: 00007FFE0037C9F1
GetProcAddress.KERNEL32 ref: 00007FFE0037CA2C
GetProcAddress.KERNEL32 ref: 00007FFE0037CA67
GetProcAddress.KERNEL32 ref: 00007FFE0037CAA2
GetProcAddress.KERNEL32 ref: 00007FFE0037CADD
GetProcAddress.KERNEL32 ref: 00007FFE0037CB18
GetProcAddress.KERNEL32 ref: 00007FFE0037CB53
GetProcAddress.KERNEL32 ref: 00007FFE0037CB8E
GetProcAddress.KERNEL32 ref: 00007FFE0037CBC9
GetProcAddress.KERNEL32 ref: 00007FFE0037CC04
GetProcAddress.KERNEL32 ref: 00007FFE0037CC3F
GetProcAddress.KERNEL32 ref: 00007FFE0037CC7A
_errno.MSVCRT ref: 00007FFE0037CCBA
GetModuleHandleW.KERNEL32 ref: 00007FFE0037CCD7
GetProcAddress.KERNEL32 ref: 00007FFE0037CCEE
LoadLibraryExA.KERNEL32 ref: 00007FFE0037CD08
FreeLibrary.KERNEL32 ref: 00007FFE0037CD4B
free.MSVCRT ref: 00007FFE0037CD54
_aligned_free.MSVCRT ref: 00007FFE0037D0AA
_aligned_free.MSVCRT ref: 00007FFE0037D0B1

Strings

cuCtxGetDevice, xrefs: 00007FFE0037BFC9, 00007FFE0037BFD2
cuLinkAddData, xrefs: 00007FFE0037C3EF, 00007FFE0037C3F8
cuD3D11GetDevice, xrefs: 00007FFE0037CBFD, 00007FFE0037CC06
cuMemcpy, xrefs: 00007FFE0037BD05, 00007FFE0037BD0E
cuImportExternalSemaphore, xrefs: 00007FFE0037C939, 00007FFE0037C942
cuArray3DCreate_v2, xrefs: 00007FFE0037CA60, 00007FFE0037CA69
cuStreamCreate, xrefs: 00007FFE0037C12B, 00007FFE0037C134
cuStreamAddCallback, xrefs: 00007FFE0037C217, 00007FFE0037C220
cuGraphicsSubResourceGetMappedArray, xrefs: 00007FFE0037C729, 00007FFE0037C732
cuEGLStreamProducerDisconnect, xrefs: 00007FFE0037CB11, 00007FFE0037CB1A
cuDestroyExternalSemaphore, xrefs: 00007FFE0037C974, 00007FFE0037C97D
SetDefaultDllDirectories, xrefs: 00007FFE0037B920, 00007FFE0037CCE4
cuDevicePrimaryCtxReset, xrefs: 00007FFE0037C0F0, 00007FFE0037C0F9
cuDeviceGet, xrefs: 00007FFE0037B9F2, 00007FFE0037B9FB
cuMemAllocPitch_v2, xrefs: 00007FFE0037BC22, 00007FFE0037BC2B
cuEventRecord, xrefs: 00007FFE0037C33E, 00007FFE0037C347
cuDeviceGetCount, xrefs: 00007FFE0037B9BA, 00007FFE0037B9C3
cuInit, xrefs: 00007FFE0037B983, 00007FFE0037B98C
cuLinkCreate, xrefs: 00007FFE0037C3B4, 00007FFE0037C3BD
cuMipmappedArrayGetLevel, xrefs: 00007FFE0037C8C3, 00007FFE0037C8CC
cuGraphicsGLRegisterImage, xrefs: 00007FFE0037C63D, 00007FFE0037C646
cuEGLStreamProducerPresentFrame, xrefs: 00007FFE0037CB87, 00007FFE0037CB90
cuDeviceComputeCapability, xrefs: 00007FFE0037BA9A, 00007FFE0037BAA3
cuGraphicsUnregisterResource, xrefs: 00007FFE0037C678, 00007FFE0037C681
Loaded lib: %s, xrefs: 00007FFE0037B968
cuMemsetD8Async, xrefs: 00007FFE0037BC92, 00007FFE0037BC9B
cuMemcpy2D_v2, xrefs: 00007FFE0037BD7B, 00007FFE0037BD84
cuModuleGetFunction, xrefs: 00007FFE0037C516, 00007FFE0037C51F
cuCtxCreate_v2, xrefs: 00007FFE0037BAD2, 00007FFE0037BADB
cuGraphicsResourceGetMappedPointer_v2, xrefs: 00007FFE0037C764, 00007FFE0037C76D
cuMemFree_v2, xrefs: 00007FFE0037BCCA, 00007FFE0037BCD3
cuGetErrorString, xrefs: 00007FFE0037BF8E, 00007FFE0037BF97
cuGraphicsD3D11RegisterResource, xrefs: 00007FFE0037CC73, 00007FFE0037CC7C
cuExternalMemoryGetMappedMipmappedArray, xrefs: 00007FFE0037C888, 00007FFE0037C891
cuGLGetDevices_v2, xrefs: 00007FFE0037C602, 00007FFE0037C60B
cuStreamQuery, xrefs: 00007FFE0037C166, 00007FFE0037C16F
cuStreamDestroy_v2, xrefs: 00007FFE0037C1DC, 00007FFE0037C1E5
cuGraphicsMapResources, xrefs: 00007FFE0037C6B3, 00007FFE0037C6BC
Loaded sym: %s, xrefs: 00007FFE0037B99F, 00007FFE0037B9D7, 00007FFE0037BA0F, 00007FFE0037BA47, 00007FFE0037BA7F, 00007FFE0037BAB7, 00007FFE0037BAEF, 00007FFE0037BB27, 00007FFE0037BB5F, 00007FFE0037BB97, 00007FFE0037BBCF, 00007FFE0037BC07, 00007FFE0037BC3F, 00007FFE0037BC77, 00007FFE0037BCAF, 00007FFE0037BCEA, 00007FFE0037BD25, 00007FFE0037BD60, 00007FFE0037BD9B, 00007FFE0037BDD6, 00007FFE0037BE11, 00007FFE0037BE4C, 00007FFE0037BE87, 00007FFE0037BEC2, 00007FFE0037BEFD, 00007FFE0037BF38, 00007FFE0037BF73, 00007FFE0037BFAE, 00007FFE0037BFE9, 00007FFE0037C024, 00007FFE0037C05F, 00007FFE0037C09A, 00007FFE0037C0D5, 00007FFE0037C110, 00007FFE0037C14B, 00007FFE0037C186, 00007FFE0037C1C1, 00007FFE0037C1FC, 00007FFE0037C237, 00007FFE0037C272, 00007FFE0037C2AD, 00007FFE0037C2E8, 00007FFE0037C323, 00007FFE0037C35E, 00007FFE0037C399, 00007FFE0037C3D4, 00007FFE0037C40F, 00007FFE0037C44A, 00007FFE0037C485, 00007FFE0037C4C0, 00007FFE0037C4FB, 00007FFE0037C536, 00007FFE0037C571, 00007FFE0037C5AC, 00007FFE0037C5E7, 00007FFE0037C622, 00007FFE0037C65D, 00007FFE0037C698, 00007FFE0037C6D3, 00007FFE0037C70E, 00007FFE0037C749, 00007FFE0037C784, 00007FFE0037C7BC, 00007FFE0037C7F7, 00007FFE0037C832, 00007FFE0037C86D, 00007FFE0037C8A8, 00007FFE0037C8E3, 00007FFE0037C91E, 00007FFE0037C959, 00007FFE0037C994, 00007FFE0037C9CF, 00007FFE0037CA0A, 00007FFE0037CA45, 00007FFE0037CA80, 00007FFE0037CABB, 00007FFE0037CAF6, 00007FFE0037CB31, 00007FFE0037CB6C, 00007FFE0037CBA7, 00007FFE0037CBE2, 00007FFE0037CC1D, 00007FFE0037CC58, 00007FFE0037CC93
cuEventDestroy_v2, xrefs: 00007FFE0037C28D, 00007FFE0037C296
cuMemcpyHtoD_v2, xrefs: 00007FFE0037BDF1, 00007FFE0037BDFA
cuArrayCreate_v2, xrefs: 00007FFE0037CA25, 00007FFE0037CA2E
cuEGLStreamProducerConnect, xrefs: 00007FFE0037CAD6, 00007FFE0037CADF
cuCtxDestroy_v2, xrefs: 00007FFE0037BBB2, 00007FFE0037BBBB
cuGetErrorName, xrefs: 00007FFE0037BF53, 00007FFE0037BF5C
cuLinkComplete, xrefs: 00007FFE0037C42A, 00007FFE0037C433
cuGraphicsUnmapResources, xrefs: 00007FFE0037C6EE, 00007FFE0037C6F7
cuModuleLoadData, xrefs: 00007FFE0037C4A0, 00007FFE0037C4A9
cuMemcpyDtoD_v2, xrefs: 00007FFE0037BEDD, 00007FFE0037BEE6
cuTexObjectCreate, xrefs: 00007FFE0037C58C, 00007FFE0037C595
cuEGLStreamConsumerDisconnect, xrefs: 00007FFE0037CB4C, 00007FFE0037CB55
cuModuleGetGlobal, xrefs: 00007FFE0037C551, 00007FFE0037C55A
cuMemcpyDtoDAsync_v2, xrefs: 00007FFE0037BF18, 00007FFE0037BF21
cuD3D11GetDevices, xrefs: 00007FFE0037CC38, 00007FFE0037CC41
cuEventQuery, xrefs: 00007FFE0037C303, 00007FFE0037C30C
cuCtxPopCurrent_v2, xrefs: 00007FFE0037BB7A, 00007FFE0037BB83
cuMemcpyDtoHAsync_v2, xrefs: 00007FFE0037BEA2, 00007FFE0037BEAB
cuTexObjectDestroy, xrefs: 00007FFE0037C5C7, 00007FFE0037C5D0
cuMemAlloc_v2, xrefs: 00007FFE0037BBEA, 00007FFE0037BBF3
Cannot load optional %s, xrefs: 00007FFE0037CD70, 00007FFE0037CD90, 00007FFE0037CDB0, 00007FFE0037CDD0, 00007FFE0037CDF0, 00007FFE0037CE10, 00007FFE0037CE30, 00007FFE0037CE50, 00007FFE0037CE70, 00007FFE0037CE90, 00007FFE0037CEB0, 00007FFE0037CED0, 00007FFE0037CEF0, 00007FFE0037CF10, 00007FFE0037CF30, 00007FFE0037CF50
cuArrayDestroy, xrefs: 00007FFE0037CA9B, 00007FFE0037CAA4
cuDestroyExternalMemory, xrefs: 00007FFE0037C812, 00007FFE0037C81B
cuModuleUnload, xrefs: 00007FFE0037C4DB, 00007FFE0037C4E4
cuExternalMemoryGetMappedBuffer, xrefs: 00007FFE0037C84D, 00007FFE0037C856
nvcuda.dll, xrefs: 00007FFE0037B8C1, 00007FFE0037B8F9, 00007FFE0037B961, 00007FFE0037CD01, 00007FFE0037D0C1
cuDevicePrimaryCtxSetFlags, xrefs: 00007FFE0037C07A, 00007FFE0037C083
cuDevicePrimaryCtxRetain, xrefs: 00007FFE0037C004, 00007FFE0037C00D
cuDevicePrimaryCtxGetState, xrefs: 00007FFE0037C0B5, 00007FFE0037C0BE
cuLinkDestroy, xrefs: 00007FFE0037C465, 00007FFE0037C46E
cuMemcpyDtoH_v2, xrefs: 00007FFE0037BE67, 00007FFE0037BE70
cuMemcpy2DAsync_v2, xrefs: 00007FFE0037BDB6, 00007FFE0037BDBF
cuSignalExternalSemaphoresAsync, xrefs: 00007FFE0037C9AF, 00007FFE0037C9B8
cuLaunchKernel, xrefs: 00007FFE0037C379, 00007FFE0037C382
cuDeviceGetAttribute, xrefs: 00007FFE0037BA2A, 00007FFE0037BA33
cuDevicePrimaryCtxRelease, xrefs: 00007FFE0037C03F, 00007FFE0037C048
kernel32.dll, xrefs: 00007FFE0037B90C, 00007FFE0037CCD0
cuMemAllocManaged, xrefs: 00007FFE0037BC5A, 00007FFE0037BC63
cuWaitExternalSemaphoresAsync, xrefs: 00007FFE0037C9EA, 00007FFE0037C9F3
cuEventSynchronize, xrefs: 00007FFE0037C2C8, 00007FFE0037C2D1
cuStreamSynchronize, xrefs: 00007FFE0037C1A1, 00007FFE0037C1AA
cuMemcpyAsync, xrefs: 00007FFE0037BD40, 00007FFE0037BD49
cuDeviceGetUuid, xrefs: 00007FFE0037C79F, 00007FFE0037C7A8
cuDeviceGetName, xrefs: 00007FFE0037BA62, 00007FFE0037BA6B
cuEventCreate, xrefs: 00007FFE0037C252, 00007FFE0037C25B
cuMemcpyHtoDAsync_v2, xrefs: 00007FFE0037BE2C, 00007FFE0037BE35
cuCtxPushCurrent_v2, xrefs: 00007FFE0037BB42, 00007FFE0037BB4B
cuImportExternalMemory, xrefs: 00007FFE0037C7D7, 00007FFE0037C7E0
Cannot load %s, xrefs: 00007FFE0037CD20, 00007FFE0037D0C8
cuCtxSetLimit, xrefs: 00007FFE0037BB0A, 00007FFE0037BB13
cuMipmappedArrayDestroy, xrefs: 00007FFE0037C8FE, 00007FFE0037C907
cuEGLStreamProducerReturnFrame, xrefs: 00007FFE0037CBC2, 00007FFE0037CBCB

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: AddressProc$Library$_aligned_free$ByteCharFreeHandleLoadModuleMultiWidefree$_errnocalloc
String ID: Cannot load %s$Cannot load optional %s$Loaded lib: %s$Loaded sym: %s$SetDefaultDllDirectories$cuArray3DCreate_v2$cuArrayCreate_v2$cuArrayDestroy$cuCtxCreate_v2$cuCtxDestroy_v2$cuCtxGetDevice$cuCtxPopCurrent_v2$cuCtxPushCurrent_v2$cuCtxSetLimit$cuD3D11GetDevice$cuD3D11GetDevices$cuDestroyExternalMemory$cuDestroyExternalSemaphore$cuDeviceComputeCapability$cuDeviceGet$cuDeviceGetAttribute$cuDeviceGetCount$cuDeviceGetName$cuDeviceGetUuid$cuDevicePrimaryCtxGetState$cuDevicePrimaryCtxRelease$cuDevicePrimaryCtxReset$cuDevicePrimaryCtxRetain$cuDevicePrimaryCtxSetFlags$cuEGLStreamConsumerDisconnect$cuEGLStreamProducerConnect$cuEGLStreamProducerDisconnect$cuEGLStreamProducerPresentFrame$cuEGLStreamProducerReturnFrame$cuEventCreate$cuEventDestroy_v2$cuEventQuery$cuEventRecord$cuEventSynchronize$cuExternalMemoryGetMappedBuffer$cuExternalMemoryGetMappedMipmappedArray$cuGLGetDevices_v2$cuGetErrorName$cuGetErrorString$cuGraphicsD3D11RegisterResource$cuGraphicsGLRegisterImage$cuGraphicsMapResources$cuGraphicsResourceGetMappedPointer_v2$cuGraphicsSubResourceGetMappedArray$cuGraphicsUnmapResources$cuGraphicsUnregisterResource$cuImportExternalMemory$cuImportExternalSemaphore$cuInit$cuLaunchKernel$cuLinkAddData$cuLinkComplete$cuLinkCreate$cuLinkDestroy$cuMemAllocManaged$cuMemAllocPitch_v2$cuMemAlloc_v2$cuMemFree_v2$cuMemcpy$cuMemcpy2DAsync_v2$cuMemcpy2D_v2$cuMemcpyAsync$cuMemcpyDtoDAsync_v2$cuMemcpyDtoD_v2$cuMemcpyDtoHAsync_v2$cuMemcpyDtoH_v2$cuMemcpyHtoDAsync_v2$cuMemcpyHtoD_v2$cuMemsetD8Async$cuMipmappedArrayDestroy$cuMipmappedArrayGetLevel$cuModuleGetFunction$cuModuleGetGlobal$cuModuleLoadData$cuModuleUnload$cuSignalExternalSemaphoresAsync$cuStreamAddCallback$cuStreamCreate$cuStreamDestroy_v2$cuStreamQuery$cuStreamSynchronize$cuTexObjectCreate$cuTexObjectDestroy$cuWaitExternalSemaphoresAsync$kernel32.dll$nvcuda.dll
API String ID: 3405737670-3447704524
Opcode ID: 4af3281c0e25db81b3078cec52e73783fda2d96fdf649ea0d565a5970141e5c3
Instruction ID: 2dba28503b40346a907d36d6a040c04fc34e1ea6661a66a098219dae4f7d73b8
Opcode Fuzzy Hash: 4af3281c0e25db81b3078cec52e73783fda2d96fdf649ea0d565a5970141e5c3
Instruction Fuzzy Hash: 61D2E664B1AB4791EA12EF21E8602FD23A5EF95744FC45436DA0D0B3B9EE3CE909C354

Function 00007FFE0037FDF0 Relevance: 140.7, APIs: 62, Strings: 18, Instructions: 667libraryloaderCOMMON

Download Yara Rule

APIs

atoi.MSVCRT ref: 00007FFE0037FE1E
MultiByteToWideChar.KERNEL32 ref: 00007FFE0037FE84
MultiByteToWideChar.KERNEL32 ref: 00007FFE0037FEC6
GetProcAddress.KERNEL32 ref: 00007FFE0037FEEE
LoadLibraryExW.KERNEL32 ref: 00007FFE0037FF04
_aligned_free.MSVCRT ref: 00007FFE0037FF12
MultiByteToWideChar.KERNEL32 ref: 00007FFE0037FF50
MultiByteToWideChar.KERNEL32 ref: 00007FFE0037FF9A
GetProcAddress.KERNEL32 ref: 00007FFE0037FFB4
LoadLibraryExW.KERNEL32 ref: 00007FFE0037FFCA
_aligned_free.MSVCRT ref: 00007FFE0037FFD6
GetProcAddress.KERNEL32 ref: 00007FFE0037FFF2
GetProcAddress.KERNEL32 ref: 00007FFE003800D6
GetDesktopWindow.USER32 ref: 00007FFE0038014A
_errno.MSVCRT ref: 00007FFE00380220
GetProcAddress.KERNEL32 ref: 00007FFE00380256
LoadLibraryExA.KERNEL32 ref: 00007FFE00380270
_errno.MSVCRT ref: 00007FFE0038027B
GetProcAddress.KERNEL32 ref: 00007FFE003802A8
_aligned_free.MSVCRT ref: 00007FFE003802B5
_aligned_free.MSVCRT ref: 00007FFE003802BC
GetProcAddress.KERNEL32 ref: 00007FFE00380398
GetDesktopWindow.USER32 ref: 00007FFE003803EB

Strings

&, xrefs: 00007FFE00380408
Using D3D9Ex device., xrefs: 00007FFE0038019A
Direct3DCreate9, xrefs: 00007FFE0038030F
Failed to locate DXVA2CreateDirect3DDeviceManager9, xrefs: 00007FFE0038094E
Direct3DCreate9Ex, xrefs: 00007FFE00380011
d3d9.dll, xrefs: 00007FFE0037FE5A, 00007FFE0037FEB5, 00007FFE00380269
Failed to load DXVA2 library, xrefs: 00007FFE003802C9
DXVA2CreateDirect3DDeviceManager9, xrefs: 00007FFE0037FFE8
Failed to open device handle, xrefs: 00007FFE003809A8
Failed to bind Direct3D device to device manager, xrefs: 00007FFE0038096C
dxva2.dll, xrefs: 00007FFE0037FF36, 00007FFE0037FF89, 00007FFE00380598
Failed to create Direct3D device, xrefs: 00007FFE00380425
SetDefaultDllDirectories, xrefs: 00007FFE0037FEE4, 00007FFE0037FFAA, 00007FFE0038024C, 00007FFE0038029E
Failed to create IDirect3D object, xrefs: 00007FFE00380A18
kernel32.dll, xrefs: 00007FFE0037FECF, 00007FFE0037FF9C, 00007FFE00380237, 00007FFE00380290
Failed to locate Direct3DCreate9, xrefs: 00007FFE00380A50
Failed to create Direct3D device manager, xrefs: 00007FFE0038098A
Failed to load D3D9 library, xrefs: 00007FFE003805C5

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: AddressProc$ByteCharMultiWide_aligned_free$LibraryLoad$DesktopWindow_errno$atoi
String ID: &$DXVA2CreateDirect3DDeviceManager9$Direct3DCreate9$Direct3DCreate9Ex$Failed to bind Direct3D device to device manager$Failed to create Direct3D device$Failed to create Direct3D device manager$Failed to create IDirect3D object$Failed to load D3D9 library$Failed to load DXVA2 library$Failed to locate DXVA2CreateDirect3DDeviceManager9$Failed to locate Direct3DCreate9$Failed to open device handle$SetDefaultDllDirectories$Using D3D9Ex device.$d3d9.dll$dxva2.dll$kernel32.dll
API String ID: 1760633067-2418308259
Opcode ID: 1b8f3b45278436593ea4620b683ff6dcafb812b761b95205c1ba724c4eb98057
Instruction ID: b756d19c59e96125ed2fa895097da186088c2a4a0d9d54470c95c83fee6b6cdf
Opcode Fuzzy Hash: 1b8f3b45278436593ea4620b683ff6dcafb812b761b95205c1ba724c4eb98057
Instruction Fuzzy Hash: E5526B21A0DB8281EBA5DB52E4147BE67A1FF84B84F504536EB8D47BA9DF7CE408C740

Function 00007FFE1A503AA7 Relevance: 130.3, APIs: 64, Strings: 10, Instructions: 798COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A503940: av_channel_layout_describe.AVUTIL-58 ref: 00007FFE1A503999
Part of subcall function 00007FFE1A503940: av_log.AVUTIL-58 ref: 00007FFE1A5039B0

av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A503BBE
av_channel_layout_subset.AVUTIL-58 ref: 00007FFE1A503BCF
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A503BDC
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A503C2E
av_channel_layout_subset.AVUTIL-58 ref: 00007FFE1A503C3F
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A503C4C
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A503CA3
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A503CD3
av_channel_layout_from_mask.AVUTIL-58 ref: 00007FFE1A503CE4
av_channel_layout_describe.AVUTIL-58 ref: 00007FFE1A503CF5
av_log.AVUTIL-58 ref: 00007FFE1A503D0C
av_channel_layout_check.AVUTIL-58 ref: 00007FFE1A503D14
av_log.AVUTIL-58 ref: 00007FFE1A503D32
av_channel_layout_describe.AVUTIL-58 ref: 00007FFE1A503D5A
av_log.AVUTIL-58 ref: 00007FFE1A503D71
av_channel_layout_check.AVUTIL-58 ref: 00007FFE1A503D7E
av_log.AVUTIL-58 ref: 00007FFE1A503D9C
av_channel_layout_describe.AVUTIL-58 ref: 00007FFE1A503DCB
av_log.AVUTIL-58 ref: 00007FFE1A503DE2
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A504A05
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A504A0F

Strings

Input channel layout is invalid, xrefs: 00007FFE1A503D1D
Full-on remixing from 22.2 has not yet been implemented! Processing the input as '%s', xrefs: 00007FFE1A503D05
%s: , xrefs: 00007FFE1A50497A
Matrix coefficients:, xrefs: 00007FFE1A504924
src/libswresample/rematrix.c, xrefs: 00007FFE1A503F3B
Input channel layout '%s' is not supported, xrefs: 00007FFE1A503D6A
Output channel layout '%s' is not supported, xrefs: 00007FFE1A503DDB
%s:%f , xrefs: 00007FFE1A5049C3
Output channel layout is invalid, xrefs: 00007FFE1A503D87
Assertion %s failed at %s:%d, xrefs: 00007FFE1A503F52

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_log$av_channel_layout_compareav_channel_layout_describeav_channel_layout_uninit$av_channel_layout_checkav_channel_layout_subset$av_channel_layout_from_mask
String ID: %s: $%s:%f $Assertion %s failed at %s:%d$Full-on remixing from 22.2 has not yet been implemented! Processing the input as '%s'$Input channel layout '%s' is not supported$Input channel layout is invalid$Matrix coefficients:$Output channel layout '%s' is not supported$Output channel layout is invalid$src/libswresample/rematrix.c
API String ID: 2619559304-3174812640
Opcode ID: 5aa9f050ff1bdde174cdacfa5c37e80b8c215c118cb67db339f9d22cf6abd8d3
Instruction ID: 38d5bcb430d9f48aaede874475f59e1343f165014ec5699e28155d614b2f181d
Opcode Fuzzy Hash: 5aa9f050ff1bdde174cdacfa5c37e80b8c215c118cb67db339f9d22cf6abd8d3
Instruction Fuzzy Hash: 82828322F1CF8585E272CE2295103BFA765FF97BA4F5083B3DA4A66566EF3CD0418600

Function 00007FFE1A527508 Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 913COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A5275A4
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52768B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A5276D6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A5276F7
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A527767
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A527779

Strings

protected: , xrefs: 00007FFE1A528248
/, xrefs: 00007FFE1A52801E
}' , xrefs: 00007FFE1A527726, 00007FFE1A527C67
private: , xrefs: 00007FFE1A528216
static , xrefs: 00007FFE1A528122
public: , xrefs: 00007FFE1A52826F
`template static data member destructor helper', xrefs: 00007FFE1A528017
virtual , xrefs: 00007FFE1A528199
`adjustor{, xrefs: 00007FFE1A527C3C
extern "C" , xrefs: 00007FFE1A528336
`vtordispex{, xrefs: 00007FFE1A527B08
`vtordisp{, xrefs: 00007FFE1A527BDD
[thunk]:, xrefs: 00007FFE1A5282E1
`local static destructor helper', xrefs: 00007FFE1A527F96
`template static data member constructor helper', xrefs: 00007FFE1A527FD4

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 2943138195-2884338863
Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
Instruction ID: bf0051866e047ae599fab1da88f18747080293080362949d84405af7ef701cc9
Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
Instruction Fuzzy Hash: 35927132B1CE8286E741CBA5E4802BE77A1FB95764F5011B7FA8D42AA9DF7CD544CB00

Function 00007FFE1A504B4A Relevance: 83.2, APIs: 43, Strings: 4, Instructions: 981COMMON

Download Yara Rule

APIs

av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FFE1A504BAC
av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FFE1A504BC5
av_calloc.AVUTIL-58 ref: 00007FFE1A504C81
av_mallocz.AVUTIL-58 ref: 00007FFE1A504C93
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A504DAC
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A504DF3
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A504E3C
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A504ED5
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A504F19
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505047
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A50508E
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A5050D7
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505170
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A5051B4
av_calloc.AVUTIL-58 ref: 00007FFE1A5052AA
av_mallocz.AVUTIL-58 ref: 00007FFE1A5052BC
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505380
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A5053C7
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505410
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A5054A9
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A5054ED
av_calloc.AVUTIL-58 ref: 00007FFE1A5055E3
av_mallocz.AVUTIL-58 ref: 00007FFE1A5055F5
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A5056BD
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505704
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A50574D
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A5057E6
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A50582A
av_mallocz.AVUTIL-58 ref: 00007FFE1A505918
av_calloc.AVUTIL-58 ref: 00007FFE1A505937
av_freep.AVUTIL-58 ref: 00007FFE1A505963
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505A2C
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505A73
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505ABC
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505B55
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A505B99
av_log.AVUTIL-58 ref: 00007FFE1A505C71
abort.MSVCRT ref: 00007FFE1A505C76
av_get_cpu_flags.AVUTIL-58 ref: 00007FFE1A5072E3
av_calloc.AVUTIL-58 ref: 00007FFE1A507341
av_mallocz.AVUTIL-58 ref: 00007FFE1A507352

Strings

src/libswresample/rematrix.c, xrefs: 00007FFE1A505C4B
?, xrefs: 00007FFE1A505AAA
@, xrefs: 00007FFE1A504C24
Assertion %s failed at %s:%d, xrefs: 00007FFE1A505C62

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_compare$av_callocav_mallocz$av_get_packed_sample_fmt$abortav_freepav_get_cpu_flagsav_log
String ID: ?$@$Assertion %s failed at %s:%d$src/libswresample/rematrix.c
API String ID: 589828794-1409810779
Opcode ID: 5188afd4967a419cf0fd434335850466d59e66cd640ed80c7eb5b51fe742ae3d
Instruction ID: 7464aee8cd7e1a14499ba32685afd6fbf33e5eb4e8f586e5eac5b5f9cdfeae20
Opcode Fuzzy Hash: 5188afd4967a419cf0fd434335850466d59e66cd640ed80c7eb5b51fe742ae3d
Instruction Fuzzy Hash: B0A2FA72B0CE4A45EB618B3292597BE6268FF02BE4F5181F6CB4D572A5DF3CA049C704

Function 00007FF7EC502A10 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 209stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC502A7F
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC502A87
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC502A93
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC502AAA

Part of subcall function 00007FF7EC502320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF7EC5029D8,?,?,?,00007FF7EC5012F1), ref: 00007FF7EC502357

brealloc.OBS ref: 00007FF7EC502AD2
memmove.VCRUNTIME140 ref: 00007FF7EC502B16
pthread_mutex_init.W32-PTHREADS ref: 00007FF7EC502B36
os_event_init.OBS ref: 00007FF7EC502B44
os_event_init.OBS ref: 00007FF7EC502B52
pthread_create.W32-PTHREADS ref: 00007FF7EC502B6A
av_malloc.AVUTIL-58 ref: 00007FF7EC502B74
avio_alloc_context.AVFORMAT-60 ref: 00007FF7EC502BA7
av_dict_parse_string.AVUTIL-58 ref: 00007FF7EC502BDE
av_strerror.AVUTIL-58 ref: 00007FF7EC502C06
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC502C10
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC502C2B
av_dict_free.AVUTIL-58 ref: 00007FF7EC502C34
av_dict_count.AVUTIL-58 ref: 00007FF7EC502C3D
printf.MSPDB140-MSVCRT ref: 00007FF7EC502C4D
av_dict_get.AVUTIL-58 ref: 00007FF7EC502C66
printf.MSPDB140-MSVCRT ref: 00007FF7EC502C8E
av_dict_get.AVUTIL-58 ref: 00007FF7EC502CA7
printf.MSPDB140-MSVCRT ref: 00007FF7EC502CBB
avformat_write_header.AVFORMAT-60 ref: 00007FF7EC502CC7
av_strerror.AVUTIL-58 ref: 00007FF7EC502CF5
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC502CFF
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC502D17
av_dict_free.AVUTIL-58 ref: 00007FF7EC502D20

Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50204A
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502065
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502080
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50209B
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC5020B6

avio_open.AVFORMAT-60 ref: 00007FF7EC502D41
av_strerror.AVUTIL-58 ref: 00007FF7EC502D6D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC502D77
av_dict_free.AVUTIL-58 ref: 00007FF7EC502D8A

Strings

Couldn't open '%s', %s, xrefs: 00007FF7EC502AA0
Error opening '%s': %s, xrefs: 00007FF7EC502D10
%s=%s, xrefs: 00007FF7EC502C84
Failed to parse muxer settings: %s%s, xrefs: 00007FF7EC502C24
Using muxer settings:, xrefs: 00007FF7EC502C46

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strncmp$__acrt_iob_func$av_dict_freeav_strerrorfprintfprintf$av_dict_getos_event_init$__stdio_common_vfprintf_errnoav_dict_countav_dict_parse_stringav_mallocavformat_write_headeravio_alloc_contextavio_openbreallocmemmovepthread_createpthread_mutex_initstrerror
String ID: %s=%s$Couldn't open '%s', %s$Error opening '%s': %s$Failed to parse muxer settings: %s%s$Using muxer settings:
API String ID: 2783795328-2826353358
Opcode ID: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
Instruction ID: f9a7f3bdd9f5afe41b1698332e7ef601adb688d5bbc9c356bc109fc5403b7dbc
Opcode Fuzzy Hash: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
Instruction Fuzzy Hash: A0A1622AA04A8292F714EB21D4523F9A360FB5878CFE04537EA4D87656FF3CE554C351

Function 00007FF7EC502EE0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7EC502F39
SetErrorMode.KERNEL32 ref: 00007FF7EC502F5D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC502F6B
WideCharToMultiByte.KERNEL32 ref: 00007FF7EC502FD8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC502FE7
WideCharToMultiByte.KERNEL32 ref: 00007FF7EC503016
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC503044
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC50304D
_setmode.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC50305A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC503065
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC503077
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC503098
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC5030A8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC5030F8
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC50311C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC503167
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC503177
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC50319A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC5031A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC5031C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC5031D6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC503215
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC503239
av_rescale_q_rnd.AVUTIL-58 ref: 00007FF7EC50330C
av_rescale_q_rnd.AVUTIL-58 ref: 00007FF7EC503344
av_interleaved_write_frame.AVFORMAT-60 ref: 00007FF7EC50336D
av_strerror.AVUTIL-58 ref: 00007FF7EC5033BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC5033C4
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC5033DE

Part of subcall function 00007FF7EC502320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF7EC5029D8,?,?,?,00007FF7EC5012F1), ref: 00007FF7EC502357

Strings

av_interleaved_write_frame failed: %d: %s, xrefs: 00007FF7EC5033D7
Couldn't initialize muxer, xrefs: 00007FF7EC5030A1, 00007FF7EC503170

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __acrt_iob_func$freemalloc$fprintf$ByteCharMultiWideav_rescale_q_rndrealloc$ErrorMode__stdio_common_vfprintf_fileno_setmodeav_interleaved_write_frameav_strerrormemsetsetvbuf
String ID: Couldn't initialize muxer$av_interleaved_write_frame failed: %d: %s
API String ID: 4192084208-164389310
Opcode ID: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
Instruction ID: 17f673c3aaab8f5a36899cc2ca46d9dca8ecaa7ba1dd6eabdefc3dbc2f7edf33
Opcode Fuzzy Hash: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
Instruction Fuzzy Hash: C9E1B536A08A8286FB20EF61D8553BDA760FB48B88FA04136DE4E97755EF3CD145C711

Function 00007FFE0036C2F0 Relevance: 51.3, APIs: 25, Strings: 4, Instructions: 582stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0036C347
strtol.MSVCRT ref: 00007FFE0036C3ED
strchr.MSVCRT ref: 00007FFE0036C462
strcmp.MSVCRT ref: 00007FFE0036C564
_aligned_free.MSVCRT ref: 00007FFE0036C594
_aligned_free.MSVCRT ref: 00007FFE0036C59E
_aligned_free.MSVCRT ref: 00007FFE0036C5D5

Strings

channels, xrefs: 00007FFE0036CB80
ambisonic , xrefs: 00007FFE0036C3A0
%d channels (%[^)], xrefs: 00007FFE0036C44B
mono, xrefs: 00007FFE0036C317

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strcmp$strchrstrtol
String ID: channels$%d channels (%[^)]$ambisonic $mono
API String ID: 6235670-221731140
Opcode ID: 9a9eb1e0a00dde1935faf8ff688298a0d262cbf1e4cfcb0e70de2c1dca8238e4
Instruction ID: 25b908981575b1ed6dcd0f61cdb060935b111e32597da9065d75fa7e89742d8c
Opcode Fuzzy Hash: 9a9eb1e0a00dde1935faf8ff688298a0d262cbf1e4cfcb0e70de2c1dca8238e4
Instruction Fuzzy Hash: 9F424D72A1C68385EB628B15E45037A67A1FB85B84F54E031DB8D47BADDF7CE841CB40

Function 00007FFE1A4F8DB0 Relevance: 42.1, APIs: 12, Strings: 12, Instructions: 108COMMON

Download Yara Rule

APIs

av_opt_set_chlayout.AVUTIL-58 ref: 00007FFE1A4F8DFE
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8E1B
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8E38
av_opt_set_chlayout.AVUTIL-58 ref: 00007FFE1A4F8E5A
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8E7C
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8E9E
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8EBB
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8ED0
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8EE5
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8EFA
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8F0F
av_log.AVUTIL-58 ref: 00007FFE1A4F8F53

Strings

ichl, xrefs: 00007FFE1A4F8E50
ich, xrefs: 00007FFE1A4F8EF3
och, xrefs: 00007FFE1A4F8F08
isr, xrefs: 00007FFE1A4F8E94
icl, xrefs: 00007FFE1A4F8EC9
ochl, xrefs: 00007FFE1A4F8DE7
isf, xrefs: 00007FFE1A4F8E72
uch, xrefs: 00007FFE1A4F8EB1
osf, xrefs: 00007FFE1A4F8E11
Failed to set option, xrefs: 00007FFE1A4F8F40
osr, xrefs: 00007FFE1A4F8E2E
ocl, xrefs: 00007FFE1A4F8EDE

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_opt_set_int$av_opt_set_chlayout$av_log
String ID: Failed to set option$ich$ichl$icl$isf$isr$och$ochl$ocl$osf$osr$uch
API String ID: 4144258317-3247528414
Opcode ID: 10ab7c08c9e10468c087a0fc18b47031af3b6046317781463100eb67561eeeb0
Instruction ID: 556d7b80981b9b0d8219bf8b96454445277f8de2a335780ce714fdfb92d5770b
Opcode Fuzzy Hash: 10ab7c08c9e10468c087a0fc18b47031af3b6046317781463100eb67561eeeb0
Instruction Fuzzy Hash: FF415165B0CB5341F6649727AA52BBF1651AF47BE8F8064F3DE4C47A65EE3CE0058700

Function 00007FFE00392D90 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 203COMMON

Download Yara Rule

APIs

_read.MSVCRT ref: 00007FFE00392E0D
_close.MSVCRT ref: 00007FFE00392E17
_read.MSVCRT ref: 00007FFE00392E48
_close.MSVCRT ref: 00007FFE00392E52
clock.MSVCRT ref: 00007FFE00392EF9

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE00393080
Microsoft Primitive Provider, xrefs: 00007FFE00392DA0
/dev/random, xrefs: 00007FFE00392E27
RNG, xrefs: 00007FFE00392DA7
src/libavutil/random_seed.c, xrefs: 00007FFE00393069
N, xrefs: 00007FFE00393087
sizeof(tmp) >= av_sha_size, xrefs: 00007FFE00393070
/dev/urandom, xrefs: 00007FFE00392DEC

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _close_read$clock
String ID: /dev/random$/dev/urandom$Assertion %s failed at %s:%d$Microsoft Primitive Provider$N$RNG$sizeof(tmp) >= av_sha_size$src/libavutil/random_seed.c
API String ID: 3077350862-4220122895
Opcode ID: 42a263d787bb1900c231adad2bae4144787def7db549a8d8b5a27e8b710399cc
Instruction ID: 98cf300133afbc9053da3048373e573ea71d3d51ab0a3327e9bb2ea4c504102b
Opcode Fuzzy Hash: 42a263d787bb1900c231adad2bae4144787def7db549a8d8b5a27e8b710399cc
Instruction Fuzzy Hash: 617126B2B19A5355F7199B34E5412BA37A1AB88780F405139DB0F87BBDEEBCE504C704

Function 00007FFE0038F2C0 Relevance: 23.2, APIs: 3, Strings: 10, Instructions: 461COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0038F94F
_errno.MSVCRT ref: 00007FFE0038F977

Strings

AliceBlue, xrefs: 00007FFE0038F5CD
%H:%M:%S, xrefs: 00007FFE0038F68E
%M:%S, xrefs: 00007FFE0038F923
%Y - %m - %d, xrefs: 00007FFE0038F62C
+, xrefs: 00007FFE0038F5A4
%Y%m%d, xrefs: 00007FFE0038F64D
%H%M%S, xrefs: 00007FFE0038F6A9
%J:%M:%S, xrefs: 00007FFE0038F331
%H:%M, xrefs: 00007FFE0038F57A
now, xrefs: 00007FFE0038F613

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: %H%M%S$%H:%M$%H:%M:%S$%J:%M:%S$%M:%S$%Y - %m - %d$%Y%m%d$+$AliceBlue$now
API String ID: 2918714741-785088730
Opcode ID: 8cc4219109180221a37125365c6cb82e6481bf229ae85591e8e1ba171042397c
Instruction ID: 6ac5742671212cbebd15cf22849a91591d76d996bdcb2e598fa8c901800dd9ac
Opcode Fuzzy Hash: 8cc4219109180221a37125365c6cb82e6481bf229ae85591e8e1ba171042397c
Instruction Fuzzy Hash: D8021462B187964AFB25CB29E44037EAB91EB81784F548172DB4D07BFCEE3DE4058B00

Function 00007FFE0036D9B0 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 272COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE0036D9FF

Strings

av_crc_init(av_crc_table[AV_CRC_16_CCITT], 0, 16, 0x1021, sizeof(av_crc_table[AV_CRC_16_CCITT])) >= 0, xrefs: 00007FFE0036DAFB
av_crc_init(av_crc_table[AV_CRC_8_ATM], 0, 8, 0x07, sizeof(av_crc_table[AV_CRC_8_ATM])) >= 0, xrefs: 00007FFE0036D9DB, 00007FFE0036DA3B, 00007FFE0036DA9B
av_crc_init(av_crc_table[AV_CRC_32_IEEE], 0, 32, 0x04C11DB7, sizeof(av_crc_table[AV_CRC_32_IEEE])) >= 0, xrefs: 00007FFE0036DBBB
Assertion %s failed at %s:%d, xrefs: 00007FFE0036D9EB, 00007FFE0036DA4B, 00007FFE0036DAAB, 00007FFE0036DB0B, 00007FFE0036DB6B, 00007FFE0036DBCB
src/libavutil/crc.c, xrefs: 00007FFE0036D9D4, 00007FFE0036DA34, 00007FFE0036DA94, 00007FFE0036DAF4, 00007FFE0036DB54, 00007FFE0036DBB4
av_crc_init(av_crc_table[AV_CRC_24_IEEE], 0, 24, 0x864CFB, sizeof(av_crc_table[AV_CRC_24_IEEE])) >= 0, xrefs: 00007FFE0036DB5B

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$av_crc_init(av_crc_table[AV_CRC_16_CCITT], 0, 16, 0x1021, sizeof(av_crc_table[AV_CRC_16_CCITT])) >= 0$av_crc_init(av_crc_table[AV_CRC_24_IEEE], 0, 24, 0x864CFB, sizeof(av_crc_table[AV_CRC_24_IEEE])) >= 0$av_crc_init(av_crc_table[AV_CRC_32_IEEE], 0, 32, 0x04C11DB7, sizeof(av_crc_table[AV_CRC_32_IEEE])) >= 0$av_crc_init(av_crc_table[AV_CRC_8_ATM], 0, 8, 0x07, sizeof(av_crc_table[AV_CRC_8_ATM])) >= 0$src/libavutil/crc.c
API String ID: 4206212132-2611614167
Opcode ID: 92c9e43b5e3701d523069e98b3d843c3635d7b65042acc036af35ff1e6a13f27
Instruction ID: a1350cc1724e0c43b91acc5581310add02f71826236aba5a041ba828794fae30
Opcode Fuzzy Hash: 92c9e43b5e3701d523069e98b3d843c3635d7b65042acc036af35ff1e6a13f27
Instruction Fuzzy Hash: 58A17B72F28A4782E701AF64D8853ED27A1EB98304FC48235D70D867AAEE7CE245C754

Function 00007FFE0037ED32 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 176libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0037ED8A

Strings

Failed to load D3D11 library or its functions, xrefs: 00007FFE0037F00B
dxgidebug.dll, xrefs: 00007FFE0037EF50
d3d11_1sdklayers.dll, xrefs: 00007FFE0037ED80
Using device %04x:%04x (%ls)., xrefs: 00007FFE0037EEEF
Failed to create Direct3D device (%lx), xrefs: 00007FFE0037F02D
debug, xrefs: 00007FFE0037ED66
DXGIGetDebugInterface, xrefs: 00007FFE0037EF65

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: LibraryLoad
String ID: DXGIGetDebugInterface$Failed to create Direct3D device (%lx)$Failed to load D3D11 library or its functions$Using device %04x:%04x (%ls).$d3d11_1sdklayers.dll$debug$dxgidebug.dll
API String ID: 1029625771-4247103231
Opcode ID: 5e2a214d2a33974e5b6e87ebf4458333bd18d13c46bc31c7c438c065be5d4816
Instruction ID: 99977cd409912b10b3aa296dadfb6ade16e66ed18945bd010a9e7037e0d09f72
Opcode Fuzzy Hash: 5e2a214d2a33974e5b6e87ebf4458333bd18d13c46bc31c7c438c065be5d4816
Instruction Fuzzy Hash: 27713F22B08B4682EB22CB26E45076A67A0FF88B88F545571DF4D47BB8DF7DE409C740

Function 00007FFE0038C650 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFE0038CA63
none, xrefs: 00007FFE0038C7EF
%d%*1[:/]%d%c, xrefs: 00007FFE0038CB60
Unable to parse option value "%s", xrefs: 00007FFE0038CBAE
const_values array too small for %s, xrefs: 00007FFE0038CB8A
The "%s" option is deprecated: %s, xrefs: 00007FFE0038CABE
min, xrefs: 00007FFE0038C7E0
max, xrefs: 00007FFE0038C7C9
default, xrefs: 00007FFE0038C784
all, xrefs: 00007FFE0038C7FE

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %d%*1[:/]%d%c$-$The "%s" option is deprecated: %s$Unable to parse option value "%s"$all$const_values array too small for %s$default$max$min$none
API String ID: 0-679463259
Opcode ID: 9d9d9a3b7a0190a60b3e1d7de4052083c20cc3d048e1b11ee78faf5db607be51
Instruction ID: 33f485b22851a2ffc218859084c3139e89f64e23f781746ed1f340f34b37aa19
Opcode Fuzzy Hash: 9d9d9a3b7a0190a60b3e1d7de4052083c20cc3d048e1b11ee78faf5db607be51
Instruction Fuzzy Hash: 86E1B032A18B8586E762CF10E4407AFB3A4FB85788F545172EB8D577A8DF3CD0048B10

Function 00007FFE1A4F68B0 Relevance: 16.3, APIs: 6, Strings: 3, Instructions: 567COMMON

Download Yara Rule

APIs

av_malloc_array.AVUTIL-58 ref: 00007FFE1A4F6976
av_malloc_array.AVUTIL-58 ref: 00007FFE1A4F698B

Strings

src/libswresample/resample.c, xrefs: 00007FFE1A4F6CEA, 00007FFE1A4F73D2
tap_count == 1 || tap_count % 2 == 0, xrefs: 00007FFE1A4F73E1
Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F6D05

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_malloc_array
String ID: Assertion %s failed at %s:%d$src/libswresample/resample.c$tap_count == 1 || tap_count % 2 == 0
API String ID: 1862890220-3187375394
Opcode ID: 821feb5264397491c723a34886a4805e0f008ad312c9caf0883d02201ff3be8e
Instruction ID: 8212eb13e4373fccd10a050229b3c3299003fef5b693244d6f78231aa84d1af2
Opcode Fuzzy Hash: 821feb5264397491c723a34886a4805e0f008ad312c9caf0883d02201ff3be8e
Instruction Fuzzy Hash: FD42C832E1CF8549D2238B3995512BAA724FF977D1F41D3B3E94E72A65DF2CE0928600

Function 00007FFE00384C80 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 398COMMON

Download Yara Rule

Strings

[%s @ %p] , xrefs: 00007FFE00384DCB, 00007FFE00384E42
?, xrefs: 00007FFE003850A8
8, xrefs: 00007FFE0038529D
Last message repeated %d times, xrefs: 00007FFE003852F6
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Last message repeated %d times$ Last message repeated %d times$%s%s%s%s$8$?$[%s @ %p] $[%s]
API String ID: 0-179686365
Opcode ID: 700e6493641140c6dda8d7c6b21148849bcfbba81eaa22d40e06a7a62df99f25
Instruction ID: 3df2280a43654e8c9e8afffd586fc75a5485cae117f1aa9d071e4329a56501e2
Opcode Fuzzy Hash: 700e6493641140c6dda8d7c6b21148849bcfbba81eaa22d40e06a7a62df99f25
Instruction Fuzzy Hash: D4F1CF62A0CB8785EB66CB11A4503BE6791BF86B84F844076DF8D177AEDE3EE444C740

Function 00007FFE003824D0 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 442COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0038262A
abort.MSVCRT ref: 00007FFE003826EF
memcpy.MSVCRT ref: 00007FFE00382A6B

Strings

src/libavutil/imgutils.c, xrefs: 00007FFE003826C4
ret >= 0, xrefs: 00007FFE003826CB
Assertion %s failed at %s:%d, xrefs: 00007FFE003826DB

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$abort
String ID: Assertion %s failed at %s:%d$ret >= 0$src/libavutil/imgutils.c
API String ID: 3629556515-2504023021
Opcode ID: 2312a6da2723e7e0594906141bd6e79322ef9e88a15247b0ee1471fd6e159ad7
Instruction ID: fe5d1d0cadf2f6ab651a51846ff70aabdc31044240cc8384584557810ef77209
Opcode Fuzzy Hash: 2312a6da2723e7e0594906141bd6e79322ef9e88a15247b0ee1471fd6e159ad7
Instruction Fuzzy Hash: D2028D36A0878186EB66CB15E4803AFB7E1FB89784F544136DB8957BA8DF3DE445CB00

Function 00007FFE1A546CBC Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE1A546CD8
memset.VCRUNTIME140 ref: 00007FFE1A546CFC
RtlCaptureContext.KERNEL32 ref: 00007FFE1A546D05
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE1A546D1F
RtlVirtualUnwind.KERNEL32 ref: 00007FFE1A546D60
memset.VCRUNTIME140 ref: 00007FFE1A546D93
IsDebuggerPresent.KERNEL32 ref: 00007FFE1A546DB4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE1A546DD5
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE1A546DE0

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 13250969f5b2de30470bf22d6d750f243ba906d20c34ed2405166bb0a67cfad5
Instruction ID: e82bea0e73e336039550365ce2ee710e03693792829ef47103c1c9699fade52b
Opcode Fuzzy Hash: 13250969f5b2de30470bf22d6d750f243ba906d20c34ed2405166bb0a67cfad5
Instruction Fuzzy Hash: 4B313A7270DE818AEB609F61E8407F97360FB86B54F4444BADA4D47BA9EF38D548C710

Function 00007FF7EC503C5C Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7EC503C78
memset.VCRUNTIME140 ref: 00007FF7EC503C9C
RtlCaptureContext.KERNEL32 ref: 00007FF7EC503CA5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7EC503CBF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7EC503D00
memset.VCRUNTIME140 ref: 00007FF7EC503D33
IsDebuggerPresent.KERNEL32 ref: 00007FF7EC503D54
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7EC503D75
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7EC503D80

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
Instruction ID: e12049d33a869d61a3c2e91158189e2d3e52a452fcb87ef5223ab3d11872aada
Opcode Fuzzy Hash: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
Instruction Fuzzy Hash: 46315076609B8186FB60AF60E8553EDB360FB84748F94403ADA4E87B94EF3CD548C725

Function 00007FFE00385980 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 408COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003859AF

Strings

src/libavutil/lzo.c, xrefs: 00007FFE00385984
cnt >= 0, xrefs: 00007FFE0038598F
[, xrefs: 00007FFE003859A2
?, xrefs: 00007FFE00385A39
Assertion %s failed at %s:%d, xrefs: 00007FFE00385996

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: ?$Assertion %s failed at %s:%d$[$cnt >= 0$src/libavutil/lzo.c
API String ID: 4206212132-2884727783
Opcode ID: 7011ca950fc2a7db3eb286879491971854b83ca07a450eddb1490616219303e7
Instruction ID: caed4911941f08ba6b4cb7a244d89853ab0a99666b8373024d21f5ffb2e57794
Opcode Fuzzy Hash: 7011ca950fc2a7db3eb286879491971854b83ca07a450eddb1490616219303e7
Instruction Fuzzy Hash: 14E12572B1DBA282EB26CE1185847BD6B92BB44780F95C171CF0E477A8EA7DE605D700

Function 00007FFE0036BE20 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 216COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE0036C141

Strings

ambisonic %d, xrefs: 00007FFE0036BF01
src/libavutil/channel_layout.c, xrefs: 00007FFE0036C116
Assertion %s failed at %s:%d, xrefs: 00007FFE0036C12D
channel_layout->order == AV_CHANNEL_ORDER_CUSTOM, xrefs: 00007FFE0036C11D

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$ambisonic %d$channel_layout->order == AV_CHANNEL_ORDER_CUSTOM$src/libavutil/channel_layout.c
API String ID: 4206212132-610793534
Opcode ID: 4154b1103f2502a80824f1cfea4b5c08add524b0e9befcb9efd5374d9646e1ef
Instruction ID: e478650df82397437bac9388064b4a9a1443b48f66d8b6bc78a82673954a23ce
Opcode Fuzzy Hash: 4154b1103f2502a80824f1cfea4b5c08add524b0e9befcb9efd5374d9646e1ef
Instruction Fuzzy Hash: 6A714CA3F3890743E7164735DC013685291AB957A0F4CD235EB0AD6B99EF3DE9C18B41

Function 00007FFE003E46C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003E4707

Strings

(state[4] & 3) == 3, xrefs: 00007FFE003E46E3
n, xrefs: 00007FFE003E46FA
Assertion %s failed at %s:%d, xrefs: 00007FFE003E46F3
src/libavutil/utils.c, xrefs: 00007FFE003E46DC

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: (state[4] & 3) == 3$Assertion %s failed at %s:%d$n$src/libavutil/utils.c
API String ID: 4206212132-3394967418
Opcode ID: f745146a8868629358c2eef4edc24f02b811a2bcba902581bbe48fb0424e79ec
Instruction ID: 521bb4491f99f6d4fb4c7d20423b3c6d81d9e267ad2af9a074246d5ccb3d2264
Opcode Fuzzy Hash: f745146a8868629358c2eef4edc24f02b811a2bcba902581bbe48fb0424e79ec
Instruction Fuzzy Hash: 97215C67D2C9C245F7129E38984027E3392AB5AB65F964332E739827FCCB3CD5858240

Function 00007FFE0036BA70 Relevance: 7.8, Strings: 6, Instructions: 250COMMON

Download Yara Rule

Strings

%d channels, xrefs: 00007FFE0036BB5E
AMBI%d, xrefs: 00007FFE0036BDD8
@%s, xrefs: 00007FFE0036BC1D
NONE, xrefs: 00007FFE0036BB96
%d channels (, xrefs: 00007FFE0036BB71
USR%d, xrefs: 00007FFE0036BCE0

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %d channels$%d channels ($@%s$AMBI%d$NONE$USR%d
API String ID: 0-1306170362
Opcode ID: b58385b35ee8c0576a5674ace7b060eb4fb2608f8c8b053f2f6c87950b102242
Instruction ID: 08f4ffcdb73e6c6b93a8156ed64dce431a642f1ff8f27a00c83295367e3e3b16
Opcode Fuzzy Hash: b58385b35ee8c0576a5674ace7b060eb4fb2608f8c8b053f2f6c87950b102242
Instruction Fuzzy Hash: 8B9129A2F1C15746EA268A15D840B79A755AF55B94F88C031CF0D8BBBDDF3CAAC1CB40

Function 00007FFE0040DAA0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

pow, xrefs: 00007FFE0040DBCF, 00007FFE0040DCFE, 00007FFE0040E0AC

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: 4e4d1c9717f4655b5bbf70594396bdc5da546f85907a2c9caf3bda01d7e980ea
Instruction ID: 155452a515388c3ace1f78f07527cf7ce82782e476562c717257e0da3eb1beb5
Opcode Fuzzy Hash: 4e4d1c9717f4655b5bbf70594396bdc5da546f85907a2c9caf3bda01d7e980ea
Instruction Fuzzy Hash: 65D1F912D0CA5281F6225AF4941037A6615AF96390F508332EF8E763FDDF7DBE89914C

Function 00007FFE003A5B00 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003A5E9A

Strings

src/libavutil/tx.c, xrefs: 00007FFE003A5E6F
', xrefs: 00007FFE003A5E8D
Assertion %s failed at %s:%d, xrefs: 00007FFE003A5E86

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: '$Assertion %s failed at %s:%d$src/libavutil/tx.c
API String ID: 4206212132-3565471776
Opcode ID: ec47289fc772912451eea82ccb2b1043ae62ca5012e7b26885c9d820250d193f
Instruction ID: be7d6d6d3ee3d655c4d153c926f77dabfdcdeda3640f9f495a97a69990ea2f6f
Opcode Fuzzy Hash: ec47289fc772912451eea82ccb2b1043ae62ca5012e7b26885c9d820250d193f
Instruction Fuzzy Hash: 20A1F573A09B8186D761CF18E4403AAB7A1FB89794F545035EB4E83B68EB3DE844CB00

Function 00007FFE0036D5C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FFE0036D5CD
GetProcessAffinityMask.KERNEL32 ref: 00007FFE0036D5E0

Strings

overriding to %d logical cores, xrefs: 00007FFE0036D69D
detected %d logical cores, xrefs: 00007FFE0036D6C3

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: detected %d logical cores$overriding to %d logical cores
API String ID: 1231390398-3421371979
Opcode ID: 2e9904b101b569c18024893eab007079966040748388d549111c530203c0def7
Instruction ID: 0ae1c8e6144b83de42125bc5b2b9d9479427687f5d3005267027ecb1debbab70
Opcode Fuzzy Hash: 2e9904b101b569c18024893eab007079966040748388d549111c530203c0def7
Instruction Fuzzy Hash: 4921B6A3F2990603E7158A29EC013691292BBA8764F8DD136DF0EC7B69ED3CE605C341

Function 00007FFE00361C30 Relevance: 4.2, APIs: 3, Instructions: 497COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE00361EA6
memcpy.MSVCRT ref: 00007FFE00361EBB

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 403baa3e1a488a5a0e7543da01e81e3aaffd6a2fe1ed6e15f3cbc0658172d83e
Instruction ID: c3cbe960b2ca805499d6887bf162e9e1692681ecd2535315ddf51a2739f7a444
Opcode Fuzzy Hash: 403baa3e1a488a5a0e7543da01e81e3aaffd6a2fe1ed6e15f3cbc0658172d83e
Instruction Fuzzy Hash: BB32C173A0CBC186D7668B29E5403AEBBA1F795384F459126DBC947B6ACB3CE164C700

Function 00007FFE00410640 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE00410754

Strings

__powi, xrefs: 00007FFE00410761

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: __powi
API String ID: 2918714741-2331859415
Opcode ID: 1ed4b1acd7149e56c63c0e5b63662fa1acdc3d18d69be49f294a8596855a1eb9
Instruction ID: f155a4a798a76cd01bc59ea521431c1049b6c1708829525e4ba0ca9efe9e15a3
Opcode Fuzzy Hash: 1ed4b1acd7149e56c63c0e5b63662fa1acdc3d18d69be49f294a8596855a1eb9
Instruction Fuzzy Hash: C751C010E1DA0785FA564A2458503B27355BFA6388F14D336DB1D3A7ECEFADBCC28508

Function 00007FFE00363B87 Relevance: 3.5, APIs: 2, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238db13e466d98e71d78f61cae172d4804caeca104bc3b3bb4d467ddbb97d8ec
Instruction ID: 7d6fb5fe8ae88b7591b383541abd49e6c152760da200b7290134ecfa0a9f88fa
Opcode Fuzzy Hash: 238db13e466d98e71d78f61cae172d4804caeca104bc3b3bb4d467ddbb97d8ec
Instruction Fuzzy Hash: 8F229F62A0CBD685D6228B15A0403BEB7A1FB96BC0F948536DB9D53BADDF3CE540C701

Function 00007FFE0036B030 Relevance: 3.1, APIs: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0036AE10: strlen.MSVCRT ref: 00007FFE0036AE26
Part of subcall function 00007FFE0036AE10: memcmp.MSVCRT ref: 00007FFE0036AEA5

strtol.MSVCRT ref: 00007FFE0036B0F6
_errno.MSVCRT ref: 00007FFE0036B0FE

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errnomemcmpstrlenstrtol
String ID:
API String ID: 1078869015-0
Opcode ID: 4e62ed5a4916453a6424c7a293e756ef9a25259ab9570582f9bd8a4894d05afe
Instruction ID: 656ca7a79ef97cad1452ea3f987a36671d74fa3933d1b89391b348c175cf1c93
Opcode Fuzzy Hash: 4e62ed5a4916453a6424c7a293e756ef9a25259ab9570582f9bd8a4894d05afe
Instruction Fuzzy Hash: 842192A3F2950603EB5D8A25DC2233956C397A4770F4CC139DF0AC6799EA3C99958705

Function 00007FFE00409720 Relevance: 3.0, APIs: 2, Instructions: 39timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 00007FFE00409739
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE00409760

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Time$FileInformationSystemZone
String ID:
API String ID: 2921752741-0
Opcode ID: a6735fc188ae2be04b6747e7321527e39212664d39bbfa2ed8a26b191bdbbc72
Instruction ID: 19a2b95365aec2a4895e7a5f1461b051bc7450990bce513667871a28cbf55c32
Opcode Fuzzy Hash: a6735fc188ae2be04b6747e7321527e39212664d39bbfa2ed8a26b191bdbbc72
Instruction Fuzzy Hash: C501D4B3A2854682DF68DF21F410379A291AB54794F48C131DA9E977A8EE3CD945C700

Function 00007FFE003A6350 Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

%i: , xrefs: 00007FFE003A696A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %i:
API String ID: 0-3112360579
Opcode ID: 56225696255aec5cf75f5aaaa0dab9d34a63c7dc86180539428f912345232fc3
Instruction ID: 33dc5c0efe72d5269ed843acaa4f22a80973732209208627422763ae88ccc666
Opcode Fuzzy Hash: 56225696255aec5cf75f5aaaa0dab9d34a63c7dc86180539428f912345232fc3
Instruction Fuzzy Hash: DF02EF73A18B9286DB268F28C40527D73A4FB86B88F694235CB5D037A8DF7DE951C740

Function 00007FFE003A5350 Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

, xrefs: 00007FFE003A5365, 00007FFE003A542D, 00007FFE003A54AB, 00007FFE003A5522, 00007FFE003A559D, 00007FFE003A561F, 00007FFE003A5689, 00007FFE003A56D4

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID: 0-399585960
Opcode ID: 32d18d1ae2b9536030ec3fb165465a0a39662cd1298dc4829aec3954e2195451
Instruction ID: 93f14c0ccac80d340baebfd6e713368cee5df9fe1974a10e42a3efc0caf631f1
Opcode Fuzzy Hash: 32d18d1ae2b9536030ec3fb165465a0a39662cd1298dc4829aec3954e2195451
Instruction Fuzzy Hash: 09E15E32A08A868BE721DF16E440BAA7764FB89784F515036DF8D43B69DF3DE446CB00

Function 00007FFE003E4840 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FFE003E4840

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 067b04213758aebbec89ab64825b0ea9af463173314dc67680d0fe0a86fcad37
Instruction ID: bb898d5204e4aa49f5ecd47aa0000b4b9c164be8c539ca8d33ab7dd7caa310be
Opcode Fuzzy Hash: 067b04213758aebbec89ab64825b0ea9af463173314dc67680d0fe0a86fcad37
Instruction Fuzzy Hash: 5761B8977292F19DD72247A9A810F9CBE56D266B45F1D4289D7C10BF93C212C0B2FB21

Function 00007FFE0036B150 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

%d channels, xrefs: 00007FFE0036B273

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %d channels
API String ID: 0-1351059727
Opcode ID: fb37549d1e1a87d1845128c91bcf027e9804e02a172115fddd54d2ad187c1367
Instruction ID: d0b57b29ea52d71f2b0fc42757b1f951ca6953371fb0d250f9a35831bc6e5cd0
Opcode Fuzzy Hash: fb37549d1e1a87d1845128c91bcf027e9804e02a172115fddd54d2ad187c1367
Instruction Fuzzy Hash: 3F41E7A3F1940602EB168606BC116794782ABA47B5F8CD031DF0987B6DEE3CA9C6C300

Function 00007FFE003A2B60 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

%02u:%02u:%02u%c%02u, xrefs: 00007FFE003A2C47

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %02u:%02u:%02u%c%02u
API String ID: 0-3773705257
Opcode ID: 05e44b18eb7a4dcf895f83e0c2975131c3305643ef67c3862a7710349e35a628
Instruction ID: c68eff1a07ce263aa61408ef17ddf3ac3aff4ed741f71de8a85c43416d7d093d
Opcode Fuzzy Hash: 05e44b18eb7a4dcf895f83e0c2975131c3305643ef67c3862a7710349e35a628
Instruction Fuzzy Hash: 58315BB3F285554AE7668E199880B6F6342F7457D9F888230EF0A4BB5CE93CE948C340

Function 00007FFE0036E9A0 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

9%lld, xrefs: 00007FFE0036EADF

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: 4bf4b89b430cf95bf7994c152801e5258dcff788620b942f10691eac737950a8
Instruction ID: 8fb44e0d34ce893bb0f534b9257419d21b48a0af13920fcb5090cd34efa90ba6
Opcode Fuzzy Hash: 4bf4b89b430cf95bf7994c152801e5258dcff788620b942f10691eac737950a8
Instruction Fuzzy Hash: 8931E4A773494143E657CEA6A8552E92752F38978AF84A032FE0BC7348EA7DDD09D140

Function 00007FFE0036E820 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

9%lld, xrefs: 00007FFE0036E95C

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: b7dcea320b78e429be7da6e3a51ac97eece9d04196250d78cf97526035406e98
Instruction ID: a41c5a102108ff0dbff3f0427c87ddae33b14f3c4b87dab7d2e8f7ecfdb562de
Opcode Fuzzy Hash: b7dcea320b78e429be7da6e3a51ac97eece9d04196250d78cf97526035406e98
Instruction Fuzzy Hash: 6631C4A773095143EA57CEA6A8556ED2751F38D78AFC4A032FE0AC7348EA7DCD09D240

Function 00007FFE003A2CC0 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

%02u:%02u:%02u%c%02u, xrefs: 00007FFE003A2D5D

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %02u:%02u:%02u%c%02u
API String ID: 0-3773705257
Opcode ID: fdd9d13a151395552cd65e209512f394c3a647e9cf21eb926f75bca4cb5d8e29
Instruction ID: 3287e2ccbbf15be1fdf44058a10359e50a58dc28ec555c43be4daf6983200123
Opcode Fuzzy Hash: fdd9d13a151395552cd65e209512f394c3a647e9cf21eb926f75bca4cb5d8e29
Instruction Fuzzy Hash: 62113A735384454A9B4EDB1A88116A97791F391B84BC85235EA9BCF359ED3CD709C700

Function 00007FFE0036B6A0 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

front left, xrefs: 00007FFE0036B743

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: front left
API String ID: 0-959785498
Opcode ID: 23cad181ecbb07febb14ec29e22a05d1089456614179c0b502e2ad97e0cb5eae
Instruction ID: c55411422dff7cc9dff9e79109e40137238c102b6797b37e79d8dd22fb006098
Opcode Fuzzy Hash: 23cad181ecbb07febb14ec29e22a05d1089456614179c0b502e2ad97e0cb5eae
Instruction Fuzzy Hash: 521106D7F3456A43EF20862DCC0175802C2A7E5770B8CE131E909C2B58FD3DEA828A42

Function 00007FFE003887F0 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE00388819

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 30d0097c098d0a2c9e6ec4e870c0f712385f61fe009233d20c93c0c5dbd3fad9
Instruction ID: 71fd1d930421c7dacf657ea82b299d627c020dcd092c5a5993c84ec5774b1d77
Opcode Fuzzy Hash: 30d0097c098d0a2c9e6ec4e870c0f712385f61fe009233d20c93c0c5dbd3fad9
Instruction Fuzzy Hash: F311B2A2711B4C42AD08C7AAA8A68B9925AA3ADFD4718F032CF0D4B354DD3CE091C340

Function 00007FFE00394920 Relevance: 1.0, Instructions: 994COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e651fe4c88c82812c6238caf3bdcde6ab459b46390ea8f8b4a9699f07545262f
Instruction ID: 1bda1fb4674d5b31257bf7ffee1b08a0ed086879fa134946f1178f46d8c42b44
Opcode Fuzzy Hash: e651fe4c88c82812c6238caf3bdcde6ab459b46390ea8f8b4a9699f07545262f
Instruction Fuzzy Hash: 6572EAB7B251204BE354CF2AE844E46BB92F7D8748B56A114EE56E7F04D23DEA06CF40

Function 00007FFE00393C00 Relevance: 1.0, Instructions: 989COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d4f91dbcd3920678f56ce2ea7d672d73a39a89e5afe551f032633b1d0d58bd
Instruction ID: 964c822f9f187339aa42b2d0479b64a4cd5d221fa53f8ffe4ad9e35da9718a6b
Opcode Fuzzy Hash: f1d4f91dbcd3920678f56ce2ea7d672d73a39a89e5afe551f032633b1d0d58bd
Instruction Fuzzy Hash: A0720977B282244B9318CF26E809D4AB796F7D4704B469128EF16D7F08E67DEA058F84

Function 00007FFE00383580 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a118a507555301ea384540139cf8e1fb3b65300ff54bfeb7e4b20e0f2e86e279
Instruction ID: fd826384ba97da551abccb73f2b428c02aeefe1ee9cd161fcf23ee404b987a70
Opcode Fuzzy Hash: a118a507555301ea384540139cf8e1fb3b65300ff54bfeb7e4b20e0f2e86e279
Instruction Fuzzy Hash: 2052E76361C2A187E3658B69A400B7EF7A1FB94B81F109125FBD983FA9E73CD540DB10

Function 00007FFE00386820 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dddfe8cf3ff9be88c3b72cff50abe549f3a298be1906c93472ea6cf2cfdb2f
Instruction ID: 1f70059621abf587596c108572594885d62e12f8f1eca8ca9e804558d5e3404e
Opcode Fuzzy Hash: 36dddfe8cf3ff9be88c3b72cff50abe549f3a298be1906c93472ea6cf2cfdb2f
Instruction Fuzzy Hash: 6212A377B6016047D76CCF36E816F993796E399758389E12C9A02D7F08DA3DD90ACB80

Function 00007FFE003A3560 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8160ea691a23e1b632a407eca822979379531e44aeec8686b9d2442b5e3ae57d
Instruction ID: 34dd2721a90626b7b21c4f591585bd02a2d0a5154d55033852455e910e8c0dc3
Opcode Fuzzy Hash: 8160ea691a23e1b632a407eca822979379531e44aeec8686b9d2442b5e3ae57d
Instruction Fuzzy Hash: 9422AF72B29A4582DA62CF16E444A6E67A4FB86FC4B518035EF9E9B758DF3DD600C300

Function 00007FFE003ACBE0 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff40ba625cf61736bb64c8bdf5840a366f4253e3d55665abfb5f43b414cbf64c
Instruction ID: 2c54d5f43ac1a56c0c602db925502ca011976b4ad48cb69f21ee386340938fa5
Opcode Fuzzy Hash: ff40ba625cf61736bb64c8bdf5840a366f4253e3d55665abfb5f43b414cbf64c
Instruction Fuzzy Hash: E322C662E28F904ED653CE75945223A6B58BFA77C5B41E313EE4B76B11DB34E1878200

Function 00007FFE003909B0 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0debf0142da6a9273804bc82d00e17f960341957d4bf9a7368440b236c8168
Instruction ID: 728ba9b7b9d0a9385e30f4a5a1ac2ad96095500cae7af6dddb00b7792edc239e
Opcode Fuzzy Hash: 5d0debf0142da6a9273804bc82d00e17f960341957d4bf9a7368440b236c8168
Instruction Fuzzy Hash: E002E3B3F18A918AEB7A8B54E101E7D7FA0FB50B45F459039C78E13B98DA3CA9159340

Function 00007FFE003C2B80 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5050afa32f6ddfb6a114996f9f218715255f7c7b544984919c9caa6235c0bb16
Instruction ID: 1f6b7cd490bfd5ad5fa0b8ee95e17401f1422c97bed1852688e9fb2f75296120
Opcode Fuzzy Hash: 5050afa32f6ddfb6a114996f9f218715255f7c7b544984919c9caa6235c0bb16
Instruction Fuzzy Hash: B4220732E28A8C47D613CA7794411797710FFAE7C4B69EB16EE05727A2DB34F1889704

Function 00007FFE00367260 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a7950f2253a1c48c8c137fbc100e25f2fe9e5a0653b74c0b8ed70f9fb77fc6
Instruction ID: 2f6959ae7e08fdb1610c6f4bf728667b1846f27185833747e17424f19e5f9fdc
Opcode Fuzzy Hash: 81a7950f2253a1c48c8c137fbc100e25f2fe9e5a0653b74c0b8ed70f9fb77fc6
Instruction Fuzzy Hash: 181284732108148BD391CF5EE8C0E5DB7D1F798B4EB629324EB4693B61D632A863D790

Function 00007FFE00391160 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7b787218cfe6dc98328e18f40f484bb36194aafcb0adaf6dc1dee95f7ee729
Instruction ID: 776cf47ee8af9f6467f19849d03018ad478049fc64b8a8ac6d61a06d574232c9
Opcode Fuzzy Hash: 6f7b787218cfe6dc98328e18f40f484bb36194aafcb0adaf6dc1dee95f7ee729
Instruction Fuzzy Hash: FBB129B7F1868286DB724B54E042EBD7BB0FF54B84F469035CB4E63B98E62C69169300

Function 00007FFE00369D50 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b431d04f8cfd326d065826c0ea4a07768d4831b2dc7686569c959b8d95ae5da
Instruction ID: 8330472413201fac2fb5add68bc3c11f238d32d2c259d8a6ed3fe980ccd4d4bb
Opcode Fuzzy Hash: 1b431d04f8cfd326d065826c0ea4a07768d4831b2dc7686569c959b8d95ae5da
Instruction Fuzzy Hash: A3B1F6526095C15AEB1A8B7699207EB6BE0EB5EBC4F45E032DFDD4B74ACE2CD240C300

Function 00007FFE0036A520 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd04e1f6e5b77fd235431d6daf680498f867f8c369b5541b7e47b1bcb3da3638
Instruction ID: f4baa51cfe7ca8e8ace836c1a0c7b8f306f2bcd718f60cf6e45ce4e77d2699b0
Opcode Fuzzy Hash: bd04e1f6e5b77fd235431d6daf680498f867f8c369b5541b7e47b1bcb3da3638
Instruction Fuzzy Hash: 20B1BC735006588FD348DF6AD95843E3BA2F7D8B59B9B0229DB4317780EB707826DB90

Function 00007FFE0036A1B0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26bc9e0afa6a36dad590029bfac38e6475024b67d277dcd255fc33b8d7af121
Instruction ID: de2c00f51d81d4516705dcb751df56522bb656b940147a4e69cbb66d9c7b7468
Opcode Fuzzy Hash: c26bc9e0afa6a36dad590029bfac38e6475024b67d277dcd255fc33b8d7af121
Instruction Fuzzy Hash: 01B16E33A005A48FD788CF6ED89887D37A3E7C871179B832ADB4553389DA746809DBC0

Function 00007FFE00382F20 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f169184c6d2b13734529f87c174bec29b0316c2a188a1d7a05902af3d816c2
Instruction ID: 166957d138d6f3690229d406905dfd439fc0eaf12d4019d129b36c4927d6ad36
Opcode Fuzzy Hash: 99f169184c6d2b13734529f87c174bec29b0316c2a188a1d7a05902af3d816c2
Instruction Fuzzy Hash: A3910891B2C36643F76AC649D80173EA791EB50FC0F44A535EF4A477A8DA2EE7508700

Function 00007FFE00366E70 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a701fd31c154d2dc192229eb25d8d25638208f0de1ecaa09b169f4e8a8f8eb
Instruction ID: 5ecff00a341bd34dbe8412c3541c4df4444f7e048cbc0b7a87d7250357c9fd73
Opcode Fuzzy Hash: c8a701fd31c154d2dc192229eb25d8d25638208f0de1ecaa09b169f4e8a8f8eb
Instruction Fuzzy Hash: 45A130720198148BE34BCF5E948021EB3E1FB48A9FB616710EF4F87661D636AE63D750

Function 00007FFE003A44D0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b32cb7f7fc63c6fb00127071f37436bbba4780064a9dd077ecd279716693df
Instruction ID: 599e6026f47c5b01f9f136e641046d4e9ecfd24effeb573123822d3d9408e063
Opcode Fuzzy Hash: 90b32cb7f7fc63c6fb00127071f37436bbba4780064a9dd077ecd279716693df
Instruction Fuzzy Hash: 3191D2231082E0AED307CF3A96449AE7FE0F75E788B9AD151DB954BB47C238E612D710

Function 00007FFE00369A50 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ca8846758f7279c89c706cb55d4a6c794990205b94bc84ef3eb9dab7f83264
Instruction ID: f341f7a713871a642a4835f77370f9de5425843fb9ec06e7001d83d86b7483fb
Opcode Fuzzy Hash: 76ca8846758f7279c89c706cb55d4a6c794990205b94bc84ef3eb9dab7f83264
Instruction Fuzzy Hash: EF616DA270446686EF999B368D613AA13D57B4EBC0F81F832DE4D87399DE3CD841C341

Function 00007FFE003930A0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01a8d336d240b66a520b8f76eca36f64ac119a91bb538f3d36a02399c46787c
Instruction ID: d8a4f2e4031d7edd612ab11620655fff5d47218c4838d0db98a37ad3a6e64818
Opcode Fuzzy Hash: a01a8d336d240b66a520b8f76eca36f64ac119a91bb538f3d36a02399c46787c
Instruction Fuzzy Hash: D8512B6271E3E501DE358B2AB900BA6A7C5BB48FC8F499436DE4D4BFA4DE3CE9414300

Function 00007FFE0036E4C0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d77631254022a2564090f98b8bfa30d20299f2ed0b727a65807a914737ba4ae
Instruction ID: 4fc96ffcb5b4885dfef79b324d37e198ca3adcbee5990ac35c6a38d8ab1bd577
Opcode Fuzzy Hash: 5d77631254022a2564090f98b8bfa30d20299f2ed0b727a65807a914737ba4ae
Instruction Fuzzy Hash: 564161A6B0450303FB2AE97BA85907A52927B897D87049139EF0F87B9DED7CE585C240

Function 00007FFE003A1E10 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afccfe9f3e014e08196aad724a937f91ef825408217a78f00344b29ce58b4f81
Instruction ID: 3b55e9381aeb560770feee53f9f64f34212f269bc3456819229bb072311743e8
Opcode Fuzzy Hash: afccfe9f3e014e08196aad724a937f91ef825408217a78f00344b29ce58b4f81
Instruction Fuzzy Hash: D651E477B092C19ED71A8B25A904AADBFE0BB1A788F488135DF9D43B49C63CE551C710

Function 00007FFE0036D210 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925e7221762b452499bd5f1cd8d4647ae936fd8bfb8d6f0e8219c8ca6ea31777
Instruction ID: ad14c2b3a55d45b9a81e0c9a0304d1ecbfb58ead7d68ee52230ac8084d3f81f4
Opcode Fuzzy Hash: 925e7221762b452499bd5f1cd8d4647ae936fd8bfb8d6f0e8219c8ca6ea31777
Instruction Fuzzy Hash: 614157B7F1840747FB7A492AD851B3917807B64BA8B1CD435EF0BC77D8D92CE9828242

Function 00007FFE00392B40 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da0fa7538a61e1ec26d81ef3ee2e77181907d7570b22cc55868e0e260c2f721
Instruction ID: b77a3696514af5b094a93d0f63060a8df60303f4882499fee1968bfd54a36a67
Opcode Fuzzy Hash: 1da0fa7538a61e1ec26d81ef3ee2e77181907d7570b22cc55868e0e260c2f721
Instruction Fuzzy Hash: 92414602F1A2E10BC7924EFF4DD922DADD2158E44638CC77AA7D4C52DFD86CE20E6614

Function 00007FFE0036CCE0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbb289327d116bb0d3926814ce134dcf89bf85936bb88c31896ce7583001f71
Instruction ID: e9c2ef573926ae678e9cc9c2be765959dbc6f90cf18b53510967a84a5d814f60
Opcode Fuzzy Hash: 1bbb289327d116bb0d3926814ce134dcf89bf85936bb88c31896ce7583001f71
Instruction Fuzzy Hash: E341C3E3F3984603EB6D8629CC0573851836BE57B174CD235DA1ACAFDCE83DEA168542

Function 00007FFE003928B0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8289133b11807aa708dee106fcce6d7ef6ccc2dac79a51c200281d0fae8d85f5
Instruction ID: 0a24dedc9a0a57ffe617537608a8400275a41b98e14bb4ea312f375e18c72059
Opcode Fuzzy Hash: 8289133b11807aa708dee106fcce6d7ef6ccc2dac79a51c200281d0fae8d85f5
Instruction Fuzzy Hash: 8741A2522380F00AC76E1F3D293AA39BE92725664774EE36EFE8342AC7D41D8910A714

Function 00007FFE003613A0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e751435a9f45e6580fe7b108adce3f96b0c8069535fb2d3307a909beff15caba
Instruction ID: df1980091b01841c591307ed5eccf7c92ae5d29abca6797cb673db97fbc0b14c
Opcode Fuzzy Hash: e751435a9f45e6580fe7b108adce3f96b0c8069535fb2d3307a909beff15caba
Instruction Fuzzy Hash: 6B319B93F6026B03FF1A8B5A6C02BB495416F857D8F48D231EE1E5BBD9E43CD946E200

Function 00007FFE0036D030 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cb80125cf637f8d0b0a114fc56422192b4e9792f88120ada6a7116402668c2
Instruction ID: 52b14dec5e4c8ee140595cc590548c43d0bfc5f414fee09b49b26c8aa3101bc5
Opcode Fuzzy Hash: 66cb80125cf637f8d0b0a114fc56422192b4e9792f88120ada6a7116402668c2
Instruction Fuzzy Hash: 7A3162E7F355BA43EB7C4629CC55B2802919766770B8CE039DE4AC2F81E81EE641CF42

Function 00007FFE00361990 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50bf9d45b07f9fed7a8078693abee7f23351cad672a747608ffeb063cebe12d
Instruction ID: 49a069f2e02664e3eae4757018f63e197d567a8cbb49f244a9a61f54aa4d5beb
Opcode Fuzzy Hash: f50bf9d45b07f9fed7a8078693abee7f23351cad672a747608ffeb063cebe12d
Instruction Fuzzy Hash: 15515F33508AE18AD792DB64D448BEE7BA4F71D384F968471CBAC87712DBB5D890D700

Function 00007FFE00361730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860bab9d395cf43ed3b1cf56782110bfed2c0c3dddb8109515e6473b81413bd7
Instruction ID: 2117763fe7a45b020953ad044ed271be7307b9d089340d90c3543a609de555ac
Opcode Fuzzy Hash: 860bab9d395cf43ed3b1cf56782110bfed2c0c3dddb8109515e6473b81413bd7
Instruction Fuzzy Hash: DF518E73508AE186E792DB64D448BEE7BA4F719384F568471CBEC83702DBA5D990C700

Function 00007FFE003833E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf754ad211c098a8f34c6fa0d70b3b75da22e1392d81fac143d3245663dd1af9
Instruction ID: fe67c5504539092032c4d37bf1c9c60c2dc4cca9c3ba151d8188853d2db2a232
Opcode Fuzzy Hash: bf754ad211c098a8f34c6fa0d70b3b75da22e1392d81fac143d3245663dd1af9
Instruction Fuzzy Hash: 5F41B4A673C1B253F3368718E001D2EF7A1FB52FC1B54A210DBA412FA8966AD658DF10

Function 00007FFE003A4330 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b6c65e6f8fbbfa1a7d368a2725116908e408c53695cc2cda4a45b28fc02054
Instruction ID: de270ee9d35940e104c8f6964eefd03ae43f6eac6805ccfdf34b1451ef42b6dd
Opcode Fuzzy Hash: 51b6c65e6f8fbbfa1a7d368a2725116908e408c53695cc2cda4a45b28fc02054
Instruction Fuzzy Hash: 6A417F731046648BD341CF2AE980A9AB7E2F398B4CFA5D225DF4257356D739E907CB80

Function 00007FFE0036B460 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b83fdb0131200dfce48832797b5ce1ee65e01df28847898595a6ba08a50e8d6
Instruction ID: f85ecf0f847092dd37d60e5f5d870697c6ab09b03ee84e1951aa54e2c87a594b
Opcode Fuzzy Hash: 1b83fdb0131200dfce48832797b5ce1ee65e01df28847898595a6ba08a50e8d6
Instruction Fuzzy Hash: 782150E7F3086A07EB78427DEC16F1405C255B977434CE136EA06D6F85F42EEA524A83

Function 00007FFE00382D20 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9accf3f83477c77ce7ab5b6679156a875be267288f965f0b915796913070d0d7
Instruction ID: 7eed5754b1834e89ad7b281dee9995115732208a055216060500222a49c2bc36
Opcode Fuzzy Hash: 9accf3f83477c77ce7ab5b6679156a875be267288f965f0b915796913070d0d7
Instruction Fuzzy Hash: 1121299B7315F903FB010ABE6D056759982A188BF73499732ECA8E77CDC478DC519290

Function 00007FFE00382BF0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a414ea0c491aecb8e1acee4f50acb857c601688e8d49eddf1fb7be55f6bcb7eb
Instruction ID: 7a5d0e89ee220409aea0cd3b8462f96d225d0e593cd00c887ba69c6791ff7a16
Opcode Fuzzy Hash: a414ea0c491aecb8e1acee4f50acb857c601688e8d49eddf1fb7be55f6bcb7eb
Instruction Fuzzy Hash: 7F213E9FF656BA03FB1846AF6C412786280E648BF63489732DDDDE77CAD47C890291D0

Function 00007FFE0036C1A0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f149c23a356f76f238516a0c29d6d6da4b78dcaf03ebe63ea6bb4be2698659
Instruction ID: bdb6f419b3bb62e949d68bff6274991888e31a23df9c8eb6221f3e0994142c3b
Opcode Fuzzy Hash: 13f149c23a356f76f238516a0c29d6d6da4b78dcaf03ebe63ea6bb4be2698659
Instruction Fuzzy Hash: C321A3FBF380A642EF76472DE400F2416416366BB4698E520CA4A83F95D91ADA429F02

Function 00007FFE0036D700 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e375ad6e9128b21d2b8073199f54bc1e05150e57f45dacb5095166fe167bd8
Instruction ID: a758cb3846fca0b75f38809cb23a1bc5cc35dfac2ec72c5e22d073ea61e23d9f
Opcode Fuzzy Hash: b6e375ad6e9128b21d2b8073199f54bc1e05150e57f45dacb5095166fe167bd8
Instruction Fuzzy Hash: 57213673B708AA4BD7508779E846F956A90E3A1B4CF98E631E715D3E80D13EE092C740

Function 00007FFE0036D8D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333bc48ed0cd00a2d1b15b774f25581d7625ddc281499ec81eb7566562b50259
Instruction ID: f0819b1df79dd4d6237304390fcf2b0d9e2665c69495c1b625683c2a6cbe57ba
Opcode Fuzzy Hash: 333bc48ed0cd00a2d1b15b774f25581d7625ddc281499ec81eb7566562b50259
Instruction Fuzzy Hash: 63118FB3B324B20BD7489ABCCC0A3A932C3D3C8746F9CC534E745CAA89D63CE2519604

Function 00007FFE0036B5C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c7e682ef6fe0021f165804b69b7812e3084bd1803e36f36abadd25f99cf90a
Instruction ID: c79030a26107fe809ddaee3605ef15dfa7bf1484dca033b9b75ddf7a03ca939a
Opcode Fuzzy Hash: 48c7e682ef6fe0021f165804b69b7812e3084bd1803e36f36abadd25f99cf90a
Instruction Fuzzy Hash: 84118ED7F359AB03EB60462DCC42714428297A97B178CE432ED09C6F59F83DE6918A42

Function 00007FFE0036B790 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921da5e6bee8a79c60022e540b3013bc24987b6f10c9384b169f9994f4f13c7f
Instruction ID: af8f4e21a5bffc151cc4015f0ae81b52c18ea40c6cf6b389e8d032898902ca9a
Opcode Fuzzy Hash: 921da5e6bee8a79c60022e540b3013bc24987b6f10c9384b169f9994f4f13c7f
Instruction Fuzzy Hash: AB115EF7F340BA03EB7C015AE822F7846455271BA888CE03DDE0B53F81E81E56404F82

Function 00007FFE0036DEF0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8c63fbc3d1884eef626a7aef42dd066a5768f9b76b144cbd0180c709170efd
Instruction ID: 5f6bd66e430d0f97a3fb6db71db4518ed2e2c5ba0c0aac393552d459991e4d81
Opcode Fuzzy Hash: 5b8c63fbc3d1884eef626a7aef42dd066a5768f9b76b144cbd0180c709170efd
Instruction Fuzzy Hash: 9411D672F140928BEA96C629D858ABC37D1E784344F86C136DB079A78CD72CA945D790

Function 00007FFE0036B8D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87362e0b0484954b111388de62736d52838e743fda6cb01bb5a4730a87f793d9
Instruction ID: 72abdb8925d3c0dfb257656b5252bf1ea48579de7b669352487fd96ea053bf6c
Opcode Fuzzy Hash: 87362e0b0484954b111388de62736d52838e743fda6cb01bb5a4730a87f793d9
Instruction Fuzzy Hash: D4017CE3F3186A03DB64867DCC0670441C396F877178CD031A904C6F89F93EE6418A42

Function 00007FFE0036B380 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b36b57bc46747f380974be252968c61105f93df6c2abcd15431a709e92770c1
Instruction ID: 14bd2cacf1174b1c4f3da44626b05ac20a3ec18444f4115fae820648a13c1207
Opcode Fuzzy Hash: 7b36b57bc46747f380974be252968c61105f93df6c2abcd15431a709e92770c1
Instruction Fuzzy Hash: 43F0B7D7F3685A03EB5C456DDC1631401C391E823238DD13ABA47C6B8AF839EA968643

Function 00007FFE003699C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dde2236b060dd472fafee045e56aa39d7b712360777964fc0ed02c3a9815e90
Instruction ID: f5d4e44c405854f04c7eba98a6bb08e23d9f84482e0824b39d559204d10afdfa
Opcode Fuzzy Hash: 3dde2236b060dd472fafee045e56aa39d7b712360777964fc0ed02c3a9815e90
Instruction Fuzzy Hash: E3F0AFD9231BB64BE911A69990D07D69721F30CBC6B70A622DF4D2B735CA13A10BCA00

Function 00007FFE1A528C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52913D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529175
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A5291AF

Strings

__int16, xrefs: 00007FFE1A528E1C
short, xrefs: 00007FFE1A528CE0
const, xrefs: 00007FFE1A528FDD
int, xrefs: 00007FFE1A528CCE
__w64 , xrefs: 00007FFE1A528E3A
__int64, xrefs: 00007FFE1A528EC9
char8_t, xrefs: 00007FFE1A528F2D
__int128, xrefs: 00007FFE1A528EB7
bool, xrefs: 00007FFE1A529056
long, xrefs: 00007FFE1A528CBC
wchar_t, xrefs: 00007FFE1A5290A8
auto, xrefs: 00007FFE1A528F3F
long , xrefs: 00007FFE1A528D31
char, xrefs: 00007FFE1A528CF2
UNKNOWN, xrefs: 00007FFE1A52908D
__int32, xrefs: 00007FFE1A528EDB
double, xrefs: 00007FFE1A528D48
unsigned , xrefs: 00007FFE1A5290FA
void, xrefs: 00007FFE1A528D86
char32_t, xrefs: 00007FFE1A5290B7
signed , xrefs: 00007FFE1A52910A
decltype(auto), xrefs: 00007FFE1A5290C6
<unknown>, xrefs: 00007FFE1A528F1B
volatile, xrefs: 00007FFE1A529025
volatile, xrefs: 00007FFE1A528FF8
float, xrefs: 00007FFE1A528D74
__int8, xrefs: 00007FFE1A528E2E
char16_t, xrefs: 00007FFE1A529065

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction ID: 2a85a979f7a0deb5460ed37b7c1043d3ad92640ab528afb4a6f7e88fb2f3aaa8
Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction Fuzzy Hash: 98F16A62B0CE16C4F7158BE6D8942BC26B2BF52BA4F4045F7DA0D56AB8DF3DA604C340

Function 00007FF7EC5025C0 Relevance: 51.0, APIs: 6, Strings: 23, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7EC502570: printf.MSPDB140-MSVCRT ref: 00007FF7EC502587

Part of subcall function 00007FF7EC502530: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,00000000,00007FF7EC502617,?,?,?,00007FF7EC501BD6,?,?,?,00007FF7EC501A02), ref: 00007FF7EC502552

puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7EC501BD6,?,?,?,00007FF7EC501A02), ref: 00007FF7EC5028DF

Strings

video chroma sample location, xrefs: 00007FF7EC50276D
audio codec, xrefs: 00007FF7EC502809
video height, xrefs: 00007FF7EC5026D7
video track count, xrefs: 00007FF7EC502601
Invalid number of video tracks, xrefs: 00007FF7EC5028D8
video color primaries, xrefs: 00007FF7EC5026F5
stream key, xrefs: 00007FF7EC502872
video color range, xrefs: 00007FF7EC50274F
video codec, xrefs: 00007FF7EC50267D
Invalid number of audio tracks, xrefs: 00007FF7EC502652
video colorspace, xrefs: 00007FF7EC502731
{stream_key}, xrefs: 00007FF7EC502897
video fps num, xrefs: 00007FF7EC5027A9
audio track count, xrefs: 00007FF7EC50261F
Must have at least 1 audio track or 1 video track, xrefs: 00007FF7EC50266A
muxer settings, xrefs: 00007FF7EC5028BA
video codec tag, xrefs: 00007FF7EC5027DE
file name, xrefs: 00007FF7EC5025E1
video bitrate, xrefs: 00007FF7EC50269B
video max luminance, xrefs: 00007FF7EC50278B
video width, xrefs: 00007FF7EC5026B9
video color trc, xrefs: 00007FF7EC502713
video fps den, xrefs: 00007FF7EC5027C7

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: atoiprintfputs
String ID: Invalid number of audio tracks$Invalid number of video tracks$Must have at least 1 audio track or 1 video track$audio codec$audio track count$file name$muxer settings$stream key$video bitrate$video chroma sample location$video codec$video codec tag$video color primaries$video color range$video color trc$video colorspace$video fps den$video fps num$video height$video max luminance$video track count$video width${stream_key}
API String ID: 3402752964-4246942696
Opcode ID: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
Instruction ID: 92f5c6de1cf58a8d7455fc221238e017870e31ac73ba80bd3e2363f3768a43fa
Opcode Fuzzy Hash: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
Instruction Fuzzy Hash: 07815F6C90875691FA24FF51AA166F89351BF09788FE14433DD0D87696BF3CE106C326

Function 00007FF7EC501C50 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC501C70
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC501C8E
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC501C9E

Part of subcall function 00007FF7EC502320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF7EC5029D8,?,?,?,00007FF7EC5012F1), ref: 00007FF7EC502357

os_event_wait.OBS ref: 00007FF7EC501CEF
pthread_mutex_lock.W32-PTHREADS ref: 00007FF7EC501D0F
memcpy.VCRUNTIME140 ref: 00007FF7EC501D5D
memcpy.VCRUNTIME140 ref: 00007FF7EC501D76
memcpy.VCRUNTIME140 ref: 00007FF7EC501E2D
memcpy.VCRUNTIME140 ref: 00007FF7EC501E48
os_event_signal.OBS ref: 00007FF7EC501EB8
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC50200F

Strings

Error writing to '%s', %s, xrefs: 00007FF7EC501FC3
Error allocating memory for output, xrefs: 00007FF7EC501C97

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$__acrt_iob_func__stdio_common_vfprintffclosefprintfmallocos_event_signalos_event_waitpthread_mutex_lock
String ID: Error allocating memory for output$Error writing to '%s', %s
API String ID: 2637689336-4070097938
Opcode ID: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
Instruction ID: fb281410550bf7409e9fd605b61a7bd5f2cf1b7402382056f0cd38833581cc35
Opcode Fuzzy Hash: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
Instruction Fuzzy Hash: 25A16236619A8285F711AF21D4423FEA760FB48B8CFA40036EE8D97759EF78D144C722

Function 00007FFE1A4F8C00 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 105COMMON

Download Yara Rule

APIs

av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8C44
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8C63
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8C82
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8CA3
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8CC4
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8CE5
av_get_channel_layout_nb_channels.AVUTIL-58 ref: 00007FFE1A4F8CFE
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8D15
av_get_channel_layout_nb_channels.AVUTIL-58 ref: 00007FFE1A4F8D2A
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8D41
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4F8D5C
av_log.AVUTIL-58 ref: 00007FFE1A4F8D9C

Strings

ich, xrefs: 00007FFE1A4F8D0B
och, xrefs: 00007FFE1A4F8D37
isr, xrefs: 00007FFE1A4F8CDE
icl, xrefs: 00007FFE1A4F8C9C
isf, xrefs: 00007FFE1A4F8CBD
uch, xrefs: 00007FFE1A4F8D55
osf, xrefs: 00007FFE1A4F8C5C
osr, xrefs: 00007FFE1A4F8C7B
Failed to set option, xrefs: 00007FFE1A4F8D90
ocl, xrefs: 00007FFE1A4F8C2B

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_opt_set_int$av_get_channel_layout_nb_channels$av_log
String ID: Failed to set option$ich$icl$isf$isr$och$ocl$osf$osr$uch
API String ID: 2637049493-2814753009
Opcode ID: 0f1e360016396a0d2e4be37984f8ca9eacfdb0712dded5c64320b3a02cc610f5
Instruction ID: 8ec10962df84eb075e0c041fd8ced74ddd414d40c0e9c67d00d46b568dc3a102
Opcode Fuzzy Hash: 0f1e360016396a0d2e4be37984f8ca9eacfdb0712dded5c64320b3a02cc610f5
Instruction Fuzzy Hash: 98414C22B0DF4241FA10AB17F6906BE16A0EF96BA4F4410F2DF4C8BA65EE2CE441C700

Function 00007FFE00370410 Relevance: 36.1, APIs: 24, Instructions: 131COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE0037043E
_aligned_free.MSVCRT ref: 00007FFE00370475
_aligned_free.MSVCRT ref: 00007FFE003704AD
_aligned_free.MSVCRT ref: 00007FFE003704DD
_aligned_free.MSVCRT ref: 00007FFE0037050D
_aligned_free.MSVCRT ref: 00007FFE00370528
_aligned_free.MSVCRT ref: 00007FFE00370531
_aligned_free.MSVCRT ref: 00007FFE0037053A
_aligned_free.MSVCRT ref: 00007FFE00370542
_aligned_free.MSVCRT ref: 00007FFE0037054A
_aligned_free.MSVCRT ref: 00007FFE00370553
_aligned_free.MSVCRT ref: 00007FFE0037055C
_aligned_free.MSVCRT ref: 00007FFE00370564
_aligned_free.MSVCRT ref: 00007FFE0037056C
_aligned_free.MSVCRT ref: 00007FFE00370575
_aligned_free.MSVCRT ref: 00007FFE0037057E
_aligned_free.MSVCRT ref: 00007FFE00370586
_aligned_free.MSVCRT ref: 00007FFE0037058F
_aligned_free.MSVCRT ref: 00007FFE00370598
_aligned_free.MSVCRT ref: 00007FFE003705A1
_aligned_free.MSVCRT ref: 00007FFE003705A9
_aligned_free.MSVCRT ref: 00007FFE003705B2
_aligned_free.MSVCRT ref: 00007FFE003705BC
_aligned_free.MSVCRT ref: 00007FFE003705C6

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: b1b7e4f8b11abefead583c2dde418006ab1f199e84be47299285f48100eacfdc
Instruction ID: 91bab3d133234d2391b2a364258c2fad9244954140a8915d73ebf0b0dc1678c1
Opcode Fuzzy Hash: b1b7e4f8b11abefead583c2dde418006ab1f199e84be47299285f48100eacfdc
Instruction Fuzzy Hash: 2A511126B1D64182DA66EB12D8959BE2726FFC4F44B1544B5EF1D473AACE2CE401C780

Function 00007FFE1A4FB2B0 Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

av_channel_layout_from_mask.AVUTIL-58 ref: 00007FFE1A4FB314
av_channel_layout_copy.AVUTIL-58 ref: 00007FFE1A4FB32F
av_opt_set_chlayout.AVUTIL-58 ref: 00007FFE1A4FB34F
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB370
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB394
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A4FB3D2
av_channel_layout_from_mask.AVUTIL-58 ref: 00007FFE1A4FB3E1
av_opt_set_chlayout.AVUTIL-58 ref: 00007FFE1A4FB3F6
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB413
av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB433
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A4FB477

Strings

osr, xrefs: 00007FFE1A4FB429
osf, xrefs: 00007FFE1A4FB409
isr, xrefs: 00007FFE1A4FB38A
ochl, xrefs: 00007FFE1A4FB3EC
ichl, xrefs: 00007FFE1A4FB345
isf, xrefs: 00007FFE1A4FB366
Failed to set option, xrefs: 00007FFE1A4FB460

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_opt_set_int$av_channel_layout_from_maskav_channel_layout_uninitav_opt_set_chlayout$av_channel_layout_copy
String ID: Failed to set option$ichl$isf$isr$ochl$osf$osr
API String ID: 389780152-1201144049
Opcode ID: c1b362974a6b1451826b30618634720778a4b9fcb98fd731a30a779224ad2209
Instruction ID: 0775a0ca9f41a5e4905338384d3ec2bba56ae044ef4edef414ada3902864a380
Opcode Fuzzy Hash: c1b362974a6b1451826b30618634720778a4b9fcb98fd731a30a779224ad2209
Instruction Fuzzy Hash: 9F419D61B08F4381EA11962BA2607FA1351FF06FE8F8460F3CE0D4A265EE7DE809C240

Function 00007FFE00398800 Relevance: 34.6, APIs: 12, Strings: 11, Instructions: 88stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00398813
strcmp.MSVCRT ref: 00007FFE0039882A
strcmp.MSVCRT ref: 00007FFE00398841
strcmp.MSVCRT ref: 00007FFE00398858
strcmp.MSVCRT ref: 00007FFE0039886F
strcmp.MSVCRT ref: 00007FFE00398886
strcmp.MSVCRT ref: 00007FFE0039889D
strcmp.MSVCRT ref: 00007FFE003988B4
strcmp.MSVCRT ref: 00007FFE003988CB
strcmp.MSVCRT ref: 00007FFE003988DE
strcmp.MSVCRT ref: 00007FFE003988F1
strcmp.MSVCRT ref: 00007FFE00398904

Strings

fltp, xrefs: 00007FFE003988C4
flt, xrefs: 00007FFE00398851
s32, xrefs: 00007FFE0039883A
dblp, xrefs: 00007FFE003988D7
u8p, xrefs: 00007FFE0039887F
s32p, xrefs: 00007FFE003988AD
s64, xrefs: 00007FFE003988EA
s16, xrefs: 00007FFE00398823
dbl, xrefs: 00007FFE00398868
s16p, xrefs: 00007FFE00398896
s64p, xrefs: 00007FFE003988FD

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: dbl$dblp$flt$fltp$s16$s16p$s32$s32p$s64$s64p$u8p
API String ID: 1004003707-1774405992
Opcode ID: c5f0c382e97445bf1fdad9ea523356781cb8596a76fcd8cb5a790a5f3faa4372
Instruction ID: 66355e6dca9755aa84de3a47d7cb42f02cbe33e55579a010379880b049380756
Opcode Fuzzy Hash: c5f0c382e97445bf1fdad9ea523356781cb8596a76fcd8cb5a790a5f3faa4372
Instruction Fuzzy Hash: 4931E750F0C14384FE529722D9553BA1341AF92388F885432DB9DCA3FDEE5CEA44D31A

Function 00007FFE1A4F7650 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 309COMMON

Download Yara Rule

APIs

av_freep.AVUTIL-58 ref: 00007FFE1A4F7784
av_freep.AVUTIL-58 ref: 00007FFE1A4F7791
av_mallocz.AVUTIL-58 ref: 00007FFE1A4F779B
av_get_bytes_per_sample.AVUTIL-58 ref: 00007FFE1A4F77BB
av_calloc.AVUTIL-58 ref: 00007FFE1A4F782F
memcpy.MSVCRT ref: 00007FFE1A4F78D1
memcpy.MSVCRT ref: 00007FFE1A4F7905
av_reduce.AVUTIL-58 ref: 00007FFE1A4F7934

Strings

Filter length too large, xrefs: 00007FFE1A4F79E2
src/libswresample/resample.c, xrefs: 00007FFE1A4F7B03
Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F7B1A
Unsupported sample format, xrefs: 00007FFE1A4F7AF0

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_freepmemcpy$av_callocav_get_bytes_per_sampleav_malloczav_reduce
String ID: Assertion %s failed at %s:%d$Filter length too large$Unsupported sample format$src/libswresample/resample.c
API String ID: 2174235161-2726094951
Opcode ID: c5a204f5f4996df374bfc84a6a3db035d48d9563b93a9ca167c4fa16f58e0cf6
Instruction ID: 7316bd15e87445b33df8388322d19082607f00a74f4d59d4f535d54f826a6e04
Opcode Fuzzy Hash: c5a204f5f4996df374bfc84a6a3db035d48d9563b93a9ca167c4fa16f58e0cf6
Instruction Fuzzy Hash: 57D1F872A08F818AD765CB29D1403BD7394FB45B91F1093B7DA4AA76A1DF3CE445CB00

Function 00007FFE00376890 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFE00376903
MultiByteToWideChar.KERNEL32 ref: 00007FFE00376945
GetFullPathNameW.KERNEL32 ref: 00007FFE0037696E
GetFullPathNameW.KERNEL32 ref: 00007FFE003769A2
wcslen.MSVCRT ref: 00007FFE003769C1
_wsopen.MSVCRT ref: 00007FFE003769EB
_sopen.MSVCRT ref: 00007FFE00376A15
wcslen.MSVCRT ref: 00007FFE00376A98
wcscpy.MSVCRT ref: 00007FFE00376AE5
wcscat.MSVCRT ref: 00007FFE00376AF0
_errno.MSVCRT ref: 00007FFE00376B77
wcscpy.MSVCRT ref: 00007FFE00376BB8
wcscat.MSVCRT ref: 00007FFE00376BC4
_errno.MSVCRT ref: 00007FFE00376BCE
_errno.MSVCRT ref: 00007FFE00376BE3

Strings

\\?\UNC\, xrefs: 00007FFE00376BAE
\\?\, xrefs: 00007FFE00376ADB

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno$ByteCharFullMultiNamePathWidewcscatwcscpywcslen$_sopen_wsopen
String ID: \\?\$\\?\UNC\
API String ID: 2611099503-3019864461
Opcode ID: 8b58886237893d285495af4019e8dee8374e10659ea7d6d5ad0572367657074e
Instruction ID: 5a3403a5d2dc30ae85a40064836df5c1c1596e60e1735a2ecf04bcec12766c75
Opcode Fuzzy Hash: 8b58886237893d285495af4019e8dee8374e10659ea7d6d5ad0572367657074e
Instruction Fuzzy Hash: 8171C121A18A4280EAB6AB12A42677A27D1FF85790F948135EF5E577FDEF3CE440C700

Function 00007FFE0037E100 Relevance: 30.1, APIs: 2, Strings: 15, Instructions: 302stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00007FFE0037E144
strtol.MSVCRT ref: 00007FFE0037E178

Strings

%s failed, xrefs: 00007FFE0037E3C0, 00007FFE0037E5E3
Using CUDA primary device context, xrefs: 00007FFE0037E430
-> %s: %s, xrefs: 00007FFE0037E3ED, 00007FFE0037E610
cu->cuDevicePrimaryCtxRetain(&hwctx->cuda_ctx, hwctx->internal->cuda_device), xrefs: 00007FFE0037E366, 00007FFE0037E3AF
Could not dynamically load CUDA, xrefs: 00007FFE0037E48E
primary_ctx, xrefs: 00007FFE0037E127
cu->cuDeviceGet(&hwctx->internal->cuda_device, device_idx), xrefs: 00007FFE0037E1EA, 00007FFE0037E57C
Disabling use of CUDA primary device context, xrefs: 00007FFE0037E151
cu->cuCtxPopCurrent(&dummy), xrefs: 00007FFE0037E295, 00007FFE0037E5DC
Primary context already active with incompatible flags., xrefs: 00007FFE0037E520
cu->cuCtxCreate(&hwctx->cuda_ctx, desired_flags, hwctx->internal->cuda_device), xrefs: 00007FFE0037E258, 00007FFE0037E59C
cu->cuDevicePrimaryCtxGetState(hwctx->internal->cuda_device, &dev_flags, &dev_active), xrefs: 00007FFE0037E308, 00007FFE0037E5BC
Calling %s, xrefs: 00007FFE0037E1AE, 00007FFE0037E1F1, 00007FFE0037E25F, 00007FFE0037E29C, 00007FFE0037E30F, 00007FFE0037E36D, 00007FFE0037E4D2
cu->cuInit(0), xrefs: 00007FFE0037E1A7, 00007FFE0037E555
cu->cuDevicePrimaryCtxSetFlags(hwctx->internal->cuda_device, desired_flags), xrefs: 00007FFE0037E4CB, 00007FFE0037E514

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strtol
String ID: -> %s: %s$%s failed$Calling %s$Could not dynamically load CUDA$Disabling use of CUDA primary device context$Primary context already active with incompatible flags.$Using CUDA primary device context$cu->cuCtxCreate(&hwctx->cuda_ctx, desired_flags, hwctx->internal->cuda_device)$cu->cuCtxPopCurrent(&dummy)$cu->cuDeviceGet(&hwctx->internal->cuda_device, device_idx)$cu->cuDevicePrimaryCtxGetState(hwctx->internal->cuda_device, &dev_flags, &dev_active)$cu->cuDevicePrimaryCtxRetain(&hwctx->cuda_ctx, hwctx->internal->cuda_device)$cu->cuDevicePrimaryCtxSetFlags(hwctx->internal->cuda_device, desired_flags)$cu->cuInit(0)$primary_ctx
API String ID: 76114499-3193254869
Opcode ID: b1d8503496d87b39853df48a8e21de1adfc12c32e64f3833a9af2b5287376059
Instruction ID: 35792d3e7878484e0f31aa3e8a08fdd3732c03ccec8cde4f43181c8215081dfc
Opcode Fuzzy Hash: b1d8503496d87b39853df48a8e21de1adfc12c32e64f3833a9af2b5287376059
Instruction Fuzzy Hash: 90D16D25708B4692EA6ADB21E4007AE6361FB89798FC05472DF4E177B9DF3DE849C300

Function 00007FFE00368700 Relevance: 28.9, APIs: 12, Strings: 7, Instructions: 414stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00007FFE003687CB

Strings

, xrefs: 00007FFE003689A7, 00007FFE003689C5, 00007FFE00368AB7, 00007FFE00368AD6
<, xrefs: 00007FFE00368742
'\'', xrefs: 00007FFE003688BB
&, xrefs: 00007FFE00368926, 00007FFE00368C88, 00007FFE00368CA0
", xrefs: 00007FFE00368771, 00007FFE00368DC8
>, xrefs: 00007FFE00368753
', xrefs: 00007FFE00368C16

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strchr
String ID: $&$'$>$<$"$'\''
API String ID: 2830005266-2908976646
Opcode ID: 58878a93e8017a577d70043575bf448a998ddca24cee1ed7eb6ac7db7c468040
Instruction ID: 794df230ca6fcd902849a3c9bbd84c3ac108e9d603f37cc6040c9ea4625a584f
Opcode Fuzzy Hash: 58878a93e8017a577d70043575bf448a998ddca24cee1ed7eb6ac7db7c468040
Instruction Fuzzy Hash: 62E1BB10F5C66344FE66971294513BA1B926F5AB89F88C136CF0D0B3FECE6EB9468341

Function 00007FFE00370BA0 Relevance: 28.6, APIs: 19, Instructions: 115COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE00370BD6
_aligned_free.MSVCRT ref: 00007FFE00370C0D
_aligned_free.MSVCRT ref: 00007FFE00370C3D
_aligned_free.MSVCRT ref: 00007FFE00370C6D
_aligned_free.MSVCRT ref: 00007FFE00370C89
_aligned_free.MSVCRT ref: 00007FFE00370C92
_aligned_free.MSVCRT ref: 00007FFE00370C9B
_aligned_free.MSVCRT ref: 00007FFE00370CA3
_aligned_free.MSVCRT ref: 00007FFE00370CAB
_aligned_free.MSVCRT ref: 00007FFE00370CB4
_aligned_free.MSVCRT ref: 00007FFE00370CBD
_aligned_free.MSVCRT ref: 00007FFE00370CC5
_aligned_free.MSVCRT ref: 00007FFE00370CCE
_aligned_free.MSVCRT ref: 00007FFE00370CD7
_aligned_free.MSVCRT ref: 00007FFE00370CE0
_aligned_free.MSVCRT ref: 00007FFE00370CE8
_aligned_free.MSVCRT ref: 00007FFE00370CF1
_aligned_free.MSVCRT ref: 00007FFE00370CFB
_aligned_free.MSVCRT ref: 00007FFE00370D05

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: d09f3d952e3eb66ce5eccd33bd3b0168fb06931170680be69507253bbd36f74d
Instruction ID: e17adb2e05fda3a310f27238d087186aaac631b5e5f0f1a4484e008470f4de75
Opcode Fuzzy Hash: d09f3d952e3eb66ce5eccd33bd3b0168fb06931170680be69507253bbd36f74d
Instruction Fuzzy Hash: 83414126B1960282EA57EB12D8D997E2716FFC4F44B1645B5EF2D473AACE3CE441C380

Function 00007FFE00376650 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE00376890: MultiByteToWideChar.KERNEL32 ref: 00007FFE00376903
Part of subcall function 00007FFE00376890: MultiByteToWideChar.KERNEL32 ref: 00007FFE00376945
Part of subcall function 00007FFE00376890: GetFullPathNameW.KERNEL32 ref: 00007FFE0037696E
Part of subcall function 00007FFE00376890: GetFullPathNameW.KERNEL32 ref: 00007FFE003769A2
Part of subcall function 00007FFE00376890: wcslen.MSVCRT ref: 00007FFE003769C1
Part of subcall function 00007FFE00376890: _wsopen.MSVCRT ref: 00007FFE003769EB
Part of subcall function 00007FFE00376890: _sopen.MSVCRT ref: 00007FFE00376A15

_fstat64.MSVCRT ref: 00007FFE003766AE
_close.MSVCRT ref: 00007FFE003766D7
_get_osfhandle.MSVCRT ref: 00007FFE003766F3
CreateFileMappingA.KERNEL32 ref: 00007FFE00376718
MapViewOfFile.KERNEL32 ref: 00007FFE00376741
CloseHandle.KERNEL32 ref: 00007FFE0037674D
_errno.MSVCRT ref: 00007FFE00376768
_errno.MSVCRT ref: 00007FFE003767B0
_close.MSVCRT ref: 00007FFE003767F1

Strings

Error occurred in fstat(): %s, xrefs: 00007FFE003767DD
Error occurred in MapViewOfFile(), xrefs: 00007FFE00376831
Error occurred in CreateFileMapping(), xrefs: 00007FFE00376800
Cannot read file '%s': %s, xrefs: 00007FFE0037679A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ByteCharFileFullMultiNamePathWide_close_errno$CloseCreateHandleMappingView_fstat64_get_osfhandle_sopen_wsopenwcslen
String ID: Cannot read file '%s': %s$Error occurred in CreateFileMapping()$Error occurred in MapViewOfFile()$Error occurred in fstat(): %s
API String ID: 741575255-3109280323
Opcode ID: 7267cfeadb9c871bf9fb2dec6a57e72c4003b2fad726f8657ee3e356bb816377
Instruction ID: f58cd3614fcd2e1019302023aff3dc0ae360349e8b4309bfc5714e18e3411e92
Opcode Fuzzy Hash: 7267cfeadb9c871bf9fb2dec6a57e72c4003b2fad726f8657ee3e356bb816377
Instruction Fuzzy Hash: C2415E31B08B8692FB669B21E4157AA6398FF88788F844535EB4E07BA9DF3DD405C740

Function 00007FF7EC501A40 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 87stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7EC501A6D

Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50204A
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502065
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502080
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50209B
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC5020B6

avformat_network_init.AVFORMAT-60 ref: 00007FF7EC501A85
av_guess_format.AVFORMAT-60 ref: 00007FF7EC501AAF
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC501ABC
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC501AD0
avformat_alloc_output_context2.AVFORMAT-60 ref: 00007FF7EC501AEC
av_strerror.AVUTIL-58 ref: 00007FF7EC501B19
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC501B23
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC501B38

Part of subcall function 00007FF7EC502910: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7EC501B4C), ref: 00007FF7EC502939

Part of subcall function 00007FF7EC502370: avcodec_free_context.AVCODEC-60 ref: 00007FF7EC502388
Part of subcall function 00007FF7EC502370: av_free.AVUTIL-58 ref: 00007FF7EC5023B1
Part of subcall function 00007FF7EC502370: avio_context_free.AVFORMAT-60 ref: 00007FF7EC5023BD
Part of subcall function 00007FF7EC502370: avformat_free_context.AVFORMAT-60 ref: 00007FF7EC5023CC
Part of subcall function 00007FF7EC502370: avcodec_free_context.AVCODEC-60 ref: 00007FF7EC502402
Part of subcall function 00007FF7EC502370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC502415

Strings

mpegts, xrefs: 00007FF7EC501A92
video/M2PT, xrefs: 00007FF7EC501A9C
Couldn't initialize output context: %s, xrefs: 00007FF7EC501B31
http, xrefs: 00007FF7EC501A5C
Couldn't find an appropriate muxer for '%s', xrefs: 00007FF7EC501AC6

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strncmp$__acrt_iob_funcavcodec_free_contextfprintf$av_freeav_guess_formatav_strerroravformat_alloc_output_context2avformat_free_contextavformat_network_initavio_context_freecallocfree
String ID: Couldn't find an appropriate muxer for '%s'$Couldn't initialize output context: %s$http$mpegts$video/M2PT
API String ID: 3777911973-2524251934
Opcode ID: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
Instruction ID: a2e01d0234afd1d61d1da5f1ce7fceae28ab0c42aa5de127095a615297900619
Opcode Fuzzy Hash: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
Instruction Fuzzy Hash: 5C319319A1864242FB24BB2594133BAA350AF8979CFF05237ED5D86296FF3CE444C722

Function 00007FFE1A4FB4A0 Relevance: 24.2, APIs: 16, Instructions: 234COMMON

Download Yara Rule

APIs

av_channel_layout_from_mask.AVUTIL-58 ref: 00007FFE1A4FB5AA
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A4FB5B6
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A4FB606
av_channel_layout_from_mask.AVUTIL-58 ref: 00007FFE1A4FB615
av_channel_layout_compare.AVUTIL-58 ref: 00007FFE1A4FB621
av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A4FB649

Part of subcall function 00007FFE1A4FB2B0: av_channel_layout_from_mask.AVUTIL-58 ref: 00007FFE1A4FB314
Part of subcall function 00007FFE1A4FB2B0: av_opt_set_chlayout.AVUTIL-58 ref: 00007FFE1A4FB34F
Part of subcall function 00007FFE1A4FB2B0: av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB370
Part of subcall function 00007FFE1A4FB2B0: av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB394
Part of subcall function 00007FFE1A4FB2B0: av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A4FB3D2
Part of subcall function 00007FFE1A4FB2B0: av_channel_layout_from_mask.AVUTIL-58 ref: 00007FFE1A4FB3E1
Part of subcall function 00007FFE1A4FB2B0: av_opt_set_chlayout.AVUTIL-58 ref: 00007FFE1A4FB3F6
Part of subcall function 00007FFE1A4FB2B0: av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB413
Part of subcall function 00007FFE1A4FB2B0: av_opt_set_int.AVUTIL-58 ref: 00007FFE1A4FB433
Part of subcall function 00007FFE1A4FB2B0: av_channel_layout_uninit.AVUTIL-58 ref: 00007FFE1A4FB477

Part of subcall function 00007FFE1A505F8E: av_log.AVUTIL-58 ref: 00007FFE1A505FC9

av_frame_get_buffer.AVUTIL-58 ref: 00007FFE1A4FB706
av_get_bytes_per_sample.AVUTIL-58 ref: 00007FFE1A4FB74B
av_sample_fmt_is_planar.AVUTIL-58 ref: 00007FFE1A4FB763

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_from_maskav_channel_layout_uninitav_opt_set_int$av_channel_layout_compareav_opt_set_chlayout$av_frame_get_bufferav_get_bytes_per_sampleav_logav_sample_fmt_is_planar
String ID:
API String ID: 1741793059-0
Opcode ID: 5f9c736c55c51c0448996e1834cac8009cd8094c6cea8c5c45183c0897257ebe
Instruction ID: bad461dc1eae86d18a8808764dd79263307ee1f4a47d79a3bc6606e4906cebb8
Opcode Fuzzy Hash: 5f9c736c55c51c0448996e1834cac8009cd8094c6cea8c5c45183c0897257ebe
Instruction Fuzzy Hash: E5918721B0CA428AFA559E3B95107BE62D5BF42FA5F4464F3DE0D572A5EE3CE8128700

Function 00007FFE1A52A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A88D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A969
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A9B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A9C3

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction ID: d5cc3458795ad514d52f46b9084db4c14b7fccf1bee96b18b579944a4fea0f06
Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction Fuzzy Hash: 16F14B72B0CA82DAE711DFA6D4901FC37A2AB46B58F4440F7EA4D67AA5DF38D509C340

Function 00007FFE1A52D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52D712

Strings

`generic-class-parameter-, xrefs: 00007FFE1A52D6C7
`template-type-parameter-, xrefs: 00007FFE1A52D6D0
`generic-method-parameter-, xrefs: 00007FFE1A52D6B7
nullptr, xrefs: 00007FFE1A52D3FA
NULL, xrefs: 00007FFE1A52D2D7

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
API String ID: 2943138195-2309034085
Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction ID: 68e47da8d77bff542cbedfb44235dddc4beb06a79f9df40df20250a802e8ebe6
Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction Fuzzy Hash: A0E17C63F0CE42C4FA149BE699941BC27A2AF56F64F5401F7DA0E26AB5DF7CA508C340

Function 00007FFE0038EA60 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 176stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0038EAAA
strchr.MSVCRT ref: 00007FFE0038EAE4
strlen.MSVCRT ref: 00007FFE0038EB01
strtoul.MSVCRT ref: 00007FFE0038EB65

Strings

random, xrefs: 00007FFE0038EB0A
Cannot find color '%s', xrefs: 00007FFE0038ED2A
Invalid 0xRRGGBB[AA] color string: '%s', xrefs: 00007FFE0038ED09
0123456789ABCDEFabcdef, xrefs: 00007FFE0038EC1C
bikeshed, xrefs: 00007FFE0038EB20
Invalid alpha value specifier '%s' in '%s', xrefs: 00007FFE0038ECF0

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen$strchrstrtoul
String ID: 0123456789ABCDEFabcdef$Cannot find color '%s'$Invalid 0xRRGGBB[AA] color string: '%s'$Invalid alpha value specifier '%s' in '%s'$bikeshed$random
API String ID: 643661298-1323625105
Opcode ID: 05b314dcd31ff43a5f327d01538bb3f4bf05cbc92719439464dceff93f7a60bd
Instruction ID: 17098d9bc3d08c2283c9cd63f784e59117a7b4062fc9b7d1e4de587ed7e64c87
Opcode Fuzzy Hash: 05b314dcd31ff43a5f327d01538bb3f4bf05cbc92719439464dceff93f7a60bd
Instruction Fuzzy Hash: 7171E512E1D78249FB63DB2194117BE6791AF82784F4492B1EB4E477FDDE6CE4448340

Function 00007FFE00384960 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 173COMMON

Download Yara Rule

APIs

SetConsoleTextAttribute.KERNEL32 ref: 00007FFE003849C2
GetStdHandle.KERNEL32 ref: 00007FFE00384A74
GetConsoleMode.KERNEL32 ref: 00007FFE00384A8F
GetConsoleScreenBufferInfo.KERNEL32 ref: 00007FFE00384AAF
getenv.MSVCRT ref: 00007FFE00384AD3
getenv.MSVCRT ref: 00007FFE00384AF2

Strings

AV_LOG_FORCE_NOCOLOR, xrefs: 00007FFE00384ACC
256color, xrefs: 00007FFE00384B29
AV_LOG_FORCE_256COLOR, xrefs: 00007FFE00384AEB
TERM, xrefs: 00007FFE00384A60
AV_LOG_FORCE_COLOR, xrefs: 00007FFE00384C10

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Console$getenv$AttributeBufferHandleInfoModeScreenText
String ID: 256color$AV_LOG_FORCE_256COLOR$AV_LOG_FORCE_COLOR$AV_LOG_FORCE_NOCOLOR$TERM
API String ID: 250312076-468416034
Opcode ID: 01025577c71988898b66c8b0eb027abf6c2326527978ea750917b74e8b6462d0
Instruction ID: 1f229c53e3c1f19cdfb2d634965e23ab429f1e7154f9e66347dffaa7d46f56a7
Opcode Fuzzy Hash: 01025577c71988898b66c8b0eb027abf6c2326527978ea750917b74e8b6462d0
Instruction Fuzzy Hash: D7716A21E1D74385FA62DB14E85027A23A0AF50770F840375DF6D06BF8EF3CA4958345

Function 00007FF7EC5014B0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

avcodec_descriptor_get_by_name.AVCODEC-60 ref: 00007FF7EC5014C9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC5014D9
av_memdup.AVUTIL-58 ref: 00007FF7EC50152F
avcodec_alloc_context3.AVCODEC-60 ref: 00007FF7EC501539
av_content_light_metadata_alloc.AVUTIL-58 ref: 00007FF7EC501610
av_stream_add_side_data.AVFORMAT-60 ref: 00007FF7EC50162B
av_mastering_display_metadata_alloc.AVUTIL-58 ref: 00007FF7EC501630

Strings

2, xrefs: 00007FF7EC5016C5
E, xrefs: 00007FF7EC50168B
Couldn't find codec '%s', xrefs: 00007FF7EC5014E2

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __acrt_iob_funcav_content_light_metadata_allocav_mastering_display_metadata_allocav_memdupav_stream_add_side_dataavcodec_alloc_context3avcodec_descriptor_get_by_name
String ID: 2$Couldn't find codec '%s'$E
API String ID: 3726879996-2734579634
Opcode ID: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
Instruction ID: e9ba796a8cacfeaf2974f6ada6e4bd1efe8d601b3902d653afed7a4a9d5dd75b
Opcode Fuzzy Hash: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
Instruction Fuzzy Hash: FC812976609780CBD754DF25E55035EBBB0F389B88F60402AEB8C87B58EB7AD854CB01

Function 00007FF7EC501250 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

avcodec_descriptor_get_by_name.AVCODEC-60 ref: 00007FF7EC50126F
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC50127F
avcodec_find_encoder.AVCODEC-60 ref: 00007FF7EC5012A9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7EC5012B9

Strings

Couldn't find codec descriptor '%s', xrefs: 00007FF7EC501288
title, xrefs: 00007FF7EC50131D
Couldn't find codec '%s', xrefs: 00007FF7EC5012C2

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __acrt_iob_func$avcodec_descriptor_get_by_nameavcodec_find_encoder
String ID: Couldn't find codec '%s'$Couldn't find codec descriptor '%s'$title
API String ID: 3715327632-3279048111
Opcode ID: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
Instruction ID: e6d84a95a8161fd32ba3b7882f07afdaa00a79da602d0a7b4a6c312bdbb41557
Opcode Fuzzy Hash: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
Instruction Fuzzy Hash: 7261C036604B8186E708DF16E5913AEB7A0FB88B98F95403AEF4E87754EF38E055C711

Function 00007FFE003A3CB0 Relevance: 21.1, APIs: 14, Instructions: 123COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE003A3D1B
_aligned_free.MSVCRT ref: 00007FFE003A3D23

Part of subcall function 00007FFE003A3CB0: _aligned_free.MSVCRT ref: 00007FFE003A3CF9

_aligned_free.MSVCRT ref: 00007FFE003A3D4D
_aligned_free.MSVCRT ref: 00007FFE003A3D6F
_aligned_free.MSVCRT ref: 00007FFE003A3D77
_aligned_free.MSVCRT ref: 00007FFE003A3D7F
_aligned_free.MSVCRT ref: 00007FFE003A3DB7
_aligned_free.MSVCRT ref: 00007FFE003A3DD9
_aligned_free.MSVCRT ref: 00007FFE003A3DE1
_aligned_free.MSVCRT ref: 00007FFE003A3E0B
_aligned_free.MSVCRT ref: 00007FFE003A3E2D
_aligned_free.MSVCRT ref: 00007FFE003A3E35
_aligned_free.MSVCRT ref: 00007FFE003A3E3D

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: 9507d53f166a1d0254cdadf622783abd4b684d210657e614246861b7e6ebef3c
Instruction ID: 1f0df5844de12fa5dafc78ddb63b660abeeba32192de02a8043601d196f02258
Opcode Fuzzy Hash: 9507d53f166a1d0254cdadf622783abd4b684d210657e614246861b7e6ebef3c
Instruction Fuzzy Hash: 5F411612B1D56280E947EF12C85697E6755AF82F90B028831FF1D5B3AACF3CEA458380

Function 00007FF7EC5017A0 Relevance: 19.6, APIs: 13, Instructions: 72COMMON

Download Yara Rule

APIs

av_write_trailer.AVFORMAT-60 ref: 00007FF7EC5017B5
pthread_mutex_lock.W32-PTHREADS ref: 00007FF7EC5017DE
os_event_signal.OBS ref: 00007FF7EC5017EA
pthread_mutex_unlock.W32-PTHREADS ref: 00007FF7EC5017F6
pthread_join.W32-PTHREADS ref: 00007FF7EC50180E
os_event_destroy.OBS ref: 00007FF7EC50181A
os_event_destroy.OBS ref: 00007FF7EC501826
pthread_mutex_destroy.W32-PTHREADS ref: 00007FF7EC501832
bfree.OBS ref: 00007FF7EC50183E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC5018A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC5018BA
bfree.OBS ref: 00007FF7EC5018C4
av_packet_free.AVCODEC-60 ref: 00007FF7EC5018E5

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: bfreefreeos_event_destroy$av_packet_freeav_write_traileros_event_signalpthread_joinpthread_mutex_destroypthread_mutex_lockpthread_mutex_unlock
String ID:
API String ID: 3736584056-0
Opcode ID: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
Instruction ID: 595db34db49f691839a3a7d307816f247fa7ddc814dae2fef67f3ebb3557f76a
Opcode Fuzzy Hash: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
Instruction Fuzzy Hash: 4A31122A91858181F751FF30C4663F96360FF95B4CFA84132DE4E8A296FF389585C362

Function 00007FFE1A522CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A522D40

Part of subcall function 00007FFE1A525010: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE1A525045
Part of subcall function 00007FFE1A525010: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A525053
Part of subcall function 00007FFE1A525010: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A525078

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A522E18
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A522E25
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A523060
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52308E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE1A5230CC

Part of subcall function 00007FFE1A526710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A52239E), ref: 00007FFE1A52671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A523154
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A523189

Strings

csm, xrefs: 00007FFE1A522D5A
csm, xrefs: 00007FFE1A522DC1
csm, xrefs: 00007FFE1A522E3D

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3436797354-393685449
Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction ID: 33716ba22d8c008a2870ca80807ab27776e56404ee7798f9272c8e607b3b4dfe
Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction Fuzzy Hash: 70D14E76B0CB41C6EB109BA6A4412BD77A6FB46BA8F0401B7DE4D57B66CF38E494C700

Function 00007FFE1A4F7400 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 161COMMON

Download Yara Rule

APIs

av_calloc.AVUTIL-58 ref: 00007FFE1A4F7470
memcpy.MSVCRT ref: 00007FFE1A4F74F2
memcpy.MSVCRT ref: 00007FFE1A4F751E
av_freep.AVUTIL-58(?,?), ref: 00007FFE1A4F75A9

Strings

src/libswresample/resample.c, xrefs: 00007FFE1A4F760B
Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F7622
!c->frac && !c->dst_incr_mod, xrefs: 00007FFE1A4F7612

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$av_callocav_freep
String ID: !c->frac && !c->dst_incr_mod$Assertion %s failed at %s:%d$src/libswresample/resample.c
API String ID: 1182148616-608564573
Opcode ID: ae225f1ac773ac5f9c1fe2fea1a141108402761e9a2d6cdf13e09e92a9034940
Instruction ID: 6bc0aafa8ea5ae9418e8dd3aa9ee86d31a89f370c4673fb0261f921ea3fc9bb5
Opcode Fuzzy Hash: ae225f1ac773ac5f9c1fe2fea1a141108402761e9a2d6cdf13e09e92a9034940
Instruction Fuzzy Hash: 5661A272B08B028AD758CF2AD19057D77A1EB45B69B105176EA0DC77A8EB3CE451CB40

Function 00007FFE0036AE10 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 151stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0036AE26
memcmp.MSVCRT ref: 00007FFE0036AEA5

Strings

mono, xrefs: 00007FFE0036AE70

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcmpstrlen
String ID: mono
API String ID: 3108337309-2381334079
Opcode ID: 4442f9bb683f4af6272261eaf8af414874aa53633c76ffc30400c404e096c1e0
Instruction ID: ab73d383a6fc48dd31ae424da10fbeaa2d701edddd8a085f5fcc8270cfd176b7
Opcode Fuzzy Hash: 4442f9bb683f4af6272261eaf8af414874aa53633c76ffc30400c404e096c1e0
Instruction Fuzzy Hash: FC51B162B0D94346FE629F15D8402B9ABA0AF05BC4F8D8431DF0E5B7A8DE3DE445CB42

Function 00007FFE1A4F8F70 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

av_freep.AVUTIL-58 ref: 00007FFE1A4F909C
av_log.AVUTIL-58 ref: 00007FFE1A4F9187
abort.MSVCRT ref: 00007FFE1A4F918C
av_log.AVUTIL-58 ref: 00007FFE1A4F91B5
abort.MSVCRT ref: 00007FFE1A4F91BA

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F9178, 00007FFE1A4F91AE
a->bps, xrefs: 00007FFE1A4F9198
src/libswresample/swresample.c, xrefs: 00007FFE1A4F9161, 00007FFE1A4F9191
a->ch_count, xrefs: 00007FFE1A4F9168

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_log$av_freep
String ID: Assertion %s failed at %s:%d$a->bps$a->ch_count$src/libswresample/swresample.c
API String ID: 2329147549-2798989596
Opcode ID: 8a6bc04a2563c4ca64b9d2f166cec7721cca9d96160b8b29e1ad9d54915bbd6c
Instruction ID: 5324a190e90af980a2ac8901d99b6fe0a184aac1c71cda26d62e859b35dbb56b
Opcode Fuzzy Hash: 8a6bc04a2563c4ca64b9d2f166cec7721cca9d96160b8b29e1ad9d54915bbd6c
Instruction Fuzzy Hash: 5E510875B08A8249EB308F2BA944BFD3354EF45BA9F0051B7DE1D86AA6DF38A504C600

Function 00007FFE0036F360 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE003878F0: strlen.MSVCRT ref: 00007FFE003878FF
Part of subcall function 00007FFE003878F0: _aligned_realloc.MSVCRT ref: 00007FFE0038791F
Part of subcall function 00007FFE003878F0: memcpy.MSVCRT ref: 00007FFE00387936

_aligned_free.MSVCRT ref: 00007FFE0036F410
_aligned_free.MSVCRT ref: 00007FFE0036F418
_aligned_free.MSVCRT ref: 00007FFE0036F49B
_aligned_free.MSVCRT ref: 00007FFE0036F4A5
_aligned_free.MSVCRT ref: 00007FFE0036F51E
_aligned_free.MSVCRT ref: 00007FFE0036F528
strlen.MSVCRT ref: 00007FFE0036F5C0
strlen.MSVCRT ref: 00007FFE0036F5CB
memcpy.MSVCRT ref: 00007FFE0036F5F9

Strings

%lld, xrefs: 00007FFE0036F386

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strlen$memcpy$_aligned_realloc
String ID: %lld
API String ID: 3853940031-1962030014
Opcode ID: 8ef0d90d922d738ed908a9e8d1ebc5c3fb02acdd9b45e12231443154cef6d25c
Instruction ID: 28678aa3be1c36045da8e47f048e10e237cc12b85950828c133df49f40ec365f
Opcode Fuzzy Hash: 8ef0d90d922d738ed908a9e8d1ebc5c3fb02acdd9b45e12231443154cef6d25c
Instruction Fuzzy Hash: B8619F22A0DA4345EA27DA16F51127E6391BF89B98F148531EF5E47BADEF3CE850C340

Function 00007FFE0041AF60 Relevance: 16.7, APIs: 11, Instructions: 159sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00007FFE0041AFE2
Sleep.KERNEL32 ref: 00007FFE0041AFF7

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CreateEventSleep
String ID:
API String ID: 3100162736-0
Opcode ID: e5aaf2775736aee3134771c4ec912a0918e928d2149e6c1679b1ab5e8eb6a53e
Instruction ID: 3a478d21a2b92e8f315ab3f522c51233525a37d5b1d03bd9e5371840f77bff09
Opcode Fuzzy Hash: e5aaf2775736aee3134771c4ec912a0918e928d2149e6c1679b1ab5e8eb6a53e
Instruction Fuzzy Hash: A751A032A0960286E7658B24E958BBB32A4FB447A4F154335DF2D473E8DF3DD845C348

Function 00007FFE1A4F9B80 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 426COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4F8F70: av_freep.AVUTIL-58 ref: 00007FFE1A4F909C

av_log.AVUTIL-58 ref: 00007FFE1A4FA2CE
abort.MSVCRT ref: 00007FFE1A4FA2D3

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE1A4FA2C3
s->midbuf.ch_count == s->used_ch_layout.nb_channels, xrefs: 00007FFE1A4FA2B7
src/libswresample/swresample.c, xrefs: 00007FFE1A4FA2A8, 00007FFE1A4FA2D8, 00007FFE1A4FA2F5, 00007FFE1A4FA312
?, xrefs: 00007FFE1A4F9ED2
s->dither.noise.ch_count == preout->ch_count, xrefs: 00007FFE1A4FA304
s->midbuf.ch_count == s->out.ch_count, xrefs: 00007FFE1A4FA2E7
s->in.planar, xrefs: 00007FFE1A4FA321

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_freepav_log
String ID: ?$Assertion %s failed at %s:%d$s->dither.noise.ch_count == preout->ch_count$s->in.planar$s->midbuf.ch_count == s->out.ch_count$s->midbuf.ch_count == s->used_ch_layout.nb_channels$src/libswresample/swresample.c
API String ID: 3736396223-3190629393
Opcode ID: d26e443fe19845a36fdde429c2a9a759add677dece32294348b5e2c239672df1
Instruction ID: 88514f64d799d222248ba47e15da63334c3a296db2cb5e2ca1d650a4aa597cf7
Opcode Fuzzy Hash: d26e443fe19845a36fdde429c2a9a759add677dece32294348b5e2c239672df1
Instruction Fuzzy Hash: C402E436B08A8686E7608E2B94006FA77A1FB45FA9F5810B7DE4D477A9CF3CE454C710

Function 00007FFE1A52E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

generic-type-, xrefs: 00007FFE1A52E45E
`generic-type-, xrefs: 00007FFE1A52E491
`template-parameter-, xrefs: 00007FFE1A52E44A
template-parameter-, xrefs: 00007FFE1A52E417

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction ID: 3ecb9041a8a3b8461c69d2b2a597e25a674f2b91b17f374a9e9a12db70d91d14
Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction Fuzzy Hash: A4914962B1CE8699EB118B62E4502BC2BA2AF96F64F4840F7DE4D037A5DF3CE505D350

Function 00007FFE00409990 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE00409AF8

Strings

-, xrefs: 00007FFE00409A98

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: -
API String ID: 2918714741-2547889144
Opcode ID: f978b8ec28ce8a6f9b5e47dd2052fece94246ae97b2b9cc28d4a0647f4bf6175
Instruction ID: 9f2bdf4f27c02fa022fb2a01b35f3893e283a7b8d63da8128ed337eb193b9c1f
Opcode Fuzzy Hash: f978b8ec28ce8a6f9b5e47dd2052fece94246ae97b2b9cc28d4a0647f4bf6175
Instruction Fuzzy Hash: B951E062F0D29745FA659AA564103BD26917F41774F4A0634DF2E2A3EBEE3CFE408708

Function 00007FFE00409BF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE00409D38

Strings

ambisonic , xrefs: 00007FFE00409BF9
-, xrefs: 00007FFE00409CFA

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: -$ambisonic
API String ID: 2918714741-2876420257
Opcode ID: c1d0ba877cb9a5e33fb598b34b3d9939bb9d6dbd7a5e029ec6c2859871519c45
Instruction ID: 8adfd7439c31eb6d5fa418e1655fe6497546458d68bfe39398af785fa08cd240
Opcode Fuzzy Hash: c1d0ba877cb9a5e33fb598b34b3d9939bb9d6dbd7a5e029ec6c2859871519c45
Instruction Fuzzy Hash: 31414972F4D15306FB645AA158453BD26C26F427A4F454931DF2E6A3EEEE3CEE418308

Function 00007FFE1A52A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A198

Part of subcall function 00007FFE1A52722C: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1A527247

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A2C5

Strings

struct , xrefs: 00007FFE1A52A2E9
enum , xrefs: 00007FFE1A52A287
cointerface , xrefs: 00007FFE1A52A26C
`unknown ecsu', xrefs: 00007FFE1A52A164
union , xrefs: 00007FFE1A52A2F2
class , xrefs: 00007FFE1A52A2DA
coclass , xrefs: 00007FFE1A52A27E

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction ID: 612b2496eeb269280d465727d918c6cb0cb21e94fd1bba90b9793d06ecae2f4d
Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction Fuzzy Hash: 02514A31F1CE52D9FB14CBA6E8805BC27B1BB16BA4F5041B7EA0D62A68DF69E541C700

Function 00007FFE0038D3D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 110stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE00365FB0: strlen.MSVCRT ref: 00007FFE00365FC9

strspn.MSVCRT ref: 00007FFE0038D44B
_aligned_free.MSVCRT ref: 00007FFE0038D4BB
_aligned_free.MSVCRT ref: 00007FFE0038D4C3
_aligned_free.MSVCRT ref: 00007FFE0038D544
_aligned_free.MSVCRT ref: 00007FFE0038D54C
_aligned_free.MSVCRT ref: 00007FFE0038D57A

Strings

Missing key or no key/value separator found after key '%s', xrefs: 00007FFE0038D55B
Setting entry with key '%s' to value '%s', xrefs: 00007FFE0038D40E
Key '%s' not found., xrefs: 00007FFE0038D525

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strlenstrspn
String ID: Key '%s' not found.$Missing key or no key/value separator found after key '%s'$Setting entry with key '%s' to value '%s'
API String ID: 1832283230-2858522012
Opcode ID: 6858625f83de9048fadb2900624906809c4cd63edab14c6c68f5989beb2d347c
Instruction ID: d2a4d63787dd9c6b5e8e303b0a92a5201f10fb5608ae2da01ef4310e1c5cc7b8
Opcode Fuzzy Hash: 6858625f83de9048fadb2900624906809c4cd63edab14c6c68f5989beb2d347c
Instruction Fuzzy Hash: 4641A051A0C78250FA62DA12A8406BE6B91BF85BD4F549472EF4E077FEDE3CE485C340

Function 00007FFE00389900 Relevance: 15.3, APIs: 1, Strings: 9, Instructions: 317stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE003899A4

Strings

%s, xrefs: 00007FFE00389B9A
(from , xrefs: 00007FFE00389C1B
to , xrefs: 00007FFE00389C59
%-12s , xrefs: 00007FFE00389A5D
%s%-17s , xrefs: 00007FFE00389A3D
I, xrefs: 00007FFE00389D30
%-15s , xrefs: 00007FFE003899B0
%c%c%c%c%c%c%c%c%c%c%c, xrefs: 00007FFE00389B55
(default , xrefs: 00007FFE00389D46

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %-15s $ %s%-17s $ %s$ (default $ (from $ I$ to $%-12s $%c%c%c%c%c%c%c%c%c%c%c
API String ID: 1004003707-1704579004
Opcode ID: 2ea16860b3427611d439ee252ee5f1f96aacb857c5cfc9ddd7f0c0fe524bede6
Instruction ID: 5ffe777f84add99b222ecc2734ccf202ca31648c36d14c6ba70f4debbfeb3aae
Opcode Fuzzy Hash: 2ea16860b3427611d439ee252ee5f1f96aacb857c5cfc9ddd7f0c0fe524bede6
Instruction Fuzzy Hash: 08C19F72B18B4286EB16CB25E4407BE2761FB81794F589176EB0E47BA9DF3CE444C740

Function 00007FFE0036F640 Relevance: 15.2, APIs: 10, Instructions: 244stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE00365FB0: strlen.MSVCRT ref: 00007FFE00365FC9

strspn.MSVCRT ref: 00007FFE0036F71E
_aligned_free.MSVCRT ref: 00007FFE0036F7E5
_aligned_free.MSVCRT ref: 00007FFE0036F7ED

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strlenstrspn
String ID:
API String ID: 1832283230-0
Opcode ID: 26bc88a9fd69d679ea30a0b0f13b4c0f719b999fe5c0e19c8c29863e318b563f
Instruction ID: 03745a9023c1cb136ca88ff78db4d966a0d0f91c3f17060448160ea8bfe2d754
Opcode Fuzzy Hash: 26bc88a9fd69d679ea30a0b0f13b4c0f719b999fe5c0e19c8c29863e318b563f
Instruction Fuzzy Hash: 9BA15D22A0DB8685EA52DB11E4503BEA7A1EF85B84F149175EF8D47BBDDE3CE840C740

Function 00007FFE1A5288E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A5289AE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A5289BE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528A0A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528A1A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528A2A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528A9D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528AAE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528AC0
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528AEC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A528AFB

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction ID: a841f905618d60b67d9bd42dd1e559ed773f49d7b7ad83c8011753b6c21397a5
Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction Fuzzy Hash: 54615F62B08B52D8F701DBE2D8811FC27B2BB45BA8B4044B7EE4D2BA69DF78D545C340

Function 00007FFE003709B0 Relevance: 15.1, APIs: 10, Instructions: 135COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE00370AA6
_aligned_free.MSVCRT ref: 00007FFE00370ADD
_aligned_free.MSVCRT ref: 00007FFE00370AFA
_aligned_free.MSVCRT ref: 00007FFE00370B03
_aligned_free.MSVCRT ref: 00007FFE00370B0C
_aligned_free.MSVCRT ref: 00007FFE00370B14
_aligned_free.MSVCRT ref: 00007FFE00370B1D
_aligned_free.MSVCRT ref: 00007FFE00370B27
_aligned_free.MSVCRT ref: 00007FFE00370B31
_aligned_free.MSVCRT ref: 00007FFE00370B3C

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: 5319d01e5d1025e7fc0068ae3d94082f79af11993daff4612deb7ef89ba06dda
Instruction ID: 07503ef02aca92f5191b8d984af5f4c40ee93654201de75d05254a03c0327816
Opcode Fuzzy Hash: 5319d01e5d1025e7fc0068ae3d94082f79af11993daff4612deb7ef89ba06dda
Instruction Fuzzy Hash: B3418322B0970682EAA7EB15D44977F239AEF84B94F150475EF1D473A9DE7CE840C380

Function 00007FFE00419840 Relevance: 15.1, APIs: 10, Instructions: 100COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFE0041985D

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: de550876fdf94b650e17a9c6284cbc8fe7517bb1ab88a7b2ec8df1b363e153e6
Instruction ID: 9c282736dace64ab5b1bd1fe40b8fe5bbdc1d988b5af53cfd09cced0d3e22219
Opcode Fuzzy Hash: de550876fdf94b650e17a9c6284cbc8fe7517bb1ab88a7b2ec8df1b363e153e6
Instruction Fuzzy Hash: AD315972A1AA0286EB60AF25E8147B936A4FF54BA9F444239DE4D073E8DF3CE444C714

Function 00007FF7EC502030 Relevance: 15.0, APIs: 5, Strings: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50204A
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502065
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502080
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50209B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC5020B6

Strings

rist, xrefs: 00007FF7EC5020A9
srt, xrefs: 00007FF7EC502039
tcp, xrefs: 00007FF7EC502073
http, xrefs: 00007FF7EC50208E
udp, xrefs: 00007FF7EC502058

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strncmp
String ID: http$rist$srt$tcp$udp
API String ID: 1114863663-504309389
Opcode ID: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
Instruction ID: 13f0b2dda4ea5c3d34f6da156325eda60d4026c3c796ba3b43b19f18c4ca4d1e
Opcode Fuzzy Hash: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
Instruction Fuzzy Hash: BF010C98B1460380FB216F22E85676453A4AF45B99FE45036C90DC7250EF3DE549C73A

Function 00007FFE1A4F5C20 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 341COMMON

Download Yara Rule

Strings

s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || out->ch_count == s->out_ch_layout.nb_channels, xrefs: 00007FFE1A4F61DF
src/libswresample/rematrix.c, xrefs: 00007FFE1A4F61D0, 00007FFE1A4F6200
Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F61EB
s-> in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || in ->ch_count == s->in_ch_layout.nb_channels, xrefs: 00007FFE1A4F620F

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$s-> in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || in ->ch_count == s->in_ch_layout.nb_channels$s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || out->ch_count == s->out_ch_layout.nb_channels$src/libswresample/rematrix.c
API String ID: 0-729179064
Opcode ID: 497491d05170ef8247b869581e7d03bb9a59682df4ab4db83a46a576b33f8865
Instruction ID: bb4330328b4bb4ba199e92d27486a5e996e9b55377938e3a4d6aec7253b22ffa
Opcode Fuzzy Hash: 497491d05170ef8247b869581e7d03bb9a59682df4ab4db83a46a576b33f8865
Instruction Fuzzy Hash: E9E10272B09A8286D720CF2AE044BFE77A5FB44B95F4652B2DA4D17768DF38E151CB00

Function 00007FFE1A5231A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A52333E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52334B

Part of subcall function 00007FFE1A526710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A52239E), ref: 00007FFE1A52671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5235F9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A523644
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A523679

Strings

csm, xrefs: 00007FFE1A523285
csm, xrefs: 00007FFE1A5232E7
csm, xrefs: 00007FFE1A523367

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction ID: 163c779f42af852266aa311dd54f7ee3a6d2ef514fcf3848ca14d6dcc4b8d50b
Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction Fuzzy Hash: 8AE18372B0CA81CAE7209BA6D4402BD77A2FB56B68F1401B7DA4D57766CF38E485C700

Function 00007FFE00381E20 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 248COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE00382154

Strings

((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FFE003821A6
src/libavutil/imgutils.c, xrefs: 00007FFE00382167, 00007FFE00382197
av_image_get_linesize failed, xrefs: 00007FFE003820D0
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FFE00382176
Assertion %s failed at %s:%d, xrefs: 00007FFE00382182

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$av_image_get_linesize failed$src/libavutil/imgutils.c
API String ID: 3510742995-882259572
Opcode ID: 0f20995bfb48e77148fec557d5fbaa226202661854b0129ced2db76bb94dc692
Instruction ID: 3023c3d9c6479840e728311d1b7c54bcd21b352fb60870c9ba7fd73bcc33b15f
Opcode Fuzzy Hash: 0f20995bfb48e77148fec557d5fbaa226202661854b0129ced2db76bb94dc692
Instruction Fuzzy Hash: 92A1A072A09B9586EA15CF15A94016EB7A5FB88BD0F188175EF4D47BA8DF3CE442C700

Function 00007FFE00381A70 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 243COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE00381B99
memcpy.MSVCRT ref: 00007FFE00381D31
abort.MSVCRT ref: 00007FFE00381DF2

Strings

((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FFE00381DD6
src/libavutil/imgutils.c, xrefs: 00007FFE00381DC7, 00007FFE00381DF7
av_image_get_linesize failed, xrefs: 00007FFE00381D93
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FFE00381E06
Assertion %s failed at %s:%d, xrefs: 00007FFE00381DE2

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$abort
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$av_image_get_linesize failed$src/libavutil/imgutils.c
API String ID: 3629556515-882259572
Opcode ID: 720129b710e5ed98a497ce0c61193de95d3f52df19d8a310f2021f8bda355e19
Instruction ID: bb33ce2d48f0c6d6d53233571221cc688e342b84638560f2df07da8cca066c0e
Opcode Fuzzy Hash: 720129b710e5ed98a497ce0c61193de95d3f52df19d8a310f2021f8bda355e19
Instruction Fuzzy Hash: 83A18E32A09B8586DA66CF15E44037EB7A4FB88B90F148575DF8D47BA8DF3CE4868700

Function 00007FFE0038D5B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0038C1D0: strspn.MSVCRT ref: 00007FFE0038C1FC
Part of subcall function 00007FFE0038C1D0: strspn.MSVCRT ref: 00007FFE0038C245
Part of subcall function 00007FFE0038C1D0: strchr.MSVCRT ref: 00007FFE0038C25D
Part of subcall function 00007FFE0038C1D0: memcpy.MSVCRT ref: 00007FFE0038C28C

_aligned_free.MSVCRT ref: 00007FFE0038D678
_aligned_free.MSVCRT ref: 00007FFE0038D682
_aligned_free.MSVCRT ref: 00007FFE0038D72C
_aligned_free.MSVCRT ref: 00007FFE0038D736

Strings

No option name near '%s', xrefs: 00007FFE0038D7FC
Option '%s' not found, xrefs: 00007FFE0038D832
Setting '%s' to value '%s', xrefs: 00007FFE0038D620
Unable to parse '%s': %s, xrefs: 00007FFE0038D7E3

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strspn$memcpystrchr
String ID: No option name near '%s'$Option '%s' not found$Setting '%s' to value '%s'$Unable to parse '%s': %s
API String ID: 2931229598-2003673103
Opcode ID: 5496a8e94afb4b653dcbea0521884cd186c85a6990d9a2e756bf1473de833a0d
Instruction ID: 7ea40a850172e7c43b0c7b4a5990abfdac0039b44885d8bce9c89e290aae2254
Opcode Fuzzy Hash: 5496a8e94afb4b653dcbea0521884cd186c85a6990d9a2e756bf1473de833a0d
Instruction Fuzzy Hash: DA518C32A08B8685E762CB51E8507AEA7A1FB84798F904075EF8D47BE9DF3CD444C740

Function 00007FFE003E44C0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 142COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003E45DA

Strings

[%d], xrefs: 00007FFE003E4603
. -_, xrefs: 00007FFE003E468B
!"valid element size", xrefs: 00007FFE003E45B6
Assertion %s failed at %s:%d, xrefs: 00007FFE003E45C6
D, xrefs: 00007FFE003E45CD
src/libavutil/utils.c, xrefs: 00007FFE003E45AF

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: !"valid element size"$. -_$Assertion %s failed at %s:%d$D$[%d]$src/libavutil/utils.c
API String ID: 4206212132-1952739643
Opcode ID: 8dda062a40ab2f67f05643896e4bd6b922d436051c7bb03a64cbc94b01d14da1
Instruction ID: 78f215b7cfa9f6d21a7d752052a7ee5d1fe4874f725200898d2d2188376b5ca1
Opcode Fuzzy Hash: 8dda062a40ab2f67f05643896e4bd6b922d436051c7bb03a64cbc94b01d14da1
Instruction Fuzzy Hash: DB51F866F1929A86EB219F11A500A793B91FB7AB84F854230CF0D537FCEE3CA595C700

Function 00007FFE1A52BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52BFD8

Part of subcall function 00007FFE1A528C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52913D
Part of subcall function 00007FFE1A528C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529175

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52BF8A

Strings

void , xrefs: 00007FFE1A52BE96
void, xrefs: 00007FFE1A52BE6E
cli::array<, xrefs: 00007FFE1A52BF57
std::nullptr_t , xrefs: 00007FFE1A52BF16
cli::pin_ptr<, xrefs: 00007FFE1A52BFA1
std::nullptr_t, xrefs: 00007FFE1A52BF03

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction ID: df7acc093ad7b6bbb2063dcf6b808a2eb124cebc51698fc17102349faa3fd222
Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction Fuzzy Hash: DE513662F1CF4698FB118BA2E8812BC77A1BB5AB64F4540F7DA4D12AA5DF3CA044C710

Function 00007FFE1A4F8AB0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE1A4F8B22
av_log.AVUTIL-58 ref: 00007FFE1A4F8B83
abort.MSVCRT ref: 00007FFE1A4F8B88

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F8B78
out->ch_count == in->ch_count, xrefs: 00007FFE1A4F8B6C
src/libswresample/swresample.c, xrefs: 00007FFE1A4F8B5D, 00007FFE1A4F8B8D, 00007FFE1A4F8BAA
out->bps == in->bps, xrefs: 00007FFE1A4F8B9C
out->planar == in->planar, xrefs: 00007FFE1A4F8BB9

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_logmemcpy
String ID: Assertion %s failed at %s:%d$out->bps == in->bps$out->ch_count == in->ch_count$out->planar == in->planar$src/libswresample/swresample.c
API String ID: 2496068414-3511948170
Opcode ID: b7f206457b9caba27af6789feee01ca3d186e054d088e26f0222d9f3267d756f
Instruction ID: 6ece17b5b7a37b69fc2f7a56bd5f49f8d020ace4aeb15e6b2d9d66801003f3f0
Opcode Fuzzy Hash: b7f206457b9caba27af6789feee01ca3d186e054d088e26f0222d9f3267d756f
Instruction Fuzzy Hash: 7121E072B0CE0286E225CB16EA440FE37A4EB45B72F9451F7DA4C062B1DF3CE155C600

Function 00007FFE1A5463B0 Relevance: 13.7, APIs: 9, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE1A5463D8
__scrt_initialize_crt.LIBCMT ref: 00007FFE1A54641D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE1A54642A
_RTC_Initialize.LIBCMT ref: 00007FFE1A546458
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE1A54647E
__scrt_release_startup_lock.LIBCMT ref: 00007FFE1A5464A9

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 05d8b91213d8a4974e84562f7c7d5bb031e6d637f96e7ddce6b44401f1817edf
Instruction ID: 076cb8932408b9074bbae6522694064790996b9eeaa78e100b089e4b14c94a55
Opcode Fuzzy Hash: 05d8b91213d8a4974e84562f7c7d5bb031e6d637f96e7ddce6b44401f1817edf
Instruction Fuzzy Hash: 3F814D61F0CE43C6FA54AB67A4413B96691AF56FA0F4440FFD90C47BB6FE2CE8458620

Function 00007FFE0036FAD0 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE0036FBE6
_aligned_free.MSVCRT ref: 00007FFE0036FBF0
_aligned_free.MSVCRT ref: 00007FFE0036FC3D
_aligned_free.MSVCRT ref: 00007FFE0036FC45

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: bb8437b69a084f07a8ed3204e31c2741436194e29f9f638b4584538b28a8ba08
Instruction ID: b88c7cc9691523da9c59fa953395c9749832d7fa85acaf3e780ec235018ee0ca
Opcode Fuzzy Hash: bb8437b69a084f07a8ed3204e31c2741436194e29f9f638b4584538b28a8ba08
Instruction Fuzzy Hash: 7E816A32A0CB8689EA16DB16E45067AA7A1FF85B80F148435EF5D47BADDE3CE450C740

Function 00007FFE0036F080 Relevance: 13.7, APIs: 9, Instructions: 181COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE0036F10E
_aligned_free.MSVCRT ref: 00007FFE0036F118
_aligned_free.MSVCRT ref: 00007FFE0036F157
_aligned_free.MSVCRT ref: 00007FFE0036F15F

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: 01f721f6df29f9dd6bf7ef2f97b91fefc10836ccc23b581315bb421e2c98f023
Instruction ID: a2f6e250f90290f583518af54ead0b8a9494ee5298efcc3cf56040911ff613bf
Opcode Fuzzy Hash: 01f721f6df29f9dd6bf7ef2f97b91fefc10836ccc23b581315bb421e2c98f023
Instruction Fuzzy Hash: 4B619D26A0DB4385EA22DA12F45127A6791BF89BD8F148530EF9D477EEDE3CE441C740

Function 00007FFE00389D80 Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 146stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE003899A4
strcmp.MSVCRT ref: 00007FFE00389DD7

Strings

I64_MAX, xrefs: 00007FFE0038A31A
%-15s , xrefs: 00007FFE003899B0
INT_MAX, xrefs: 00007FFE0038A2B6
%lld, xrefs: 00007FFE0038A29D
INT_MIN, xrefs: 00007FFE0038A301
I64_MIN, xrefs: 00007FFE0038A2CF
UINT32_MAX, xrefs: 00007FFE0038A2E8

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %-15s $%lld$I64_MAX$I64_MIN$INT_MAX$INT_MIN$UINT32_MAX
API String ID: 1004003707-1419900426
Opcode ID: 60724dc2eec3de23298e2ae44bcb11fdf03ae2348c3838bc2f08ec1f1516dc3e
Instruction ID: d6cce396bada8a928a56f95a3ff2610e4962d56ad0133332ef875ce5472bf668
Opcode Fuzzy Hash: 60724dc2eec3de23298e2ae44bcb11fdf03ae2348c3838bc2f08ec1f1516dc3e
Instruction Fuzzy Hash: 51513A31A08B428AEA66DE11A5103BE2390BF41754F9866B3DB1E477EDDF7DE850C381

Function 00007FF7EC502160 Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

pthread_mutex_lock.W32-PTHREADS ref: 00007FF7EC5021BB
os_event_reset.OBS ref: 00007FF7EC5021E7
pthread_mutex_unlock.W32-PTHREADS ref: 00007FF7EC5021F3
os_event_wait.OBS ref: 00007FF7EC5021FF
pthread_mutex_lock.W32-PTHREADS ref: 00007FF7EC50220B
memcpy.VCRUNTIME140 ref: 00007FF7EC50227B
memcpy.VCRUNTIME140 ref: 00007FF7EC50228E
os_event_signal.OBS ref: 00007FF7EC5022D1
pthread_mutex_unlock.W32-PTHREADS ref: 00007FF7EC5022DD

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpypthread_mutex_lockpthread_mutex_unlock$os_event_resetos_event_signalos_event_wait
String ID:
API String ID: 2918620995-0
Opcode ID: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
Instruction ID: 13f5435b06b1c2846ef5f99bd640c058c67870f47fbf2dcdfaa42002517bf870
Opcode Fuzzy Hash: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
Instruction Fuzzy Hash: CA416436618A8281E610EF61E5523ADA760FB85BDCF940433EF8D4BB5AEF38D194C711

Function 00007FFE00417C30 Relevance: 13.6, APIs: 9, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE00417B90: EnterCriticalSection.KERNEL32(?,?,?,?,00007FFE00417EA7,?,?,?,?,?,?,?,?,00007FFE003A1502), ref: 00007FFE00417BB6
Part of subcall function 00007FFE00417B90: LeaveCriticalSection.KERNEL32(?,?,00007FFE00417EA7,?,?,?,?,?,?,?,?,00007FFE003A1502), ref: 00007FFE00417BDB

TryEnterCriticalSection.KERNEL32 ref: 00007FFE00417CB0
CloseHandle.KERNEL32(?,?,?,?,?,?,00007FFE003A1817), ref: 00007FFE00417CF8
CloseHandle.KERNEL32(?,?,?,?,?,?,00007FFE003A1817), ref: 00007FFE00417D02
LeaveCriticalSection.KERNEL32 ref: 00007FFE00417D07
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00007FFE003A1817), ref: 00007FFE00417D17
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00007FFE003A1817), ref: 00007FFE00417D1C
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00007FFE003A1817), ref: 00007FFE00417D23
free.MSVCRT ref: 00007FFE00417D28

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$Delete$CloseEnterHandleLeave$free
String ID:
API String ID: 3899327206-0
Opcode ID: 2505bcbe3cd4d1a469b291fb81c03ba1909a3890b205137eb9b30536ece67948
Instruction ID: ab41cbff3923a4aa43a8014cd3810e40d6b983598b6dc0cd83a5845385d5377a
Opcode Fuzzy Hash: 2505bcbe3cd4d1a469b291fb81c03ba1909a3890b205137eb9b30536ece67948
Instruction Fuzzy Hash: EC314D21A0C90281EA509B62D8147FA27A5BF45BE8F844631DF2E833FADE3CD542D348

Function 00007FF7EC5035E4 Relevance: 13.6, APIs: 9, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7EC5035F8
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7EC50360D
__scrt_release_startup_lock.LIBCMT ref: 00007FF7EC50367B
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC5036C9
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC5036CE
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC5036D6
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC5036DE
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC503700
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7EC50375A

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1184979102-0
Opcode ID: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
Instruction ID: 41022fb65f2cff1e87cf2a81cdcfcbe5fa49b1fe3a5178c716a4ae44a1c7ce91
Opcode Fuzzy Hash: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
Instruction Fuzzy Hash: F3310929A0864281FA14BB2594573B99391AF5578CFE44037EA4DCB3E3FE7DE844C632

Function 00007FFE004087A0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFE004088B9

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE00408A0C
VirtualProtect failed with code 0x%x, xrefs: 00007FFE004089B2
Address %p has no image-section, xrefs: 00007FFE00408810, 00007FFE00408A20
Mingw-w64 runtime failure:, xrefs: 00007FFE004087D8

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: a8cae70abf7ffee8518c3ea9921427e896fff9301f328d805a1cc0052b195cee
Instruction ID: 841f9390e0333711ba518b6f34eaed45b1ec5a52a8982e4f22ae3ba2df7ebf1d
Opcode Fuzzy Hash: a8cae70abf7ffee8518c3ea9921427e896fff9301f328d805a1cc0052b195cee
Instruction Fuzzy Hash: 0E61E572B09B0286EB109F51E98527977A1FF457A0F548239EB9D173E9EE3CE940C708

Function 00007FFE1A502290 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFE1A5023A9

Strings

Address %p has no image-section, xrefs: 00007FFE1A502300, 00007FFE1A502510
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE1A5024FC
VirtualProtect failed with code 0x%x, xrefs: 00007FFE1A5024A2
Mingw-w64 runtime failure:, xrefs: 00007FFE1A5022C8

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 177a0442ffddc2d8412e742cb8e5249e265e09483f4b31c5fb5574984be0ec8a
Instruction ID: 60eff6c8c7fdc77157f17f96e5edc6898516ccfd2a9c8018f6b66b2f746bbd85
Opcode Fuzzy Hash: 177a0442ffddc2d8412e742cb8e5249e265e09483f4b31c5fb5574984be0ec8a
Instruction Fuzzy Hash: D1617D72B0DF4282EA109B16E9452BD77A1BB56BF0F5442B6EB5C473A1DE3CE544C300

Function 00007FFE1A525F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A5263F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A526434
Part of subcall function 00007FFE1A5263F0: RaiseException.KERNEL32 ref: 00007FFE1A52647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A525FA7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE1A526003

Strings

Attempted a typeid of nullptr pointer!, xrefs: 00007FFE1A5260E5
Access violation - no RTTI data!, xrefs: 00007FFE1A525F0A, 00007FFE1A52612B
Bad dynamic_cast!, xrefs: 00007FFE1A526072
Bad read pointer - no RTTI data!, xrefs: 00007FFE1A526108

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction ID: e2ca834dce7717f22a26b4c4c84e8b655d672dc0a457be976c0e9a4c086ee453
Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction Fuzzy Hash: 07516E6271DE86D2EE20CBA6E4905B96361FF95FA8F4044B3DA4E07A75DE3CE505C300

Function 00007FFE1A4F3F10 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

av_free.AVUTIL-58 ref: 00007FFE1A4F4056
av_log.AVUTIL-58 ref: 00007FFE1A4F4139
abort.MSVCRT ref: 00007FFE1A4F413E

Strings

s->dither.method < SWR_DITHER_NB, xrefs: 00007FFE1A4F4152
src/libswresample/dither.c, xrefs: 00007FFE1A4F4113, 00007FFE1A4F414B
Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F412E
*, xrefs: 00007FFE1A4F416A

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_freeav_log
String ID: *$Assertion %s failed at %s:%d$s->dither.method < SWR_DITHER_NB$src/libswresample/dither.c
API String ID: 3300847756-1990850000
Opcode ID: ab30c3e9237167edfc00d8e6b718087be1c521b79e3897be0253280de5e0c4da
Instruction ID: 9768a479145000ad0041a5a4e9a83d7f4963198fc65c84eee18cf0555a6a129c
Opcode Fuzzy Hash: ab30c3e9237167edfc00d8e6b718087be1c521b79e3897be0253280de5e0c4da
Instruction Fuzzy Hash: 5A513A31F1CF4249DA22CB3A95411B9B314EF53BA5F10D3B3E61E26665EF3DA096C600

Function 00007FFE1A52E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52E1BC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52E1CB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1A52E2E8

Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C459
Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C492
Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52E26B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52E27B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52E325

Strings

{for , xrefs: 00007FFE1A52E1F4

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction ID: a60029afba3899f6bf3d83f85d28d4e719edb6d213facd6d960c98832fb058fb
Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction Fuzzy Hash: 9F514772B0CE85A9E7118F66D4413FD27A2EB56B68F8480F3EA4D07AA5DF78E550C310

Function 00007FFE0037D650 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFE0037D6EA
free.MSVCRT ref: 00007FFE0037D6F3

Strings

%s failed, xrefs: 00007FFE0037D771
-> %s: %s, xrefs: 00007FFE0037D79E
cu->cuCtxDestroy(hwctx->cuda_ctx), xrefs: 00007FFE0037D68E, 00007FFE0037D7DF
cu->cuDevicePrimaryCtxRelease(hwctx->internal->cuda_device), xrefs: 00007FFE0037D721, 00007FFE0037D76A
Calling %s, xrefs: 00007FFE0037D695, 00007FFE0037D728

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FreeLibraryfree
String ID: -> %s: %s$%s failed$Calling %s$cu->cuCtxDestroy(hwctx->cuda_ctx)$cu->cuDevicePrimaryCtxRelease(hwctx->internal->cuda_device)
API String ID: 155010425-3275200884
Opcode ID: 5bf74a7dc137a0c155993daea2b6d87e70908d77a28ad94112a4fe68d911b2e3
Instruction ID: 082b031093e0bcf0319099f0db964b03b0aaf8cc32adac6e4be0c5d8710533eb
Opcode Fuzzy Hash: 5bf74a7dc137a0c155993daea2b6d87e70908d77a28ad94112a4fe68d911b2e3
Instruction Fuzzy Hash: 6E413C25A09B8692EA6A9F21E410BAE6360FF44B94FC45032DF5E17768CF3CE859C340

Function 00007FFE1A4F6770 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4F8F70: av_freep.AVUTIL-58 ref: 00007FFE1A4F909C

memcpy.MSVCRT ref: 00007FFE1A4F6814
av_log.AVUTIL-58 ref: 00007FFE1A4F6865
abort.MSVCRT ref: 00007FFE1A4F686A
av_freep.AVUTIL-58 ref: 00007FFE1A4F6885

Strings

src/libswresample/resample.c, xrefs: 00007FFE1A4F683F
Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F6856
a->planar, xrefs: 00007FFE1A4F6846

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_freep$abortav_logmemcpy
String ID: Assertion %s failed at %s:%d$a->planar$src/libswresample/resample.c
API String ID: 932020481-1037444191
Opcode ID: 2fed7eb9d3f7d8d6d6ab3b2d75b72cd75ee98cc0c08d437b01389e601e0e5f9a
Instruction ID: 1ed057a2e9d8056a1641ae03d025063668da50c2681fe0216f959c83ab441640
Opcode Fuzzy Hash: 2fed7eb9d3f7d8d6d6ab3b2d75b72cd75ee98cc0c08d437b01389e601e0e5f9a
Instruction Fuzzy Hash: 25312433F09A828BE724CB7AD9410FD73A1FB85B69F0581B6DA0847665EF38E501C700

Function 00007FFE00409860 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE00409878
_errno.MSVCRT ref: 00007FFE00409897
rand.MSVCRT ref: 00007FFE00409910
_sopen.MSVCRT ref: 00007FFE0040995F
_errno.MSVCRT ref: 00007FFE00409970

Strings

XXXX, xrefs: 00007FFE0040988F
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FFE004098FE

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno$_sopenrandstrlen
String ID: XXXX$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 1081397658-1416102993
Opcode ID: 7ac93ad39a8cb676dc86535b40274021b571b1fd82cfda16182900e2eb2af889
Instruction ID: 2115b4c0b2c08d43611fe7c38f9fe6343673e7a96755014a19010bdeba317c5a
Opcode Fuzzy Hash: 7ac93ad39a8cb676dc86535b40274021b571b1fd82cfda16182900e2eb2af889
Instruction Fuzzy Hash: 1231AF23F2955256F621AAA49D001BC1A91AF467A4F4AC231DF0C577EAEE3DEE41C314

Function 00007FFE0038C1D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strspn.MSVCRT ref: 00007FFE0038C1FC
strspn.MSVCRT ref: 00007FFE0038C245
strchr.MSVCRT ref: 00007FFE0038C25D
memcpy.MSVCRT ref: 00007FFE0038C28C

Strings

ambisonic , xrefs: 00007FFE0038C1D7
, xrefs: 00007FFE0038C1EF, 00007FFE0038C23B

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strspn$memcpystrchr
String ID: $ambisonic
API String ID: 2918080867-3257024572
Opcode ID: 0f5482def2ad202852d1b32bcf54bb77238b5e8d6a621b367dc68f81b01bffa8
Instruction ID: 3922e94ccd1b628399250085e60fd2569060f8513b31deca8bca0100ddbdf34e
Opcode Fuzzy Hash: 0f5482def2ad202852d1b32bcf54bb77238b5e8d6a621b367dc68f81b01bffa8
Instruction Fuzzy Hash: CA310822B1874280EE22DB65A9401BE2791AF497D4F489972DF1D473EEDE3CE441C314

Function 00007FFE1A5268AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A526A6B,?,?,00000000,00007FFE1A52689C,?,?,?,?,00007FFE1A5265E5), ref: 00007FFE1A526931
GetLastError.KERNEL32(?,?,?,00007FFE1A526A6B,?,?,00000000,00007FFE1A52689C,?,?,?,?,00007FFE1A5265E5), ref: 00007FFE1A52693F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A526A6B,?,?,00000000,00007FFE1A52689C,?,?,?,?,00007FFE1A5265E5), ref: 00007FFE1A526958
LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A526A6B,?,?,00000000,00007FFE1A52689C,?,?,?,?,00007FFE1A5265E5), ref: 00007FFE1A52696A
FreeLibrary.KERNEL32(?,?,?,00007FFE1A526A6B,?,?,00000000,00007FFE1A52689C,?,?,?,?,00007FFE1A5265E5), ref: 00007FFE1A5269B0
GetProcAddress.KERNEL32(?,?,?,00007FFE1A526A6B,?,?,00000000,00007FFE1A52689C,?,?,?,?,00007FFE1A5265E5), ref: 00007FFE1A5269BC

Strings

api-ms-, xrefs: 00007FFE1A526951

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction ID: 0d1df70ec0763a455a0c10bf6c743f7312ee5119319c8c4b3fb23e7020a400b3
Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction Fuzzy Hash: DC319C21B0EF42D1EE119B53A8005B522A6FF46FB0F5905B7DD2D0ABA4EF3CE5448360

Function 00007FFE00370D30 Relevance: 12.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE00370E09
memcpy.MSVCRT ref: 00007FFE00370E31
memcpy.MSVCRT ref: 00007FFE00370E64
_aligned_free.MSVCRT ref: 00007FFE00370EFD
_aligned_free.MSVCRT ref: 00007FFE00370F22
_aligned_free.MSVCRT ref: 00007FFE00370F2B
_aligned_free.MSVCRT ref: 00007FFE00370F34
_aligned_free.MSVCRT ref: 00007FFE00370F3C

Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370AA6
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370ADD
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370AFA
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370B03
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370B0C
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370B14
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370B1D
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370B27
Part of subcall function 00007FFE003709B0: _aligned_free.MSVCRT ref: 00007FFE00370B31

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$memcpy
String ID:
API String ID: 2399556850-0
Opcode ID: 3c9d650dbb13996a3ec22da08a15398705cb45436fe499cb8ebfbe706efbcf1e
Instruction ID: cf4af4b33fbb7d977cb04c04c24cfb2cd4581e3b40f727386f3c5278eaeea94d
Opcode Fuzzy Hash: 3c9d650dbb13996a3ec22da08a15398705cb45436fe499cb8ebfbe706efbcf1e
Instruction Fuzzy Hash: C651C322B19A45C5EA6ADB15E48477E67A1FB88BC4F144435EF4E47BA9DF3CE840C700

Function 00007FFE0041BC90 Relevance: 12.1, APIs: 8, Instructions: 89timethreadCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FFE0041BCBD
QueryPerformanceCounter.KERNEL32 ref: 00007FFE0041BCD0
GetCurrentThread.KERNEL32 ref: 00007FFE0041BD39
GetThreadTimes.KERNEL32 ref: 00007FFE0041BD5B
GetCurrentProcess.KERNEL32 ref: 00007FFE0041BDA8
GetProcessTimes.KERNEL32 ref: 00007FFE0041BDCA
_errno.MSVCRT ref: 00007FFE0041BDD4
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE0041BDF5

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CurrentPerformanceProcessQueryThreadTimeTimes$CounterFileFrequencySystem_errno
String ID:
API String ID: 3786581644-0
Opcode ID: d139243207ebbece3588048b73cc12c1a18ec046571d34b62e2ee2edf8e95ea4
Instruction ID: 1918b36a51d9c29e35c031e472aa9cf20243a772ceeedbf3a3320f88ea5098b0
Opcode Fuzzy Hash: d139243207ebbece3588048b73cc12c1a18ec046571d34b62e2ee2edf8e95ea4
Instruction Fuzzy Hash: 0C3161B2A18A4782DF688F25E4501BA6365EB85B84B509136D78E47BBCDF3DD444CB40

Function 00007FFE00391C90 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00391D24

Strings

yuv420p, xrefs: 00007FFE00391CE5, 00007FFE00391D74
bgra, xrefs: 00007FFE00391D40
rgb32, xrefs: 00007FFE00391C9A
bgr32, xrefs: 00007FFE00391CC3
%s%s, xrefs: 00007FFE00391D63
rgba, xrefs: 00007FFE00391CD3

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %s%s$bgr32$bgra$rgb32$rgba$yuv420p
API String ID: 1004003707-3566121812
Opcode ID: 98d685d57b4154a566717737cbd7b33df6296256410a4f9ae653ec1de5376476
Instruction ID: eb4613a3d8433765dbaef18fe27500ad239dc61c46b63a8b6b74cd4721f801b4
Opcode Fuzzy Hash: 98d685d57b4154a566717737cbd7b33df6296256410a4f9ae653ec1de5376476
Instruction Fuzzy Hash: BE316B25F08A0398FF669F12A9012B95365AF40B84F885532DF0E2B3BCFE6CE605C304

Function 00007FFE00366810 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226COMMON

Download Yara Rule

Strings

tail_len <= 5, xrefs: 00007FFE003669FD
Assertion %s failed at %s:%d, xrefs: 00007FFE00366A0D
src/libavutil/avstring.c, xrefs: 00007FFE003669F6

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$src/libavutil/avstring.c$tail_len <= 5
API String ID: 0-789252298
Opcode ID: 329d394584cb3486badaf9e4265f6a7098fb55d9a784c86af4291aec6c9427e0
Instruction ID: 079fd4197f3f07590cc5c53a64d627fdeb279f55fe8bfc3be069596f3ac275b7
Opcode Fuzzy Hash: 329d394584cb3486badaf9e4265f6a7098fb55d9a784c86af4291aec6c9427e0
Instruction Fuzzy Hash: 43710273F1D68342EA674A25A90677966D17F057E4F58C232DF6E067E8EE7DA840C300

Function 00007FFE0037AF20 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

Invalid mapping found when attempting unmap., xrefs: 00007FFE0037B0F6
orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx, xrefs: 00007FFE0037B11C
Assertion %s failed at %s:%d, xrefs: 00007FFE0037B12C
src/libavutil/hwcontext.c, xrefs: 00007FFE0037B115
Failed to map frame into derived frame context: %d., xrefs: 00007FFE0037B1DD

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$Failed to map frame into derived frame context: %d.$Invalid mapping found when attempting unmap.$orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx$src/libavutil/hwcontext.c
API String ID: 0-1886799933
Opcode ID: 7de98eef6f36daff8acd38367cc58669d168e51f435deb3ddf0eda039419a1c9
Instruction ID: ba8ff98ef05babf0ea17446cb7c6972f36f8a97f4ae89e670aebd931552c1885
Opcode Fuzzy Hash: 7de98eef6f36daff8acd38367cc58669d168e51f435deb3ddf0eda039419a1c9
Instruction Fuzzy Hash: D5716C72A09A4A85EA63CB16D85476E67A0FB44BD4F844036DF1D477B8EF3CE481C740

Function 00007FFE00385327 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
%s%s%s%s, xrefs: 00007FFE00384F2A
panic, xrefs: 00007FFE00385327

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $panic
API String ID: 895318938-4009946497
Opcode ID: 76949ceaf3e161934144b751887d61ea7784a81ae46f4df191c02a4c19fb6b98
Instruction ID: 173459b4ca6a6f8575673d851538f827a7570031f9b6aa5d6b3c539ab77525b5
Opcode Fuzzy Hash: 76949ceaf3e161934144b751887d61ea7784a81ae46f4df191c02a4c19fb6b98
Instruction Fuzzy Hash: FA616161D0CB8645EB61DB51A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C744

Function 00007FFE00385330 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
error, xrefs: 00007FFE00385330
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $error
API String ID: 895318938-746115170
Opcode ID: 290f8d961d26d619dfad9ec8fbf528cba7d9e151612daada1adc1da91ff29958
Instruction ID: d521871c2915450ffa7421043303c9eeaa5ceb1ffc8cb6e96f96c82ff6d4ec67
Opcode Fuzzy Hash: 290f8d961d26d619dfad9ec8fbf528cba7d9e151612daada1adc1da91ff29958
Instruction Fuzzy Hash: 37616161D0CB8645EB61DB51A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C744

Function 00007FFE00385339 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
[%s] , xrefs: 00007FFE00385316
fatal, xrefs: 00007FFE00385339
Last message repeated %d times, xrefs: 00007FFE00384FA2
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $fatal
API String ID: 895318938-1232420508
Opcode ID: 5564261fac44c2804085dbb4aa80a2cc84f05d2c4e199730b9fad23d48acbc1c
Instruction ID: b5dbbd32c6ae7f72d5bb12ab6a344ceec2ffba9ef97dcd578c0acffc3b024f78
Opcode Fuzzy Hash: 5564261fac44c2804085dbb4aa80a2cc84f05d2c4e199730b9fad23d48acbc1c
Instruction Fuzzy Hash: 53616161D0CB8645EB61DB51A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C744

Function 00007FFE00385342 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
verbose, xrefs: 00007FFE00385342
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $verbose
API String ID: 895318938-125437466
Opcode ID: a2fd106a1c9acae8677d10434890b9ef8f33735a9d1e14c72d708d45250e3eb7
Instruction ID: a50bda4d226aee04570fee9950905364071ebde7143ca82c4b50cb9f6e1eff2a
Opcode Fuzzy Hash: a2fd106a1c9acae8677d10434890b9ef8f33735a9d1e14c72d708d45250e3eb7
Instruction Fuzzy Hash: 94618161D0CB8645EB61DB11A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C784

Function 00007FFE0038534B Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
info, xrefs: 00007FFE0038534B
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $info
API String ID: 895318938-3747654419
Opcode ID: 94470c2433cdf86f563b52056e8aa694089832e0010874791d716f3e200e382d
Instruction ID: e3f981efd6c362936fae38a37ff5616f7c5000f6f40ca115a979bc595e5049a9
Opcode Fuzzy Hash: 94470c2433cdf86f563b52056e8aa694089832e0010874791d716f3e200e382d
Instruction Fuzzy Hash: 2E616161D0CB8645EB61DB51A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C784

Function 00007FFE00385354 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
warning, xrefs: 00007FFE00385354
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $warning
API String ID: 895318938-1705345410
Opcode ID: 08d12eebc39462adb75762280ad986e564744e38b177ed1b8a4005c961454d7e
Instruction ID: 0563a83296e316cdf33d33f747b63baea2592bcc652d711cf0eaf1adab32a72a
Opcode Fuzzy Hash: 08d12eebc39462adb75762280ad986e564744e38b177ed1b8a4005c961454d7e
Instruction Fuzzy Hash: E2616161D0CB8645EB61DB51A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C744

Function 00007FFE0038535D Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
trace, xrefs: 00007FFE0038535D
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $trace
API String ID: 895318938-1090435506
Opcode ID: 388eb94d59a67a7935202ee3fbd654646914f8ea13633ebb36aa983399d9d6e5
Instruction ID: f99739a500052679583ce6801670985394422d952b725c48a3bbb54b6b1a2e4a
Opcode Fuzzy Hash: 388eb94d59a67a7935202ee3fbd654646914f8ea13633ebb36aa983399d9d6e5
Instruction Fuzzy Hash: AF616161D0CB8645EB61DB51A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C744

Function 00007FFE00385366 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE00384F79
strcpy.MSVCRT ref: 00007FFE00384FC5
strlen.MSVCRT ref: 00007FFE003852C6

Strings

?, xrefs: 00007FFE003850A8
[%s] , xrefs: 00007FFE00385316
Last message repeated %d times, xrefs: 00007FFE00384FA2
debug, xrefs: 00007FFE00385366
%s%s%s%s, xrefs: 00007FFE00384F2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $debug
API String ID: 895318938-486550452
Opcode ID: 1bc9e0b77ceed3842ae2b5e7fb56ecccc4e0069f3b8ae22bfc2df3ac513e0b58
Instruction ID: 9f19d064d4460532341290cdfb19ec8fef62a05d2908ba57f9f1a96e85b049bc
Opcode Fuzzy Hash: 1bc9e0b77ceed3842ae2b5e7fb56ecccc4e0069f3b8ae22bfc2df3ac513e0b58
Instruction Fuzzy Hash: B9616161D0CB8645EB61DB51A4143FE6B92BF82B44F8440B6DB8D173AEDE3EE405C744

Function 00007FFE1A525520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A5255E9
_local_unwind.LIBVCRUNTIME ref: 00007FFE1A52568C

Strings

MOC, xrefs: 00007FFE1A525562
RCC, xrefs: 00007FFE1A52556E
csm, xrefs: 00007FFE1A5256D0
csm, xrefs: 00007FFE1A525584

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction ID: 27194a9c02aad2fb733e5560ce7d44bfa56a259f3f2190736ea642fbedd1522c
Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction Fuzzy Hash: 33517272B0DA51C6EA609FB6904137D76A2FF46FA8F1400F3EA4E56765DF3CE4418A01

Function 00007FFE00361010 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 124sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFE0036105D
_amsg_exit.MSVCRT ref: 00007FFE00361086

Strings

h"V, xrefs: 00007FFE00361035, 00007FFE003610B2
`"V, xrefs: 00007FFE0036106F, 00007FFE003610EF

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID: `"V$h"V
API String ID: 1015461914-2814582237
Opcode ID: 3224bf86eb5cef696b33d2aba6a83138660028b8981cd15249a10f7ce29e597b
Instruction ID: b12a13b22045bb7784c0febf28ea0180e3b1783b1af4bddf9b88be0a96f8524a
Opcode Fuzzy Hash: 3224bf86eb5cef696b33d2aba6a83138660028b8981cd15249a10f7ce29e597b
Instruction Fuzzy Hash: C341AE72F0A64385FA529B16E95027923A6EF86794F598032CF0C873BDDE7CE881D301

Function 00007FFE1A4FAC80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE1A4FAD29
av_log.AVUTIL-58 ref: 00007FFE1A4FAD9C

Strings

adding %d audio samples of silence, xrefs: 00007FFE1A4FAD8D

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_logmemset
String ID: adding %d audio samples of silence
API String ID: 1585849880-1798122562
Opcode ID: 43dec4429a85b2510075a362c729a0e6794df002455a30ccca771920209cc6fe
Instruction ID: f2fe6ece64acc58cd9fa1aede36986582028ec7ae8b89ebf8cdd3d02accfdb56
Opcode Fuzzy Hash: 43dec4429a85b2510075a362c729a0e6794df002455a30ccca771920209cc6fe
Instruction Fuzzy Hash: CE310621B08A6246F755861BA049FFF224AFB45FA2F4060F7DE0D9779ACE2DE501C744

Function 00007FFE1A52D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1A52CE14), ref: 00007FFE1A52D803
DName::DName.LIBVCRUNTIME ref: 00007FFE1A52D822

Strings

void, xrefs: 00007FFE1A52D786
`template-parameter, xrefs: 00007FFE1A52D830

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction ID: 90b81c479a42ab17ce807e378c22ac7194a3f4e766b33db4fbc4a525f3c0b6e2
Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction Fuzzy Hash: 82412722B08F56C8FB009BA6D8512BD2372BF46BA4F5410B7CE0D56A65DF7CA509C340

Function 00007FFE1A528624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A5286DB

Strings

void, xrefs: 00007FFE1A528759
<ellipsis>, xrefs: 00007FFE1A528734
,..., xrefs: 00007FFE1A5286A8
..., xrefs: 00007FFE1A528724
,<ellipsis>, xrefs: 00007FFE1A5286B8

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction ID: 15f9452778cae83defc5c95d5afeae7d9952b108d866b0013a60f36c6b186158
Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction Fuzzy Hash: AA410572B1CF4688FB028BA6E8802BC37A1BB5AB58F4441F7EA4D52664DF3CA545C750

Function 00007FFE1A52A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A40F

Strings

unsigned , xrefs: 00007FFE1A52A3E3
char , xrefs: 00007FFE1A52A3A5
short , xrefs: 00007FFE1A52A39C
long , xrefs: 00007FFE1A52A37E
int , xrefs: 00007FFE1A52A38D

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction ID: 464fd02f9de96c28ec3d6348bc6dc7c5be75456f395684db0fa49720762a8906
Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction Fuzzy Hash: 77414C32B1CE56C9E7258FAAE8441BC37A2BB56B64F4481F7CA0C56B68DF389544C710

Function 00007FFE0036AD20 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0036AD79

Strings

R, xrefs: 00007FFE0036ADD4
U, xrefs: 00007FFE0036ADC0
S, xrefs: 00007FFE0036ADC6
AMBI, xrefs: 00007FFE0036AD2A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: AMBI$R$S$U
API String ID: 1004003707-1923686996
Opcode ID: 2c03c1ff48f72caf1a01bafe690d171ef4b5263fdc57e4468dab7bf39da5722a
Instruction ID: ff97bb3891c42c9c7d664c654b16194d963bd7a2f3023f4aa62b86e8560e7ed7
Opcode Fuzzy Hash: 2c03c1ff48f72caf1a01bafe690d171ef4b5263fdc57e4468dab7bf39da5722a
Instruction Fuzzy Hash: 2021C413B1C98355FB238A24A8102B91760AB413AAF889471DF0D06BE8EE7CE984CB05

Function 00007FFE00381880 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0038191C

Strings

((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FFE00381945
src/libavutil/imgutils.c, xrefs: 00007FFE00381936, 00007FFE00381966
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FFE00381975
Assertion %s failed at %s:%d, xrefs: 00007FFE00381951

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$src/libavutil/imgutils.c
API String ID: 3510742995-1436408019
Opcode ID: 29eedba0b8a561808ce1373c0d83b9e424659025d8d80de6197fb189af70282f
Instruction ID: 877a2bc05debcdf2f4995fa324b509d6c2b26923555e82d4afa60b23e17099b5
Opcode Fuzzy Hash: 29eedba0b8a561808ce1373c0d83b9e424659025d8d80de6197fb189af70282f
Instruction Fuzzy Hash: 7821A1A3F09B5549F962DB11B9011EB6359AB887D8F884272DF4C067ADEE3CE5468700

Function 00007FFE0038D160 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

false,n,no,disable,disabled,off, xrefs: 00007FFE0038D326
Unable to parse option value "%s" as boolean, xrefs: 00007FFE0038D3A8
auto, xrefs: 00007FFE0038D169
true,y,yes,enable,enabled,on, xrefs: 00007FFE0038D2C8

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Unable to parse option value "%s" as boolean$auto$false,n,no,disable,disabled,off$true,y,yes,enable,enabled,on
API String ID: 0-3796170252
Opcode ID: 80dcf72f5eaf96136f939c22b2c5b1b32456b8058e2967939369524f2b68426d
Instruction ID: 11fd1006d3cd574872005df0e6c769c6bc7aa2511e3ff13ea501af0fbca78f14
Opcode Fuzzy Hash: 80dcf72f5eaf96136f939c22b2c5b1b32456b8058e2967939369524f2b68426d
Instruction Fuzzy Hash: 8E219216A1CB0285FA43DB20A51137A5351AF817E4F914671DE1E273F9EF7CE4869304

Function 00007FFE00376860 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE00376C25

Part of subcall function 00007FFE00409860: strlen.MSVCRT ref: 00007FFE00409878
Part of subcall function 00007FFE00409860: _errno.MSVCRT ref: 00007FFE00409897

_errno.MSVCRT ref: 00007FFE00376C93

Strings

/tmp/%sXXXXXX, xrefs: 00007FFE00376C49
ff_tempfile: Cannot allocate file name, xrefs: 00007FFE00376CD6
./%sXXXXXX, xrefs: 00007FFE00376C77
ff_tempfile: Cannot open temporary file %s, xrefs: 00007FFE00376CA2

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errnostrlen
String ID: ./%sXXXXXX$/tmp/%sXXXXXX$ff_tempfile: Cannot allocate file name$ff_tempfile: Cannot open temporary file %s
API String ID: 860928405-2152079688
Opcode ID: 0f688c71126fc59946a20c54ec96a80db71b419569075c9b5168e78452e7bea4
Instruction ID: d30a3935f3421eaeb0581381e0af11a527f765d950b9d08a11547826d93e909f
Opcode Fuzzy Hash: 0f688c71126fc59946a20c54ec96a80db71b419569075c9b5168e78452e7bea4
Instruction Fuzzy Hash: 1C21B072A08A0681EA52DB62E4050BE3364FF88784F804436FF9D473BAEE3CE404C704

Function 00007FFE00381990 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE003819F9
abort.MSVCRT ref: 00007FFE00381A3F

Strings

((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FFE00381A23
src/libavutil/imgutils.c, xrefs: 00007FFE00381A14, 00007FFE00381A44
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FFE00381A53
Assertion %s failed at %s:%d, xrefs: 00007FFE00381A2F

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortmemcpy
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$src/libavutil/imgutils.c
API String ID: 985927305-1436408019
Opcode ID: 57f52b22eac4459bf228b66986decd4f74425c1849e3cd511780a932ceefaf11
Instruction ID: 306b072759c4199d696df7c6093c71cf1abf9033cde5495b04f5661b6d88e3f7
Opcode Fuzzy Hash: 57f52b22eac4459bf228b66986decd4f74425c1849e3cd511780a932ceefaf11
Instruction Fuzzy Hash: AD113B62E1AA6285E635DB54E9016FA6794AF49380F880674DF0C07BB9EE3CF901C704

Function 00007FF7EC502370 Relevance: 10.6, APIs: 7, Instructions: 55COMMON

Download Yara Rule

APIs

avcodec_free_context.AVCODEC-60 ref: 00007FF7EC502388
avformat_free_context.AVFORMAT-60 ref: 00007FF7EC5023CC

Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50204A
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502065
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC502080
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC50209B
Part of subcall function 00007FF7EC502030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7EC5023A2), ref: 00007FF7EC5020B6

av_free.AVUTIL-58 ref: 00007FF7EC5023B1
avio_context_free.AVFORMAT-60 ref: 00007FF7EC5023BD
avio_close.AVFORMAT-60 ref: 00007FF7EC5023C4
avcodec_free_context.AVCODEC-60 ref: 00007FF7EC502402
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7EC502415

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
String ID:
API String ID: 1086289117-0
Opcode ID: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
Instruction ID: b77be64c24ba4cd6f2564f9f80872656d5cbeaac904bba8f4897575b1fb5de53
Opcode Fuzzy Hash: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
Instruction Fuzzy Hash: 86214166A0465182FB10AF25E46237DA3A4FB44F8CFA55537EA4D87646DF38D441C322

Function 00007FFE0041A660 Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE00419840: TlsGetValue.KERNEL32 ref: 00007FFE0041985D

longjmp.MSVCRT ref: 00007FFE0041A69B
TlsGetValue.KERNEL32 ref: 00007FFE0041A6A7
CloseHandle.KERNEL32 ref: 00007FFE0041A6D3
_endthreadex.MSVCRT ref: 00007FFE0041A6EB
CloseHandle.KERNEL32 ref: 00007FFE0041A6FD
TlsSetValue.KERNEL32 ref: 00007FFE0041A71B
CloseHandle.KERNEL32 ref: 00007FFE0041A72E

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CloseHandleValue$_endthreadexlongjmp
String ID:
API String ID: 3990644698-0
Opcode ID: 73060f70dbe4c489cd31e19d1776919e8e936670c78b2bffbe7749b2f46d11de
Instruction ID: 1c02f9311adf8534a7e7d33a42d7d11ef804ebc9344a577bcaf0e9520ca1c18d
Opcode Fuzzy Hash: 73060f70dbe4c489cd31e19d1776919e8e936670c78b2bffbe7749b2f46d11de
Instruction Fuzzy Hash: E8215B35A0A68286FBA49B11D4647BA77A4FF84B44F098135CF4E073A8DF3CA854C709

Function 00007FFE0036D810 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE0036D85F

Strings

av_crc_init(av_crc_table[AV_CRC_32_IEEE_LE], 1, 32, 0xEDB88320, sizeof(av_crc_table[AV_CRC_32_IEEE_LE])) >= 0, xrefs: 00007FFE0036D83B
Assertion %s failed at %s:%d, xrefs: 00007FFE0036D84B, 00007FFE0036D8AB
src/libavutil/crc.c, xrefs: 00007FFE0036D834, 00007FFE0036D894
av_crc_init(av_crc_table[AV_CRC_16_ANSI_LE], 1, 16, 0xA001, sizeof(av_crc_table[AV_CRC_16_ANSI_LE])) >= 0, xrefs: 00007FFE0036D89B

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$av_crc_init(av_crc_table[AV_CRC_16_ANSI_LE], 1, 16, 0xA001, sizeof(av_crc_table[AV_CRC_16_ANSI_LE])) >= 0$av_crc_init(av_crc_table[AV_CRC_32_IEEE_LE], 1, 32, 0xEDB88320, sizeof(av_crc_table[AV_CRC_32_IEEE_LE])) >= 0$src/libavutil/crc.c
API String ID: 4206212132-3869419772
Opcode ID: 96f5f185df5af9d250496bea1b812434c02eec593cc3f23363683570a2ddd386
Instruction ID: 75439bd8aaa584c8133ef899b317dc650278e30dc6819bc71346f1da6064da8f
Opcode Fuzzy Hash: 96f5f185df5af9d250496bea1b812434c02eec593cc3f23363683570a2ddd386
Instruction Fuzzy Hash: 23115B61F19A0781E711AF60A8052FE2764EF98304FC04175EB4C467BAEF3CE205C769

Function 00007FFE00388E40 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE00388F33

Strings

%d:%02d.%06d, xrefs: 00007FFE00388EE2
INT64_MIN, xrefs: 00007FFE00389056
%d.%06d, xrefs: 00007FFE0038907B
%lld:%02d:%02d.%06d, xrefs: 00007FFE00388FE4
INT64_MAX, xrefs: 00007FFE0038901B

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen
String ID: %d.%06d$%d:%02d.%06d$%lld:%02d:%02d.%06d$INT64_MAX$INT64_MIN
API String ID: 39653677-2240581584
Opcode ID: cf4f16006c1c0a862bb4f663b07b40e742fc65853bf7fc4d11485ba963f2ff38
Instruction ID: 6a85b3c1a45618663fbbbbe9e57ea120ae239c4d5005795d057ff56d00da2985
Opcode Fuzzy Hash: cf4f16006c1c0a862bb4f663b07b40e742fc65853bf7fc4d11485ba963f2ff38
Instruction Fuzzy Hash: 2F4119D1B1978946EE79CB66A8152BD57825B88BC0EC89272EF1E477EDDE7CB1048300

Function 00007FFE1A541920 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A545530: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE1A541688), ref: 00007FFE1A545552

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A541980
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5419DE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A541A07
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A541A1C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A541A73
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A541A86

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno$free
String ID:
API String ID: 4247730083-0
Opcode ID: 34b5fe769a158e21acccb4ad1b5a9f683f14a6e55ea9ebd6d8c1efb0b3076924
Instruction ID: f4580743e246de26b8bfb2daf9a29df2f9cca5cfa71ddaa94fa29f7b3f21c5c2
Opcode Fuzzy Hash: 34b5fe769a158e21acccb4ad1b5a9f683f14a6e55ea9ebd6d8c1efb0b3076924
Instruction Fuzzy Hash: 5551E922B1CF1692EA109B23A54017933A4BB56BB4F4441FADB5D436F6FF28E865C780

Function 00007FFE1A5262D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE1A526326
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A526369
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A526393
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE1A5263B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A5263BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A5263C5

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction ID: e64f3ce8d40430b0a74a3e61f62a04b84196e5c0ba485dde0c2b56cf5fd74f95
Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction Fuzzy Hash: 1531D222B1DB9180EB118B67A8041B933A1FF5AFE0B5445B7DE2D037A0DE3DD442C310

Function 00007FFE1A543AB0 Relevance: 9.1, APIs: 6, Instructions: 66threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFE1A543B29
GetCurrentProcess.KERNEL32 ref: 00007FFE1A543B35
GetCurrentThread.KERNEL32 ref: 00007FFE1A543B3E
GetCurrentProcess.KERNEL32 ref: 00007FFE1A543B47
DuplicateHandle.KERNEL32 ref: 00007FFE1A543B6C

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Current$ProcessThread$DuplicateHandle
String ID:
API String ID: 4285418203-0
Opcode ID: 122369a1c330d7f29e53f35644df85b62e1c336a8a69c3fc79a39b0e983c8277
Instruction ID: 17fda4c5a699605c14db89b7951da20fa6c7adf629c63f54884e80e41cbd95fc
Opcode Fuzzy Hash: 122369a1c330d7f29e53f35644df85b62e1c336a8a69c3fc79a39b0e983c8277
Instruction Fuzzy Hash: F1314531A0CFC186E7219F22A8452BA7760FB56BA4F1441B9DE8D06B75EF3CD185C700

Function 00007FFE00374910 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 306stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0037494B
_aligned_free.MSVCRT ref: 00007FFE00374E0E

Strings

d, xrefs: 00007FFE003749CB
Invalid chars '%s' at the end of expression '%s', xrefs: 00007FFE00374A7D
pB, xrefs: 00007FFE00374997

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_freestrlen
String ID: Invalid chars '%s' at the end of expression '%s'$d$pB
API String ID: 1887580107-3579329537
Opcode ID: 5a1976bc1fae1619cc5837e51ad9f9ceb58bf78b7d192d9c0debe48df1a25819
Instruction ID: ab26e6d9fe5c362e289484b54f188bc70482faa1a0b4a00039a0a1d03ac17995
Opcode Fuzzy Hash: 5a1976bc1fae1619cc5837e51ad9f9ceb58bf78b7d192d9c0debe48df1a25819
Instruction Fuzzy Hash: 3FE1FB26619B4681DA62DB1AE49027E6B70FFC5B90F541032FB8D47BBADF2DD441CB40

Function 00007FFE1A545C10 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFE1A545C22
OpenProcess.KERNEL32 ref: 00007FFE1A545C36
GetLastError.KERNEL32 ref: 00007FFE1A545C41
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A545C57
CloseHandle.KERNEL32 ref: 00007FFE1A545C72
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A545C7C

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Process_errno$CloseCurrentErrorHandleLastOpen
String ID:
API String ID: 3861255796-0
Opcode ID: e8f9237df677979dc71b34d724e04c16cd4c67e5f51f945e8c435fea502eb581
Instruction ID: 358e91004b052c6596f00abbcae94aecf1a1b035fbf5f3470f4a361e4ae37d54
Opcode Fuzzy Hash: e8f9237df677979dc71b34d724e04c16cd4c67e5f51f945e8c435fea502eb581
Instruction Fuzzy Hash: B4015621B1CE0282EB555B7BB4842395191EF8AF74F4551BDDA2D477A5EE3CD8848700

Function 00007FFE00368250 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 196stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0036828B
strftime.MSVCRT ref: 00007FFE0036832A

Strings

[truncated strftime output], xrefs: 00007FFE0036840E, 00007FFE00368421, 00007FFE003684F1

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strftimestrlen
String ID: [truncated strftime output]
API String ID: 1668665056-4273287863
Opcode ID: 48fee134cde3df212bc8b5240acc974637bc91c92b5dcb55f0befaaa1fd8cc70
Instruction ID: af544e7fa4ab2a7ae51cc3d803d4fa00a257166afa9d7b44cb7434a3de7d4762
Opcode Fuzzy Hash: 48fee134cde3df212bc8b5240acc974637bc91c92b5dcb55f0befaaa1fd8cc70
Instruction Fuzzy Hash: D071D476B0865346E716CF29D88857D2391AF8CB94F65C235DB1A833E9DE3CE846C304

Function 00007FFE1A5238A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A526710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A52239E), ref: 00007FFE1A52671E

EncodePointer.KERNEL32 ref: 00007FFE1A523918
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A523963
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A523B91

Strings

RCC, xrefs: 00007FFE1A523934
MOC, xrefs: 00007FFE1A52392C

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction ID: 5f0ca13b2daec687c3767072e54eacb742df6beb78e037cd1e1076de5ef7fbf5
Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction Fuzzy Hash: D7914E73A08B85CAE710CBA6E4802BD7BA1F745BA8F1441A7EA8D17765DF38D195C700

Function 00007FFE003813C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE003815FB
_aligned_free.MSVCRT ref: 00007FFE00381633

Strings

Picture size %ux%u is invalid, xrefs: 00007FFE00381649
Formats with a palette require a minimum alignment of 4, xrefs: 00007FFE00381604

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_freememset
String ID: Formats with a palette require a minimum alignment of 4$Picture size %ux%u is invalid
API String ID: 4139559148-2772728507
Opcode ID: d2bce35dc7bea88bc8b002da499a7abb22af52d3ac8cced75f3b84996035a56c
Instruction ID: a626c0133b67275c96db31d457ae00b3166d118c5c213e55d5607621f09ed7e6
Opcode Fuzzy Hash: d2bce35dc7bea88bc8b002da499a7abb22af52d3ac8cced75f3b84996035a56c
Instruction Fuzzy Hash: DB61CF62B1878246EB06CA25990476EA796BFC5BD4F148271DF4E977EDEE3CE4018700

Function 00007FFE003A1850 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 172COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003A1AF8

Part of subcall function 00007FFE0041AF60: CreateEventA.KERNEL32 ref: 00007FFE0041AFE2
Part of subcall function 00007FFE0041AF60: Sleep.KERNEL32 ref: 00007FFE0041AFF7

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE003A1AE4
j, xrefs: 00007FFE003A1AEB
nb_threads >= 0, xrefs: 00007FFE003A1AD4
src/libavutil/slicethread.c, xrefs: 00007FFE003A1ACD

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CreateEventSleepabort
String ID: Assertion %s failed at %s:%d$j$nb_threads >= 0$src/libavutil/slicethread.c
API String ID: 723382662-4085466978
Opcode ID: 0dd97ee1e1389a45ab9eeccc6ffecfb3266947cce79cf5f2d17546453878bf81
Instruction ID: 044bb1185bdb79ecda9ea2217b857dcf1bce8fbab3b65f7f6662ffa8bceaf067
Opcode Fuzzy Hash: 0dd97ee1e1389a45ab9eeccc6ffecfb3266947cce79cf5f2d17546453878bf81
Instruction Fuzzy Hash: AB719B72A087828AE725DB12E5003BB73A1FB8A784F148135DB8D47BA9DF3CE415CB41

Function 00007FFE1A52BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52BC50

Part of subcall function 00007FFE1A528C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52913D
Part of subcall function 00007FFE1A528C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529175

Strings

volatile , xrefs: 00007FFE1A52BBD3, 00007FFE1A52BD21
volatile, xrefs: 00007FFE1A52BBE2, 00007FFE1A52BD30
std::nullptr_t , xrefs: 00007FFE1A52BDC5
std::nullptr_t, xrefs: 00007FFE1A52BDF1

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction ID: 091878ae236bf39047c18706084ca6ba34e2a9ca825f8cfebeec7753007b2ccd
Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction Fuzzy Hash: 67715C71B0CE46C4EB148FA6D9851BC66A2BF46BA4F4485F7DA4D17AB9DF3CA250C300

Function 00007FFE1A503660 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FFE1A503693
av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FFE1A50369E
av_get_bytes_per_sample.AVUTIL-58 ref: 00007FFE1A50386F
av_log.AVUTIL-58 ref: 00007FFE1A5038CE

Strings

Requested noise shaping dither not available at this sampling rate, using triangular hp dither, xrefs: 00007FFE1A5038BF

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_get_packed_sample_fmt$av_get_bytes_per_sampleav_log
String ID: Requested noise shaping dither not available at this sampling rate, using triangular hp dither
API String ID: 3201340904-3665241142
Opcode ID: 3aabd3796ad4e8e3c28a21a01194fa0efc64d4ec367513780e46d480d1dae623
Instruction ID: 272470db77d9bfedba25331d37f8845a41fc356e6f27e145358213f3ca7a6c25
Opcode Fuzzy Hash: 3aabd3796ad4e8e3c28a21a01194fa0efc64d4ec367513780e46d480d1dae623
Instruction Fuzzy Hash: 2961F835F1CE4549E356CB36861137F6251BF5BFA4F0483F3DA0E662A1EF6CA5858600

Function 00007FFE1A523690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A526710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A52239E), ref: 00007FFE1A52671E

EncodePointer.KERNEL32 ref: 00007FFE1A5236DC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A52372B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52389F

Strings

MOC, xrefs: 00007FFE1A5236F0
RCC, xrefs: 00007FFE1A5236F9

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction ID: 29e48efa95917043053229bd694ea36b29b5f355a09b95108c6552f3137d9f74
Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction Fuzzy Hash: 6D615976A09B85CAEB148FA6D0803BD77A2FB45BA8F0441A7EE4917B65CF38E155C700

Function 00007FFE0040D620 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0040D6C0
_errno.MSVCRT ref: 00007FFE0040D710

Strings

exp, xrefs: 00007FFE0040D6E6, 00007FFE0040D72B, 00007FFE0040D765

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: exp
API String ID: 2918714741-113136155
Opcode ID: e90ec1942e2a92b2f1d0ed0121cc3710e2463ace097223b5873384d11cd1195e
Instruction ID: b3fe820b0e5f09b45f41db5c487356245dd30465e8e1fee9491ac1ffb74937ae
Opcode Fuzzy Hash: e90ec1942e2a92b2f1d0ed0121cc3710e2463ace097223b5873384d11cd1195e
Instruction Fuzzy Hash: 62512C52D0CE8582E7026F34E81227B6320FF96344F91D321EB8D316AEFF2DE5948A44

Function 00007FFE1A503000 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1A5030A0
_errno.MSVCRT ref: 00007FFE1A5030F0

Strings

exp, xrefs: 00007FFE1A5030C6, 00007FFE1A50310B, 00007FFE1A503145

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: exp
API String ID: 2918714741-113136155
Opcode ID: e892162a4feb91c5f06d0adc05f7b2a5d8b4b961a27d821f26560dc97cede207
Instruction ID: 91f7d25af0b05ee52588ae24f5160a548a9538540f4b4446dcc6edcde36777e3
Opcode Fuzzy Hash: e892162a4feb91c5f06d0adc05f7b2a5d8b4b961a27d821f26560dc97cede207
Instruction Fuzzy Hash: 25512D12E0CE8582E7025B35E91227F6720FF97764F50E3A2EA89305B7FF1DE5948A40

Function 00007FFE00369750 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

pool->alloc || pool->alloc2, xrefs: 00007FFE003698D0
Assertion %s failed at %s:%d, xrefs: 00007FFE003698E6
src/libavutil/buffer.c, xrefs: 00007FFE003698C9

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$pool->alloc || pool->alloc2$src/libavutil/buffer.c
API String ID: 0-4265094632
Opcode ID: d76ba869af0c935bc261349364afef7ac018e203dbb1c970f62eb4bb728a1136
Instruction ID: c19fe344923ca603c41906a3397572351ee47a97b210e4c5ec01adfb4d1fb4b6
Opcode Fuzzy Hash: d76ba869af0c935bc261349364afef7ac018e203dbb1c970f62eb4bb728a1136
Instruction Fuzzy Hash: FB512772609B4681EB669F11E4447AE37A8FB48B88F55813ADF9D073A8DF3CE444C384

Function 00007FFE00386510 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003866C3

Strings

in_ts != ((int64_t)0x8000000000000000ULL), xrefs: 00007FFE003866A7
src/libavutil/mathematics.c, xrefs: 00007FFE00386698, 00007FFE003866C8
Assertion %s failed at %s:%d, xrefs: 00007FFE003866B3
duration >= 0, xrefs: 00007FFE003866D7

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$duration >= 0$in_ts != ((int64_t)0x8000000000000000ULL)$src/libavutil/mathematics.c
API String ID: 4206212132-3367517387
Opcode ID: 513caed045a4db0526df902e940f6b02687e0721ee3627fbbd4727eb2fb21fc4
Instruction ID: 6b440ae55dcd91d0c46b81463e0181980a59c8134cd8fe44a7dd54162160126a
Opcode Fuzzy Hash: 513caed045a4db0526df902e940f6b02687e0721ee3627fbbd4727eb2fb21fc4
Instruction Fuzzy Hash: 4D41D632709B8585EA20DF41F9456AAA768FB88BD4F445136EF8D07BA9EE7CE141C700

Function 00007FFE003A61E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003A62C2

Strings

dual_stride <= basis, xrefs: 00007FFE003A6321
!dual_stride || !(dual_stride & (dual_stride - 1)), xrefs: 00007FFE003A62A6
src/libavutil/tx.c, xrefs: 00007FFE003A6297, 00007FFE003A6312
Assertion %s failed at %s:%d, xrefs: 00007FFE003A62B2

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: !dual_stride || !(dual_stride & (dual_stride - 1))$Assertion %s failed at %s:%d$dual_stride <= basis$src/libavutil/tx.c
API String ID: 4206212132-1907613106
Opcode ID: b2d68d41104b27e6dcc2f546f5ee05c62e4ee261660e14a4176fa03e21371bc5
Instruction ID: 5922f1f369dbacb9a3cc11e8040225363903aff7f5db3a80f560c7ad1bdd72cf
Opcode Fuzzy Hash: b2d68d41104b27e6dcc2f546f5ee05c62e4ee261660e14a4176fa03e21371bc5
Instruction Fuzzy Hash: B731A232A0D6869AE761DF14A4417AA7BA0FB89354F544139EB8D43BA8DF7CE145CB00

Function 00007FFE1A4FAEC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

av_log.AVUTIL-58 ref: 00007FFE1A4FAF42
abort.MSVCRT ref: 00007FFE1A4FAF47

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE1A4FAF33
s->out_sample_rate == s->in_sample_rate, xrefs: 00007FFE1A4FAF23
src/libswresample/swresample.c, xrefs: 00007FFE1A4FAF1C

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_log
String ID: Assertion %s failed at %s:%d$s->out_sample_rate == s->in_sample_rate$src/libswresample/swresample.c
API String ID: 208496458-2566888546
Opcode ID: 6f075df65b6eed603a674aefd9f5f2e9a38cef1fcc3b0318237051135531fcf6
Instruction ID: 6d6fd46ad6c53d1adf2419c89914c00051f5a673e2a80be7fde80d5550c24053
Opcode Fuzzy Hash: 6f075df65b6eed603a674aefd9f5f2e9a38cef1fcc3b0318237051135531fcf6
Instruction Fuzzy Hash: 0F218261F0EB4285EA258B2E94443B927A0EF85F29F5452F6D60C4A7F4CF3CE552C610

Function 00007FFE0038E750 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0038E792

Strings

ntsc, xrefs: 00007FFE0038E76B
none, xrefs: 00007FFE0038E755

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: none$ntsc
API String ID: 1004003707-2486863473
Opcode ID: 6b738e6fadc790c156b69ca33ae2bb0c185686464ba8ef256ca71794a6c641fc
Instruction ID: cdb7bb406abec040f61592cc7beff1f9596fc582deb78eca553de419b5e2cd89
Opcode Fuzzy Hash: 6b738e6fadc790c156b69ca33ae2bb0c185686464ba8ef256ca71794a6c641fc
Instruction Fuzzy Hash: 1811E276F0825155E7228F2AEC406BE6791AB45BE8F488071EF4C8B7B8DE2CE481C740

Function 00007FFE00419780 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFE004197D6
_ultoa.MSVCRT ref: 00007FFE004197E9
OutputDebugStringA.KERNEL32 ref: 00007FFE0041982D
abort.MSVCRT ref: 00007FFE00419833

Strings

Error cleaning up spin_keys for thread , xrefs: 00007FFE004197BE

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CurrentDebugOutputStringThread_ultoaabort
String ID: Error cleaning up spin_keys for thread
API String ID: 4191895893-2906507043
Opcode ID: 81378f2af0811eeb7f04898ebd31de8b15f56f487cc7d9f9e4b7e3e7059bb688
Instruction ID: 9408383d19efd774d07b329016020030487b8bb6fe84b89aef27b77803cd06c7
Opcode Fuzzy Hash: 81378f2af0811eeb7f04898ebd31de8b15f56f487cc7d9f9e4b7e3e7059bb688
Instruction Fuzzy Hash: 5D110162F1C64281FB649B24E4283B95A91EF47360F984730DB5C463E8DE2DEC49C306

Function 00007FFE1A542780 Relevance: 7.7, APIs: 5, Instructions: 200synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE1A542829

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 128c7c0c7c4041ad80a73ece8c7e6e0e6db133071bd0854d49eb70ad7e1cdf79
Instruction ID: 53660ace3dde3eb20a534c63f863790842d20515c47f09672ca4f39dc88bb2bc
Opcode Fuzzy Hash: 128c7c0c7c4041ad80a73ece8c7e6e0e6db133071bd0854d49eb70ad7e1cdf79
Instruction Fuzzy Hash: EE915222B0CF5686E7718B27940037E72A0AF86BB4F5542BADE5D862E5FF78E4418740

Function 00007FFE004178B0 Relevance: 7.7, APIs: 5, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE00417957

Part of subcall function 00007FFE00418840: WaitForMultipleObjects.KERNEL32 ref: 00007FFE004188B4

ResetEvent.KERNEL32 ref: 00007FFE00417917
WaitForSingleObject.KERNEL32 ref: 00007FFE00417998

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Wait$ObjectSingle$EventMultipleObjectsReset
String ID:
API String ID: 654736092-0
Opcode ID: 34fbc9e2f4b500ec35d71564d19f70a292e06c702ea4cefd25497b8e02179aaa
Instruction ID: a8eae07054846eda432fdac94912e76f59177885ef8436f1f7866379b1555a0f
Opcode Fuzzy Hash: 34fbc9e2f4b500ec35d71564d19f70a292e06c702ea4cefd25497b8e02179aaa
Instruction Fuzzy Hash: 8E516F21F5C50341FBB1522695413FF01A27F8079CF684532DF4E863F9EE2CEA86820A

Function 00007FFE00418970 Relevance: 7.6, APIs: 5, Instructions: 102threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFE004189B0

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 64ab8e10bfe97489d8a8b5c547ce0e4a8904eff289fa1a41a4582324bccb7b1a
Instruction ID: dceb76b6d2e44e9de97ced28e069202a3775c8de9d4c9e43b3d567f3c16363c6
Opcode Fuzzy Hash: 64ab8e10bfe97489d8a8b5c547ce0e4a8904eff289fa1a41a4582324bccb7b1a
Instruction Fuzzy Hash: BE31C333B1911386FB668B1499487BA2294EF403A0F554539DF0D863A8EE3CE885C349

Function 00007FFE1A529FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A52A01D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A03F
DName::DName.LIBVCRUNTIME ref: 00007FFE1A52A052
DName::DName.LIBVCRUNTIME ref: 00007FFE1A52A089
DName::DName.LIBVCRUNTIME ref: 00007FFE1A52A094

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction ID: 51dae45fd3e4a8ec7c38475de939305eabf78f72527b453c495ba15e69626027
Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction Fuzzy Hash: C2413622B0DE56C8EB10CBA2D8801F937A6BB5AFA0B5440F7DA4D537A5DF38E955C300

Function 00007FFE0038A167 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 72stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE003899A4

Strings

%-15s , xrefs: 00007FFE003899B0
false, xrefs: 00007FFE0038A180
auto, xrefs: 00007FFE0038A16A
true, xrefs: 00007FFE0038A179

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %-15s $auto$false$true
API String ID: 1004003707-1025821387
Opcode ID: fb3527bd10113371e98a9a1ec61775ec9984070070ae132d8b4dc0cee117fe9d
Instruction ID: 6fa0f9cb1611093b427e7e5d85aba75887e028fe7b51e9b923f276beb9b62aeb
Opcode Fuzzy Hash: fb3527bd10113371e98a9a1ec61775ec9984070070ae132d8b4dc0cee117fe9d
Instruction Fuzzy Hash: 67312731A087429AEA66CB11A2517FE23A0EB40790F485176DB4E47BA9DF3CF550C740

Function 00007FFE00417400 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE00417418
ReleaseSemaphore.KERNEL32 ref: 00007FFE00417446
LeaveCriticalSection.KERNEL32 ref: 00007FFE00417453
LeaveCriticalSection.KERNEL32 ref: 00007FFE00417473
LeaveCriticalSection.KERNEL32 ref: 00007FFE00417498

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$Leave$EnterReleaseSemaphore
String ID:
API String ID: 2813224205-0
Opcode ID: f1a7a2740e80d1d3259fae1787131c9bb634157a3b26bf56fc66d50a79331669
Instruction ID: 29b6ead883f17aad651de02433ad44a48b1641825e02323895c525bca7bb33d2
Opcode Fuzzy Hash: f1a7a2740e80d1d3259fae1787131c9bb634157a3b26bf56fc66d50a79331669
Instruction Fuzzy Hash: B501F523F0911742EB558B2ABC812759291BFA97A6F848636CE0E42764DD3C98C68300

Function 00007FFE1A5039E6 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

av_channel_layout_subset.AVUTIL-58 ref: 00007FFE1A503A11
av_channel_layout_subset.AVUTIL-58 ref: 00007FFE1A503A2C
av_channel_layout_subset.AVUTIL-58 ref: 00007FFE1A503A47
av_channel_layout_subset.AVUTIL-58 ref: 00007FFE1A503A62
av_channel_layout_subset.AVUTIL-58 ref: 00007FFE1A503A81

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_subset
String ID:
API String ID: 2965862492-0
Opcode ID: ffdd762dd7e7d539b56224ab97a8e7a7bb2a5354903c6b430eecf0b001850afc
Instruction ID: 5846351ee5f6b0306eb30b87e75b23fc6c18d1660444d7080fc36070a82fb7c7
Opcode Fuzzy Hash: ffdd762dd7e7d539b56224ab97a8e7a7bb2a5354903c6b430eecf0b001850afc
Instruction Fuzzy Hash: 0F118B44B5FB0280FE555A26425633E12C25F87FB0F5888FACA0E0A3D6EE2CE904C210

Function 00007FFE1A545BA0 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFE1A545BAC
OpenProcess.KERNEL32 ref: 00007FFE1A545BC0
GetLastError.KERNEL32 ref: 00007FFE1A545BCB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A545BE1
CloseHandle.KERNEL32 ref: 00007FFE1A545BF7

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpen_errno
String ID:
API String ID: 202612177-0
Opcode ID: 59d5a97e427603bb888d026b8b2610f650cbaf0f5f7bb9ca25a91e49a38cba3c
Instruction ID: dead99281fa9b6d0fa0af43d34ae81b72817db5151e18952330261f7270ec2ea
Opcode Fuzzy Hash: 59d5a97e427603bb888d026b8b2610f650cbaf0f5f7bb9ca25a91e49a38cba3c
Instruction Fuzzy Hash: A9F05E61B1DA0242FB295BB3A4943342190AF4AF35F4440FECA2E867A0FE2C68858310

Function 00007FFE1A4F3C60 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE1A4F3EFB

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE1A4F3EE7
ctx->channels == out->ch_count, xrefs: 00007FFE1A4F3ED7
src/libswresample/audioconvert.c, xrefs: 00007FFE1A4F3ED0

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$ctx->channels == out->ch_count$src/libswresample/audioconvert.c
API String ID: 4206212132-1145592257
Opcode ID: 866e3859ebfbb8229919b961fbf36017d54387b83d359a5ec9b00af1929c4d7d
Instruction ID: b756c5bb4a4253a454f44f99d52ac0cef583bee1be247e0a57d60110a0ffaf24
Opcode Fuzzy Hash: 866e3859ebfbb8229919b961fbf36017d54387b83d359a5ec9b00af1929c4d7d
Instruction Fuzzy Hash: 2F611332B19A4682EA64CB0BD044BBA7351FF54FA6F05A1B6CE2D077A4EE3CF4508700

Function 00007FFE1A4FAFA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

Failed to compensate for timestamp delta of %f, xrefs: 00007FFE1A4FB250
compensating audio timestamp drift:%f compensation:%d in:%d, xrefs: 00007FFE1A4FB181

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Failed to compensate for timestamp delta of %f$compensating audio timestamp drift:%f compensation:%d in:%d
API String ID: 0-3137371971
Opcode ID: 9453577323ccaac385d38161161e3fdd902f05c07b8afe89a999298048375f23
Instruction ID: 919c7c0880b2ea3fcbf511ac17879938124332db89d5b9757ca204d3a3bf1069
Opcode Fuzzy Hash: 9453577323ccaac385d38161161e3fdd902f05c07b8afe89a999298048375f23
Instruction Fuzzy Hash: EE711A22F18F9A89E6128F3B95053B95264AF57FD5F0DD3B3DD0D263A4DF38A9528200

Function 00007FFE1A524044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A526710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A52239E), ref: 00007FFE1A52671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5241C3

Strings

, xrefs: 00007FFE1A524114
csm, xrefs: 00007FFE1A5241FD
csm, xrefs: 00007FFE1A524093

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction ID: 86577e43a63b351a4afc586beed9ffc01bc5ca9040e8859c12bbba9fb76ff9df
Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction Fuzzy Hash: D971923660CA91C6D7648BA2D4407B97FB2FB46FA4F0481B7EF4D07AA6CB28D491C741

Function 00007FFE003A15C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003A1747

Strings

nb_jobs > 0, xrefs: 00007FFE003A1723
Assertion %s failed at %s:%d, xrefs: 00007FFE003A1733
src/libavutil/slicethread.c, xrefs: 00007FFE003A171C

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$nb_jobs > 0$src/libavutil/slicethread.c
API String ID: 4206212132-1031856425
Opcode ID: 6ee0518d565bae88eeec7544e1c0ff8f03f36ef7bb88ca07a7aea4a2878acd5c
Instruction ID: 04363304c47c3f73b559ae79ba7ed905f9f5b894fd966b3690ba8f2788e8f123
Opcode Fuzzy Hash: 6ee0518d565bae88eeec7544e1c0ff8f03f36ef7bb88ca07a7aea4a2878acd5c
Instruction Fuzzy Hash: EC41C337A1560186EB65CF16E4006AAB7A1FB85B98F588135CF4D43778DF3DE442C740

Function 00007FFE00365FB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE00365FC9
strspn.MSVCRT ref: 00007FFE00366030
strspn.MSVCRT ref: 00007FFE003660B6

Strings

, xrefs: 00007FFE00365FEA, 00007FFE003660A3

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strspn$strlen
String ID:
API String ID: 697951671-596783616
Opcode ID: c2f3e75c8f79a9c271b989593eea45416c26161b9ab45691b9c7843e23effee5
Instruction ID: 34c03cd7e6c523c4087e26e4cc830679bbda9db0b9e7aaa627ce761ee8fabb10
Opcode Fuzzy Hash: c2f3e75c8f79a9c271b989593eea45416c26161b9ab45691b9c7843e23effee5
Instruction Fuzzy Hash: D6319461B0D2A740EE579B115A112795BA26F05BC8F48C471DF9D0B3EECE2DF456C344

Function 00007FFE00388990 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00007FFE00388A4A

Strings

Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 00007FFE00388ADA
none, xrefs: 00007FFE003889B2
Unable to parse option value "%s" as %s, xrefs: 00007FFE00388A79

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strtol
String ID: Unable to parse option value "%s" as %s$Value %d for parameter '%s' out of %s format range [%d - %d]$none
API String ID: 76114499-2908652078
Opcode ID: 3dc9da589c42dd02856a593b1258d03a0b292f87372d4db75a7a8f83acead3ae
Instruction ID: 7a0b36db6196c33e40fbd5feb9d774e97dfe02f41616ae795061ab76b0153f2f
Opcode Fuzzy Hash: 3dc9da589c42dd02856a593b1258d03a0b292f87372d4db75a7a8f83acead3ae
Instruction Fuzzy Hash: C6310C6290CB8645E766CB25685067E6352AB817E4F904372EF5D537FCDF3CE4418700

Function 00007FFE1A52A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A52A778

Strings

%lf, xrefs: 00007FFE1A52A7BE

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction ID: 97e20e806bd1a4f9f482ba13a666b34c9380a6245b2b6523d7ca5ef4bed5ebc0
Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction Fuzzy Hash: 63318222B0CE85C5EA20CB66B85027A6361FB86F94F5481F7EA9D47665CF3CD505C740

Function 00007FF7EC502990 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

avformat_new_stream.AVFORMAT-60(?,?,?,00007FF7EC5012F1), ref: 00007FF7EC5029AD
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7EC5012F1), ref: 00007FF7EC5029C0
fprintf.MSPDB140-MSVCRT ref: 00007FF7EC5029D3

Part of subcall function 00007FF7EC502320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF7EC5029D8,?,?,?,00007FF7EC5012F1), ref: 00007FF7EC502357

Strings

Couldn't create stream for encoder '%s', xrefs: 00007FF7EC5029C9

Memory Dump Source

Source File: 0000000A.00000002.1852490030.00007FF7EC501000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7EC500000, based on PE: true

Associated: 0000000A.00000002.1852466810.00007FF7EC500000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852516782.00007FF7EC505000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852546005.00007FF7EC506000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1852568735.00007FF7EC509000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7ec500000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintfavformat_new_streamfprintf
String ID: Couldn't create stream for encoder '%s'
API String ID: 306180413-3485626053
Opcode ID: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
Instruction ID: 5db17119170696caf5ab6c02ca5311e3fa353c9bf66cad8635c1d4883c0c105b
Opcode Fuzzy Hash: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
Instruction Fuzzy Hash: 77F06236A19B8081EB48DB16F451169A7A0FB8CBD4B989036EF4D43719EE3CD551CB00

Function 00007FFE0037D880 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00007FFE0037D8AF

Strings

Using CUDA primary device context, xrefs: 00007FFE0037D8E0
primary_ctx, xrefs: 00007FFE0037D889
Disabling use of CUDA primary device context, xrefs: 00007FFE0037D8B8

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strtol
String ID: Disabling use of CUDA primary device context$Using CUDA primary device context$primary_ctx
API String ID: 76114499-1919470267
Opcode ID: 3c091e27e2dbc98c8e65e12db3f15324b02cb9e40d48561a3b36329f0690444e
Instruction ID: af522f57ada5fc5474f6081392d9d3e153d747539dc18e64c01fa172a5580740
Opcode Fuzzy Hash: 3c091e27e2dbc98c8e65e12db3f15324b02cb9e40d48561a3b36329f0690444e
Instruction Fuzzy Hash: F9F0B811F1860350FA26A726A411ABD13A0AF9A790FC0A872DF0D1A7FAED2CE449C304

Function 00007FFE1A522400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A526710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A52239E), ref: 00007FFE1A52671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52243E

Strings

RCC, xrefs: 00007FFE1A522410
MOC, xrefs: 00007FFE1A522418
csm, xrefs: 00007FFE1A522420

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction ID: 6c9b61b40c19ec7c5ae3a23bcc49e1935a54955d17067e92f9ba712d929e5c32
Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction Fuzzy Hash: C7F03C3AA1CA86C1EB505FA2A18107D3676FB89FA0F0950F3D74906662CF7CD4A0C651

Function 00007FFE00369960 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003699A4

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE00369990
src/libavutil/buffer.c, xrefs: 00007FFE00369979
buf, xrefs: 00007FFE00369980

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$buf$src/libavutil/buffer.c
API String ID: 4206212132-2693306993
Opcode ID: 6a1729c8ae82779914f64dfb9c10cf82327e2bfa5a8fbcb130779104fee64848
Instruction ID: 6baaa80e9d80b9806cc0e1629c3aa88f0a67aec0052a1ff6086c1fc28564dd55
Opcode Fuzzy Hash: 6a1729c8ae82779914f64dfb9c10cf82327e2bfa5a8fbcb130779104fee64848
Instruction Fuzzy Hash: 61E0ED61B09B4681EA15EF65D44119D27A0EF88744FD58136DB4C073B9DF3CE105C718

Function 00007FFE00387500 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 14COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE0038752F

Strings

val || !min_size, xrefs: 00007FFE0038750F
Assertion %s failed at %s:%d, xrefs: 00007FFE00387516
src/libavutil/mem.c, xrefs: 00007FFE00387504

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$src/libavutil/mem.c$val || !min_size
API String ID: 4206212132-3343232236
Opcode ID: 9f2d832eee8a386a6791954090d46eb0d2479cb7aefd3148675639f8814a35ca
Instruction ID: d6ab019a550c31d4b1217398ff4b9d33019e7d65637f619efaa258429968a633
Opcode Fuzzy Hash: 9f2d832eee8a386a6791954090d46eb0d2479cb7aefd3148675639f8814a35ca
Instruction Fuzzy Hash: 17E04621909B4288E710FF50A8202F93760FB98304F811236D64E16B79CF3CA1058608

Function 00007FFE003755A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 12COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE003755CF

Strings

src/libavutil/fifo.c, xrefs: 00007FFE003755A4
Assertion %s failed at %s:%d, xrefs: 00007FFE003755B6
cur_size >= size, xrefs: 00007FFE003755AF

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$cur_size >= size$src/libavutil/fifo.c
API String ID: 4206212132-2007657860
Opcode ID: 88a5e5efd281f7ab3c7b4b2a72e72c85cd5da5ff7f8b021ecd333fd393f9dcb8
Instruction ID: d8f31c8bc2f8a24d8f01a05bc2711778cb5cbbf27dac6ddf611b6687ea4a09aa
Opcode Fuzzy Hash: 88a5e5efd281f7ab3c7b4b2a72e72c85cd5da5ff7f8b021ecd333fd393f9dcb8
Instruction Fuzzy Hash: 5FD01732A09A4694E314EF62A8012FD27A1FF98304FC55636D64D02379DF3CE219C718

Function 00007FFE1A529CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C459
Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C492
Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529E19
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529E78
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529EAA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529EBA

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction ID: 0d18410716d5f0e493f7eeae526e1288950ba66d058a97b3b3bbf19dbbac5bb5
Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction Fuzzy Hash: 21914922F0CA96C9F7118BA2D8403BC2BB2BB46BA4F5440F7DA4D577A5DF78A845C350

Function 00007FFE1A52A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A52A4F1
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A501
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A51E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52A553

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction ID: 9d6bfd9ee1b5691ca247e3d6e0e086f65cdea2892ce8a1fb7047e3b9835909bd
Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction Fuzzy Hash: FC513A72F1CE5689EB11CBA2E8403BD37A2BB96B64F5440F3DA0E476A5DF39A441C740

Function 00007FFE1A543BE0 Relevance: 6.1, APIs: 4, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE1A543C3E
ResetEvent.KERNEL32 ref: 00007FFE1A543C8E
WaitForSingleObject.KERNEL32 ref: 00007FFE1A543D0F

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ObjectSingleWait$EventReset
String ID:
API String ID: 466820088-0
Opcode ID: 23d1a419ce0311e38330c9e7fff77312c1ba9e2a20c5924deb88d3609af00be2
Instruction ID: e01b9c2fc7e47c062d20ddc4cbfe664420563e8b2ed226077e24b72690913a75
Opcode Fuzzy Hash: 23d1a419ce0311e38330c9e7fff77312c1ba9e2a20c5924deb88d3609af00be2
Instruction Fuzzy Hash: 64414232B1CE4182EB55DF22E4402B97761EF85FA4F4840BADB4D476AAEF38D445DB40

Function 00007FFE1A4F1010 Relevance: 6.1, APIs: 4, Instructions: 124sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFE1A4F105D
_amsg_exit.MSVCRT ref: 00007FFE1A4F1086

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: b553eb0038be5d07e6e415a4f5416fb2498995f0916b4543aad5407793640784
Instruction ID: b6334e03f5a24a1ec5049b449bc5c019537b05ab1755a508d205448730cd4471
Opcode Fuzzy Hash: b553eb0038be5d07e6e415a4f5416fb2498995f0916b4543aad5407793640784
Instruction Fuzzy Hash: 24414C22B0DA4285F6524B1FEA503B922A5AB8AFB1F4450F7CE0C473B5DE2DE8918300

Function 00007FFE003666B0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE003666D8
strchr.MSVCRT ref: 00007FFE0036670F
strlen.MSVCRT ref: 00007FFE003667FB

Strings

ALL, xrefs: 00007FFE003666F8

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen$strchr
String ID: ALL
API String ID: 3013107155-2914988887
Opcode ID: fcefe4586e90ed2a4975fb323870bf9105dc7dc9ba43fdb0f7cef785815bcb23
Instruction ID: 25518cee432c66df67ee5bf3639f7dda9b74a4c57e3b8978ee4216091c597f0f
Opcode Fuzzy Hash: fcefe4586e90ed2a4975fb323870bf9105dc7dc9ba43fdb0f7cef785815bcb23
Instruction Fuzzy Hash: 6E310457B0916740FF67C9316A25B790B921F457C8F599830CF1E17BEADE6CA8868300

Function 00007FFE1A541CF0 Relevance: 6.1, APIs: 4, Instructions: 102threadCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A541D5C
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A541DDB
ResumeThread.KERNEL32 ref: 00007FFE1A541E0A

Part of subcall function 00007FFE1A5456D0: CloseHandle.KERNEL32 ref: 00007FFE1A545775
Part of subcall function 00007FFE1A5456D0: CloseHandle.KERNEL32 ref: 00007FFE1A545785

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A541E42

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CloseHandle$ResumeThread_beginthreadexfreemalloc
String ID:
API String ID: 1141387253-0
Opcode ID: 66f779a04675420d10c3e0e1a40261c3780ffcd5451449fc6e1faf9f36e06287
Instruction ID: cb1baf749ba0d49463cf62051b021121d6629d0575ce8f39cbc0fff0237fd9ff
Opcode Fuzzy Hash: 66f779a04675420d10c3e0e1a40261c3780ffcd5451449fc6e1faf9f36e06287
Instruction Fuzzy Hash: 6C41B432B0CF8186E7618F12A4002BA77A0FB95B64F5451BAEE8D07760EF38D551C740

Function 00007FFE1A541AE0 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ed3023e85355d8c7d662a5ea9ebd51d1dc57e461f8a813a7e81e918f6af5b3
Instruction ID: 1d9a75257c7bd92be71547b6db250c58561fc531083ec078b11f199cd80110cb
Opcode Fuzzy Hash: a5ed3023e85355d8c7d662a5ea9ebd51d1dc57e461f8a813a7e81e918f6af5b3
Instruction Fuzzy Hash: 9B413772B0CF0282EA159B22A84013933A1BF86F64B5984FADA4D477A5FF3CE855C600

Function 00007FFE1A541790 Relevance: 6.1, APIs: 4, Instructions: 96threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

SuspendThread.KERNEL32 ref: 00007FFE1A541845
WaitForSingleObject.KERNEL32 ref: 00007FFE1A541850
ResumeThread.KERNEL32 ref: 00007FFE1A54188E

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Thread$ObjectResumeSingleSuspendWait
String ID:
API String ID: 879609812-0
Opcode ID: e0952a9e7b9d2dd58eff9cf88d52fd7236f715f562f819b9b31cf785f32f6f21
Instruction ID: 0547fc4c226998a7ca2916a1ad65a3f4fa34e055f58d935751c171dee83c4983
Opcode Fuzzy Hash: e0952a9e7b9d2dd58eff9cf88d52fd7236f715f562f819b9b31cf785f32f6f21
Instruction Fuzzy Hash: 21417132B0CA8592E7218B26D0403B973B1FB95F68F5440B6DB4D476A6EF3CE985CB40

Function 00007FFE00416900 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FFE0041695A
MultiByteToWideChar.KERNEL32 ref: 00007FFE0041699A

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 1a996603528365f6f637cd234a293156ba757802906f7287cb03bbb997d6b298
Instruction ID: 37ce83efc366502cfcfdf8c9e699971a718337fee8128faa116aa700b0d3df30
Opcode Fuzzy Hash: 1a996603528365f6f637cd234a293156ba757802906f7287cb03bbb997d6b298
Instruction Fuzzy Hash: CB31A3B2A0C28187E3708B28B4103AD7694FB95794F558235DB98977E9DF3DD584CB04

Function 00007FFE1A52C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C459
Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C492
Part of subcall function 00007FFE1A52C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C8F7
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C906
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C982
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A52C991

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction ID: f88377882646e83e3aad436ae60234deaba76799816dbdbbe92bb2de32abe4a6
Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction Fuzzy Hash: 6C416772A08F85C9E701CFA5E8413BC37A0BB86B68F5480A6DA4D5776ADF789441C310

Function 00007FFE0041BF60 Relevance: 6.1, APIs: 4, Instructions: 84timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE0041BF93
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE0041BFF9
_errno.MSVCRT ref: 00007FFE0041C056
_errno.MSVCRT ref: 00007FFE0041C083

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Time$FileSystem_errno
String ID:
API String ID: 3586254970-0
Opcode ID: 49a1365162b2beb6e2a3ccfb8f5b0d34ed3bda1431d8c2c1350c42e5770df44f
Instruction ID: 747c273b005aa9750d56ccb0eceb1f234e57af51a503697d9b5ae3cefad8b527
Opcode Fuzzy Hash: 49a1365162b2beb6e2a3ccfb8f5b0d34ed3bda1431d8c2c1350c42e5770df44f
Instruction Fuzzy Hash: 9C31F762B4964A87EE648F35DE401B966959B98BD4F1C8231DF0D477F8EF3CE4418204

Function 00007FFE1A542670 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199528771ef270659c4c603ab843dedc8cd56cbcb61e71196821b80f414cc4d2
Instruction ID: 91e79bc74a201c23cb3988afbe7e036717f8ed9af1738e7f6fbee04086070714
Opcode Fuzzy Hash: 199528771ef270659c4c603ab843dedc8cd56cbcb61e71196821b80f414cc4d2
Instruction Fuzzy Hash: 86313A76B09F6186EB698F16E44023C77A4EB49FA4B5980BADB4C43764EF38E850C740

Function 00007FFE00392150 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE00392184

Part of subcall function 00007FFE00365DA0: strlen.MSVCRT ref: 00007FFE00365DF3

strlen.MSVCRT ref: 00007FFE003921AC
strcmp.MSVCRT ref: 00007FFE003921FC

Part of subcall function 00007FFE003666B0: strlen.MSVCRT ref: 00007FFE003666D8
Part of subcall function 00007FFE003666B0: strchr.MSVCRT ref: 00007FFE0036670F

Strings

yuv420p, xrefs: 00007FFE003921DA

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen$strchrstrcmp
String ID: yuv420p
API String ID: 3490844034-503634524
Opcode ID: 633ea0c1e1550fd14e7121fbcdf51e94ec169c277e73b1c36fc1efad037321a4
Instruction ID: 1d05669b5511ba32ca264d6c29339c5f1edee4a308bca29aa04983457fd6378d
Opcode Fuzzy Hash: 633ea0c1e1550fd14e7121fbcdf51e94ec169c277e73b1c36fc1efad037321a4
Instruction Fuzzy Hash: B021D651E0C98620FF6B8724E41537A57906F01B84F448631CB9D067FDDE5CE595C301

Function 00007FFE003881C0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE0038822F
_aligned_malloc.MSVCRT ref: 00007FFE00388249
memset.MSVCRT ref: 00007FFE0038825C

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free_aligned_mallocmemset
String ID:
API String ID: 881591362-0
Opcode ID: cb9fa4dfdc566d95d76ac6a2519e6b12bbd1fac9c9e4a918d491552342bc60f3
Instruction ID: c35a3a9557ab6934e075102a5fe3cddb5d211512af668c9c38176937feee6c7f
Opcode Fuzzy Hash: cb9fa4dfdc566d95d76ac6a2519e6b12bbd1fac9c9e4a918d491552342bc60f3
Instruction Fuzzy Hash: 48219D72B09B4286FB629B55FA0437C63E1AB58BD4F888530CF5D137A9EE7CA4858300

Function 00007FFE0041B1F0 Relevance: 6.1, APIs: 4, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00007FFE0041B221

Part of subcall function 00007FFE00419840: TlsGetValue.KERNEL32 ref: 00007FFE0041985D

WaitForSingleObject.KERNEL32 ref: 00007FFE0041B27E
CloseHandle.KERNEL32(?,?,?,-00000028,?,00007FFE003A17F6), ref: 00007FFE0041B290
CloseHandle.KERNEL32(?,?,?,-00000028,?,00007FFE003A17F6), ref: 00007FFE0041B29C

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Handle$Close$InformationObjectSingleValueWait
String ID:
API String ID: 3336430066-0
Opcode ID: 549c524895db14aa5244f77738d71316e65da89358fac4c80a16bd5f07bf5018
Instruction ID: 2c2188c558263d364a9e5dca34946d75895ebea06731530738905713a00392a7
Opcode Fuzzy Hash: 549c524895db14aa5244f77738d71316e65da89358fac4c80a16bd5f07bf5018
Instruction Fuzzy Hash: 0F216D22B1960680FA619B61D8587FE6394EF447A0F484675DF2D473E8DF3CD845C388

Function 00007FFE1A545E70 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE1A541B64,?,?,?,?,?,00000002,00000000,00007FFE1A544983), ref: 00007FFE1A545F1E

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 96d3de31802f6f9abf018a6055aabe2c4eb702216a45d5bc26d38f291c6951f2
Instruction ID: 392cc00125d1e77c9b18482e779e7fd6e09709249c317092fe8e71deda148ddb
Opcode Fuzzy Hash: 96d3de31802f6f9abf018a6055aabe2c4eb702216a45d5bc26d38f291c6951f2
Instruction Fuzzy Hash: 64215E32B1CF4282F764DB22A44013A76A1AB85BA4F5445BAEB5D43BA4FF38EC15C700

Function 00007FFE003705F0 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FFE00370678
_aligned_free.MSVCRT ref: 00007FFE00370682
_aligned_free.MSVCRT ref: 00007FFE0037068C
_aligned_free.MSVCRT ref: 00007FFE00370697

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: d8a117b9735c8cceecb487bba0c084549c0ddfc89fe5e4f491a561c101f37a0f
Instruction ID: dfe089a65aae384c910939584ae2a5962f1b7272a6f80a37e86004a93ea18a5f
Opcode Fuzzy Hash: d8a117b9735c8cceecb487bba0c084549c0ddfc89fe5e4f491a561c101f37a0f
Instruction Fuzzy Hash: 8F119422A0971242E96BE7095459ABE139BEFC8790F550579EF1D063A6DE3CD840C384

Function 00007FFE1A5458A0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A5458C5

Part of subcall function 00007FFE1A543E30: TlsSetValue.KERNEL32 ref: 00007FFE1A543F19

_endthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A545929
_endthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A54594E

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _endthreadex$Valuefree
String ID:
API String ID: 1763976194-0
Opcode ID: ad5126445cb35a49f1ec9a11fd8a50259baa29f677a2b30741e53d48839e9ca9
Instruction ID: 1a9ea0f0b8d5280160501a1f7f10529c3d84216db825880996a9bbfb6a75d5bc
Opcode Fuzzy Hash: ad5126445cb35a49f1ec9a11fd8a50259baa29f677a2b30741e53d48839e9ca9
Instruction Fuzzy Hash: A4212172708E0182DB109F29E49017D6760E789F75B24117ADA6E477B5EF3DD895C700

Function 00007FFE1A545CF0 Relevance: 6.1, APIs: 4, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FFE1A541BA8,?,?,?,?,?,00000002,00000000,00007FFE1A544983), ref: 00007FFE1A545D3C

Part of subcall function 00007FFE1A542F10: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000018,00007FFE1A5425B8), ref: 00007FFE1A542FFF

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE1A541BA8,?,?,?,?,?,00000002,00000000,00007FFE1A544983), ref: 00007FFE1A545D54
Sleep.KERNEL32(?,?,?,00007FFE1A541BA8,?,?,?,?,?,00000002,00000000,00007FFE1A544983), ref: 00007FFE1A545D92
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A541BA8,?,?,?,?,?,00000002,00000000,00007FFE1A544983), ref: 00007FFE1A545DA9

Memory Dump Source

Source File: 0000000A.00000002.1861532863.00007FFE1A541000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A540000, based on PE: true

Associated: 0000000A.00000002.1861503978.00007FFE1A540000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861559986.00007FFE1A548000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000A.00000002.1861588363.00007FFE1A54C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a540000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CloseEventHandleSleep_errnofree
String ID:
API String ID: 1909294951-0
Opcode ID: fb46983425866d5872816068a530570fbf95f67e655fb18db1a897369a563da2
Instruction ID: 3bef3adf3213e7844fc28f0f703f349e1c0a2019fdc7e6ffb33ef566e2def6fe
Opcode Fuzzy Hash: fb46983425866d5872816068a530570fbf95f67e655fb18db1a897369a563da2
Instruction Fuzzy Hash: 8A114F2170CE5382EA249F23E44427E6260EF46F64F9444FADA5E46AB5EF3CE945C740

Function 00007FFE1A524710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A526710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A52239E), ref: 00007FFE1A52671E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A5247E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A524844

Strings

csm, xrefs: 00007FFE1A5248EA

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction ID: 0c0a57cd4882c80cc97185911098a9c452a4fa8752e79d79c56e5f85769aa219
Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction Fuzzy Hash: AD51197661CB81C6D6209B56A04027E77B6FB8AFA0F1405B7DB8D07B66CF38E461CB00

Function 00007FFE1A529BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A529CAA

Strings

void , xrefs: 00007FFE1A529C34
void, xrefs: 00007FFE1A529C0C

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction ID: 34076ebcd83ada1703b2892f2d7f77867f532adeab1ef965b22af1125e5c300f
Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction Fuzzy Hash: 83311562F18E55C8FB008BA2E8810FC37B1BB89B98B4405B7DA4D63B69DF389144C750

Function 00007FFE0040E120 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0040E19C

Strings

sin, xrefs: 00007FFE0040E1AA, 00007FFE0040E1FC

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: sin
API String ID: 2918714741-3083047850
Opcode ID: 1712686245d460706722795bac48a202a04de283def8482a719af71ef36c7ef1
Instruction ID: 4071a64dc789765d4a526dc02e91199f91c01ea21ddb0c8068a282a3b219cca8
Opcode Fuzzy Hash: 1712686245d460706722795bac48a202a04de283def8482a719af71ef36c7ef1
Instruction Fuzzy Hash: 28210462D1DB8582EB029F35A4002BB6721EFD5304F159334FB89156ADDF3EE5D08B08

Function 00007FFE0040D8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0040D960
_errno.MSVCRT ref: 00007FFE0040D9C0

Strings

log, xrefs: 00007FFE0040D97C, 00007FFE0040D9DC

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: log
API String ID: 2918714741-2403297477
Opcode ID: fa12abfb3e14b30e677fb45da5cfe9a9bbeb6b1c1569a3c707cd0e3862981db9
Instruction ID: ca43ca7c111de1766172ba929cacb408a82510805d62db37aa91c012ba5925b2
Opcode Fuzzy Hash: fa12abfb3e14b30e677fb45da5cfe9a9bbeb6b1c1569a3c707cd0e3862981db9
Instruction Fuzzy Hash: 7D210862E1CE4682EB019F74A44027B6721FFD5354F509334EB8D157AEDF3DE5948608

Function 00007FFE0040D4E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0040D55C

Strings

cos, xrefs: 00007FFE0040D56A, 00007FFE0040D5BC

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: cos
API String ID: 2918714741-2662988677
Opcode ID: 903857df638d29162f1127ec14efd8d82056fcd9a594b0710213474096d9e04a
Instruction ID: e7a226782ffd18aa51a195fa858c766fac5e1d44aeffba145643a24775ca6490
Opcode Fuzzy Hash: 903857df638d29162f1127ec14efd8d82056fcd9a594b0710213474096d9e04a
Instruction Fuzzy Hash: 0821F562D1EB8542EB025F38A84027B6721EFD1308F149235FB89156AEDF2DE5D48608

Function 00007FFE1A502EC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE1A502F3C

Strings

cos, xrefs: 00007FFE1A502F4A, 00007FFE1A502F9C

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: cos
API String ID: 2918714741-2662988677
Opcode ID: 3dedc7b003d8cb5d8982c9379cb08930f2b1518781c78ce34f340fed2c860ab8
Instruction ID: 355aaeee42c24679f89b9dced5fafcb78b39770a24c479f14b8907b2d2a0d297
Opcode Fuzzy Hash: 3dedc7b003d8cb5d8982c9379cb08930f2b1518781c78ce34f340fed2c860ab8
Instruction Fuzzy Hash: B2212822E1CE8682EB014B35A54217F6310FFD2764F1492B6FA89115AADF2DE0D48A04

Function 00007FFE0036FFF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strftime.MSVCRT ref: 00007FFE00370061

Strings

%Y-%m-%dT%H:%M:%S, xrefs: 00007FFE00370057
.%06dZ, xrefs: 00007FFE00370092

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strftime
String ID: %Y-%m-%dT%H:%M:%S$.%06dZ
API String ID: 1100141660-930656424
Opcode ID: 6197a247b2b8d8ceb3bdce396f44f74d54b797a4093b4ad4865344da7c3ecd53
Instruction ID: 5f0a007dbfc10d022d540d6264d8a88b004f909d5020c290c20c2627e1ac61bb
Opcode Fuzzy Hash: 6197a247b2b8d8ceb3bdce396f44f74d54b797a4093b4ad4865344da7c3ecd53
Instruction Fuzzy Hash: 5F110852709A4254EA268B167D00AFB9715AB89BF4F885332EE3D5B7E9DD3CE0418344

Function 00007FFE1A52604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A5263F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A526434
Part of subcall function 00007FFE1A5263F0: RaiseException.KERNEL32 ref: 00007FFE1A52647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A5260BF

Strings

Access violation - no RTTI data!, xrefs: 00007FFE1A52604F
Bad dynamic_cast!, xrefs: 00007FFE1A526072

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction ID: c9bc0d6e99fbf6a3fcb6c95b60c8e19185ac833101bffcf5ea95e8d1926a3201
Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction Fuzzy Hash: 9F012965B2DE46D1EE409BA6E4501B86362FF91FA4F4054F3E60E06AB6EE6CD504C710

Function 00007FFE1A503940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

av_channel_layout_describe.AVUTIL-58 ref: 00007FFE1A503999
av_log.AVUTIL-58 ref: 00007FFE1A5039B0

Strings

Treating %s as mono, xrefs: 00007FFE1A5039A9

Memory Dump Source

Source File: 0000000A.00000002.1861151239.00007FFE1A4F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE1A4F0000, based on PE: true

Associated: 0000000A.00000002.1861125169.00007FFE1A4F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861182483.00007FFE1A509000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861210487.00007FFE1A512000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861236557.00007FFE1A513000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861273968.00007FFE1A516000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1861325887.00007FFE1A517000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a4f0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_describeav_log
String ID: Treating %s as mono
API String ID: 2946648090-2429896034
Opcode ID: 25249c404e77cebffcfa5134640f119eef46f531f346a7abaed1bc42c180491e
Instruction ID: 65662f568197fd7b54e093e3491acede126232ef8027de747704011d05403085
Opcode Fuzzy Hash: 25249c404e77cebffcfa5134640f119eef46f531f346a7abaed1bc42c180491e
Instruction Fuzzy Hash: E101866271DB4540E651DA03B91977F5144B747BE8F8580B6DE885B391ED7DD149C300

Function 00007FFE00387870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_aligned_malloc.MSVCRT ref: 00007FFE00387898

Strings

Microsoft Primitive Provider, xrefs: 00007FFE00387872

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_malloc
String ID: Microsoft Primitive Provider
API String ID: 175129771-4132848957
Opcode ID: 61d24a781ba67f0d1d7f4682cf0f95fd41d5d8f035c987dadc3b785e5cf7c726
Instruction ID: 44928b11ac65da98c43179bc91acff8e3ea0f219f8e1863f3bc8cfffff2d8564
Opcode Fuzzy Hash: 61d24a781ba67f0d1d7f4682cf0f95fd41d5d8f035c987dadc3b785e5cf7c726
Instruction Fuzzy Hash: 32F0BE01F0E61600FD96D2832C0AAB842825F98BD4D984875DF2C5B7A9EC3CE881C304

Function 00007FFE0036DDB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FFE0036DEE3

Strings

Assertion %s failed at %s:%d, xrefs: 00007FFE0036DECF
src/libavutil/crc.c, xrefs: 00007FFE0036DEB8

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$src/libavutil/crc.c
API String ID: 4206212132-3600904276
Opcode ID: bba2b5a7149953d7c06390e03a8456bfcd7d5d25b4af83ad1be5f4adfa0ba47c
Instruction ID: 4862528b124898e63a7c133026f4e385fc51bafcf79a4ef35e903010b16e9bec
Opcode Fuzzy Hash: bba2b5a7149953d7c06390e03a8456bfcd7d5d25b4af83ad1be5f4adfa0ba47c
Instruction Fuzzy Hash: 6EE039B1A19A06E1E715AF60E4452FD23A5EF68308F85953AD64C06379DF3CE2448658

Function 00007FFE00417F10 Relevance: 5.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE00417F57
LeaveCriticalSection.KERNEL32 ref: 00007FFE00417F81

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: dbaf99fa4423a1f3adf368dfeb11cd1e5322a0253855be351de1d8e7fc337a2b
Instruction ID: 46badb6f874bbc972e8bae618fbbaffb6979336395f38e87010f1163602f1347
Opcode Fuzzy Hash: dbaf99fa4423a1f3adf368dfeb11cd1e5322a0253855be351de1d8e7fc337a2b
Instruction Fuzzy Hash: ED316173A086468AE794CF35D4007AA77A0FB44B6CF588236DF2A4A3A8DF3CD845C754

Function 00007FFE00417DD0 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE00417E17
LeaveCriticalSection.KERNEL32 ref: 00007FFE00417E3E

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3daa023327df31125aad0ab46ab992fec0b38e9f634fe2131313756e927dbfc2
Instruction ID: ec41a8fa3a20e4f0fac63ff05bc50d09998c27409e0d06fe8889253ec83418b2
Opcode Fuzzy Hash: 3daa023327df31125aad0ab46ab992fec0b38e9f634fe2131313756e927dbfc2
Instruction Fuzzy Hash: 3E315EB3A082028AEB55CF35D8002A933F1FB54B68F588635DF194A7ACDF38E845CB54

Function 00007FFE1A52672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE1A5265B9,?,?,?,?,00007FFE1A52FB22,?,?,?,?,?), ref: 00007FFE1A52674B
SetLastError.KERNEL32(?,?,?,00007FFE1A5265B9,?,?,?,?,00007FFE1A52FB22,?,?,?,?,?), ref: 00007FFE1A5267D4

Memory Dump Source

Source File: 0000000A.00000002.1861376904.00007FFE1A521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFE1A520000, based on PE: true

Associated: 0000000A.00000002.1861354951.00007FFE1A520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861413232.00007FFE1A531000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861444006.00007FFE1A536000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000A.00000002.1861469849.00007FFE1A537000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe1a520000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction ID: d017b552be5c6387988a1c75ae1c445d33822b93306c04ded77cae4b1b22bc72
Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction Fuzzy Hash: 2011F124F0DA52C2FA549763A94413522A3EF86FB0F1846F7D96E07BF5DF2CA8418720

Function 00007FFE00417B90 Relevance: 5.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00007FFE00417EA7,?,?,?,?,?,?,?,?,00007FFE003A1502), ref: 00007FFE00417BB6
LeaveCriticalSection.KERNEL32(?,?,00007FFE00417EA7,?,?,?,?,?,?,?,?,00007FFE003A1502), ref: 00007FFE00417BDB
EnterCriticalSection.KERNEL32(?,?,00007FFE00417EA7,?,?,?,?,?,?,?,?,00007FFE003A1502), ref: 00007FFE00417C0C
LeaveCriticalSection.KERNEL32(?,?,00007FFE00417EA7,?,?,?,?,?,?,?,?,00007FFE003A1502), ref: 00007FFE00417C16

Memory Dump Source

Source File: 0000000A.00000002.1860836350.00007FFE00361000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00360000, based on PE: true

Associated: 0000000A.00000002.1860804905.00007FFE00360000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860916095.00007FFE00425000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1860938515.00007FFE00426000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861003473.00007FFE00563000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861027068.00007FFE00568000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE00569000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861049427.00007FFE0056C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1861094316.00007FFE0056D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffe00360000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3a1490edba09e3a7becc86b2e09e5672a663190b4e9fac5deeb906d35fe4d6c1
Instruction ID: 9d9b738b3464d1c143f822611c2f2c299f0e0430d39ccc4e5b2c08a679061228
Opcode Fuzzy Hash: 3a1490edba09e3a7becc86b2e09e5672a663190b4e9fac5deeb906d35fe4d6c1
Instruction Fuzzy Hash: 8101F222B0C65599EA25EB23BC00A6A6760BF88FDDF855031DF0E07324CE3CE4428344

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\4d93ee.rbs

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1qgv2jv.kwo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3sen1hy.ykt.ps1

C:\Users\user\AppData\Local\Temp\msiBA8F.txt

C:\Users\user\AppData\Local\Temp\pssBAA1.ps1

C:\Users\user\AppData\Local\Temp\scrBA90.ps1

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll

Windows Analysis Report
setup.msi

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre