Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Generic.mg.354e60543438661b.7014

Overview

General Information

Sample Name:	SecuriteInfo.com.Generic.mg.354e60543438661b.7014 (renamed file extension from 7014 to exe)
Analysis ID:	343148
MD5:	354e60543438661b75246f39f6cde70d
SHA1:	f698e89c2f16c02de7183a2c47ac31fda700ce3c
SHA256:	e5aac8a58f55ef2a6ac7aa5997a05a240fd09d8e856f95209b7e499beb4c4d57
Tags:	GuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

SecuriteInfo.com.Generic.mg.354e60543438661b.exe (PID: 1340 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe' MD5: 354E60543438661B75246F39F6CDE70D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Virustotal: Detection: 17%

Perma Link

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAltrets8.exe vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514536414.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Binary or memory string: OriginalFilenameAltrets8.exe vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

File created: C:\Users\user\AppData\Local\Temp\~DF787D259C8D513009.TMP

Jump to behavior

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Virustotal: Detection: 17%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_0040742D pushfd ; ret	0_2_00407440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_0040368F push cs; retf	0_2_00403690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B120A2 push ss; retf	0_2_02B120AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1207B push ss; retf	0_2_02B12085
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11EDC push ss; retf	0_2_02B11EE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11F03 push ss; retf	0_2_02B11F0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B14D8C push esi; iretd	0_2_02B14D8D

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11A68	0_2_02B11A68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11A6D	0_2_02B11A6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11B15	0_2_02B11B15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11B64	0_2_02B11B64
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B12820	0_2_02B12820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1286A	0_2_02B1286A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B159C5	0_2_02B159C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B126AE	0_2_02B126AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1264C	0_2_02B1264C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11F55	0_2_02B11F55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B125C2	0_2_02B125C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B125C4	0_2_02B125C4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B10593 second address: 0000000002B10593 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B1691D second address: 0000000002B1691D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B169E0 second address: 0000000002B169E0 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B16A8F second address: 0000000002B16A8F instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B10593 second address: 0000000002B10593 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B1691D second address: 0000000002B1691D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B169E0 second address: 0000000002B169E0 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B16A8F second address: 0000000002B16A8F instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B165F8 second address: 0000000002B165F8 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9F88BAB418h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F9F88BAB406h 0x0000001f test ebx, 410FB02Fh 0x00000025 add edi, edx 0x00000027 test ax, cx 0x0000002a dec dword ptr [ebp+000000F8h] 0x00000030 cmp al, cl 0x00000032 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000039 jne 00007F9F88BAB359h 0x0000003b cmp bl, cl 0x0000003d call 00007F9F88BAB43Ch 0x00000042 call 00007F9F88BAB428h 0x00000047 lfence 0x0000004a mov edx, dword ptr [7FFE0014h] 0x00000050 lfence 0x00000053 ret 0x00000054 mov esi, edx 0x00000056 pushad 0x00000057 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Code function: 0_2_02B172A2 rdtsc

0_2_02B172A2

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Code function: 0_2_02B172A2 rdtsc

0_2_02B172A2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B162F3 mov eax, dword ptr fs:[00000030h]	0_2_02B162F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B12820 mov eax, dword ptr fs:[00000030h]	0_2_02B12820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1286A mov eax, dword ptr fs:[00000030h]	0_2_02B1286A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B137B6 mov eax, dword ptr fs:[00000030h]	0_2_02B137B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11F55 mov eax, dword ptr fs:[00000030h]	0_2_02B11F55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B16D8A mov eax, dword ptr fs:[00000030h]	0_2_02B16D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B16D34 mov eax, dword ptr fs:[00000030h]	0_2_02B16D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B15D47 mov eax, dword ptr fs:[00000030h]	0_2_02B15D47

HIPS / PFW / Operating System Protection Evasion:

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	Security Software Discovery411	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Generic.mg.354e60543438661b.exe	18%	Virustotal		Browse
SecuriteInfo.com.Generic.mg.354e60543438661b.exe	7%	ReversingLabs	Win32.Infostealer.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343148
Start date:	22.01.2021
Start time:	12:07:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Generic.mg.354e60543438661b.7014 (renamed file extension from 7014 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.1% (good quality ratio 10.5%) Quality average: 30.8% Quality standard deviation: 31.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, MusNotifyIcon.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7832273639812195
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Generic.mg.354e60543438661b.exe
File size:	69632
MD5:	354e60543438661b75246f39f6cde70d
SHA1:	f698e89c2f16c02de7183a2c47ac31fda700ce3c
SHA256:	e5aac8a58f55ef2a6ac7aa5997a05a240fd09d8e856f95209b7e499beb4c4d57
SHA512:	76830c145ae3d4dc481f54f8f6082a4f3342c7f3b38c484ad3130e0a91e55a3795e7a9a59f0af3591f66bb2e0a75dc5a6d2c47e5b889aef59e9460f4494d4c78
SSDEEP:	768:24XCdZhk6uHDQ6wJf1k4CtQHFRXrNMCL5g5eucYJJzx6L:tXC7QH8RJCVtQjX+CO5FcYJJzM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....}Q.....................0......T.............@................

File Icon


Icon Hash:	f030f0c6f030b100

Static PE Info

General
Entrypoint:	0x401354
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x517D149C [Sun Apr 28 12:22:52 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e22238527efb5691a1dfa3f0e707406a

Entrypoint Preview

Instruction
push 00401FE4h
call 00007F9F88C88BD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dl, bh
mov bh, byte ptr [ecx]
fdivr dword ptr [ebx-77h]
dec esi
dec ebx
wait
das
push cs
sbb eax, dword ptr [eax+0000E2DFh]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [esi+50018250h], al
jc 00007F9F88C88C51h
push 00000065h
arpl word ptr [ecx+esi+00h], si
add byte ptr [eax], al
add byte ptr [ecx+edi+11h], ch
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add al, 02h
shr dword ptr [edi], cl
pop ecx
jle 00007F9F88C88BF1h
nop
inc edi
test edi, ecx
xchg byte ptr [F4F67CEAh], bh
pextrw ebp, dqword ptr [ebp+0C1DBC99h], 4Dh
mov edi, 40483208h
xlatb
dec edi
pop ebx
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
fimul word ptr [ebx]
add byte ptr [eax], al
inc edx
or eax, dword ptr [eax]
add byte ptr [eax], al
or eax, dword ptr [eax]
jo 00007F9F88C88C51h
insb
imul ebp, dword ptr [edi+72h], 65746D61h
jnc 00007F9F88C88BE2h
or eax, 46000B01h
outsd
jc 00007F9F88C88C52h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xea04	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x938	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xfc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xde58	0xe000	False	0.534127371652	data	6.44198752835	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xf000	0x1180	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x938	0x1000	False	0.14208984375	data	1.43341163181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x113d0	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x113bc	0x14	data
RT_VERSION	0x110f0	0x2cc	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, __vbaCastObj, __vbaStrMove, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Calc Theory
InternalName	Altrets8
FileVersion	1.00
CompanyName	Calc Theory
Comments	Calc Theory
ProductName	Calc Theory
ProductVersion	1.00
FileDescription	Calc Theory
OriginalFilename	Altrets8.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340 Parent PID: 6084

General

Start time:	12:08:30
Start date:	22/01/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe'
Imagebase:	0x400000
File size:	69632 bytes
MD5 hash:	354E60543438661B75246F39F6CDE70D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340 Parent PID: 6084 SecuriteInfo.com.Generic.mg.354e60543438661b.exeCOMMON

Executed Functions

Function 0040D7D4, Relevance: 103.8, APIs: 56, Strings: 3, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040D7D4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				short _v44;
				intOrPtr _v48;
				long long _v52;
				intOrPtr _v56;
				char _v60;
				short _v64;
				short _v84;
				long long _v92;
				signed int _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v116;
				char _v124;
				char* _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				signed int _v164;
				char _v172;
				void* _v176;
				char _v180;
				char _v184;
				intOrPtr _v188;
				long long _v192;
				signed int _v196;
				signed int _v200;
				signed int* _v204;
				signed int _v208;
				signed int _v212;
				char _v228;
				char _v244;
				signed int _v256;
				intOrPtr _v260;
				intOrPtr* _v264;
				intOrPtr* _v268;
				signed int _v272;
				signed int _v276;
				intOrPtr* _v280;
				signed int _v284;
				char _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				char _v308;
				signed int _v312;
				intOrPtr* _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v332;
				signed int _v336;
				intOrPtr _t296;
				char* _t297;
				signed int _t305;
				signed int _t309;
				char* _t310;
				signed int _t325;
				signed int _t329;
				signed int _t337;
				signed int _t346;
				signed int _t351;
				signed int _t356;
				signed int _t360;
				signed int* _t364;
				signed int _t368;
				signed int _t372;
				signed int _t378;
				char* _t385;
				signed int _t386;
				signed char _t392;
				char* _t395;
				signed int _t399;
				void* _t400;
				char* _t428;
				signed int _t433;
				void* _t435;
				void* _t436;
				void* _t438;
				void* _t440;
				void* _t442;
				intOrPtr _t443;
				void* _t445;
				void* _t446;
				signed long long _t454;

				_t443 = _t442 - 0xc;
				 *[fs:0x0] = _t443;
				L004011E0();
				_v16 = _t443;
				_v12 = 0x401140;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				_t296 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t436, _t438, _t400,  *[fs:0x0], 0x4011e6, _t440);
				L00401330();
				_v116 = _t296;
				_v124 = 8;
				_t297 =  &_v124;
				_push(_t297); // executed
				L00401336(); // executed
				_v196 =  ~(0 | _t297 != 0x0000ffff);
				L0040132A();
				if(_v196 != 0) {
					if( *0x40f33c != 0) {
						_v264 = 0x40f33c;
					} else {
						_push(0x40f33c);
						_push(0x402e18);
						L00401324();
						_v264 = 0x40f33c;
					}
					_v264 =  *_v264;
					_v204 =  *_v264;
					if( *0x40f010 != 0) {
						_v268 = 0x40f010;
					} else {
						_push(0x40f010);
						_push(0x40274c);
						L00401324();
						_v268 = 0x40f010;
					}
					_v268 =  *_v268;
					__eax =  *((intOrPtr*)( *((intOrPtr*)( *_v268)) + 0x304))( *_v268);
					__eax =  &_v104;
					L0040131E();
					_v196 = __eax;
					__eax =  &_v96;
					_v196 =  *_v196;
					__eax =  *((intOrPtr*)( *_v196 + 0x188))(_v196,  &_v96, __eax,  *_v268);
					asm("fclex");
					_v200 = __eax;
					if(_v200 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x402dd8);
						_push(_v196);
						_push(_v200);
						L00401318();
						_v272 = __eax;
					}
					L00401312();
					__eax =  &_v108;
					L0040131E();
					_v204 =  *_v204;
					__eax =  *((intOrPtr*)( *_v204 + 0x40))(_v204, __eax, __eax, __eax, _v56, 0x402de8, _v96);
					asm("fclex");
					_v208 = __eax;
					if(_v208 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x402e08);
						_push(_v204);
						_push(_v208);
						L00401318();
						_v276 = __eax;
					}
					L0040130C();
					__eax =  &_v108;
					_push( &_v108);
					__eax =  &_v104;
					_push( &_v104);
					_push(2);
					L00401306();
					__esp = __esp + 0xc;
				}
				 *((intOrPtr*)( *_a4 + 0x710))(_a4);
				if( *0x40f010 != 0) {
					_v280 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x40274c);
					L00401324();
					_v280 = 0x40f010;
				}
				_t305 =  &_v104;
				L0040131E();
				_v196 = _t305;
				_t309 =  *((intOrPtr*)( *_v196 + 0x130))(_v196,  &_v108, _t305,  *((intOrPtr*)( *((intOrPtr*)( *_v280)) + 0x304))( *_v280));
				asm("fclex");
				_v200 = _t309;
				if(_v200 >= 0) {
					_v284 = _v284 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x402dd8);
					_push(_v196);
					_push(_v200);
					L00401318();
					_v284 = _t309;
				}
				_t310 =  &_v124;
				L004012FA();
				L00401300();
				_v184 = _t310;
				_v180 =  *0x40113c;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v180,  &_v184, _t310, _t310, _v108, 0, 0);
				L00401306();
				_t445 = _t443 + 0x1c;
				L0040132A();
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v180, 2,  &_v104,  &_v108);
				_v60 = _v180;
				if( *0x40f010 != 0) {
					_v288 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x40274c);
					L00401324();
					_v288 = 0x40f010;
				}
				_t325 =  &_v104;
				L0040131E();
				_v196 = _t325;
				_t329 =  *((intOrPtr*)( *_v196 + 0x48))(_v196,  &_v96, _t325,  *((intOrPtr*)( *((intOrPtr*)( *_v288)) + 0x300))( *_v288));
				asm("fclex");
				_v200 = _t329;
				if(_v200 >= 0) {
					_v292 = _v292 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x402e28);
					_push(_v196);
					_push(_v200);
					L00401318();
					_v292 = _t329;
				}
				L004012F4();
				_v256 = _v96;
				_v96 = _v96 & 0x00000000;
				_v116 = _v256;
				_v124 = 8;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t337 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x10,  &_v100,  &_v192);
				_v204 = _t337;
				if(_v204 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402c84);
					_push(_a4);
					_push(_v204);
					L00401318();
					_v296 = _t337;
				}
				_v52 = _v192;
				_v48 = _v188;
				L0040130C();
				L004012EE();
				L0040132A();
				_v132 = L"yWwcUJLP2nVmMuZiSL220";
				_v140 = 8;
				L004012E8();
				_t433 = L"YKyT2IjOTG5HP140";
				L004012F4();
				_v180 = 0x50c61e;
				_t346 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v180,  &_v96,  &_v124,  &_v176);
				_v196 = _t346;
				if(_v196 >= 0) {
					_v300 = _v300 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402c84);
					_push(_a4);
					_push(_v196);
					L00401318();
					_v300 = _t346;
				}
				_v64 = _v176;
				L0040130C();
				L0040132A();
				_t351 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v176);
				_v196 = _t351;
				if(_v196 >= 0) {
					_v304 = _v304 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402c84);
					_push(_a4);
					_push(_v196);
					L00401318();
					_v304 = _t351;
				}
				_v44 = _v176;
				if( *0x40f010 != 0) {
					_v308 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x40274c);
					L00401324();
					_v308 = 0x40f010;
				}
				_t356 =  &_v104;
				L0040131E();
				_v196 = _t356;
				_t360 =  *((intOrPtr*)( *_v196 + 0x50))(_v196,  &_v176, _t356,  *((intOrPtr*)( *((intOrPtr*)( *_v308)) + 0x308))( *_v308));
				asm("fclex");
				_v200 = _t360;
				if(_v200 >= 0) {
					_v312 = _v312 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x402dd8);
					_push(_v196);
					_push(_v200);
					L00401318();
					_v312 = _t360;
				}
				if( *0x40f010 != 0) {
					_v316 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x40274c);
					L00401324();
					_v316 = 0x40f010;
				}
				_t364 =  &_v108;
				L0040131E();
				_v204 = _t364;
				_t368 =  *((intOrPtr*)( *_v204 + 0x160))(_v204,  &_v180, _t364,  *((intOrPtr*)( *((intOrPtr*)( *_v316)) + 0x308))( *_v316));
				asm("fclex");
				_v208 = _t368;
				if(_v208 >= 0) {
					_v320 = _v320 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x402dd8);
					_push(_v204);
					_push(_v208);
					L00401318();
					_v320 = _t368;
				}
				_t372 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _v176, 0x347c, _v180,  &_v192);
				_v212 = _t372;
				if(_v212 >= 0) {
					_v324 = _v324 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x402c84);
					_push(_a4);
					_push(_v212);
					L00401318();
					_v324 = _t372;
				}
				_v92 = _v192;
				L00401306();
				_t446 = _t445 + 0xc;
				_t378 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v176, 2,  &_v104,  &_v108);
				_v196 = _t378;
				if(_v196 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x402c84);
					_push(_a4);
					_push(_v196);
					L00401318();
					_v328 = _t378;
				}
				_v84 = _v176;
				_v132 = 1;
				_v140 = 2;
				_v148 = 0x18013;
				_v156 = 3;
				_v164 = _v164 & 0x00000000;
				_v172 = 2;
				_push( &_v140);
				_push( &_v156);
				_push( &_v172);
				_push( &_v244);
				_push( &_v228);
				_t385 =  &_v40;
				_push(_t385);
				L004012E2();
				_v260 = _t385;
				while(_v260 != 0) {
					_v116 = 2;
					_v124 = 2;
					_t386 =  &_v124;
					_push(_t386);
					_push(1);
					_push(0x402ec8);
					_push(0x402ec8);
					L004012CA();
					L004012D6();
					_push(_t386);
					L004012D0();
					_t433 = _t386;
					L004012D6();
					_push(_t386);
					_push(0x402ed4);
					L004012DC();
					asm("sbb eax, eax");
					_v196 =  ~( ~( ~_t386));
					_push( &_v100);
					_push( &_v96);
					_push(2);
					L004012C4();
					_t446 = _t446 + 0xc;
					_t428 =  &_v124;
					L0040132A();
					_t392 = _v196;
					if(_t392 == 0) {
						L63:
						_push( &_v244);
						_push( &_v228);
						_t395 =  &_v40;
						_push(_t395);
						L004012B8();
						_v260 = _t395;
						continue;
					}
					_push(_t428);
					_v276 =  *0x401138;
					_t454 =  *0x401130 *  *0x401128;
					if( *0x40f000 != 0) {
						_push( *0x401124);
						_push( *0x401120);
						L00401204();
					} else {
						_t454 = _t454 /  *0x401120;
					}
					asm("fnstsw ax");
					if((_t392 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					} else {
						_v332 = _t454;
						_v288 = _v332;
						_v292 =  *0x401118;
						L004012BE();
						_v300 =  *0x401108;
						_v304 =  *0x401104;
						_v308 =  *0x401100;
						_t399 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t428, _t428, _t428, _t392, _t428, _t428);
						asm("fclex");
						_v196 = _t399;
						if(_v196 >= 0) {
							_v336 = _v336 & 0x00000000;
						} else {
							_push(0x2c0);
							_push(0x402c54);
							_push(_a4);
							_push(_v196);
							L00401318();
							_v336 = _t399;
						}
						goto L63;
					}
				}
				_v132 = 0xaa;
				_t435 =  >=  ? 0x403348 : _t433;
				goto __edx;
			}

0x0040d7d7
0x0040d7e6
0x0040d7f2
0x0040d7fa
0x0040d7fd
0x0040d80a
0x0040d812
0x0040d81d
0x0040d820
0x0040d825
0x0040d828
0x0040d82f
0x0040d832
0x0040d833
0x0040d843
0x0040d84d
0x0040d85b
0x0040d868
0x0040d885
0x0040d86a
0x0040d86a
0x0040d86f
0x0040d874
0x0040d879
0x0040d879
0x0040d895
0x0040d897
0x0040d8a4
0x0040d8c1
0x0040d8a6
0x0040d8a6
0x0040d8ab
0x0040d8b0
0x0040d8b5
0x0040d8b5
0x0040d8d1
0x0040d8de
0x0040d8e5
0x0040d8e9
0x0040d8ee
0x0040d8f4
0x0040d8fe
0x0040d906
0x0040d90c
0x0040d90e
0x0040d91b
0x0040d940
0x0040d91d
0x0040d91d
0x0040d922
0x0040d927
0x0040d92d
0x0040d933
0x0040d938
0x0040d938
0x0040d952
0x0040d958
0x0040d95c
0x0040d968
0x0040d970
0x0040d973
0x0040d975
0x0040d982
0x0040d9a4
0x0040d984
0x0040d984
0x0040d986
0x0040d98b
0x0040d991
0x0040d997
0x0040d99c
0x0040d99c
0x0040d9ae
0x0040d9b3
0x0040d9b6
0x0040d9b7
0x0040d9ba
0x0040d9bb
0x0040d9bd
0x0040d9c2
0x0040d9c2
0x0040d9cd
0x0040d9da
0x0040d9f7
0x0040d9dc
0x0040d9dc
0x0040d9e1
0x0040d9e6
0x0040d9eb
0x0040d9eb
0x0040da1b
0x0040da1f
0x0040da24
0x0040da3c
0x0040da42
0x0040da44
0x0040da51
0x0040da76
0x0040da53
0x0040da53
0x0040da58
0x0040da5d
0x0040da63
0x0040da69
0x0040da6e
0x0040da6e
0x0040da84
0x0040da88
0x0040da91
0x0040da96
0x0040daa2
0x0040dabe
0x0040dace
0x0040dad3
0x0040dad9
0x0040daed
0x0040daf9
0x0040db03
0x0040db20
0x0040db05
0x0040db05
0x0040db0a
0x0040db0f
0x0040db14
0x0040db14
0x0040db44
0x0040db48
0x0040db4d
0x0040db65
0x0040db68
0x0040db6a
0x0040db77
0x0040db99
0x0040db79
0x0040db79
0x0040db7b
0x0040db80
0x0040db86
0x0040db8c
0x0040db91
0x0040db91
0x0040dba8
0x0040dbb0
0x0040dbb6
0x0040dbc0
0x0040dbc3
0x0040dbd8
0x0040dbe2
0x0040dbe3
0x0040dbe4
0x0040dbe5
0x0040dbee
0x0040dbf4
0x0040dc01
0x0040dc23
0x0040dc03
0x0040dc03
0x0040dc08
0x0040dc0d
0x0040dc10
0x0040dc16
0x0040dc1b
0x0040dc1b
0x0040dc30
0x0040dc39
0x0040dc3f
0x0040dc47
0x0040dc4f
0x0040dc54
0x0040dc5b
0x0040dc6e
0x0040dc73
0x0040dc7b
0x0040dc80
0x0040dca8
0x0040dcae
0x0040dcbb
0x0040dcdd
0x0040dcbd
0x0040dcbd
0x0040dcc2
0x0040dcc7
0x0040dcca
0x0040dcd0
0x0040dcd5
0x0040dcd5
0x0040dceb
0x0040dcf2
0x0040dcfa
0x0040dd0e
0x0040dd14
0x0040dd21
0x0040dd43
0x0040dd23
0x0040dd23
0x0040dd28
0x0040dd2d
0x0040dd30
0x0040dd36
0x0040dd3b
0x0040dd3b
0x0040dd51
0x0040dd5c
0x0040dd79
0x0040dd5e
0x0040dd5e
0x0040dd63
0x0040dd68
0x0040dd6d
0x0040dd6d
0x0040dd9d
0x0040dda1
0x0040dda6
0x0040ddc1
0x0040ddc4
0x0040ddc6
0x0040ddd3
0x0040ddf5
0x0040ddd5
0x0040ddd5
0x0040ddd7
0x0040dddc
0x0040dde2
0x0040dde8
0x0040dded
0x0040dded
0x0040de03
0x0040de20
0x0040de05
0x0040de05
0x0040de0a
0x0040de0f
0x0040de14
0x0040de14
0x0040de44
0x0040de48
0x0040de4d
0x0040de68
0x0040de6e
0x0040de70
0x0040de7d
0x0040dea2
0x0040de7f
0x0040de7f
0x0040de84
0x0040de89
0x0040de8f
0x0040de95
0x0040de9a
0x0040de9a
0x0040dec9
0x0040decf
0x0040dedc
0x0040defe
0x0040dede
0x0040dede
0x0040dee3
0x0040dee8
0x0040deeb
0x0040def1
0x0040def6
0x0040def6
0x0040df0b
0x0040df18
0x0040df1d
0x0040df2f
0x0040df35
0x0040df42
0x0040df64
0x0040df44
0x0040df44
0x0040df49
0x0040df4e
0x0040df51
0x0040df57
0x0040df5c
0x0040df5c
0x0040df72
0x0040df76
0x0040df7d
0x0040df87
0x0040df91
0x0040df9b
0x0040dfa2
0x0040dfb2
0x0040dfb9
0x0040dfc0
0x0040dfc7
0x0040dfce
0x0040dfcf
0x0040dfd2
0x0040dfd3
0x0040dfd8
0x0040e151
0x0040dfe3
0x0040dfea
0x0040dff1
0x0040dff4
0x0040dff5
0x0040dff7
0x0040dffc
0x0040e001
0x0040e00b
0x0040e010
0x0040e011
0x0040e016
0x0040e01b
0x0040e020
0x0040e021
0x0040e026
0x0040e02d
0x0040e033
0x0040e03d
0x0040e041
0x0040e042
0x0040e044
0x0040e049
0x0040e04c
0x0040e04f
0x0040e054
0x0040e05d
0x0040e134
0x0040e13a
0x0040e141
0x0040e142
0x0040e145
0x0040e146
0x0040e14b
0x00000000
0x0040e14b
0x0040e069
0x0040e06a
0x0040e073
0x0040e080
0x0040e08a
0x0040e090
0x0040e096
0x0040e082
0x0040e082
0x0040e082
0x0040e09b
0x0040e09f
0x004011ec
0x0040e0a5
0x0040e0a5
0x0040e0b2
0x0040e0bc
0x0040e0c5
0x0040e0d2
0x0040e0dc
0x0040e0e6
0x0040e0f6
0x0040e0fc
0x0040e0fe
0x0040e10b
0x0040e12d
0x0040e10d
0x0040e10d
0x0040e112
0x0040e117
0x0040e11a
0x0040e120
0x0040e125
0x0040e125
0x00000000
0x0040e10b
0x0040e09f
0x0040e15e
0x0040e16d
0x0040e170

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040D7F2
#609.MSVBVM60(?,?,?,?,004011E6), ref: 0040D820
#557.MSVBVM60(00000008), ref: 0040D833
__vbaFreeVar.MSVBVM60(00000008), ref: 0040D84D
__vbaNew2.MSVBVM60(00402E18,0040F33C,00000008), ref: 0040D874
__vbaNew2.MSVBVM60(0040274C,0040F010), ref: 0040D8B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D8E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD8,00000188), ref: 0040D933
__vbaCastObj.MSVBVM60(?,00402DE8,?), ref: 0040D952
__vbaObjSet.MSVBVM60(?,00000000,?,00402DE8,?), ref: 0040D95C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E08,00000040), ref: 0040D997
__vbaFreeStr.MSVBVM60(00000000,?,00402E08,00000040), ref: 0040D9AE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D9BD
__vbaNew2.MSVBVM60(0040274C,0040F010), ref: 0040D9E6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DA1F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD8,00000130), ref: 0040DA69
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000), ref: 0040DA88
__vbaI4Var.MSVBVM60(00000000,?,?,?,004011E6), ref: 0040DA91
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,004011E6), ref: 0040DACE
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,004011E6), ref: 0040DAD9
__vbaNew2.MSVBVM60(0040274C,0040F010,?,?,?,?,?,?,004011E6), ref: 0040DB0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DB48
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E28,00000048), ref: 0040DB8C
__vbaStrCopy.MSVBVM60(00000000,?,00402E28,00000048), ref: 0040DBA8
__vbaChkstk.MSVBVM60(?,?), ref: 0040DBD8
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C84,000006F8), ref: 0040DC16
__vbaFreeStr.MSVBVM60(00000000,00401140,00402C84,000006F8), ref: 0040DC3F
__vbaFreeObj.MSVBVM60(00000000,00401140,00402C84,000006F8), ref: 0040DC47
__vbaFreeVar.MSVBVM60(00000000,00401140,00402C84,000006F8), ref: 0040DC4F
__vbaVarDup.MSVBVM60(00000000,00401140,00402C84,000006F8), ref: 0040DC6E
__vbaStrCopy.MSVBVM60(00000000,00401140,00402C84,000006F8), ref: 0040DC7B
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C84,000006FC), ref: 0040DCD0
__vbaFreeStr.MSVBVM60(00000000,00401140,00402C84,000006FC), ref: 0040DCF2
__vbaFreeVar.MSVBVM60(00000000,00401140,00402C84,000006FC), ref: 0040DCFA
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C84,00000700), ref: 0040DD36
__vbaNew2.MSVBVM60(0040274C,0040F010), ref: 0040DD68
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DDA1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402DD8,00000050), ref: 0040DDE8
__vbaNew2.MSVBVM60(0040274C,0040F010), ref: 0040DE0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DE48
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402DD8,00000160), ref: 0040DE95
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C84,00000704), ref: 0040DEF1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040DF18
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C84,00000708), ref: 0040DF57
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 0040DFD3
__vbaStrCat.MSVBVM60(00402EC8,00402EC8,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E001
__vbaStrMove.MSVBVM60(00402EC8,00402EC8,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E00B
#628.MSVBVM60(00000000,00402EC8,00402EC8,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E011
__vbaStrMove.MSVBVM60(00000000,00402EC8,00402EC8,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E01B
__vbaStrCmp.MSVBVM60(00402ED4,00000000,00000000,00402EC8,00402EC8,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E026
__vbaFreeStrList.MSVBVM60(00000002,?,?,00402ED4,00000000,00000000,00402EC8,00402EC8,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E044
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E04F
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E096
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E0C5
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C54,000002C0), ref: 0040E120
__vbaVarForNext.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E146

Strings

yWwcUJLP2nVmMuZiSL220, xrefs: 0040DC54
UcScmXD96757qJJZGyR8162, xrefs: 0040DBA0
YKyT2IjOTG5HP140, xrefs: 0040DC73

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$List$ChkstkCopyMove$#557#609#628CallCastInitLateNext_adj_fdiv_m64
String ID: UcScmXD96757qJJZGyR8162$YKyT2IjOTG5HP140$yWwcUJLP2nVmMuZiSL220
API String ID: 2886871742-4112685389
Opcode ID: d48a26c02e494863c80c4c0d3d82828c07632737032ea6e601e407caf55c10b7
Instruction ID: fe9f5dbe461000a38a0d1a93f260a76bd30927296b7ae032bb8177fe396df0e7
Opcode Fuzzy Hash: d48a26c02e494863c80c4c0d3d82828c07632737032ea6e601e407caf55c10b7
Instruction Fuzzy Hash: 6A42C571900218DFEB219F90CC45BDDBBB4BB08304F1041FAE549BB2A1DB795A99DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401354, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 641
COMMON

Download Yara Rule

C-Code - Quality: 80%

			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, unsigned int* __edi, void* __esi) {
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed char _t34;
				signed char _t35;
				signed char _t36;
				signed int _t37;
				intOrPtr* _t38;
				intOrPtr* _t39;
				intOrPtr* _t42;
				intOrPtr _t43;
				signed int _t44;
				signed char _t48;
				signed char _t49;
				void* _t51;
				intOrPtr* _t54;
				signed int _t57;
				void* _t60;
				signed char _t68;

				_t55 = __edi;
				_push("VB5!6&*"); // executed
				L0040134E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t28 = __eax + 1;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				_t51 = __edx + __ebx;
				asm("fdivr dword [ebx-0x77]");
				_t57 = __esi - 1;
				_t42 =  *__ecx - 1;
				asm("wait");
				asm("das");
				_push(cs);
				asm("sbb eax, [cs:eax+0xe2df]");
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				_t48 = __ecx + 1;
				_t1 = _t57 + 0x50018250;
				 *_t1 =  *((intOrPtr*)(_t57 + 0x50018250)) + _t28;
				if( *_t1 >= 0) {
					asm("arpl [ecx+esi], si");
					 *_t28 =  *_t28 + _t28;
					 *((intOrPtr*)( &(__edi[4]) + _t48)) =  *((intOrPtr*)( &(__edi[4]) + _t48)) + _t48;
					_t37 = _t28 +  *_t28;
					 *_t37 =  *_t37 + _t37;
					_t43 = _t42 + _t42;
					asm("int3");
					 *_t37 =  *_t37 ^ _t37;
					_t38 = _t37 + 2;
					 *__edi =  *__edi >> _t48;
					_t49 = 0x65;
					if( *__edi > 0) {
						_t55 =  &(__edi[0]);
						 *0xf4f67cea = _t43;
						asm("invalid");
					}
					asm("sbb eax, 0x8bf4d0c");
					_t48 = _t49 ^  *(_t38 + 0x40);
					asm("xlatb");
					_t55 = _t55 - 1;
					_pop(_t44);
					_t39 = _t38;
					asm("stosb");
					 *((intOrPtr*)(_t39 - 0x2d)) =  *((intOrPtr*)(_t39 - 0x2d)) + _t39;
					_t28 = _t44 ^  *(_t48 - 0x48ee309a);
					_t42 = _t39;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 + _t28;
					asm("fimul word [ebx]");
					 *_t28 =  *_t28 + _t28;
					_t51 = _t51 + 1;
				}
				_t29 = _t28 |  *_t28;
				 *_t29 =  *_t29 + _t29;
				_t30 = _t29 |  *_t29;
				if(_t30 < 0) {
					L9:
					 *((intOrPtr*)(_t55 - 0x5eff6061)) =  *((intOrPtr*)(_t55 - 0x5eff6061)) + _t42;
					asm("movsd");
					 *((intOrPtr*)(_t51 - 0x4dff5556)) =  *((intOrPtr*)(_t51 - 0x4dff5556)) + _t48;
					goto L10;
				} else {
					asm("insb");
					if (_t55[0x1c] * 0x65746d61 >= 0) goto L6;
					_t34 = _t30 | 0x46000b01;
					_t68 = _t34;
					asm("outsd");
					if(_t68 < 0) {
						L10:
					} else {
						asm("popad");
						asm("a16 jz 0x68");
						if(_t68 >= 0) {
							 *[gs:ecx] =  *[gs:ecx] + _t42;
							 *_t34 =  *_t34 + _t34;
							_t54 = _t51 + 1;
							 *_t54 =  *_t54 + _t34;
							 *_t42 =  *_t42 + _t60;
							asm("out dx, al");
							_t35 = _t34 |  *_t34;
							 *((intOrPtr*)(_t60 + _t57 * 2)) =  *((intOrPtr*)(_t60 + _t57 * 2)) + _t48;
							_t51 = _t54 + _t35;
							_t36 = _t35 |  *_t35;
							 *_t36 =  *_t36 + _t36;
							 *_t48 =  *_t48 + _t36;
							 *_t48 =  *_t48 + _t36;
							 *_t36 =  *_t36 + _t51;
							asm("adc [eax], al");
							 *_t48 =  *_t48 + _t36;
							 *_t36 =  *_t36 + _t48;
							 *((intOrPtr*)(_t36 + 5)) =  *((intOrPtr*)(_t36 + 5)) + _t48;
							 *_t36 =  *_t36 + _t36;
							_push(ss);
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t48;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t51;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t48 =  *_t48 + _t36;
							 *_t36 =  *_t36 + _t48;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							 *_t36 =  *_t36 + _t36;
							goto L9;
						}
					}
				}
				return 0;
			}

0x00401354
0x00401354
0x00401359
0x0040135e
0x00401360
0x00401362
0x00401364
0x00401366
0x00401368
0x00401369
0x0040136b
0x0040136d
0x0040136f
0x00401373
0x00401376
0x00401377
0x00401378
0x00401379
0x0040137a
0x0040137b
0x00401382
0x00401384
0x00401386
0x00401388
0x0040138a
0x0040138b
0x0040138b
0x00401391
0x00401395
0x00401399
0x0040139b
0x0040139f
0x004013a1
0x004013a3
0x004013a5
0x004013a6
0x004013a8
0x004013aa
0x004013ac
0x004013ad
0x004013b0
0x004013b3
0x004013b9
0x004013b9
0x004013be
0x004013c3
0x004013c6
0x004013c7
0x004013c8
0x004013d2
0x004013d4
0x004013d5
0x004013d8
0x004013d8
0x004013d9
0x004013db
0x004013dd
0x004013df
0x004013e1
0x004013e3
0x004013e5
0x004013e7
0x004013e9
0x004013eb
0x004013ed
0x004013ef
0x004013f1
0x004013f3
0x004013f5
0x004013f7
0x004013f9
0x004013fb
0x004013fd
0x004013ff
0x00401401
0x00401401
0x00401402
0x00401404
0x00401406
0x00401408
0x00401479
0x00401479
0x00401484
0x00401485
0x00000000
0x0040140a
0x0040140a
0x00401412
0x00401414
0x00401414
0x00401419
0x0040141a
0x0040148c
0x0040141c
0x0040141c
0x0040141d
0x00401420
0x00401422
0x00401425
0x00401427
0x00401428
0x0040142a
0x0040142c
0x0040142d
0x0040142f
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143b
0x0040143d
0x0040143f
0x00401441
0x00401443
0x00401445
0x00401448
0x0040144a
0x0040144b
0x0040144d
0x0040144f
0x00401451
0x00401453
0x00401455
0x00401457
0x00401459
0x0040145b
0x0040145d
0x0040145f
0x00401461
0x00401463
0x00401465
0x00401467
0x00401469
0x0040146b
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401475
0x00401477
0x00000000
0x00401477
0x00401420
0x0040141a
0x00401497

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401359

Strings

VB5!6&*, xrefs: 00401354

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 37a52e1d8eaa7d18d4fcc441169052e165ba037087074f6de3634e4656e1d43d
Instruction ID: 687c8285d99a8222425a40b240f679762b97096890f5c9b1b38a2e84272b5ca3
Opcode Fuzzy Hash: 37a52e1d8eaa7d18d4fcc441169052e165ba037087074f6de3634e4656e1d43d
Instruction Fuzzy Hash: 8051FC2254E3C14FD703877488765827FB1AE5322874A49EBC4C1CF5B3D66E8C0ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040352E, Relevance: 1.4, APIs: 1, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,-000010C6,FFFFFEEF), ref: 00403627

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27bc5298acd4c37e4d5e29f897efc5946e267836dd71f00f71d3c2cf9c9c3ed2
Instruction ID: 2569508ad4945d6280f69fb93fcf67b77e4d4c9a145b0cef97aec1a536584581
Opcode Fuzzy Hash: 27bc5298acd4c37e4d5e29f897efc5946e267836dd71f00f71d3c2cf9c9c3ed2
Instruction Fuzzy Hash: 171126522276117BC7301CB4CCD85A66B99DF87F16720AE6BC509E7B90CE2E87CB411A

Uniqueness

Uniqueness Score: -1.00%

Function 004034D7, Relevance: 1.4, APIs: 1, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,-000010C6,FFFFFEEF), ref: 00403627

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e7bf47bb910d252d67513881d938bce14da985384eb6692661903b2a096fbeff
Instruction ID: 935798557f8c8b9b4260806ed9f748c81acbf3c501b8bdb30a5290e9f26a2f81
Opcode Fuzzy Hash: e7bf47bb910d252d67513881d938bce14da985384eb6692661903b2a096fbeff
Instruction Fuzzy Hash: A1210162623711BBC7305DB8C8C81666B99CF83F15720AEBBC909E7390CE2D47C7511A

Uniqueness

Uniqueness Score: -1.00%

Function 004034B2, Relevance: 1.4, APIs: 1, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,-000010C6,FFFFFEEF), ref: 00403627

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c8bcfa91f87382635a2a77f4000a169c3aa4810533276fd1d61188b7ba24c342
Instruction ID: 3512d390e05f3cd8c4b12aeb68b498abd67f09968d6f1acd76b7ac5b4cb60087
Opcode Fuzzy Hash: c8bcfa91f87382635a2a77f4000a169c3aa4810533276fd1d61188b7ba24c342
Instruction Fuzzy Hash: 6421ED62627311BBC3310CB4C8C416A6B99DF87F16B24AD7BC90AE7391CE6E47C7511A

Uniqueness

Uniqueness Score: -1.00%

Function 00403551, Relevance: 1.4, APIs: 1, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,-000010C6,FFFFFEEF), ref: 00403627

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1b75228bcffb0a93099fb8291f73f3227f2a7590ed547869f8016b861c067bb8
Instruction ID: d8759b9a3170d426bc487f4e4fd5a134750f0b75b95b391252ff6c0cfb53a45a
Opcode Fuzzy Hash: 1b75228bcffb0a93099fb8291f73f3227f2a7590ed547869f8016b861c067bb8
Instruction Fuzzy Hash: 3F1102622272117BD3301CF488D41666B99DF83F16714ADA7C909E6791CD2E87C79119

Uniqueness

Uniqueness Score: -1.00%

Function 00403599, Relevance: 1.4, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,-000010C6,FFFFFEEF), ref: 00403627

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd056b1f79fb2550960b08cf65926651ffae15a621919e461001e52b7a8c31da
Instruction ID: 711f3b60d254597436ee172a0ad7a74bb1d722d5fcd293fea416a57bf5f590ff
Opcode Fuzzy Hash: fd056b1f79fb2550960b08cf65926651ffae15a621919e461001e52b7a8c31da
Instruction Fuzzy Hash: C601D2623273117FC3201DF488D41A56B99DF83F167207E7BC509E6791CE2E46C7451A

Uniqueness

Uniqueness Score: -1.00%

Function 004035E9, Relevance: 1.3, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,-000010C6,FFFFFEEF), ref: 00403627

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 909505ec2c126cf2ff2ffe6710eacf3af9ab7904b774cbc014922b42ef3b5a87
Instruction ID: 6d193511ab8c4606e603a6a6e3542a353e1085dd47ed2736a5799c0d57f3b8c4
Opcode Fuzzy Hash: 909505ec2c126cf2ff2ffe6710eacf3af9ab7904b774cbc014922b42ef3b5a87
Instruction Fuzzy Hash: A401D6217233117BC7201DF488D41AA6B99DF83F16B206D7BC905F6791CD2E47C7561A

Uniqueness

Uniqueness Score: -1.00%

Function 004035C4, Relevance: 1.3, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,-000010C6,FFFFFEEF), ref: 00403627

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 61b5ff93b15ac2641ed551a384e5f31fc6bc0e8cb4bc96193d68d2d85a43a521
Instruction ID: e6a49a832835c51e0b5f723641c025f039fc6a92dd0d3481dece94ad5566ec54
Opcode Fuzzy Hash: 61b5ff93b15ac2641ed551a384e5f31fc6bc0e8cb4bc96193d68d2d85a43a521
Instruction Fuzzy Hash: 8B0176623233107FC7301DE088C44A66B9ADF83F16720BD6BC20AA7380CE2E06C75229

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B1264C, Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

\, xrefs: 02B12684

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 2441d57532ca99a3b31897b8cf9db38c26b7539415bc6fe486ad59c98ae766b4
Instruction ID: b329faf3f44a23f4d6b360461d12305e61453fe3515cc29d5001710d19246dca
Opcode Fuzzy Hash: 2441d57532ca99a3b31897b8cf9db38c26b7539415bc6fe486ad59c98ae766b4
Instruction Fuzzy Hash: 58318C62600622AFD7219B2CCC51BDAB396FF06330FA542B0EC95D32D1DB15DC898B80

Uniqueness

Uniqueness Score: -1.00%

Function 02B16D8A, Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313a5ddfcd1b65710613ef61c2f82ffc156e219b8f8ada1da06485a09e2a16e5
Instruction ID: fdd99385b47d6a2f442042c034f33c836475b02cdafa176fee18dc6394de2142
Opcode Fuzzy Hash: 313a5ddfcd1b65710613ef61c2f82ffc156e219b8f8ada1da06485a09e2a16e5
Instruction Fuzzy Hash: 00327770640305AFEF219E24CC95BE97B93EF42360FD482A8EE958B2D5D77584CACB11

Uniqueness

Uniqueness Score: -1.00%

Function 02B11F55, Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29be97599fcbf21a3a657626f11c6d9bea167b6784fadba2b3110aa581fc20d9
Instruction ID: 8d7a171774cc34c52789deb52277cf4bf46c65410181d527e80fe4e0d68bee11
Opcode Fuzzy Hash: 29be97599fcbf21a3a657626f11c6d9bea167b6784fadba2b3110aa581fc20d9
Instruction Fuzzy Hash: F9E12671B40716EFE7149F28CCA0BD6B3A6FF05350FD54269EC9993281D734A895CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B159C5, Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fe8ce84a212e55b913e7d8c8a399f9163557bf52f2b250d53c7a45fb1c8b50
Instruction ID: e78f7186446b216e3c36058b2cac273ac0fb0be23432f23feada3a9a5a5f4f83
Opcode Fuzzy Hash: 60fe8ce84a212e55b913e7d8c8a399f9163557bf52f2b250d53c7a45fb1c8b50
Instruction Fuzzy Hash: 50C155B1680209AFFF211E64CD81BE53B93EF46754FE08198EE855B280D3B954C9CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02B16D34, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdaae600a11dfa01b13c5fd074a37830f1d90705908d033cebc9bd2e523b3c75
Instruction ID: e617f1430fc8136204fa0c9f5c20e19f15b73b1d5061e2b77a56a98a3decc778
Opcode Fuzzy Hash: cdaae600a11dfa01b13c5fd074a37830f1d90705908d033cebc9bd2e523b3c75
Instruction Fuzzy Hash: 847128746443469FCB21CF2488A4796BBD29F27320FD8C2D9D8E98F2E6D7358482C706

Uniqueness

Uniqueness Score: -1.00%

Function 02B1286A, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcd4c20b08e3a96bea42fe49d8fec9bbb9c62d772baaa83dc4c29cdb43c8694
Instruction ID: e5a0dc42e304b5126aef895682adef8c21c3d0246300b617bd658beabb0e7752
Opcode Fuzzy Hash: 5fcd4c20b08e3a96bea42fe49d8fec9bbb9c62d772baaa83dc4c29cdb43c8694
Instruction Fuzzy Hash: D5515470204305AFEB306F348D98BEC3296EF063A4FE182D9EC469B1E5D36598C5CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B125C4, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4a406fd1edb1dbea9c8fc95628e9a1781f9c1b1ffef89b5da65f38496d1883
Instruction ID: 3a4b74f6eac3a7fac513febde346c54937c77a8bd4b97523ad0789a33bcf83e3
Opcode Fuzzy Hash: ba4a406fd1edb1dbea9c8fc95628e9a1781f9c1b1ffef89b5da65f38496d1883
Instruction Fuzzy Hash: C4414721704726AFDB209F288C11BD67791AF17730FA543A9ECAC972E2D7159886CB44

Uniqueness

Uniqueness Score: -1.00%

Function 02B12820, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903f612cb4659398fe11b8cbdde30913ced88b7cae6ba250774220331197ac02
Instruction ID: 60cb3480017c992de65c3e9b77901a16f1ebbb5dcce88968ce28f61bd4a0e175
Opcode Fuzzy Hash: 903f612cb4659398fe11b8cbdde30913ced88b7cae6ba250774220331197ac02
Instruction Fuzzy Hash: 4A413620258356AEDB31AF249C05BD43B91AF07774FE442C5ED5A1F1F6D35194C2C30A

Uniqueness

Uniqueness Score: -1.00%

Function 02B126AE, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c460e3b7143634f717f86045c3664ab92e129d0cf1a7a465f3c85bc71ef2115e
Instruction ID: 09f583877a146847a476ff86447a5433041162634e55ddd05259c9e2432c69d1
Opcode Fuzzy Hash: c460e3b7143634f717f86045c3664ab92e129d0cf1a7a465f3c85bc71ef2115e
Instruction Fuzzy Hash: E9316710348B57BBDB60EF288C51BD6A781AF07730FB443A4ECBC962F2D70588868708

Uniqueness

Uniqueness Score: -1.00%

Function 02B125C2, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab5d16ba24905cd6001fe265d840687dacb22063507680be6eedd8fd2c775e9
Instruction ID: 445c1f3198c0290776e377c0c632732d4582c942fe1b2dd5ca3781442ab35bb1
Opcode Fuzzy Hash: 4ab5d16ba24905cd6001fe265d840687dacb22063507680be6eedd8fd2c775e9
Instruction Fuzzy Hash: 47314C71B40622AFDB259A28CD51BD67296FF06370FA542B9EC59D32D1CB14DC89CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02B11A6D, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4843cabdda0444954a58dd3484062877155b9352a8d8e156cd182e87fed1601d
Instruction ID: 18acd1979dbcec2a6dd4872403633623ac7f6a29f2a922a9e4011ce0441c86cc
Opcode Fuzzy Hash: 4843cabdda0444954a58dd3484062877155b9352a8d8e156cd182e87fed1601d
Instruction Fuzzy Hash: E2214C366102069BFB311E288D44BC63B26DF83760FA44261FD5D5B1C2E66585828711

Uniqueness

Uniqueness Score: -1.00%

Function 02B11B64, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed327699827c47da338af9e0dbd60c8fc1f4e98a73b0a329985106c52f1988c3
Instruction ID: 293350ed4c327a487c9349fcdb7fe4ef014eedf75974cb1ba6b08a7ec54dea9e
Opcode Fuzzy Hash: ed327699827c47da338af9e0dbd60c8fc1f4e98a73b0a329985106c52f1988c3
Instruction Fuzzy Hash: 3B21682D62834AAADB719F288D017C63F509F57770FA48294E8AC5E1F2E32684C3C309

Uniqueness

Uniqueness Score: -1.00%

Function 02B11A68, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99137e78f583149869a1ed35885a7f8b1f3a38456b340abf4e59625f2e119eb
Instruction ID: 22ddf5c18f657de60ccbbb6274a6e53610a21a867cd9f8d7585f56f3c40d8582
Opcode Fuzzy Hash: a99137e78f583149869a1ed35885a7f8b1f3a38456b340abf4e59625f2e119eb
Instruction Fuzzy Hash: 2A112662A5020A9BFF711A088D44BDB372AEF93750FE48051ED4D4B181F7A98AC4D322

Uniqueness

Uniqueness Score: -1.00%

Function 02B11B15, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a028d590a5bc4de63cd6a8a4902c3d6383502fa76419aee9da07bb1c465be4
Instruction ID: 5343bdf52aa59c1af962cafc4d4af765311a95d2e65741ccd2f0f9156f7a25c9
Opcode Fuzzy Hash: 99a028d590a5bc4de63cd6a8a4902c3d6383502fa76419aee9da07bb1c465be4
Instruction Fuzzy Hash: 2011260976878AB9EB709F184D017D66B909F67B30FA44284E99C4E1F6F35644C3C31A

Uniqueness

Uniqueness Score: -1.00%

Function 02B172A2, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae8c2db4ebf4b79c60d6be2a5aa3d0b6b461cf416bffd93b20d97e0cfb08312
Instruction ID: b3f17ae9432dbc45d1ba7ad5e39b2757f8aee29944f9ab44a4ade4a70049c25d
Opcode Fuzzy Hash: fae8c2db4ebf4b79c60d6be2a5aa3d0b6b461cf416bffd93b20d97e0cfb08312
Instruction Fuzzy Hash: 9C012B0872CB8A78DB50EF285D91799AFC05F57634B2493A8D5FD5E5F7D31540838309

Uniqueness

Uniqueness Score: -1.00%

Function 02B162F3, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14c5deb337747a037edcc0d1841ef24f0b240a3de7b45d0049ac2755c55dc30
Instruction ID: 46bf6c2718fc7e6e6fc41859b94bc5edc01fd80b2e00987d753ef7ba6c99736e
Opcode Fuzzy Hash: f14c5deb337747a037edcc0d1841ef24f0b240a3de7b45d0049ac2755c55dc30
Instruction Fuzzy Hash: 4AF08C303002008FD718CB1CE6E4B96B3EFAF95340F85C4A9D915CB621E730D880C610

Uniqueness

Uniqueness Score: -1.00%

Function 02B137B6, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d534d22ea79ddab0df448df324044177942140f445521ab6f8cf822e67945b
Instruction ID: 09008eafbbaf1ebb5cab70b1860f472a0e183ea11e787b004d8adfc9fcf0a65f
Opcode Fuzzy Hash: 29d534d22ea79ddab0df448df324044177942140f445521ab6f8cf822e67945b
Instruction Fuzzy Hash: E5C04CB6345581CFF611DB18D462B5173B0E715694B8544D0D8428B711D328ED01C700

Uniqueness

Uniqueness Score: -1.00%

Function 02B15D47, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc913e99de5db931b0e67bb28fcf22f0942b015185078c76c60382555e411f4
Instruction ID: 480fe9c97b5af4a1ffa14c4f1bcfa46a8bdc3d803e2813ed4a1daf671a123fb7
Opcode Fuzzy Hash: 7cc913e99de5db931b0e67bb28fcf22f0942b015185078c76c60382555e411f4
Instruction Fuzzy Hash: A4B092B8216642CFC265CF08C180E5173B0FB84690F8104C0E8028BE15C328E800CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0040E736, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040E736(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v32;
				char _v48;
				char* _v56;
				intOrPtr _v64;
				short _v68;
				signed int _t21;
				char* _t25;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t38 = _t37 - 0xc;
				 *[fs:0x0] = _t38;
				L004011E0();
				_v16 = _t38;
				_v12 = 0x4011a8;
				_v8 = 0;
				_t21 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4011e6, _t35);
				_push(2);
				_push(0x402f20);
				L00401282();
				L004012D6();
				_push(_t21);
				_push(0x402f2c);
				L004012DC();
				asm("sbb eax, eax");
				_v68 =  ~( ~( ~_t21));
				L0040130C();
				_t25 = _v68;
				if(_t25 != 0) {
					_v56 = L"Uza4XqOLcUXEH6vTy4hPhy6LxQaW8WzS7UbN40";
					_v64 = 8;
					L004012E8();
					_t25 =  &_v48;
					_push(_t25);
					L0040127C();
					L0040132A();
				}
				_push(0x40e7f6);
				return _t25;
			}

0x0040e739
0x0040e748
0x0040e752
0x0040e75a
0x0040e75d
0x0040e764
0x0040e773
0x0040e776
0x0040e778
0x0040e77d
0x0040e787
0x0040e78c
0x0040e78d
0x0040e792
0x0040e799
0x0040e79f
0x0040e7a6
0x0040e7ab
0x0040e7b1
0x0040e7b3
0x0040e7ba
0x0040e7c7
0x0040e7cc
0x0040e7cf
0x0040e7d0
0x0040e7d8
0x0040e7d8
0x0040e7dd
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E752
#512.MSVBVM60(00402F20,00000002,?,?,?,?,004011E6), ref: 0040E77D
__vbaStrMove.MSVBVM60(00402F20,00000002,?,?,?,?,004011E6), ref: 0040E787
__vbaStrCmp.MSVBVM60(00402F2C,00000000,00402F20,00000002,?,?,?,?,004011E6), ref: 0040E792
__vbaFreeStr.MSVBVM60(00402F2C,00000000,00402F20,00000002,?,?,?,?,004011E6), ref: 0040E7A6
__vbaVarDup.MSVBVM60 ref: 0040E7C7
#529.MSVBVM60(00000000), ref: 0040E7D0
__vbaFreeVar.MSVBVM60(00000000), ref: 0040E7D8

Strings

Uza4XqOLcUXEH6vTy4hPhy6LxQaW8WzS7UbN40, xrefs: 0040E7B3

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#512#529ChkstkMove
String ID: Uza4XqOLcUXEH6vTy4hPhy6LxQaW8WzS7UbN40
API String ID: 3639670698-2977998
Opcode ID: 7c6947db048fe2eb1a5a4bbded5a8be8bab990f069879996c401297bf9a22884
Instruction ID: e5a8163a30ca18772af3007cebf77b72d81643835eb790e973267c3740dd2c17
Opcode Fuzzy Hash: 7c6947db048fe2eb1a5a4bbded5a8be8bab990f069879996c401297bf9a22884
Instruction Fuzzy Hash: B3111F30D40209ABCB14EBE6C846B9EBBB4AF04744F50857AF501FB1E1DB7C9905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E33F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E33F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t33;
				intOrPtr _t46;

				_push(0x4011e6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L004011E0();
				_v12 = _t46;
				_v8 = 0x401160;
				if( *0x40f010 != 0) {
					_v56 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x40274c);
					L00401324();
					_v56 = 0x40f010;
				}
				_t29 =  &_v24;
				L0040131E();
				_v44 = _t29;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t33 =  *((intOrPtr*)( *_v44 + 0x1ec))(_v44, L"s9rH0uOE9h2umGS100", 0x10, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x308))( *_v56));
				asm("fclex");
				_v48 = _t33;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x402dd8);
					_push(_v44);
					_push(_v48);
					L00401318();
					_v60 = _t33;
				}
				L004012EE();
				_push(0x40e428);
				return _t33;
			}

0x0040e344
0x0040e34f
0x0040e350
0x0040e357
0x0040e35a
0x0040e362
0x0040e365
0x0040e373
0x0040e38d
0x0040e375
0x0040e375
0x0040e37a
0x0040e37f
0x0040e384
0x0040e384
0x0040e3a8
0x0040e3ac
0x0040e3b1
0x0040e3b4
0x0040e3bb
0x0040e3c5
0x0040e3cf
0x0040e3d0
0x0040e3d1
0x0040e3d2
0x0040e3e0
0x0040e3e6
0x0040e3e8
0x0040e3ef
0x0040e40b
0x0040e3f1
0x0040e3f1
0x0040e3f6
0x0040e3fb
0x0040e3fe
0x0040e401
0x0040e406
0x0040e406
0x0040e412
0x0040e417
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E35A
__vbaNew2.MSVBVM60(0040274C,0040F010,?,?,?,?,004011E6), ref: 0040E37F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E3AC
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E3C5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD8,000001EC,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E401
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E412

Strings

s9rH0uOE9h2umGS100, xrefs: 0040E3D3

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: s9rH0uOE9h2umGS100
API String ID: 3189907775-4180807193
Opcode ID: 8f41d9d16f83e771c74495251c3d7e11f1ee40b66aece4f5fdfc0016a602a215
Instruction ID: 42be225a32c20cb37b82dac12fa2abed5a44b17c9053aa6b03e88cee13610d2b
Opcode Fuzzy Hash: 8f41d9d16f83e771c74495251c3d7e11f1ee40b66aece4f5fdfc0016a602a215
Instruction Fuzzy Hash: 05214A70940208AFCB11DFA5D98ABDDBBB9EB09714F20443AF501BB2E1C7B91945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5CD, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040E5CD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v100;
				signed int _v104;
				char* _t42;
				signed int _t48;
				intOrPtr _t52;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L004011E0();
				_v16 = _t65;
				_v12 = 0x401198;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4011e6, _t62);
				if( *0x40f010 != 0) {
					_v100 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x40274c);
					L00401324();
					_v100 = 0x40f010;
				}
				_t52 =  *((intOrPtr*)( *_v100));
				_t42 =  &_v32;
				L0040131E();
				_v84 = _t42;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x401194;
				_t48 =  *((intOrPtr*)( *_v84 + 0x204))(_v84, _t52, 0x10, 0x10, 0x10, _t42,  *((intOrPtr*)(_t52 + 0x304))( *_v100));
				asm("fclex");
				_v88 = _t48;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x402dd8);
					_push(_v84);
					_push(_v88);
					L00401318();
					_v104 = _t48;
				}
				L004012EE();
				asm("wait");
				_push(0x40e70d);
				return _t48;
			}

0x0040e5d0
0x0040e5df
0x0040e5e9
0x0040e5f1
0x0040e5f4
0x0040e5fb
0x0040e60a
0x0040e614
0x0040e62e
0x0040e616
0x0040e616
0x0040e61b
0x0040e620
0x0040e625
0x0040e625
0x0040e63f
0x0040e649
0x0040e64d
0x0040e652
0x0040e655
0x0040e65c
0x0040e663
0x0040e66a
0x0040e671
0x0040e678
0x0040e682
0x0040e68c
0x0040e68d
0x0040e68e
0x0040e68f
0x0040e693
0x0040e69d
0x0040e69e
0x0040e69f
0x0040e6a0
0x0040e6a4
0x0040e6ae
0x0040e6af
0x0040e6b0
0x0040e6b1
0x0040e6b9
0x0040e6c4
0x0040e6ca
0x0040e6cc
0x0040e6d3
0x0040e6ef
0x0040e6d5
0x0040e6d5
0x0040e6da
0x0040e6df
0x0040e6e2
0x0040e6e5
0x0040e6ea
0x0040e6ea
0x0040e6f6
0x0040e6fb
0x0040e6fc
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E5E9
__vbaNew2.MSVBVM60(0040274C,0040F010,?,?,?,?,004011E6), ref: 0040E620
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E64D
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E682
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E693
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E6A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD8,00000204,?,?,00000000), ref: 0040E6E5
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0040E6F6

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 8e9ce116f69be036fd89f572eabac32405e932e62a97d85f4fc7cf5026998b6b
Instruction ID: 3b56a19c954ac9234e712439c5b6f03ad7fef0bb84f073526c047b0a31903fe6
Opcode Fuzzy Hash: 8e9ce116f69be036fd89f572eabac32405e932e62a97d85f4fc7cf5026998b6b
Instruction Fuzzy Hash: 07312770900708EBCB11DFD5D949B9DBBB6BF09704F20482AFA01BF2A1C7BA5905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E81F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040E81F(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				char _v56;
				char* _v64;
				intOrPtr _v72;
				char* _t18;
				void* _t25;
				void* _t27;
				intOrPtr _t28;

				_t28 = _t27 - 0xc;
				 *[fs:0x0] = _t28;
				L004011E0();
				_v16 = _t28;
				_v12 = 0x4011b8;
				_v8 = 0;
				_t18 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x4011e6, _t25);
				_push(0x402f88);
				L00401276();
				if(_t18 != 1) {
					_v64 = L"auWNn4TduPCda2qIaQXA176";
					_v72 = 8;
					L004012E8();
					_push(2);
					_t18 =  &_v56;
					_push(_t18);
					L00401270();
					_v32 = __fp0;
					L0040132A();
				}
				asm("wait");
				_push(0x40e8af);
				return _t18;
			}

0x0040e822
0x0040e831
0x0040e83b
0x0040e843
0x0040e846
0x0040e84d
0x0040e85c
0x0040e85f
0x0040e864
0x0040e86c
0x0040e86e
0x0040e875
0x0040e882
0x0040e887
0x0040e889
0x0040e88c
0x0040e88d
0x0040e892
0x0040e898
0x0040e898
0x0040e89d
0x0040e89e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E83B
__vbaLenBstr.MSVBVM60(00402F88,?,?,?,?,004011E6), ref: 0040E864
__vbaVarDup.MSVBVM60 ref: 0040E882
#600.MSVBVM60(?,00000002), ref: 0040E88D
__vbaFreeVar.MSVBVM60(?,00000002), ref: 0040E898

Strings

auWNn4TduPCda2qIaQXA176, xrefs: 0040E86E

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#600BstrChkstkFree
String ID: auWNn4TduPCda2qIaQXA176
API String ID: 2986526412-1228655893
Opcode ID: 739d694b6d2a7d3c248f4ea6c29514df192a9cff2b10139021355534adfd3fb1
Instruction ID: 423f8e4d165a55d1644aef763926013719b4ecd8828eadfa88f77dafad99db20
Opcode Fuzzy Hash: 739d694b6d2a7d3c248f4ea6c29514df192a9cff2b10139021355534adfd3fb1
Instruction Fuzzy Hash: 83012171941209BBDB00EFD5C98AB8DBBB8BF05744F50886AF100BB1E1DB7C5A05CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0040E21C, Relevance: 9.1, APIs: 6, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040E21C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				short _v52;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v68;
				signed int _t45;
				signed int _t50;
				short _t54;
				intOrPtr _t62;

				_push(0x4011e6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_push(0x30);
				L004011E0();
				_v12 = _t62;
				_v8 = 0x401150;
				if( *0x40f33c != 0) {
					_v60 = 0x40f33c;
				} else {
					_push(0x40f33c);
					_push(0x402e18);
					L00401324();
					_v60 = 0x40f33c;
				}
				_v36 =  *_v60;
				_t45 =  *((intOrPtr*)( *_v36 + 0x14))(_v36,  &_v28);
				asm("fclex");
				_v40 = _t45;
				if(_v40 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402e08);
					_push(_v36);
					_push(_v40);
					L00401318();
					_v64 = _t45;
				}
				_v44 = _v28;
				_t50 =  *((intOrPtr*)( *_v44 + 0x100))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t50;
				if(_v48 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x402ed8);
					_push(_v44);
					_push(_v48);
					L00401318();
					_v68 = _t50;
				}
				_v52 =  ~(0 | _v32 != 0x00400000);
				L004012EE();
				_t54 = _v52;
				if(_t54 != 0) {
					_push(6);
					L004012A0();
					_v24 = _t54;
				}
				_push(0x40e32c);
				return _t54;
			}

0x0040e221
0x0040e22c
0x0040e22d
0x0040e234
0x0040e237
0x0040e23f
0x0040e242
0x0040e250
0x0040e26a
0x0040e252
0x0040e252
0x0040e257
0x0040e25c
0x0040e261
0x0040e261
0x0040e276
0x0040e285
0x0040e288
0x0040e28a
0x0040e291
0x0040e2aa
0x0040e293
0x0040e293
0x0040e295
0x0040e29a
0x0040e29d
0x0040e2a0
0x0040e2a5
0x0040e2a5
0x0040e2b1
0x0040e2c0
0x0040e2c6
0x0040e2c8
0x0040e2cf
0x0040e2eb
0x0040e2d1
0x0040e2d1
0x0040e2d6
0x0040e2db
0x0040e2de
0x0040e2e1
0x0040e2e6
0x0040e2e6
0x0040e2fd
0x0040e304
0x0040e309
0x0040e30f
0x0040e311
0x0040e313
0x0040e318
0x0040e318
0x0040e31b
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E237
__vbaNew2.MSVBVM60(00402E18,0040F33C,?,?,?,?,004011E6), ref: 0040E25C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E08,00000014,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E2A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ED8,00000100,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E2E1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E304
#569.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E313

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#569ChkstkFreeNew2
String ID:
API String ID: 1758081487-0
Opcode ID: d3e7f9733a5fe96c621e43f5b9b57c484151c4fa4dffac9b13051bc18e703d35
Instruction ID: 3a5fca95501fe4cd7b93f0743afdfc651b6e3e7cd4c38c95b214f00430a6f2bf
Opcode Fuzzy Hash: d3e7f9733a5fe96c621e43f5b9b57c484151c4fa4dffac9b13051bc18e703d35
Instruction Fuzzy Hash: B9311271D00208EFDB00DBA6C846BEEBBF4BB08754F10447AF501B62A0C7B85855CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8D6, Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040E8D6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				signed int _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				char* _t37;
				signed int _t41;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L004011E0();
				_v16 = _t54;
				_v12 = 0x4011c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x4011e6, _t51);
				if( *0x40f010 != 0) {
					_v68 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x40274c);
					L00401324();
					_v68 = 0x40f010;
				}
				_t37 =  &_v32;
				L0040131E();
				_v52 = _t37;
				_v40 = _v40 & 0x00000000;
				_v48 = 2;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t41 =  *((intOrPtr*)( *_v52 + 0x200))(_v52, 0x10, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x308))( *_v68));
				asm("fclex");
				_v56 = _t41;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x402dd8);
					_push(_v52);
					_push(_v56);
					L00401318();
					_v72 = _t41;
				}
				L004012EE();
				_push(0x40e9ca);
				return _t41;
			}

0x0040e8d9
0x0040e8e8
0x0040e8f2
0x0040e8fa
0x0040e8fd
0x0040e904
0x0040e913
0x0040e91d
0x0040e937
0x0040e91f
0x0040e91f
0x0040e924
0x0040e929
0x0040e92e
0x0040e92e
0x0040e952
0x0040e956
0x0040e95b
0x0040e95e
0x0040e962
0x0040e96c
0x0040e976
0x0040e977
0x0040e978
0x0040e979
0x0040e982
0x0040e988
0x0040e98a
0x0040e991
0x0040e9ad
0x0040e993
0x0040e993
0x0040e998
0x0040e99d
0x0040e9a0
0x0040e9a3
0x0040e9a8
0x0040e9a8
0x0040e9b4
0x0040e9b9
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E8F2
__vbaNew2.MSVBVM60(0040274C,0040F010,?,?,?,?,004011E6), ref: 0040E929
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E956
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E96C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD8,00000200), ref: 0040E9A3
__vbaFreeObj.MSVBVM60 ref: 0040E9B4

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 3234cafec0c6c747e7b1c603077cd2b30fb3d1e4fc86e6afd90c7fda9064773e
Instruction ID: ab2bbe3b2f9386bc6239f7f91000ebf253aa8bc514e9d8f6c852ec51ab0079d5
Opcode Fuzzy Hash: 3234cafec0c6c747e7b1c603077cd2b30fb3d1e4fc86e6afd90c7fda9064773e
Instruction Fuzzy Hash: EA2146B0900208EFCB11EFA1D94AB9DBBB5BF08704F20443AF401BB2E1C7B95945DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E43B, Relevance: 7.6, APIs: 5, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E43B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, long long __fp0) {
				intOrPtr _v8;
				long long* _v12;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v52;
				char _v60;
				short _v96;
				signed int _v104;
				short _t26;
				long long* _t33;

				_push(0x4011e6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t33;
				_push(0x54);
				L004011E0();
				_v12 = _t33;
				_v8 = 0x401178;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				_push( &_v60);
				_push( &_v44);
				asm("fld1");
				 *_t33 = __fp0;
				asm("fld1");
				 *_t33 = __fp0;
				asm("fld1");
				 *_t33 = __fp0;
				L00401294();
				L0040129A();
				asm("fcomp qword [0x401170]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v104;
					 *_t10 = _v104 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v104 = 1;
				}
				_v96 =  ~_v104;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L004012A6();
				_t26 = _v96;
				if(_t26 != 0) {
					_push(0xa9);
					L0040128E();
					_v24 = _t26;
				}
				asm("wait");
				_push(0x40e50f);
				return _t26;
			}

0x0040e440
0x0040e44b
0x0040e44c
0x0040e453
0x0040e456
0x0040e45e
0x0040e461
0x0040e468
0x0040e46f
0x0040e476
0x0040e47d
0x0040e487
0x0040e48b
0x0040e48c
0x0040e490
0x0040e493
0x0040e497
0x0040e49a
0x0040e49e
0x0040e4a1
0x0040e4a6
0x0040e4ab
0x0040e4b1
0x0040e4b3
0x0040e4b4
0x0040e4bf
0x0040e4bf
0x0040e4bf
0x0040e4b6
0x0040e4b6
0x0040e4b6
0x0040e4c8
0x0040e4cf
0x0040e4d3
0x0040e4d4
0x0040e4d6
0x0040e4de
0x0040e4e4
0x0040e4e6
0x0040e4eb
0x0040e4f0
0x0040e4f0
0x0040e4f3
0x0040e4f4
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E456
#679.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040E4A1
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040E4A6
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040E4D6
#570.MSVBVM60(000000A9), ref: 0040E4EB

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#570#679ChkstkFreeList
String ID:
API String ID: 1921519738-0
Opcode ID: 0e0c497f2af05801f35b5444c8c1933521ca1f49816112ba53129901472298b5
Instruction ID: 1a81a05e4b35e57d24fe7fffe6deccc1764311825e509b9771549aacb02a8b3b
Opcode Fuzzy Hash: 0e0c497f2af05801f35b5444c8c1933521ca1f49816112ba53129901472298b5
Instruction Fuzzy Hash: 4D113DB1950308AADB05DFD2DD4ABEEBBB8EB04B04F10456FF104BA290D7B855508769

Uniqueness

Uniqueness Score: -1.00%

Function 0040E52A, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040E52A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v48;
				intOrPtr _v52;
				intOrPtr _t15;
				void* _t22;
				void* _t24;
				intOrPtr _t25;

				_t25 = _t24 - 0xc;
				 *[fs:0x0] = _t25;
				L004011E0();
				_v16 = _t25;
				_v12 = 0x401188;
				_v8 = 0;
				_t15 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x4011e6, _t22);
				L004012E8();
				_push(0x402f18);
				L00401288();
				if(_t15 != 0x61) {
					_push(0xb0);
					L004012A0();
					_v52 = _t15;
				}
				_push(0x40e5a0);
				L0040132A();
				return _t15;
			}

0x0040e52d
0x0040e53c
0x0040e546
0x0040e54e
0x0040e551
0x0040e558
0x0040e567
0x0040e570
0x0040e575
0x0040e57a
0x0040e583
0x0040e585
0x0040e58a
0x0040e58f
0x0040e58f
0x0040e592
0x0040e59a
0x0040e59f

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E546
__vbaVarDup.MSVBVM60(?,?,?,?,004011E6), ref: 0040E570
#696.MSVBVM60(00402F18,?,?,?,?,004011E6), ref: 0040E57A
#569.MSVBVM60(000000B0,00402F18,?,?,?,?,004011E6), ref: 0040E58A
__vbaFreeVar.MSVBVM60(0040E5A0,00402F18,?,?,?,?,004011E6), ref: 0040E59A

Memory Dump Source

Source File: 00000000.00000002.1514085267.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1514072350.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1514097577.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#569#696ChkstkFree
String ID:
API String ID: 3176559447-0
Opcode ID: 008888f2c62829c96fc71555d143c7723503bf2fc7e9311ca083a7ec0a69575d
Instruction ID: eb5a624b1584e6e01ee416d420e264a352389bfb9fc79ad93a6548814df87836
Opcode Fuzzy Hash: 008888f2c62829c96fc71555d143c7723503bf2fc7e9311ca083a7ec0a69575d
Instruction Fuzzy Hash: 91F03C30940209BBDB00AFE9CD46B8D7BB4EB04748F90C47AF504BA2E1D7BC5A058B99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Generic.mg.354e60543438661b.7014

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340 Parent PID: 6084

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340 Parent PID: 6084 SecuriteInfo.com.Generic.mg.354e60543438661b.exeCOMMON

Executed Functions

Function 0040D7D4, Relevance: 103.8, APIs: 56, Strings: 3, Instructions: 592COMMON

Function 00401354, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 641COMMON

Function 0040352E, Relevance: 1.4, APIs: 1, Instructions: 157memoryCOMMON

Function 004034D7, Relevance: 1.4, APIs: 1, Instructions: 156memoryCOMMON

Function 004034B2, Relevance: 1.4, APIs: 1, Instructions: 150memoryCOMMON

Function 0040D7D4, Relevance: 103.8, APIs: 56, Strings: 3, Instructions: 592
COMMON

Function 00401354, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 641
COMMON

Function 0040E736, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 52
COMMON

Function 0040E33F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Function 0040E5CD, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Function 0040E81F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Function 0040E21C, Relevance: 9.1, APIs: 6, Instructions: 81
COMMON

Function 0040E8D6, Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Function 0040E43B, Relevance: 7.6, APIs: 5, Instructions: 65
COMMON

Function 0040E52A, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON