Play interactive tour

Edit tour

Analysis Report SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Overview

General Information

Sample Name:	SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe
Analysis ID:	339384
MD5:	276d1a6d58cc96bec4ccf5f19d395170
SHA1:	c918ee3a14f5fe894ae66322a8c577b4cf5a90b3
SHA256:	ef89d342ca08bb27526ec176d4a359bb99e406ccccfc16a9f704d706574e215f
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Potential time zone aware malware

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe (PID: 6072 cmdline: 'C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe' MD5: 276D1A6D58CC96BEC4CCF5F19D395170)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1274016968.000000000079A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Process Stats: CPU usage > 98%

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1272656837.0000000000410000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIranske.exe vs SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe
Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1273773993.0000000000740000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe
Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Binary or memory string: OriginalFilenameIranske.exe vs SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0ED9CA4C86CF4DE5.TMP

Jump to behavior

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072, type: MEMORY

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00407820 push ds; retf	0_2_00407891
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00406E33 push ebp; retf	0_2_00406E38
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_004048E0 push ebp; ret	0_2_004048E4
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00406A8F push ebp; retf	0_2_00406A90
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00406C95 push ecx; retf	0_2_00406D35
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00405568 push esp; retf	0_2_0040556C
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00406B0C push ds; retf	0_2_00406B31
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_004077D4 push es; ret	0_2_004077F7
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_004077D4 push ds; retf	0_2_00407891
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00404DDB push ecx; retf	0_2_00404DE1
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00406BF1 push cs; ret	0_2_00406C0A
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_004047B2 push ebp; retf	0_2_004047B8
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00784A33 push esp; iretd	0_2_00784A34
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00780005 push esp; ret	0_2_0078009A
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00780007 push esp; ret	0_2_0078009A
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007800AD push esp; ret	0_2_0078009A
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007800AD push esp; ret	0_2_00780101
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_0078009B push esp; ret	0_2_0078009A
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_0078009B push edx; retf	0_2_007800A9
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00784A90 push eax; retf	0_2_00784A9F
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00780102 push esp; ret	0_2_00780101
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00780102 push edx; retf	0_2_00780110

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00784049	0_2_00784049
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007840FD	0_2_007840FD
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00784094	0_2_00784094
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007825F7	0_2_007825F7
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00781BD9	0_2_00781BD9

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

RDTSC instruction interceptor: First address: 00000000007866BA second address: 00000000007866BA instructions:

Potential time zone aware malware

Show sources

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	RDTSC instruction interceptor: First address: 00000000007866BA second address: 00000000007866BA instructions:
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	RDTSC instruction interceptor: First address: 000000000078628D second address: 000000000078628D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FA4E4759B24h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f jmp 00007FA4E4759B1Ah 0x00000021 test bl, bl 0x00000023 dec dword ptr [ebp+000000F8h] 0x00000029 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000030 jne 00007FA4E4759A6Eh 0x00000032 fnop 0x00000034 call 00007FA4E4759B53h 0x00000039 call 00007FA4E4759B34h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Code function: 0_2_00782870 rdtsc

0_2_00782870

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Code function: 0_2_00782870 rdtsc

0_2_00782870

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_0078346F mov eax, dword ptr fs:[00000030h]	0_2_0078346F
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00786A35 mov eax, dword ptr fs:[00000030h]	0_2_00786A35
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00786A19 mov eax, dword ptr fs:[00000030h]	0_2_00786A19
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007838D0 mov eax, dword ptr fs:[00000030h]	0_2_007838D0
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00782368 mov eax, dword ptr fs:[00000030h]	0_2_00782368
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_0078232A mov eax, dword ptr fs:[00000030h]	0_2_0078232A
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00785F14 mov eax, dword ptr fs:[00000030h]	0_2_00785F14
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007825FF mov eax, dword ptr fs:[00000030h]	0_2_007825FF
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007825F7 mov eax, dword ptr fs:[00000030h]	0_2_007825F7
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_00781BD9 mov eax, dword ptr fs:[00000030h]	0_2_00781BD9
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007859D7 mov eax, dword ptr fs:[00000030h]	0_2_007859D7
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007867C1 mov eax, dword ptr fs:[00000030h]	0_2_007867C1
Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	Code function: 0_2_007823AE mov eax, dword ptr fs:[00000030h]	0_2_007823AE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1274157084.0000000000E20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1274157084.0000000000E20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1274157084.0000000000E20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe, 00000000.00000002.1274157084.0000000000E20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Code function: 0_2_00784E29 cpuid

0_2_00784E29

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Security Software Discovery511	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery311	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339384
Start date:	13.01.2021
Start time:	22:01:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 31.6% (good quality ratio 17.9%) Quality average: 33.3% Quality standard deviation: 33.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/339384/sample/SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.138928852734773
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe
File size:	65536
MD5:	276d1a6d58cc96bec4ccf5f19d395170
SHA1:	c918ee3a14f5fe894ae66322a8c577b4cf5a90b3
SHA256:	ef89d342ca08bb27526ec176d4a359bb99e406ccccfc16a9f704d706574e215f
SHA512:	35969877df3943fd1571cb3815d4d62b5b20a386c213c5fde1449bf63fa2e71c29899e6b40938b603ac267c7866dc8125c49c48771946c52081069450cecc94b
SSDEEP:	768:XC1qT3P0XKiCra7AItYI5Pmkd22DRnizxXstAjQKWCCmUY:y4f0dCKnDRizRBT
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L... .TW.....................0....................@................

File Icon


Icon Hash:	f030f0c6f030b100

Static PE Info

General
Entrypoint:	0x401200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57541720 [Sun Jun 5 12:12:16 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e4e19abc2b8b3cdf6beb846e51c393a2

Entrypoint Preview

Instruction
push 00401E68h
call 00007FA4E4FAD605h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+7Eh], dh
adc ecx, esi
adc eax, 814B7AD7h
lds edi, fword ptr [esi+69h]
out 11h, eax
pop edi
dec ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
outsd
jc 00007FA4E4FAD676h
jc 00007FA4E4FAD663h
jc 00007FA4E4FAD681h
push 00000065h
arpl word ptr [ecx+esi+00h], si
or eax, 7061430Ah
je 00007FA4E4FAD67Bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add ebp, dword ptr [edx-7712EC60h]
xchg ebx, ecx
dec edi
cwde
aad 57h
push es
jl 00007FA4E4FAD5BAh
xchg eax, esp
je 00007FA4E4FAD5C9h
add dl, byte ptr [esi-40h]
lds edx, edi
imul ecx, dword ptr [edx-7Ch], 28h
mov bl, 82h
mov ah, DDh
into

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd244	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x8a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xc4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc5e8	0xd000	False	0.522047776442	data	5.84101863969	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xe000	0x1158	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x8a8	0x1000	False	0.135498046875	data	1.28818251933	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x10340	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1032c	0x14	data
RT_VERSION	0x100f0	0x23c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaCyForInit, _CIcos, _adj_fptan, __vbaFreeVar, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI2, __vbaStrCmp, __vbaCyI4, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaCyForNext, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Iranske
FileVersion	2.00
CompanyName	Axis Corp
Comments	Axis Corp
ProductName	Project1
ProductVersion	2.00
OriginalFilename	Iranske.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072 Parent PID: 5648

General

Start time:	22:02:04
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe'
Imagebase:	0x400000
File size:	65536 bytes
MD5 hash:	276D1A6D58CC96BEC4CCF5F19D395170
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072 Parent PID: 5648 SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exeCOMMON

Executed Functions

Function 0040CEF4, Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040CEF4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				void* _v36;
				signed int _v56;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				intOrPtr _v92;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr _t93;
				char* _t94;
				signed int _t95;
				signed int _t102;
				signed int _t105;
				char* _t106;
				signed int _t116;
				signed int _t120;
				signed int _t123;
				void* _t124;
				signed int _t139;
				void* _t142;
				void* _t144;
				void* _t145;
				intOrPtr _t146;

				 *[fs:0x0] = _t146;
				L004010E0();
				_v16 = _t146;
				_v12 = E004010C8;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				_t93 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t144, _t145, _t124,  *[fs:0x0], 0x4010e6);
				_push(0x53933);
				L004011E2();
				_v124 = _t93;
				_v120 = _t139;
				_push(1);
				L004011DC();
				_v116 = _t93;
				_v112 = _t139;
				_push(_v112);
				_push(_v116);
				_push(_v120);
				_push(_v124);
				_push(0);
				L004011DC();
				_push(_t139);
				_push(_t93);
				_t94 =  &_v32;
				_push(_t94);
				L004011D6();
				_v136 = _t94;
				while(_v136 != 0) {
					_v76 = 0x772813;
					_v84 = 3;
					_t95 =  &_v84;
					_push(_t95);
					L004011C4();
					L004011CA();
					_push(_t95);
					_push(0x402a38);
					_push(0x402a40);
					L004011BE();
					L004011CA();
					_push(_t95);
					_push(0x402a50);
					L004011BE();
					_t139 = _t95;
					L004011CA();
					_push(_t95);
					L004011D0();
					asm("sbb eax, eax");
					_v104 =  ~( ~_t95 + 1);
					_push( &_v64);
					_push( &_v60);
					_push( &_v56);
					_push(3);
					L004011B8();
					_t146 = _t146 + 0x10;
					L004011B2();
					_t102 = _v104;
					if(_t102 != 0) {
						_push(0x402a58);
						_push(0x402a60);
						L004011BE();
						L004011CA();
						_push(_t102);
						L004011A6();
						_push(_t102);
						L004011AC();
						_t139 = _t102;
						L004011CA();
						_push(_t102);
						_push(0x402a68);
						L004011D0();
						asm("sbb eax, eax");
						_v104 =  ~( ~_t102 + 1);
						_push( &_v60);
						_t36 =  &_v56; // 0x402a68
						_push(2);
						L004011B8();
						_t146 = _t146 + 0xc;
						if(_v104 != 0) {
							if( *0x40e010 != 0) {
								_v144 = 0x40e010;
							} else {
								_push(0x40e010);
								_push(0x4021d8);
								L00401194();
								_v144 = 0x40e010;
							}
							_t116 =  &_v68;
							L0040119A();
							_v104 = _t116;
							_t120 =  *((intOrPtr*)( *_v104 + 0x50))(_v104,  &_v56, _t116,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x304))( *_v144));
							asm("fclex");
							_v108 = _t120;
							if(_v108 >= 0) {
								_v148 = _v148 & 0x00000000;
							} else {
								_push(0x50);
								_push(0x402a6c);
								_push(_v104);
								_push(_v108);
								L0040118E();
								_v148 = _t120;
							}
							_v140 = _v56;
							_v56 = _v56 & 0x00000000;
							_v76 = _v140;
							_v84 = 8;
							_push(0);
							_t123 =  &_v84;
							_push(_t123); // executed
							L004011A0(); // executed
							_t139 = _t123;
							L004011CA();
							L00401188();
							L004011B2();
						}
					}
					_t105 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
					asm("fclex");
					_v104 = _t105;
					if(_v104 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x2b4);
						_push(0x402920);
						_push(_a4);
						_push(_v104);
						L0040118E();
						_v152 = _t105;
					}
					_push(_v112);
					_push(_v116);
					_push(_v120);
					_push(_v124);
					_t106 =  &_v32;
					_push(_t106);
					L00401182();
					_v136 = _t106;
				}
				_v92 = 0x1513131a;
				_t142 =  >=  ? 0x403f0d : _t139;
				goto __edx;
			}

0x0040cf06
0x0040cf12
0x0040cf1a
0x0040cf1d
0x0040cf2a
0x0040cf32
0x0040cf3d
0x0040cf40
0x0040cf45
0x0040cf4a
0x0040cf4d
0x0040cf50
0x0040cf52
0x0040cf57
0x0040cf5a
0x0040cf5d
0x0040cf60
0x0040cf63
0x0040cf66
0x0040cf69
0x0040cf6b
0x0040cf70
0x0040cf71
0x0040cf72
0x0040cf75
0x0040cf76
0x0040cf7b
0x0040d19d
0x0040cf86
0x0040cf8d
0x0040cf94
0x0040cf97
0x0040cf98
0x0040cfa2
0x0040cfa7
0x0040cfa8
0x0040cfad
0x0040cfb2
0x0040cfbc
0x0040cfc1
0x0040cfc2
0x0040cfc7
0x0040cfcc
0x0040cfd1
0x0040cfd6
0x0040cfd7
0x0040cfde
0x0040cfe3
0x0040cfea
0x0040cfee
0x0040cff2
0x0040cff3
0x0040cff5
0x0040cffa
0x0040d000
0x0040d005
0x0040d00b
0x0040d011
0x0040d016
0x0040d01b
0x0040d025
0x0040d02a
0x0040d02b
0x0040d030
0x0040d031
0x0040d036
0x0040d03b
0x0040d040
0x0040d041
0x0040d046
0x0040d04d
0x0040d052
0x0040d059
0x0040d05a
0x0040d05e
0x0040d060
0x0040d065
0x0040d06e
0x0040d07b
0x0040d098
0x0040d07d
0x0040d07d
0x0040d082
0x0040d087
0x0040d08c
0x0040d08c
0x0040d0bc
0x0040d0c0
0x0040d0c5
0x0040d0d4
0x0040d0d7
0x0040d0d9
0x0040d0e0
0x0040d0fc
0x0040d0e2
0x0040d0e2
0x0040d0e4
0x0040d0e9
0x0040d0ec
0x0040d0ef
0x0040d0f4
0x0040d0f4
0x0040d106
0x0040d10c
0x0040d116
0x0040d119
0x0040d120
0x0040d122
0x0040d125
0x0040d126
0x0040d12b
0x0040d130
0x0040d138
0x0040d140
0x0040d140
0x0040d06e
0x0040d14d
0x0040d153
0x0040d155
0x0040d15c
0x0040d17b
0x0040d15e
0x0040d15e
0x0040d163
0x0040d168
0x0040d16b
0x0040d16e
0x0040d173
0x0040d173
0x0040d182
0x0040d185
0x0040d188
0x0040d18b
0x0040d18e
0x0040d191
0x0040d192
0x0040d197
0x0040d197
0x0040d1aa
0x0040d1b9
0x0040d1bc

APIs

__vbaChkstk.MSVBVM60(?,004010E6), ref: 0040CF12
__vbaCyI4.MSVBVM60(00053933,?,?,?,?,004010E6), ref: 0040CF45
__vbaCyI2.MSVBVM60(00000001,00053933,?,?,?,?,004010E6), ref: 0040CF52
__vbaCyI2.MSVBVM60(00000000,?,?,?,?,00000001,00053933,?,?,?,?,004010E6), ref: 0040CF6B
__vbaCyForInit.MSVBVM60(?,00000000,?,00000000,?,?,?,?,00000001,00053933,?,?,?,?,004010E6), ref: 0040CF76
#591.MSVBVM60(00000003), ref: 0040CF98
__vbaStrMove.MSVBVM60(00000003), ref: 0040CFA2
__vbaStrCat.MSVBVM60(00402A40,00402A38,00000000,00000003), ref: 0040CFB2
__vbaStrMove.MSVBVM60(00402A40,00402A38,00000000,00000003), ref: 0040CFBC
__vbaStrCat.MSVBVM60(00402A50,00000000,00402A40,00402A38,00000000,00000003), ref: 0040CFC7
__vbaStrMove.MSVBVM60(00402A50,00000000,00402A40,00402A38,00000000,00000003), ref: 0040CFD1
__vbaStrCmp.MSVBVM60(00000000,00402A50,00000000,00402A40,00402A38,00000000,00000003), ref: 0040CFD7
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000,00402A50,00000000,00402A40,00402A38,00000000,00000003), ref: 0040CFF5
__vbaFreeVar.MSVBVM60(?,?,?,004010E6), ref: 0040D000
__vbaStrCat.MSVBVM60(00402A60,00402A58,?,?,?,004010E6), ref: 0040D01B
__vbaStrMove.MSVBVM60(00402A60,00402A58,?,?,?,004010E6), ref: 0040D025
__vbaI4Str.MSVBVM60(00000000,00402A60,00402A58,?,?,?,004010E6), ref: 0040D02B
#537.MSVBVM60(00000000,00000000,00402A60,00402A58,?,?,?,004010E6), ref: 0040D031
__vbaStrMove.MSVBVM60(00000000,00000000,00402A60,00402A58,?,?,?,004010E6), ref: 0040D03B
__vbaStrCmp.MSVBVM60(00402A68,00000000,00000000,00000000,00402A60,00402A58,?,?,?,004010E6), ref: 0040D046
__vbaFreeStrList.MSVBVM60(00000002,h*@,?,00402A68,00000000,00000000,00000000,00402A60,00402A58,?,?,?,004010E6), ref: 0040D060
__vbaNew2.MSVBVM60(004021D8,0040E010,00000000,00402A60,00402A58,?,?,?,004010E6), ref: 0040D087
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D0C0

Strings

h*@, xrefs: 0040D05A, 0040D05D
X*@, xrefs: 0040D12D

Memory Dump Source

Source File: 00000000.00000002.1272538755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1272507500.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1272617633.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1272656837.0000000000410000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$List$#537#591ChkstkInitNew2
String ID: X*@$h*@
API String ID: 1504116222-61942270
Opcode ID: 929235750a52a96589b6384cb7918d247260e563a3828c3a4831611e32a594b0
Instruction ID: 402fb01f6081aa56ce3b559e6b5b8c651f14bc38cbaba868bd43209da9003f52
Opcode Fuzzy Hash: 929235750a52a96589b6384cb7918d247260e563a3828c3a4831611e32a594b0
Instruction Fuzzy Hash: E1811771E00208AFDB15EFE1C946B9EBBB9BF08304F10447AB605BB1A1DB785A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401200, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 672
COMMON

Download Yara Rule

C-Code - Quality: 92%

			_entry_(signed int __eax, intOrPtr* __ebx, intOrPtr* __ecx, void* __edx, signed int __esi) {
				signed int _t42;
				signed char _t43;
				signed char _t44;
				intOrPtr* _t45;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				intOrPtr* _t52;
				intOrPtr* _t57;
				intOrPtr* _t63;
				signed char _t64;
				signed char _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t73;
				intOrPtr* _t74;
				void* _t75;
				intOrPtr* _t76;
				intOrPtr* _t77;
				intOrPtr _t78;
				signed char _t79;
				intOrPtr* _t80;
				signed int* _t81;
				void* _t83;
				intOrPtr* _t86;
				void* _t87;
				intOrPtr* _t90;
				signed int _t98;
				void* _t99;
				signed int* _t101;
				intOrPtr* _t104;
				void* _t105;
				signed int _t107;
				void* _t111;
				void* _t112;
				void* _t114;
				void* _t116;
				void* _t119;
				signed char _t129;

				_t107 = __esi;
				_t99 = __edx;
				_t86 = __ecx;
				_t80 = __ebx;
				_t42 = __eax;
				_push("VB5!6&*"); // executed
				L004011FA(); // executed
				 *__eax =  *__eax + __eax;
				while(1) {
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t99;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					_t119 =  *_t42;
					if (_t119 != 0) goto L14;
					while(_t119 > 0) {
						asm("adc ecx, esi");
					}
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *((intOrPtr*)(_t80 + _t86 + 0xb470000)) =  *((intOrPtr*)(_t80 + _t86 + 0xb470000)) + _t80;
					_t43 = _t42 |  *_t42;
					 *_t43 =  *_t43 + _t43;
					_t44 = _t43 |  *_t43;
					_t129 = _t44;
					if (_t129 >= 0) goto L24;
					if(_t129 >= 0) {
						if(_t129 < 0) {
							L22:
							 *_t86 =  *_t86 + _t44;
							 *_t44 =  *_t44 + _t44;
							 *_t86 =  *_t86 + _t44;
							 *_t44 =  *_t44 + _t44;
							 *_t44 =  *_t44 + _t44;
							goto L23;
						} else {
							if(_t129 >= 0) {
								asm("popad");
								if(_t129 != 0) {
									asm("popad");
									asm("insb");
									 *0x54000e01 =  *0x54000e01 + _t86;
									_t86 = _t86 + 1;
									_t111 = _t111 + 1;
									_push(_t80);
									_push(_t44);
									_t105 = _t105;
									_t107 = _t107 - 1 + 1;
									_push(_t111);
									_t114 = _t114;
									_push(_t80);
									 *_t86 =  *_t86 + _t80;
									 *_t44 =  *_t44 + _t44;
									_t104 = _t99 + 2;
									 *_t104 =  *_t104 + _t44;
									 *_t80 =  *_t80 + _t114;
									asm("out dx, al");
									_t79 = _t44 |  *_t44;
									 *((intOrPtr*)(_t114 + _t107 * 2)) =  *((intOrPtr*)(_t114 + _t107 * 2)) + _t86;
									_t99 = _t104 + _t79;
									_t44 = _t79 |  *_t79;
									 *_t44 =  *_t44 + _t44;
									 *_t86 =  *_t86 + _t44;
									 *_t86 =  *_t86 + _t44;
									 *_t44 =  *_t44 + _t99;
									asm("adc [eax], al");
									 *_t86 =  *_t86 + _t44;
									 *_t44 =  *_t44 + _t86;
									 *((intOrPtr*)(_t44 + 5)) =  *((intOrPtr*)(_t44 + 5)) + _t86;
									 *_t44 =  *_t44 + _t44;
									_push(ss);
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t86;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t99;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t86 =  *_t86 + _t44;
									 *_t44 =  *_t44 + _t86;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									 *_t44 =  *_t44 + _t44;
									goto L22;
								}
								L23:
								 *_t44 =  *_t44 + _t44;
							}
						}
					}
					 *_t44 =  *_t44 + _t44;
					asm("lahf");
					asm("lahf");
					asm("lahf");
					 *((intOrPtr*)(_t86 - 0x5aff5e5f)) =  *((intOrPtr*)(_t86 - 0x5aff5e5f)) + _t44;
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t99 - 0x4dff5556)) =  *((intOrPtr*)(_t99 - 0x4dff5556)) + _t86;
					 *((intOrPtr*)(_t114 + _t107 * 4 - 0x4141ff4c)) =  *((intOrPtr*)(_t114 + _t107 * 4 - 0x4141ff4c)) + 0xb2;
					_t87 = _t86 + _t86;
					_pop(_t112);
					_t116 = _t112;
					_t101 = 0xb2 + _t87;
					asm("into");
					asm("into");
					asm("rcl ecx, 1");
					asm("aad 0xd5");
					_t90 = _t87 + 0x164 + _t44;
					asm("loope 0xffffffe3");
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					_t81 = _t80 + _t80;
					asm("invalid");
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t101 =  *_t101 + _t44;
					_t45 = _t44 +  *_t101;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					_push(es);
					_push(es);
					_t47 = _t45 +  *0xc3c3c300 +  *((intOrPtr*)(_t45 +  *0xc3c3c300));
					 *_t47 =  *_t47 + _t47;
					 *_t47 =  *_t47 + _t47;
					 *_t47 =  *_t47 + _t47;
					 *_t47 =  *_t47 + _t47;
					 *_t47 =  *_t47 + _t47;
					_t48 = _t47 +  *_t90;
					 *_t90 =  *_t90 + _t48;
					_t49 = _t48 +  *_t48;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + _t49;
					_t52 = _t49 +  *_t101 +  *_t101 +  *((intOrPtr*)(_t49 +  *_t101 +  *_t101));
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t101 =  *_t101 + _t52;
					_t57 = _t52 +  *_t101 +  *_t101 +  *((intOrPtr*)(_t101 + _t52 +  *_t101 +  *_t101)) +  *_t101 +  *((intOrPtr*)(_t52 +  *_t101 +  *_t101 +  *((intOrPtr*)(_t101 + _t52 +  *_t101 +  *_t101)) +  *_t101));
					 *_t57 =  *_t57 + _t57;
					 *_t101 =  *_t101 + _t57;
					_t63 = _t57 + 0x16;
					 *_t63 =  *_t63 + _t63;
					 *_t101 =  *_t101 + _t63;
					_push(es);
					_push(es);
					_push(es);
					_push(es);
					_push(es);
					_push(es);
					_push(es);
					_push(es);
					_push(es);
					_t64 = _t63 +  *_t63;
					 *_t64 =  *_t64 + _t64;
					es = es;
					_t65 = _t64 |  *_t101;
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t65;
					_t67 = _t65 +  *_t101 +  *_t101;
					_t70 = (_t67 |  *_t101) +  *_t101 +  *((intOrPtr*)((_t67 |  *_t101) +  *_t101));
					 *_t70 =  *_t70 + _t70;
					 *_t70 =  *_t70 + _t70;
					 *_t70 =  *_t70 + _t70;
					 *_t101 =  *_t101 + _t70;
					_t71 = _t70 |  *_t101;
					 *_t71 =  *_t71 + _t71;
					 *_t71 =  *_t71 + _t71;
					 *_t71 =  *_t71 + _t71;
					 *_t71 =  *_t71 + _t71;
					 *_t71 =  *_t71 + _t71;
					 *_t101 =  *_t101 + _t71;
					_t98 = _t90 +  *_t81 |  *_t81 |  *_t64 |  *_t101 |  *_t81 |  *_t67 |  *_t101 |  *_t101;
					_t72 = _t71 |  *_t101;
					 *_t72 =  *_t72 + _t72;
					 *_t72 =  *_t72 + _t72;
					 *_t72 =  *_t72 + _t72;
					 *_t72 =  *_t72 + _t72;
					 *_t72 =  *_t72 + _t72;
					 *_t101 =  *_t101 + _t72;
					_t73 = _t72 | 0x00020d0d;
					 *_t73 =  *_t73 + _t73;
					 *_t73 =  *_t73 + _t73;
					 *_t73 =  *_t73 + _t73;
					 *_t73 =  *_t73 + _t73;
					 *_t73 =  *_t73 + _t73;
					 *_t101 =  *_t101 + _t73;
					_t74 = _t73 +  *_t101;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + 1;
					_t83 = _t81 + _t81 + _t81 + _t81;
					 *_t74 =  *_t74 + 1;
					_t75 = _t74 + _t83;
					if (_t75 > 0) goto L25;
					_t76 = _t75 + _t83;
					asm("aas");
					 *_t76 =  *_t76 + _t76;
					asm("clc");
					asm("aas");
					 *_t76 =  *_t76 + _t76;
					asm("clc");
					asm("aas");
					 *_t76 =  *_t76 + _t76;
					asm("rol byte [edi], 0x0");
					 *((intOrPtr*)(_t76 - 0x7ffffffd)) =  *((intOrPtr*)(_t76 - 0x7ffffffd)) + _t76;
					_t77 = _t76 +  *_t76;
					 *((intOrPtr*)(_t77 - 0x3ffffffd)) =  *((intOrPtr*)(_t77 - 0x3ffffffd)) + _t77;
					es = es;
					 *_t77 =  *_t77 + _t77;
					asm("clc");
					asm("aas");
					 *_t77 =  *_t77 + _t77;
					asm("clc");
					asm("aas");
					 *_t77 =  *_t77 + _t77;
					asm("clc");
					asm("aas");
					 *_t77 =  *_t77 + _t77;
					asm("cld");
					if ( *_t77 > 0) goto L26;
					 *_t77 =  *_t77 + 1;
					 *_t77 =  *_t77 + _t98;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t101;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t98 =  *_t98 + _t77;
					 *_t77 =  *_t77 + _t98;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *((intOrPtr*)(_t105 - 0x5eff6061)) =  *((intOrPtr*)(_t105 - 0x5eff6061)) + _t83 + _t83;
					_t78 =  *0xa5a500a1;
					asm("movsd");
					 *((intOrPtr*)(_t101 - 0x4dff5556)) =  *((intOrPtr*)(_t101 - 0x4dff5556)) + _t98;
					 *((intOrPtr*)(_t116 + 0xfffffffecdcd0cb4)) =  *((intOrPtr*)(_t116 + 0xfffffffecdcd0cb4)) + 0xb2;
					return _t78;
				}
			}

0x00401200
0x00401200
0x00401200
0x00401200
0x00401200
0x00401200
0x00401205
0x0040120a
0x0040120b
0x0040120b
0x0040120d
0x0040120f
0x00401211
0x00401213
0x00401216
0x00401218
0x0040121a
0x0040121a
0x0040121c
0x0040121d
0x0040121e
0x0040121e
0x0040129c
0x0040129e
0x004012a0
0x004012a2
0x004012a4
0x004012a6
0x004012a8
0x004012ae
0x004012b0
0x004012b2
0x004012b2
0x004012b4
0x004012b5
0x004012b6
0x0040131c
0x0040131c
0x0040131e
0x00401320
0x00401322
0x00401324
0x00000000
0x004012b7
0x004012b7
0x004012b9
0x004012ba
0x004012bc
0x004012bd
0x004012be
0x004012c4
0x004012c7
0x004012c8
0x004012c9
0x004012cb
0x004012cd
0x004012ce
0x004012cf
0x004012d0
0x004012d1
0x004012d3
0x004012d5
0x004012d6
0x004012d8
0x004012da
0x004012db
0x004012dd
0x004012e1
0x004012e3
0x004012e5
0x004012e7
0x004012e9
0x004012eb
0x004012ed
0x004012ef
0x004012f1
0x004012f3
0x004012f6
0x004012f8
0x004012f9
0x004012fb
0x004012fd
0x004012ff
0x00401301
0x00401303
0x00401305
0x00401307
0x00401309
0x0040130b
0x0040130d
0x0040130f
0x00401311
0x00401313
0x00401315
0x00401317
0x00401319
0x0040131b
0x00000000
0x0040131b
0x00401325
0x00401325
0x00401325
0x004012b7
0x004012b6
0x00401326
0x00401328
0x00401329
0x0040132a
0x0040132b
0x00401331
0x00401332
0x00401333
0x0040133b
0x00401347
0x00401349
0x0040134a
0x0040134b
0x0040134d
0x0040134e
0x00401351
0x00401355
0x00401357
0x00401359
0x0040135b
0x0040135d
0x0040135f
0x00401361
0x00401363
0x00401365
0x00401367
0x00401369
0x0040136b
0x0040136d
0x0040136f
0x00401371
0x00401373
0x00401375
0x00401377
0x00401379
0x0040137b
0x0040137d
0x0040137f
0x00401381
0x00401383
0x00401385
0x00401387
0x00401389
0x0040138b
0x0040138d
0x0040138f
0x00401391
0x00401393
0x00401395
0x00401397
0x00401399
0x0040139b
0x0040139d
0x0040139f
0x004013a1
0x004013a3
0x004013a5
0x004013a7
0x004013a9
0x004013ab
0x004013ad
0x004013af
0x004013b1
0x004013b3
0x004013b5
0x004013b7
0x004013b9
0x004013bb
0x004013bd
0x004013bf
0x004013c1
0x004013c3
0x004013c5
0x004013c7
0x004013c9
0x004013cb
0x004013cd
0x004013cf
0x004013d1
0x004013d3
0x004013d5
0x004013d7
0x004013d9
0x004013db
0x004013dd
0x004013df
0x004013e1
0x004013e3
0x004013e5
0x004013e7
0x004013e9
0x004013eb
0x004013ed
0x004013ef
0x004013f1
0x004013f3
0x004013f5
0x004013f7
0x004013f9
0x004013fb
0x004013fd
0x004013ff
0x00401401
0x00401403
0x00401405
0x00401407
0x00401409
0x0040140b
0x0040140d
0x0040140f
0x00401411
0x00401413
0x00401415
0x00401417
0x00401419
0x0040141b
0x0040141d
0x0040141f
0x00401421
0x00401423
0x00401425
0x00401427
0x00401429
0x0040142b
0x0040142d
0x0040142f
0x00401431
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143b
0x0040143d
0x0040143f
0x00401441
0x00401443
0x00401445
0x00401447
0x00401449
0x0040144b
0x0040144d
0x0040144f
0x00401451
0x00401453
0x00401455
0x00401457
0x00401459
0x0040145b
0x0040145d
0x0040145f
0x00401461
0x00401463
0x00401465
0x00401467
0x00401469
0x0040146b
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401475
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401491
0x00401493
0x00401495
0x00401497
0x00401499
0x0040149b
0x0040149d
0x0040149f
0x004014a1
0x004014a3
0x004014a5
0x004014a7
0x004014a9
0x004014ab
0x004014ad
0x004014af
0x004014b1
0x004014b3
0x004014b5
0x004014b7
0x004014b9
0x004014bb
0x004014bd
0x004014bf
0x004014c1
0x004014c3
0x004014c5
0x004014c7
0x004014c9
0x004014cb
0x004014cd
0x004014cf
0x004014d1
0x004014d3
0x004014d5
0x004014d7
0x004014d9
0x004014db
0x004014dd
0x004014df
0x004014e1
0x004014e3
0x004014e5
0x004014e7
0x004014e9
0x004014eb
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401507
0x00401509
0x0040150b
0x0040150d
0x0040150f
0x00401511
0x00401513
0x00401515
0x00401517
0x00401519
0x0040151b
0x0040151d
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x00401529
0x0040152b
0x0040152d
0x0040152f
0x00401531
0x00401533
0x00401535
0x00401537
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x0040155f
0x00401561
0x00401563
0x00401565
0x00401567
0x00401569
0x0040156b
0x0040156d
0x0040156f
0x00401571
0x00401573
0x00401575
0x00401577
0x00401579
0x0040157b
0x0040157d
0x0040157f
0x00401581
0x00401583
0x00401585
0x00401587
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x00401599
0x0040159b
0x0040159d
0x0040159f
0x004015a1
0x004015a3
0x004015a5
0x004015a7
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b1
0x004015b3
0x004015b5
0x004015b7
0x004015b9
0x004015bb
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015c7
0x004015c9
0x004015cb
0x004015cd
0x004015cf
0x004015d1
0x004015d3
0x004015d5
0x004015d7
0x004015d9
0x004015db
0x004015dd
0x004015df
0x004015e1
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015eb
0x004015ed
0x004015ef
0x004015f1
0x004015f3
0x004015f5
0x004015f7
0x004015f9
0x004015fb
0x004015fd
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160f
0x00401611
0x00401613
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162f
0x00401631
0x00401633
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163d
0x0040163f
0x00401641
0x00401643
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401663
0x00401665
0x00401667
0x00401669
0x0040166b
0x0040166d
0x0040166f
0x00401671
0x00401673
0x00401675
0x00401677
0x00401679
0x0040167b
0x0040167d
0x0040167f
0x00401681
0x00401683
0x00401685
0x00401687
0x00401689
0x0040168b
0x0040168d
0x0040168f
0x00401691
0x00401693
0x00401695
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b3
0x004016b5
0x004016b7
0x004016b9
0x004016bb
0x004016bd
0x004016bf
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016f7
0x004016f9
0x004016fb
0x004016fd
0x004016ff
0x00401701
0x00401703
0x00401705
0x00401707
0x00401709
0x0040170b
0x0040170d
0x0040170f
0x00401711
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171b
0x0040171d
0x0040171f
0x00401721
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x0040173f
0x00401741
0x00401743
0x00401745
0x00401747
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x00401751
0x00401753
0x00401755
0x00401757
0x0040175b
0x0040175c
0x0040175d
0x0040175f
0x00401761
0x00401763
0x00401765
0x00401767
0x00401769
0x0040176b
0x0040176d
0x0040176f
0x00401771
0x00401773
0x00401775
0x00401777
0x0040177d
0x0040177f
0x00401781
0x00401783
0x00401785
0x00401790
0x00401792
0x00401794
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a7
0x004017a8
0x004017a9
0x004017aa
0x004017ab
0x004017ac
0x004017ad
0x004017ae
0x004017b1
0x004017b3
0x004017bb
0x004017c0
0x004017c2
0x004017c4
0x004017c8
0x004017d0
0x004017d2
0x004017d4
0x004017d6
0x004017d8
0x004017dc
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e6
0x004017e8
0x004017ea
0x004017ec
0x004017ee
0x004017f0
0x004017f2
0x004017f4
0x004017f6
0x004017f8
0x004017fa
0x004017ff
0x00401801
0x00401803
0x00401805
0x00401807
0x00401809
0x0040180b
0x0040180d
0x0040180f
0x00401811
0x00401813
0x00401815
0x00401817
0x00401819
0x0040181b
0x0040181d
0x0040181f
0x00401821
0x00401825
0x00401827
0x00401829
0x0040182b
0x0040182d
0x0040182f
0x00401831
0x00401832
0x00401834
0x00401835
0x00401836
0x00401838
0x00401839
0x0040183a
0x0040183c
0x0040183f
0x00401845
0x00401847
0x0040184d
0x0040184e
0x00401850
0x00401851
0x00401852
0x00401854
0x00401855
0x00401856
0x00401858
0x00401859
0x0040185a
0x0040185c
0x0040185d
0x00401861
0x00401863
0x00401865
0x00401867
0x00401869
0x0040186b
0x0040186d
0x0040186f
0x00401871
0x00401873
0x00401875
0x00401877
0x00401879
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401885
0x00401887
0x00401889
0x0040188b
0x0040188d
0x0040188f
0x00401895
0x0040189a
0x0040189b
0x004018a3
0x004018ae
0x004018ae

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401205

Strings

VB5!6&*, xrefs: 00401200

Memory Dump Source

Source File: 00000000.00000002.1272538755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1272507500.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1272617633.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1272656837.0000000000410000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1c7eef170450f86ff290baa7a19b93e91e5fe2e2634bed302f525af48a6a7857
Instruction ID: 2ee603e4af7d80dd5fa350c09aa7dbd8f8b8c25347cc25a8858e5b2b51e28c9a
Opcode Fuzzy Hash: 1c7eef170450f86ff290baa7a19b93e91e5fe2e2634bed302f525af48a6a7857
Instruction Fuzzy Hash: A551E82148E3C04FD31787B4582A0923FB19D5322475A86EBC8C1EF5F3D1AE484AC7A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00781BD9, Relevance: 3.3, Strings: 2, Instructions: 828COMMON

Download Yara Rule

Strings

1.!T, xrefs: 007807A3
Msi.dll, xrefs: 007845AB

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 1.!T$Msi.dll
API String ID: 0-1822015534
Opcode ID: fd472903a01feaca2d83fe65413104f3bef39554348e42e16a94b0bc2ca4a153
Instruction ID: a8d0589e5a6c2428e373f02b14a497e8634c0d1d68d53444c685ddb83dfcc520
Opcode Fuzzy Hash: fd472903a01feaca2d83fe65413104f3bef39554348e42e16a94b0bc2ca4a153
Instruction Fuzzy Hash: DF426B71780306EFEB14AF28CC95BEA73A6FF45760F644229FD4597281D778E8858B80

Uniqueness

Uniqueness Score: -1.00%

Function 007867C1, Relevance: 2.9, Strings: 2, Instructions: 390COMMON

Download Yara Rule

Strings

1.!T, xrefs: 007807A3
Msi.dll, xrefs: 007845AB

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 1.!T$Msi.dll
API String ID: 0-1822015534
Opcode ID: 90b6ee0e68ddf07af05c1d51df8aeee75433839701ec3f93577967d217effb5f
Instruction ID: 058f88be81e7d4643a8e4f710a9ba29860bc270e5a83785e150ad95c6353dfe2
Opcode Fuzzy Hash: 90b6ee0e68ddf07af05c1d51df8aeee75433839701ec3f93577967d217effb5f
Instruction Fuzzy Hash: 1DC189717843458EDF21EF2CD8947D87792DF46330FA482AAD8928B1D6C3788846C752

Uniqueness

Uniqueness Score: -1.00%

Function 00786A19, Relevance: 2.8, Strings: 2, Instructions: 307COMMON

Download Yara Rule

Strings

1.!T, xrefs: 007807A3
Msi.dll, xrefs: 007845AB

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 1.!T$Msi.dll
API String ID: 0-1822015534
Opcode ID: 77e02b4f22880fb314c12e6a5d32f536390231b88dc60f8f53345af7785e5f3d
Instruction ID: 24849c523955ae8ef110ef826f1abb557219540677abe2ea320be2539f79526a
Opcode Fuzzy Hash: 77e02b4f22880fb314c12e6a5d32f536390231b88dc60f8f53345af7785e5f3d
Instruction Fuzzy Hash: 26A16970784346DEDF20EF28C8947D977919F56330FA483AAD8969B2D6C378C886C752

Uniqueness

Uniqueness Score: -1.00%

Function 007825F7, Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

1.!T, xrefs: 007807A3
Msi.dll, xrefs: 007845AB

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 1.!T$Msi.dll
API String ID: 0-1822015534
Opcode ID: 500cdc880bafe47627c8f06b154b54f7fbb086690422f2409f8adca37c22e668
Instruction ID: 7e8752861ddc41ec0abdb79bfad0b40d45a00abf3996cf0ffa6f13ba18baabbb
Opcode Fuzzy Hash: 500cdc880bafe47627c8f06b154b54f7fbb086690422f2409f8adca37c22e668
Instruction Fuzzy Hash: B0817671784306EFEB21BE2CDC59BD93391AF45760FA08256FC85AB1D2D7B8C8858781

Uniqueness

Uniqueness Score: -1.00%

Function 00784049, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

0={,, xrefs: 0078418A

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 8f51c18db89b584e4d5b5e2662a8472b41fdb1f2a05f380dee55b745c82f7551
Instruction ID: 4deae9110a1cf567154e342d3e6c9928f9328b207c496944062295d3b804fef2
Opcode Fuzzy Hash: 8f51c18db89b584e4d5b5e2662a8472b41fdb1f2a05f380dee55b745c82f7551
Instruction Fuzzy Hash: 8881F47574424ACBCF21EF2CE8947DE3762EF88360F60876ADC468B245DB74D8468B81

Uniqueness

Uniqueness Score: -1.00%

Function 007840FD, Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

0={,, xrefs: 0078418A

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: a02c86fcd8dba7c9f995969f741fec177f04263a4f73025ef526a8f8427ecf80
Instruction ID: 39d173f2428719f5ce803060da84da33e19a612b9daec3ab90e66308e517815c
Opcode Fuzzy Hash: a02c86fcd8dba7c9f995969f741fec177f04263a4f73025ef526a8f8427ecf80
Instruction Fuzzy Hash: D961E47574464ACBCF21EF2CE8547DE7762EF88330F60876AD8468B285D774D8468B82

Uniqueness

Uniqueness Score: -1.00%

Function 00784094, Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

0={,, xrefs: 0078418A

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 56c83341b41a981c112a4d7113102d52678bea6c0bb387b567c6213ef88a3d11
Instruction ID: 01c4fd324a365392573c2bafd3a6a2dde290169b8251fc7026861ad2b10f83a0
Opcode Fuzzy Hash: 56c83341b41a981c112a4d7113102d52678bea6c0bb387b567c6213ef88a3d11
Instruction Fuzzy Hash: C861D37474064ACFCF25FF28D8957DE37A2EF88360F60862ADC464B245DB74D8468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00782870, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

=Y'Q, xrefs: 00782916

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: =Y'Q
API String ID: 0-2260810072
Opcode ID: 6b92693efb24b3956d285f2039bc60afbddc40acc763139742d3c1dddb91ff43
Instruction ID: 23c0b597117ce8e7a0261f5c0e4def4bb52e8e21408bc06582dda9eb7a7683bd
Opcode Fuzzy Hash: 6b92693efb24b3956d285f2039bc60afbddc40acc763139742d3c1dddb91ff43
Instruction Fuzzy Hash: B63157B0240302AFD7046F28C8D8BD97791BF163A0F614264FC968B1E2D778C9C5CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007838D0, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316c637545f1125d1f73f7e229413869da80830efdce2bae5f72e0bcf7a606aa
Instruction ID: 22310447ba2a6037abebdc2a99062b3412cf02fb70b88683ba84f3c118e374f4
Opcode Fuzzy Hash: 316c637545f1125d1f73f7e229413869da80830efdce2bae5f72e0bcf7a606aa
Instruction Fuzzy Hash: F1915D757843429EDB21AF3CC8947D877D1DF52330FA882AAD9928F1D6D3788482C756

Uniqueness

Uniqueness Score: -1.00%

Function 00786A35, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f274c4c6cd8fca055e85290b116288104e31c0f1f398531acbeae0bf33271de
Instruction ID: 586a9293f1c02f72b61a04ca20253621c26813b2dd8d6bb87ccdfb09e5c2cc35
Opcode Fuzzy Hash: 8f274c4c6cd8fca055e85290b116288104e31c0f1f398531acbeae0bf33271de
Instruction Fuzzy Hash: 066106717843468EDB21EF2CD8947987791DF56330F64C2EAC8968F2E6D3788486C762

Uniqueness

Uniqueness Score: -1.00%

Function 007825FF, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4327115a5440aed2de26112ce0c79f8d7497409c6427f10102c4b614b85178b6
Instruction ID: 9e51aef4ce721af3b354c64c3f3cca132db7ff882eecee3e3bd4338f2b7fb2d3
Opcode Fuzzy Hash: 4327115a5440aed2de26112ce0c79f8d7497409c6427f10102c4b614b85178b6
Instruction Fuzzy Hash: CC415A35784345DFEB32AA0CDC59BCC7362EF81721FA48666E805AF0D6D7B888868741

Uniqueness

Uniqueness Score: -1.00%

Function 0078232A, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4aca8908523b673e115fdf281a9c03ac8055f855c4310e3de6e4bf1c2394a0
Instruction ID: 91f1c6a30d2013a5b371aba80c5dc3ae54a7347ec6220d7e7ec9ac59b22c5158
Opcode Fuzzy Hash: fc4aca8908523b673e115fdf281a9c03ac8055f855c4310e3de6e4bf1c2394a0
Instruction Fuzzy Hash: 723179757C0302ABDB64BA1CCCA5BE673A5FF513B0F258229EC99D3242DB28DC468751

Uniqueness

Uniqueness Score: -1.00%

Function 00782368, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4648c5a18dcae2f2f4ddc31a4437e2eea01bfe0c2688aa8f46164c127778d880
Instruction ID: 65bdd0de43976dfb5fc9ecae015df3c4bbe1445393c9da03477eff0c338fc902
Opcode Fuzzy Hash: 4648c5a18dcae2f2f4ddc31a4437e2eea01bfe0c2688aa8f46164c127778d880
Instruction Fuzzy Hash: 2D319971780302ABDB64BA1CCC66BE673A5FF413B0F248229EC99D3242DB299C468751

Uniqueness

Uniqueness Score: -1.00%

Function 007823AE, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddd518f61276781a807c1ebbe2caea65e750c85521ca76f2c32e1fb32664591
Instruction ID: 79d5c8ed8fbc8fb37b81be271889178d9f3e1a9da53aecb082676ca136040210
Opcode Fuzzy Hash: bddd518f61276781a807c1ebbe2caea65e750c85521ca76f2c32e1fb32664591
Instruction Fuzzy Hash: CE317971780202ABDB64BA1CCC56BEA73A5FF51370F258229EC99D3242DB28DC468751

Uniqueness

Uniqueness Score: -1.00%

Function 00784E29, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937b5045f745465620de08ead8a4873d48dc262df96812fb270b55a39483e0a0
Instruction ID: 55c08363b5336d1eaa7e5604a42dbd0ebba19374015578cd140efd7a847d82d1
Opcode Fuzzy Hash: 937b5045f745465620de08ead8a4873d48dc262df96812fb270b55a39483e0a0
Instruction Fuzzy Hash: 18F046111CC706EEEB15353045913B6379A1B16794F3441599DC387182E29E8C082372

Uniqueness

Uniqueness Score: -1.00%

Function 00785F14, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc492df58d2bc3975843730cba07e8a4ffe4d8bafc3ab680be52dee7e87a045
Instruction ID: 61020a14e3e698169368bf1324d74d4869389c532e9d9eb6c845e9833ec89cac
Opcode Fuzzy Hash: ebc492df58d2bc3975843730cba07e8a4ffe4d8bafc3ab680be52dee7e87a045
Instruction Fuzzy Hash: D4F039303416109FC205EA18C9D4F8AB3A5AF29790B568A64AE409B265C339EC40C725

Uniqueness

Uniqueness Score: -1.00%

Function 0078346F, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2919f6c49dd5a45543f9af0cf03306abb7a1362142c8532498a8ef8215319fc7
Instruction ID: a46f054670f403bb99333bc11ba835c72e054a241929beb664d603110da69ced
Opcode Fuzzy Hash: 2919f6c49dd5a45543f9af0cf03306abb7a1362142c8532498a8ef8215319fc7
Instruction Fuzzy Hash: 6FC04CBFAA55818FE711DE48D881FE07362F721A54BCC0490F0069B621D228EE44C700

Uniqueness

Uniqueness Score: -1.00%

Function 007859D7, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1273943775.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b61e6f040394f1ff620e13aa6e6907f1c9b9df7e4d8e73b3d7bc56a12b9d2a
Instruction ID: 0d8e7dc5bf4b1f71c074479b7cfa9aa3770f68b607dab77aa7d4d858f09673da
Opcode Fuzzy Hash: 76b61e6f040394f1ff620e13aa6e6907f1c9b9df7e4d8e73b3d7bc56a12b9d2a
Instruction Fuzzy Hash: EFB092353126408FC651CE29C180FC173B0FF10A90B024484A84287E11C328E800C900

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072 Parent PID: 5648

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exe PID: 6072 Parent PID: 5648 SPPG contract 9200355_Acma Engineers SP Power_Contract No 9200355.exeCOMMON

Executed Functions

Function 0040CEF4, Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 204COMMON

Function 00401200, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 672COMMON

Function 0040CEF4, Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 204
COMMON

Function 00401200, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 672
COMMON