Play interactive tour

Edit tour

Analysis Report AAKANDEVAND.exe

Overview

General Information

Sample Name:	AAKANDEVAND.exe
Analysis ID:	343165
MD5:	2c36dcd4149f0ac440632b7fefb30415
SHA1:	50c69661aad974ef9852b1eaaf498ad2181a19d7
SHA256:	4fc39458be70fe1ff6dba1459b565e7bfd171125a189521a7c309c55bef19037
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

AAKANDEVAND.exe (PID: 6676 cmdline: 'C:\Users\user\Desktop\AAKANDEVAND.exe' MD5: 2C36DCD4149F0AC440632B7FEFB30415)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: AAKANDEVAND.exe PID: 6676	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: AAKANDEVAND.exe PID: 6676	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: AAKANDEVAND.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: AAKANDEVAND.exe	Virustotal: Detection: 18%			Perma Link
Source: AAKANDEVAND.exe	ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files

Show sources

Source: AAKANDEVAND.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: AAKANDEVAND.exe, 00000000.00000002.1584014073.000000000067A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_00403449	0_2_00403449
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_00403275	0_2_00403275
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_00403363	0_2_00403363
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_004033D8	0_2_004033D8
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_0040338C	0_2_0040338C

Source: AAKANDEVAND.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: AAKANDEVAND.exe, 00000000.00000002.1584595101.0000000002140000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs AAKANDEVAND.exe

Source: AAKANDEVAND.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

File created: C:\Users\user\AppData\Local\Temp\~DFB85E2DCFB304C2D4.TMP

Jump to behavior

Source: AAKANDEVAND.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AAKANDEVAND.exe	Virustotal: Detection: 18%
Source: AAKANDEVAND.exe	ReversingLabs: Detection: 10%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: AAKANDEVAND.exe PID: 6676, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: AAKANDEVAND.exe PID: 6676, type: MEMORY

Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_00405C46 push eax; retf	0_2_00405C47
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_00404E92 push esp; retf	0_2_00404E93
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_0040472B push edi; retf	0_2_00404733
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_021851B3 push CCB1CE10h; ret	0_2_021851C9

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Code function: 0_2_02181DF6

0_2_02181DF6

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

RDTSC instruction interceptor: First address: 00000000021862D2 second address: 00000000021862D2 instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: AAKANDEVAND.exe, 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE=
Source: AAKANDEVAND.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\AAKANDEVAND.exe	RDTSC instruction interceptor: First address: 00000000021862D2 second address: 00000000021862D2 instructions:
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	RDTSC instruction interceptor: First address: 0000000002186999 second address: 0000000002186999 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F07288DA538h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dh, ch 0x00000027 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002e jne 00007F07288DA509h 0x00000030 pushad 0x00000031 mov cx, C521h 0x00000035 cmp cx, C521h 0x0000003a jne 00007F07288D4356h 0x00000040 popad 0x00000041 call 00007F07288DA559h 0x00000046 call 00007F07288DA548h 0x0000004b lfence 0x0000004e mov edx, dword ptr [7FFE0014h] 0x00000054 lfence 0x00000057 ret 0x00000058 mov esi, edx 0x0000005a pushad 0x0000005b rdtsc

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Code function: 0_2_0218167E rdtsc

0_2_0218167E

Source: AAKANDEVAND.exe, 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe=
Source: AAKANDEVAND.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Code function: 0_2_0218167E rdtsc

0_2_0218167E

Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_0218665B mov eax, dword ptr fs:[00000030h]	0_2_0218665B
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_0218367C mov eax, dword ptr fs:[00000030h]	0_2_0218367C
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_0218278B mov eax, dword ptr fs:[00000030h]	0_2_0218278B
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_0218705A mov eax, dword ptr fs:[00000030h]	0_2_0218705A
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_0218609C mov eax, dword ptr fs:[00000030h]	0_2_0218609C
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_02182502 mov eax, dword ptr fs:[00000030h]	0_2_02182502
Source: C:\Users\user\Desktop\AAKANDEVAND.exe	Code function: 0_2_02181DF6 mov eax, dword ptr fs:[00000030h]	0_2_02181DF6

HIPS / PFW / Operating System Protection Evasion:

Source: AAKANDEVAND.exe, 00000000.00000002.1584126126.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: AAKANDEVAND.exe, 00000000.00000002.1584126126.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: AAKANDEVAND.exe, 00000000.00000002.1584126126.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: AAKANDEVAND.exe, 00000000.00000002.1584126126.0000000000C40000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\AAKANDEVAND.exe

Code function: 0_2_02183916 cpuid

0_2_02183916

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	Input Capture1	Security Software Discovery411	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery311	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AAKANDEVAND.exe	19%	Virustotal		Browse
AAKANDEVAND.exe	11%	ReversingLabs	Win32.Trojan.Generic
AAKANDEVAND.exe	100%	Avira	HEUR/AGEN.1136443

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.AAKANDEVAND.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1136443		Download File
0.2.AAKANDEVAND.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1136443		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343165
Start date:	22.01.2021
Start time:	13:01:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AAKANDEVAND.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 29.8% (good quality ratio 17.3%) Quality average: 31.3% Quality standard deviation: 31.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, conhost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.720231484578821
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AAKANDEVAND.exe
File size:	69632
MD5:	2c36dcd4149f0ac440632b7fefb30415
SHA1:	50c69661aad974ef9852b1eaaf498ad2181a19d7
SHA256:	4fc39458be70fe1ff6dba1459b565e7bfd171125a189521a7c309c55bef19037
SHA512:	7a35953d90f05f0bf88ebef342ceb7bb36c38b6958dd639b81bf1a65907ee23aa1df76da2dc5da5c306a79b47490426bb2a6d6c0433cb8be98d5dd429acd296e
SSDEEP:	768:xIisFjh8oPDYl1elzOOU8oLfVm+hVNs5UQPL5g5euc8RZz9SueQ:xNsFjNbYlIlzOON4VruLPO5Fc8RZz9d
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....yP.....................0......T.............@................

File Icon


Icon Hash:	f030f0c6f030b100

Static PE Info

General
Entrypoint:	0x401354
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5079FFFE [Sat Oct 13 23:57:50 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e22238527efb5691a1dfa3f0e707406a

Entrypoint Preview

Instruction
push 00401FDCh
call 00007F07287FA3D5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+ebx*2-5063138Ah], bl
sub eax, 012EBD42h
jc 00007F07287FA37Eh
adc eax, 00008660h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [esi+50018250h], al
jc 00007F07287FA451h
push 00000065h
arpl word ptr [ecx+esi+00h], si
add byte ptr [eax], al
add byte ptr [ecx+edi+1Ah], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add al, 3Fh
bound ebx, dword ptr [edi+79h]
and byte ptr [ebx-6Fh], ch
inc esp
cdq
mov ss, word ptr [eax-75A5582Ah]
or edi, dword ptr [edi]
int3
fcmovnbe st(0), st(1)
sahf
inc ecx
xchg byte ptr [ecx-67h], al
jmp far 9524h : 9EC42827h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xlatb
or eax, dword ptr [eax]
add byte ptr [ebx], bh
or eax, dword ptr [eax]
add byte ptr [eax], al
push es
add byte ptr [ebp+edx*2+4Eh], al
dec esi
inc ebp
push edx
add byte ptr [55000A01h], cl
dec esi
push ebx
push ebp
inc esi
inc esi
push ebp
push ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe9f4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x940	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xfc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xde48	0xe000	False	0.527901785714	data	6.37787982544	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xf000	0x1180	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x940	0x1000	False	0.141357421875	data	1.44166791875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x113d8	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x113c4	0x14	data
RT_VERSION	0x110f0	0x2d4	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, __vbaCastObj, __vbaStrMove, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Calc Theory
InternalName	AAKANDEVAND
FileVersion	1.00
CompanyName	Calc Theory
Comments	Calc Theory
ProductName	Calc Theory
ProductVersion	1.00
FileDescription	Calc Theory
OriginalFilename	AAKANDEVAND.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: AAKANDEVAND.exe PID: 6676 Parent PID: 5640

General

Start time:	13:02:26
Start date:	22/01/2021
Path:	C:\Users\user\Desktop\AAKANDEVAND.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AAKANDEVAND.exe'
Imagebase:	0x400000
File size:	69632 bytes
MD5 hash:	2C36DCD4149F0AC440632B7FEFB30415
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AAKANDEVAND.exe PID: 6676 Parent PID: 5640 AAKANDEVAND.exeCOMMON

Executed Functions

Function 00403275, Relevance: 1.6, APIs: 1, Instructions: 332memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8f9cf6b76d464de9e6f641804e4f22dfb58c233a605676e26aa55e37131db29b
Instruction ID: 563ff836ee500e88003023e1aa0114724b382601108a4ad06e405464e28cf220
Opcode Fuzzy Hash: 8f9cf6b76d464de9e6f641804e4f22dfb58c233a605676e26aa55e37131db29b
Instruction Fuzzy Hash: 1B61693150B242FBC3268E78C8D15A53FA8EF07F1931859BFC981DA381DE2D4687D606

Uniqueness

Uniqueness Score: -1.00%

Function 00403363, Relevance: 1.6, APIs: 1, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c298546bea91c59de45bcbe7fdd96a249b26ed0835df91b51c37ae6e80b2518
Instruction ID: b59ee893bf737c3e50f7188bd5108a892ed23251283765e5df310379d516e632
Opcode Fuzzy Hash: 7c298546bea91c59de45bcbe7fdd96a249b26ed0835df91b51c37ae6e80b2518
Instruction Fuzzy Hash: 01512321A8B511EAC2365D7488D206A5E5CDB82F07724693BD915BA3C19EBE4B83D0CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040338C, Relevance: 1.5, APIs: 1, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb45b368ae4b39a273b0521c222514c8acd561bcbf4a36baf840e03515e5a058
Instruction ID: 969ba7aeb6521a9aed7a0568984cca4af5d2a68d670ffb87cd2eaeb77eea3fa4
Opcode Fuzzy Hash: cb45b368ae4b39a273b0521c222514c8acd561bcbf4a36baf840e03515e5a058
Instruction Fuzzy Hash: 9D412660E07611B6C3369DB48C945BA2E5CEF46F0AB14693BC915FA3C0DD3E4F834019

Uniqueness

Uniqueness Score: -1.00%

Function 004033D8, Relevance: 1.4, APIs: 1, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1cb3647163f3e4207e096b60138cab7b927dd8ab211f1a987f43756a843013b
Instruction ID: 64c522fe2a0af20cecad941a45cafc2a34231bf41c072c72aecc65acc57d9295
Opcode Fuzzy Hash: e1cb3647163f3e4207e096b60138cab7b927dd8ab211f1a987f43756a843013b
Instruction Fuzzy Hash: 27316A6061B612FBC7358DB8CC8456A2E98EF07F0A714AA3FCA45E73C0DD6E46C38015

Uniqueness

Uniqueness Score: -1.00%

Function 00403449, Relevance: 1.4, APIs: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9b9b5c4fbd69ea8413a5d0e020d2f7be3544e71c2fae6a4d58c03f5492ca12ef
Instruction ID: 05e9a66a77b583e6d0c2cddf6f5958273f1f0658e11ade3a4be5cea5f24c39bc
Opcode Fuzzy Hash: 9b9b5c4fbd69ea8413a5d0e020d2f7be3544e71c2fae6a4d58c03f5492ca12ef
Instruction Fuzzy Hash: 2631476060B712FAC7358DB8CC8456A3A9CDF06F0AB14A93FDD45E63C1DE2E46838515

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7C4, Relevance: 103.8, APIs: 56, Strings: 3, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040D7C4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				short _v44;
				intOrPtr _v48;
				long long _v52;
				intOrPtr _v56;
				char _v60;
				short _v64;
				short _v84;
				long long _v92;
				signed int _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v116;
				char _v124;
				char* _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				signed int _v164;
				char _v172;
				void* _v176;
				char _v180;
				char _v184;
				intOrPtr _v188;
				long long _v192;
				signed int _v196;
				signed int _v200;
				signed int* _v204;
				signed int _v208;
				signed int _v212;
				char _v228;
				char _v244;
				signed int _v256;
				intOrPtr _v260;
				intOrPtr* _v264;
				intOrPtr* _v268;
				signed int _v272;
				signed int _v276;
				intOrPtr* _v280;
				signed int _v284;
				char _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				char _v308;
				signed int _v312;
				intOrPtr* _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v332;
				signed int _v336;
				intOrPtr _t296;
				char* _t297;
				signed int _t305;
				signed int _t309;
				char* _t310;
				signed int _t325;
				signed int _t329;
				signed int _t337;
				signed int _t346;
				signed int _t351;
				signed int _t356;
				signed int _t360;
				signed int* _t364;
				signed int _t368;
				signed int _t372;
				signed int _t378;
				char* _t385;
				signed int _t386;
				signed char _t392;
				char* _t395;
				signed int _t399;
				void* _t400;
				char* _t428;
				signed int _t433;
				void* _t435;
				void* _t436;
				void* _t438;
				void* _t440;
				void* _t442;
				intOrPtr _t443;
				void* _t445;
				void* _t446;
				signed long long _t454;

				_t443 = _t442 - 0xc;
				 *[fs:0x0] = _t443;
				L004011E0();
				_v16 = _t443;
				_v12 = 0x401140;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				_t296 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t436, _t438, _t400,  *[fs:0x0], 0x4011e6, _t440);
				L00401330();
				_v116 = _t296;
				_v124 = 8;
				_t297 =  &_v124;
				_push(_t297); // executed
				L00401336(); // executed
				_v196 =  ~(0 | _t297 != 0x0000ffff);
				L0040132A();
				if(_v196 != 0) {
					if( *0x40f33c != 0) {
						_v264 = 0x40f33c;
					} else {
						_push(0x40f33c);
						_push(0x402e10);
						L00401324();
						_v264 = 0x40f33c;
					}
					_v264 =  *_v264;
					_v204 =  *_v264;
					if( *0x40f010 != 0) {
						_v268 = 0x40f010;
					} else {
						_push(0x40f010);
						_push(0x402748);
						L00401324();
						_v268 = 0x40f010;
					}
					_v268 =  *_v268;
					__eax =  *((intOrPtr*)( *((intOrPtr*)( *_v268)) + 0x304))( *_v268);
					__eax =  &_v104;
					L0040131E();
					_v196 = __eax;
					__eax =  &_v96;
					_v196 =  *_v196;
					__eax =  *((intOrPtr*)( *_v196 + 0x188))(_v196,  &_v96, __eax,  *_v268);
					asm("fclex");
					_v200 = __eax;
					if(_v200 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x402dd0);
						_push(_v196);
						_push(_v200);
						L00401318();
						_v272 = __eax;
					}
					L00401312();
					__eax =  &_v108;
					L0040131E();
					_v204 =  *_v204;
					__eax =  *((intOrPtr*)( *_v204 + 0x40))(_v204, __eax, __eax, __eax, _v56, 0x402de0, _v96);
					asm("fclex");
					_v208 = __eax;
					if(_v208 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x402e00);
						_push(_v204);
						_push(_v208);
						L00401318();
						_v276 = __eax;
					}
					L0040130C();
					__eax =  &_v108;
					_push( &_v108);
					__eax =  &_v104;
					_push( &_v104);
					_push(2);
					L00401306();
					__esp = __esp + 0xc;
				}
				 *((intOrPtr*)( *_a4 + 0x710))(_a4);
				if( *0x40f010 != 0) {
					_v280 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x402748);
					L00401324();
					_v280 = 0x40f010;
				}
				_t305 =  &_v104;
				L0040131E();
				_v196 = _t305;
				_t309 =  *((intOrPtr*)( *_v196 + 0x130))(_v196,  &_v108, _t305,  *((intOrPtr*)( *((intOrPtr*)( *_v280)) + 0x304))( *_v280));
				asm("fclex");
				_v200 = _t309;
				if(_v200 >= 0) {
					_v284 = _v284 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x402dd0);
					_push(_v196);
					_push(_v200);
					L00401318();
					_v284 = _t309;
				}
				_t310 =  &_v124;
				L004012FA();
				L00401300();
				_v184 = _t310;
				_v180 =  *0x40113c;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v180,  &_v184, _t310, _t310, _v108, 0, 0);
				L00401306();
				_t445 = _t443 + 0x1c;
				L0040132A();
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v180, 2,  &_v104,  &_v108);
				_v60 = _v180;
				if( *0x40f010 != 0) {
					_v288 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x402748);
					L00401324();
					_v288 = 0x40f010;
				}
				_t325 =  &_v104;
				L0040131E();
				_v196 = _t325;
				_t329 =  *((intOrPtr*)( *_v196 + 0x48))(_v196,  &_v96, _t325,  *((intOrPtr*)( *((intOrPtr*)( *_v288)) + 0x300))( *_v288));
				asm("fclex");
				_v200 = _t329;
				if(_v200 >= 0) {
					_v292 = _v292 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x402e20);
					_push(_v196);
					_push(_v200);
					L00401318();
					_v292 = _t329;
				}
				L004012F4();
				_v256 = _v96;
				_v96 = _v96 & 0x00000000;
				_v116 = _v256;
				_v124 = 8;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t337 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x10,  &_v100,  &_v192);
				_v204 = _t337;
				if(_v204 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402c7c);
					_push(_a4);
					_push(_v204);
					L00401318();
					_v296 = _t337;
				}
				_v52 = _v192;
				_v48 = _v188;
				L0040130C();
				L004012EE();
				L0040132A();
				_v132 = L"yWwcUJLP2nVmMuZiSL220";
				_v140 = 8;
				L004012E8();
				_t433 = L"YKyT2IjOTG5HP140";
				L004012F4();
				_v180 = 0x50c61e;
				_t346 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v180,  &_v96,  &_v124,  &_v176);
				_v196 = _t346;
				if(_v196 >= 0) {
					_v300 = _v300 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402c7c);
					_push(_a4);
					_push(_v196);
					L00401318();
					_v300 = _t346;
				}
				_v64 = _v176;
				L0040130C();
				L0040132A();
				_t351 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v176);
				_v196 = _t351;
				if(_v196 >= 0) {
					_v304 = _v304 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402c7c);
					_push(_a4);
					_push(_v196);
					L00401318();
					_v304 = _t351;
				}
				_v44 = _v176;
				if( *0x40f010 != 0) {
					_v308 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x402748);
					L00401324();
					_v308 = 0x40f010;
				}
				_t356 =  &_v104;
				L0040131E();
				_v196 = _t356;
				_t360 =  *((intOrPtr*)( *_v196 + 0x50))(_v196,  &_v176, _t356,  *((intOrPtr*)( *((intOrPtr*)( *_v308)) + 0x308))( *_v308));
				asm("fclex");
				_v200 = _t360;
				if(_v200 >= 0) {
					_v312 = _v312 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x402dd0);
					_push(_v196);
					_push(_v200);
					L00401318();
					_v312 = _t360;
				}
				if( *0x40f010 != 0) {
					_v316 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x402748);
					L00401324();
					_v316 = 0x40f010;
				}
				_t364 =  &_v108;
				L0040131E();
				_v204 = _t364;
				_t368 =  *((intOrPtr*)( *_v204 + 0x160))(_v204,  &_v180, _t364,  *((intOrPtr*)( *((intOrPtr*)( *_v316)) + 0x308))( *_v316));
				asm("fclex");
				_v208 = _t368;
				if(_v208 >= 0) {
					_v320 = _v320 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x402dd0);
					_push(_v204);
					_push(_v208);
					L00401318();
					_v320 = _t368;
				}
				_t372 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _v176, 0x347c, _v180,  &_v192);
				_v212 = _t372;
				if(_v212 >= 0) {
					_v324 = _v324 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x402c7c);
					_push(_a4);
					_push(_v212);
					L00401318();
					_v324 = _t372;
				}
				_v92 = _v192;
				L00401306();
				_t446 = _t445 + 0xc;
				_t378 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v176, 2,  &_v104,  &_v108);
				_v196 = _t378;
				if(_v196 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x402c7c);
					_push(_a4);
					_push(_v196);
					L00401318();
					_v328 = _t378;
				}
				_v84 = _v176;
				_v132 = 1;
				_v140 = 2;
				_v148 = 0x18013;
				_v156 = 3;
				_v164 = _v164 & 0x00000000;
				_v172 = 2;
				_push( &_v140);
				_push( &_v156);
				_push( &_v172);
				_push( &_v244);
				_push( &_v228);
				_t385 =  &_v40;
				_push(_t385);
				L004012E2();
				_v260 = _t385;
				while(_v260 != 0) {
					_v116 = 2;
					_v124 = 2;
					_t386 =  &_v124;
					_push(_t386);
					_push(1);
					_push(0x402ec0);
					_push(0x402ec0);
					L004012CA();
					L004012D6();
					_push(_t386);
					L004012D0();
					_t433 = _t386;
					L004012D6();
					_push(_t386);
					_push(0x402ecc);
					L004012DC();
					asm("sbb eax, eax");
					_v196 =  ~( ~( ~_t386));
					_push( &_v100);
					_push( &_v96);
					_push(2);
					L004012C4();
					_t446 = _t446 + 0xc;
					_t428 =  &_v124;
					L0040132A();
					_t392 = _v196;
					if(_t392 == 0) {
						L63:
						_push( &_v244);
						_push( &_v228);
						_t395 =  &_v40;
						_push(_t395);
						L004012B8();
						_v260 = _t395;
						continue;
					}
					_push(_t428);
					_v276 =  *0x401138;
					_t454 =  *0x401130 *  *0x401128;
					if( *0x40f000 != 0) {
						_push( *0x401124);
						_push( *0x401120);
						L00401204();
					} else {
						_t454 = _t454 /  *0x401120;
					}
					asm("fnstsw ax");
					if((_t392 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					} else {
						_v332 = _t454;
						_v288 = _v332;
						_v292 =  *0x401118;
						L004012BE();
						_v300 =  *0x401108;
						_v304 =  *0x401104;
						_v308 =  *0x401100;
						_t399 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t428, _t428, _t428, _t392, _t428, _t428);
						asm("fclex");
						_v196 = _t399;
						if(_v196 >= 0) {
							_v336 = _v336 & 0x00000000;
						} else {
							_push(0x2c0);
							_push(0x402c4c);
							_push(_a4);
							_push(_v196);
							L00401318();
							_v336 = _t399;
						}
						goto L63;
					}
				}
				_v132 = 0xaa;
				_t435 =  >=  ? 0x403342 : _t433;
				goto __edx;
			}

0x0040d7c7
0x0040d7d6
0x0040d7e2
0x0040d7ea
0x0040d7ed
0x0040d7fa
0x0040d802
0x0040d80d
0x0040d810
0x0040d815
0x0040d818
0x0040d81f
0x0040d822
0x0040d823
0x0040d833
0x0040d83d
0x0040d84b
0x0040d858
0x0040d875
0x0040d85a
0x0040d85a
0x0040d85f
0x0040d864
0x0040d869
0x0040d869
0x0040d885
0x0040d887
0x0040d894
0x0040d8b1
0x0040d896
0x0040d896
0x0040d89b
0x0040d8a0
0x0040d8a5
0x0040d8a5
0x0040d8c1
0x0040d8ce
0x0040d8d5
0x0040d8d9
0x0040d8de
0x0040d8e4
0x0040d8ee
0x0040d8f6
0x0040d8fc
0x0040d8fe
0x0040d90b
0x0040d930
0x0040d90d
0x0040d90d
0x0040d912
0x0040d917
0x0040d91d
0x0040d923
0x0040d928
0x0040d928
0x0040d942
0x0040d948
0x0040d94c
0x0040d958
0x0040d960
0x0040d963
0x0040d965
0x0040d972
0x0040d994
0x0040d974
0x0040d974
0x0040d976
0x0040d97b
0x0040d981
0x0040d987
0x0040d98c
0x0040d98c
0x0040d99e
0x0040d9a3
0x0040d9a6
0x0040d9a7
0x0040d9aa
0x0040d9ab
0x0040d9ad
0x0040d9b2
0x0040d9b2
0x0040d9bd
0x0040d9ca
0x0040d9e7
0x0040d9cc
0x0040d9cc
0x0040d9d1
0x0040d9d6
0x0040d9db
0x0040d9db
0x0040da0b
0x0040da0f
0x0040da14
0x0040da2c
0x0040da32
0x0040da34
0x0040da41
0x0040da66
0x0040da43
0x0040da43
0x0040da48
0x0040da4d
0x0040da53
0x0040da59
0x0040da5e
0x0040da5e
0x0040da74
0x0040da78
0x0040da81
0x0040da86
0x0040da92
0x0040daae
0x0040dabe
0x0040dac3
0x0040dac9
0x0040dadd
0x0040dae9
0x0040daf3
0x0040db10
0x0040daf5
0x0040daf5
0x0040dafa
0x0040daff
0x0040db04
0x0040db04
0x0040db34
0x0040db38
0x0040db3d
0x0040db55
0x0040db58
0x0040db5a
0x0040db67
0x0040db89
0x0040db69
0x0040db69
0x0040db6b
0x0040db70
0x0040db76
0x0040db7c
0x0040db81
0x0040db81
0x0040db98
0x0040dba0
0x0040dba6
0x0040dbb0
0x0040dbb3
0x0040dbc8
0x0040dbd2
0x0040dbd3
0x0040dbd4
0x0040dbd5
0x0040dbde
0x0040dbe4
0x0040dbf1
0x0040dc13
0x0040dbf3
0x0040dbf3
0x0040dbf8
0x0040dbfd
0x0040dc00
0x0040dc06
0x0040dc0b
0x0040dc0b
0x0040dc20
0x0040dc29
0x0040dc2f
0x0040dc37
0x0040dc3f
0x0040dc44
0x0040dc4b
0x0040dc5e
0x0040dc63
0x0040dc6b
0x0040dc70
0x0040dc98
0x0040dc9e
0x0040dcab
0x0040dccd
0x0040dcad
0x0040dcad
0x0040dcb2
0x0040dcb7
0x0040dcba
0x0040dcc0
0x0040dcc5
0x0040dcc5
0x0040dcdb
0x0040dce2
0x0040dcea
0x0040dcfe
0x0040dd04
0x0040dd11
0x0040dd33
0x0040dd13
0x0040dd13
0x0040dd18
0x0040dd1d
0x0040dd20
0x0040dd26
0x0040dd2b
0x0040dd2b
0x0040dd41
0x0040dd4c
0x0040dd69
0x0040dd4e
0x0040dd4e
0x0040dd53
0x0040dd58
0x0040dd5d
0x0040dd5d
0x0040dd8d
0x0040dd91
0x0040dd96
0x0040ddb1
0x0040ddb4
0x0040ddb6
0x0040ddc3
0x0040dde5
0x0040ddc5
0x0040ddc5
0x0040ddc7
0x0040ddcc
0x0040ddd2
0x0040ddd8
0x0040dddd
0x0040dddd
0x0040ddf3
0x0040de10
0x0040ddf5
0x0040ddf5
0x0040ddfa
0x0040ddff
0x0040de04
0x0040de04
0x0040de34
0x0040de38
0x0040de3d
0x0040de58
0x0040de5e
0x0040de60
0x0040de6d
0x0040de92
0x0040de6f
0x0040de6f
0x0040de74
0x0040de79
0x0040de7f
0x0040de85
0x0040de8a
0x0040de8a
0x0040deb9
0x0040debf
0x0040decc
0x0040deee
0x0040dece
0x0040dece
0x0040ded3
0x0040ded8
0x0040dedb
0x0040dee1
0x0040dee6
0x0040dee6
0x0040defb
0x0040df08
0x0040df0d
0x0040df1f
0x0040df25
0x0040df32
0x0040df54
0x0040df34
0x0040df34
0x0040df39
0x0040df3e
0x0040df41
0x0040df47
0x0040df4c
0x0040df4c
0x0040df62
0x0040df66
0x0040df6d
0x0040df77
0x0040df81
0x0040df8b
0x0040df92
0x0040dfa2
0x0040dfa9
0x0040dfb0
0x0040dfb7
0x0040dfbe
0x0040dfbf
0x0040dfc2
0x0040dfc3
0x0040dfc8
0x0040e141
0x0040dfd3
0x0040dfda
0x0040dfe1
0x0040dfe4
0x0040dfe5
0x0040dfe7
0x0040dfec
0x0040dff1
0x0040dffb
0x0040e000
0x0040e001
0x0040e006
0x0040e00b
0x0040e010
0x0040e011
0x0040e016
0x0040e01d
0x0040e023
0x0040e02d
0x0040e031
0x0040e032
0x0040e034
0x0040e039
0x0040e03c
0x0040e03f
0x0040e044
0x0040e04d
0x0040e124
0x0040e12a
0x0040e131
0x0040e132
0x0040e135
0x0040e136
0x0040e13b
0x00000000
0x0040e13b
0x0040e059
0x0040e05a
0x0040e063
0x0040e070
0x0040e07a
0x0040e080
0x0040e086
0x0040e072
0x0040e072
0x0040e072
0x0040e08b
0x0040e08f
0x004011ec
0x0040e095
0x0040e095
0x0040e0a2
0x0040e0ac
0x0040e0b5
0x0040e0c2
0x0040e0cc
0x0040e0d6
0x0040e0e6
0x0040e0ec
0x0040e0ee
0x0040e0fb
0x0040e11d
0x0040e0fd
0x0040e0fd
0x0040e102
0x0040e107
0x0040e10a
0x0040e110
0x0040e115
0x0040e115
0x00000000
0x0040e0fb
0x0040e08f
0x0040e14e
0x0040e15d
0x0040e160

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040D7E2
#609.MSVBVM60(?,?,?,?,004011E6), ref: 0040D810
#557.MSVBVM60(00000008), ref: 0040D823
__vbaFreeVar.MSVBVM60(00000008), ref: 0040D83D
__vbaNew2.MSVBVM60(00402E10,0040F33C,00000008), ref: 0040D864
__vbaNew2.MSVBVM60(00402748,0040F010), ref: 0040D8A0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D8D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD0,00000188), ref: 0040D923
__vbaCastObj.MSVBVM60(?,00402DE0,?), ref: 0040D942
__vbaObjSet.MSVBVM60(?,00000000,?,00402DE0,?), ref: 0040D94C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E00,00000040), ref: 0040D987
__vbaFreeStr.MSVBVM60(00000000,?,00402E00,00000040), ref: 0040D99E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D9AD
__vbaNew2.MSVBVM60(00402748,0040F010), ref: 0040D9D6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DA0F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD0,00000130), ref: 0040DA59
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000), ref: 0040DA78
__vbaI4Var.MSVBVM60(00000000,?,?,?,004011E6), ref: 0040DA81
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,004011E6), ref: 0040DABE
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,004011E6), ref: 0040DAC9
__vbaNew2.MSVBVM60(00402748,0040F010,?,?,?,?,?,?,004011E6), ref: 0040DAFF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DB38
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E20,00000048), ref: 0040DB7C
__vbaStrCopy.MSVBVM60(00000000,?,00402E20,00000048), ref: 0040DB98
__vbaChkstk.MSVBVM60(?,?), ref: 0040DBC8
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C7C,000006F8), ref: 0040DC06
__vbaFreeStr.MSVBVM60(00000000,00401140,00402C7C,000006F8), ref: 0040DC2F
__vbaFreeObj.MSVBVM60(00000000,00401140,00402C7C,000006F8), ref: 0040DC37
__vbaFreeVar.MSVBVM60(00000000,00401140,00402C7C,000006F8), ref: 0040DC3F
__vbaVarDup.MSVBVM60(00000000,00401140,00402C7C,000006F8), ref: 0040DC5E
__vbaStrCopy.MSVBVM60(00000000,00401140,00402C7C,000006F8), ref: 0040DC6B
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C7C,000006FC), ref: 0040DCC0
__vbaFreeStr.MSVBVM60(00000000,00401140,00402C7C,000006FC), ref: 0040DCE2
__vbaFreeVar.MSVBVM60(00000000,00401140,00402C7C,000006FC), ref: 0040DCEA
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C7C,00000700), ref: 0040DD26
__vbaNew2.MSVBVM60(00402748,0040F010), ref: 0040DD58
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DD91
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402DD0,00000050), ref: 0040DDD8
__vbaNew2.MSVBVM60(00402748,0040F010), ref: 0040DDFF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DE38
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402DD0,00000160), ref: 0040DE85
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C7C,00000704), ref: 0040DEE1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040DF08
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C7C,00000708), ref: 0040DF47
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 0040DFC3
__vbaStrCat.MSVBVM60(00402EC0,00402EC0,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040DFF1
__vbaStrMove.MSVBVM60(00402EC0,00402EC0,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040DFFB
#628.MSVBVM60(00000000,00402EC0,00402EC0,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E001
__vbaStrMove.MSVBVM60(00000000,00402EC0,00402EC0,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E00B
__vbaStrCmp.MSVBVM60(00402ECC,00000000,00000000,00402EC0,00402EC0,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E016
__vbaFreeStrList.MSVBVM60(00000002,?,?,00402ECC,00000000,00000000,00402EC0,00402EC0,00000001,00000002,?,?,?,00000002,00000003,00000002), ref: 0040E034
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E03F
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E086
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E0B5
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402C4C,000002C0), ref: 0040E110
__vbaVarForNext.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E136

Strings

YKyT2IjOTG5HP140, xrefs: 0040DC63
UcScmXD96757qJJZGyR8162, xrefs: 0040DB90
yWwcUJLP2nVmMuZiSL220, xrefs: 0040DC44

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$List$ChkstkCopyMove$#557#609#628CallCastInitLateNext_adj_fdiv_m64
String ID: UcScmXD96757qJJZGyR8162$YKyT2IjOTG5HP140$yWwcUJLP2nVmMuZiSL220
API String ID: 2886871742-4112685389
Opcode ID: 98780f4ebd2a85b44e011565e46ed80ded34ba479bf24c35645b76cb18c99b53
Instruction ID: 9e8ef441b5455199dd77a2f53bccf8d9a33e9e4a9881233076be6a93c58355cd
Opcode Fuzzy Hash: 98780f4ebd2a85b44e011565e46ed80ded34ba479bf24c35645b76cb18c99b53
Instruction Fuzzy Hash: 6D42D571900218EFEB219F90CC49BDDBBB4BB08304F1041FAE549BB2A1D7785A99DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401354, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 611
COMMON

Download Yara Rule

C-Code - Quality: 90%

			_entry_(signed int __eax, signed int __ebx, void* __ecx, signed int __edx, signed int __edi, void* __esi) {
				signed char _t59;
				signed char _t60;
				signed char _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t75;
				intOrPtr* _t81;
				signed char _t82;
				signed char _t83;
				signed int _t85;
				signed int _t88;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				intOrPtr* _t92;
				void* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t99;
				signed int _t100;
				signed int* _t101;
				void* _t103;
				signed int _t105;
				void* _t106;
				signed char _t107;
				void* _t108;
				intOrPtr* _t111;
				signed int _t119;
				signed int _t120;
				intOrPtr* _t121;
				void* _t122;
				signed int* _t124;
				signed int _t126;
				void* _t127;
				signed int _t131;
				void* _t134;
				void* _t135;
				void* _t137;
				void* _t139;
				void* _t140;
				void* _t142;
				intOrPtr _t145;

				_t127 = __esi;
				_t126 = __edi;
				_t120 = __edx;
				_t106 = __ecx;
				_t100 = __ebx;
				_t57 = __eax;
				_push("VB5!6&*"); // executed
				L0040134E(); // executed
				 *__eax =  *__eax + __eax;
				do {
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 ^ _t58;
					 *_t58 =  *_t58 + _t58;
					_t58 = _t58 + 1;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					_t1 = _t120 + _t100 * 2 - 0x5063138a;
					 *_t1 =  *((intOrPtr*)(_t120 + _t100 * 2 - 0x5063138a)) + _t100;
					_t145 =  *_t1;
					asm("pushfd");
					_pop(_t120);
				} while (_t145 <= 0);
				asm("pushfd");
				asm("scasd");
				_t57 = _t58 - 0x12ebd42;
				if(_t57 < 0) {
					_t58 = _t57 &  &__imp____vbaHresultCheckObj;
				}
				asm("adc eax, 0x8660");
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				_t107 = _t106 + 1;
				_t7 = _t127 + 0x50018250;
				 *_t7 =  *((intOrPtr*)(_t127 + 0x50018250)) + _t57;
				if( *_t7 >= 0) {
					_push(0x65);
					asm("arpl [ecx+esi], si");
					 *_t57 =  *_t57 + _t57;
					 *((intOrPtr*)(_t107 + _t126 + 0x1a)) =  *((intOrPtr*)(_t107 + _t126 + 0x1a)) + _t57;
					_t97 = _t57 +  *_t57;
					 *_t97 =  *_t97 + _t97;
					_t105 = _t100 + _t100;
					asm("int3");
					 *_t97 =  *_t97 ^ _t97;
					_t98 = _t97 + 0x3f;
					asm("bound ebx, [edi+0x79]");
					 *(_t105 - 0x6f) =  *(_t105 - 0x6f) & _t107;
					_t139 = _t139 + 1;
					asm("cdq");
					ss =  *((intOrPtr*)(_t98 - 0x75a5582a));
					_t126 = _t126 |  *_t126;
					asm("int3");
					asm("fcmovnbe st0, st1");
					asm("sahf");
					_t107 = _t107 + 1;
					_t16 = _t107 - 0x67;
					_t99 =  *_t16;
					 *_t16 = _t98;
					goto 0x9524;
					_t100 = _t105 ^  *(_t107 - 0x48ee309a);
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					 *_t99 =  *_t99 + _t99;
					asm("xlatb");
					_t57 = _t99 |  *_t99;
					 *_t100 =  *_t100 + _t100;
				}
				_t59 = _t57 |  *_t57;
				 *_t59 =  *_t59 + _t59;
				_push(es);
				 *((intOrPtr*)(_t134 + 0x4e + _t120 * 2)) =  *((intOrPtr*)(_t134 + 0x4e + _t120 * 2)) + _t59;
				_t135 = _t134 + 1;
				_push(_t120);
				 *0x55000a01 =  *0x55000a01 + _t107;
				_push(_t100);
				_push(_t135);
				_t131 = _t127 + 2;
				_push(_t135);
				_push(_t100);
				_t140 = _t139 + 1;
				 *_t107 =  *_t107 + _t100;
				 *_t59 =  *_t59 + _t59;
				_t121 = _t120 + 1;
				 *_t121 =  *_t121 + _t59;
				 *_t100 =  *_t100 + _t140;
				asm("out dx, al");
				_t60 = _t59 |  *_t59;
				 *((intOrPtr*)(_t140 + _t131 * 2)) =  *((intOrPtr*)(_t140 + _t131 * 2)) + _t107;
				_t122 = _t121 + _t60;
				_t61 = _t60 |  *_t60;
				 *_t61 =  *_t61 + _t61;
				 *_t107 =  *_t107 + _t61;
				 *_t107 =  *_t107 + _t61;
				 *_t61 =  *_t61 + _t122;
				asm("adc [eax], al");
				 *_t107 =  *_t107 + _t61;
				 *_t61 =  *_t61 + _t107;
				 *((intOrPtr*)(_t61 + 5)) =  *((intOrPtr*)(_t61 + 5)) + _t107;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t107;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t122;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t107 =  *_t107 + _t61;
				 *_t61 =  *_t61 + _t107;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				 *((intOrPtr*)(_t126 - 0x5eff6061)) =  *((intOrPtr*)(_t126 - 0x5eff6061)) + _t100;
				_t62 =  *0xa5a500a1;
				asm("movsd");
				 *((intOrPtr*)(_t122 - 0x4dff5556)) =  *((intOrPtr*)(_t122 - 0x4dff5556)) + _t107;
				 *((intOrPtr*)(_t140 + _t131 * 4 - 0x4141ff4c)) =  *((intOrPtr*)(_t140 + _t131 * 4 - 0x4141ff4c)) + 0xb2;
				_t108 = _t107 + _t107;
				_t137 = ss;
				_t142 = _t137;
				_t124 = 0xb2 + _t108;
				asm("into");
				asm("into");
				asm("rcl ecx, 1");
				asm("aad 0xd5");
				_t111 = _t108 + 0x164 + _t62;
				asm("loope 0xffffffe3");
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				_t101 = _t100 + _t100;
				asm("invalid");
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t62 =  *_t62 + _t62;
				 *_t124 =  *_t124 + _t62;
				_t63 = _t62 +  *_t124;
				 *_t63 =  *_t63 + _t63;
				 *_t63 =  *_t63 + _t63;
				 *_t63 =  *_t63 + _t63;
				 *_t63 =  *_t63 + _t63;
				 *_t63 =  *_t63 + _t63;
				 *_t63 =  *_t63 + _t63;
				_push(es);
				_push(es);
				_t65 = _t63 +  *0xc3c3c300 +  *((intOrPtr*)(_t63 +  *0xc3c3c300));
				 *_t65 =  *_t65 + _t65;
				 *_t65 =  *_t65 + _t65;
				 *_t65 =  *_t65 + _t65;
				 *_t65 =  *_t65 + _t65;
				 *_t65 =  *_t65 + _t65;
				_t66 = _t65 +  *_t111;
				 *_t111 =  *_t111 + _t66;
				_t67 = _t66 +  *_t66;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_t70 = _t67 +  *_t124 +  *_t124 +  *((intOrPtr*)(_t67 +  *_t124 +  *_t124));
				 *_t70 =  *_t70 + _t70;
				 *_t70 =  *_t70 + _t70;
				 *_t70 =  *_t70 + _t70;
				 *_t124 =  *_t124 + _t70;
				_t75 = _t70 +  *_t124 +  *_t124 +  *((intOrPtr*)(_t124 + _t70 +  *_t124 +  *_t124)) +  *_t124 +  *((intOrPtr*)(_t70 +  *_t124 +  *_t124 +  *((intOrPtr*)(_t124 + _t70 +  *_t124 +  *_t124)) +  *_t124));
				 *_t75 =  *_t75 + _t75;
				 *_t124 =  *_t124 + _t75;
				_t81 = _t75 + 0x16;
				 *_t81 =  *_t81 + _t81;
				 *_t124 =  *_t124 + _t81;
				_push(es);
				_push(es);
				_push(es);
				_push(es);
				_push(es);
				_push(es);
				_push(es);
				_push(es);
				_push(es);
				_t82 = _t81 +  *_t81;
				 *_t82 =  *_t82 + _t82;
				es = es;
				_t83 = _t82 |  *_t124;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				_t85 = _t83 +  *_t124 +  *_t124;
				_t88 = (_t85 |  *_t124) +  *_t124 +  *((intOrPtr*)((_t85 |  *_t124) +  *_t124));
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t124 =  *_t124 + _t88;
				_t89 = _t88 |  *_t124;
				 *_t89 =  *_t89 + _t89;
				 *_t89 =  *_t89 + _t89;
				 *_t89 =  *_t89 + _t89;
				 *_t89 =  *_t89 + _t89;
				 *_t89 =  *_t89 + _t89;
				 *_t124 =  *_t124 + _t89;
				_t119 = _t111 +  *_t101 |  *_t101 |  *_t82 |  *_t124 |  *_t101 |  *_t85 |  *_t124 |  *_t124;
				_t90 = _t89 |  *_t124;
				 *_t90 =  *_t90 + _t90;
				 *_t90 =  *_t90 + _t90;
				 *_t90 =  *_t90 + _t90;
				 *_t90 =  *_t90 + _t90;
				 *_t90 =  *_t90 + _t90;
				 *_t124 =  *_t124 + _t90;
				_t91 = _t90 | 0x00020d0d;
				 *_t91 =  *_t91 + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t124 =  *_t124 + _t91;
				_t92 = _t91 +  *_t124;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + _t92;
				 *_t92 =  *_t92 + 1;
				_t103 = _t101 + _t101 + _t101 + _t101;
				 *_t92 =  *_t92 + 1;
				_t93 = _t92 + _t103;
				if (_t93 > 0) goto L9;
				_t94 = _t93 + _t103;
				asm("aas");
				 *_t94 =  *_t94 + _t94;
				asm("clc");
				asm("aas");
				 *_t94 =  *_t94 + _t94;
				asm("clc");
				asm("aas");
				 *_t94 =  *_t94 + _t94;
				asm("rol byte [edi], 0x0");
				 *((intOrPtr*)(_t94 - 0x7ffffffd)) =  *((intOrPtr*)(_t94 - 0x7ffffffd)) + _t94;
				_t95 = _t94 +  *_t94;
				 *((intOrPtr*)(_t95 - 0x3ffffffd)) =  *((intOrPtr*)(_t95 - 0x3ffffffd)) + _t95;
				es = es;
				 *_t95 =  *_t95 + _t95;
				asm("clc");
				asm("aas");
				 *_t95 =  *_t95 + _t95;
				asm("clc");
				asm("aas");
				 *_t95 =  *_t95 + _t95;
				asm("clc");
				asm("aas");
				 *_t95 =  *_t95 + _t95;
				asm("cld");
				if ( *_t95 > 0) goto L10;
				 *_t95 =  *_t95 + 1;
				 *_t95 =  *_t95 + _t119;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t124;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t119 =  *_t119 + _t95;
				 *_t95 =  *_t95 + _t119;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				 *((intOrPtr*)(_t126 - 0x5eff6061)) =  *((intOrPtr*)(_t126 - 0x5eff6061)) + _t103 + _t103;
				_t96 =  *0xa5a500a1;
				asm("movsd");
				 *((intOrPtr*)(_t124 - 0x4dff5556)) =  *((intOrPtr*)(_t124 - 0x4dff5556)) + _t119;
				 *((intOrPtr*)(_t142 + 0xfffffffecdcd0cb4)) =  *((intOrPtr*)(_t142 + 0xfffffffecdcd0cb4)) + 0xb2;
				return _t96;
			}

0x00401354
0x00401354
0x00401354
0x00401354
0x00401354
0x00401354
0x00401354
0x00401359
0x0040135e
0x00401360
0x00401360
0x00401362
0x00401364
0x00401366
0x00401368
0x00401369
0x0040136b
0x0040136d
0x0040136f
0x0040136f
0x0040136f
0x00401370
0x00401371
0x00401371
0x00401374
0x00401375
0x00401376
0x0040137b
0x00401319
0x00401319
0x0040137d
0x00401382
0x00401384
0x00401386
0x00401388
0x0040138a
0x0040138b
0x0040138b
0x00401391
0x00401393
0x00401395
0x00401399
0x0040139b
0x0040139f
0x004013a1
0x004013a3
0x004013a5
0x004013a6
0x004013a8
0x004013aa
0x004013ad
0x004013b0
0x004013b1
0x004013b2
0x004013b8
0x004013ba
0x004013bb
0x004013bd
0x004013be
0x004013bf
0x004013bf
0x004013bf
0x004013c2
0x004013cc
0x004013cd
0x004013ce
0x004013d0
0x004013d6
0x004013d7
0x004013dd
0x004013df
0x004013e1
0x004013e3
0x004013e5
0x004013e7
0x004013e9
0x004013eb
0x004013ed
0x004013ef
0x004013f1
0x004013f3
0x004013f5
0x004013f7
0x004013f9
0x004013fb
0x004013fd
0x004013fe
0x00401400
0x00401400
0x00401402
0x00401404
0x00401406
0x00401407
0x0040140c
0x0040140d
0x0040140e
0x00401415
0x00401416
0x00401418
0x00401419
0x0040141a
0x0040141c
0x0040141d
0x0040141f
0x00401421
0x00401422
0x00401424
0x00401426
0x00401427
0x00401429
0x0040142d
0x0040142f
0x00401431
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143b
0x0040143d
0x0040143f
0x00401442
0x00401445
0x00401447
0x00401449
0x0040144b
0x0040144d
0x0040144f
0x00401451
0x00401453
0x00401455
0x00401457
0x00401459
0x0040145b
0x0040145d
0x0040145f
0x00401461
0x00401463
0x00401465
0x00401467
0x00401469
0x0040146b
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401479
0x0040147e
0x0040147f
0x00401487
0x00401493
0x00401495
0x00401496
0x00401497
0x00401499
0x0040149a
0x0040149d
0x004014a1
0x004014a3
0x004014a5
0x004014a7
0x004014a9
0x004014ab
0x004014ad
0x004014af
0x004014b1
0x004014b3
0x004014b5
0x004014b7
0x004014b9
0x004014bb
0x004014bd
0x004014bf
0x004014c1
0x004014c3
0x004014c5
0x004014c7
0x004014c9
0x004014cb
0x004014cd
0x004014cf
0x004014d1
0x004014d3
0x004014d5
0x004014d7
0x004014d9
0x004014db
0x004014dd
0x004014df
0x004014e1
0x004014e3
0x004014e5
0x004014e7
0x004014e9
0x004014eb
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401507
0x00401509
0x0040150b
0x0040150d
0x0040150f
0x00401511
0x00401513
0x00401515
0x00401517
0x00401519
0x0040151b
0x0040151d
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x00401529
0x0040152b
0x0040152d
0x0040152f
0x00401531
0x00401533
0x00401535
0x00401537
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x0040155f
0x00401561
0x00401563
0x00401565
0x00401567
0x00401569
0x0040156b
0x0040156d
0x0040156f
0x00401571
0x00401573
0x00401575
0x00401577
0x00401579
0x0040157b
0x0040157d
0x0040157f
0x00401581
0x00401583
0x00401585
0x00401587
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x00401599
0x0040159b
0x0040159d
0x0040159f
0x004015a1
0x004015a3
0x004015a5
0x004015a7
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b1
0x004015b3
0x004015b5
0x004015b7
0x004015b9
0x004015bb
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015c7
0x004015c9
0x004015cb
0x004015cd
0x004015cf
0x004015d1
0x004015d3
0x004015d5
0x004015d7
0x004015d9
0x004015db
0x004015dd
0x004015df
0x004015e1
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015eb
0x004015ed
0x004015ef
0x004015f1
0x004015f3
0x004015f5
0x004015f7
0x004015f9
0x004015fb
0x004015fd
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160f
0x00401611
0x00401613
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162f
0x00401631
0x00401633
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163d
0x0040163f
0x00401641
0x00401643
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401663
0x00401665
0x00401667
0x00401669
0x0040166b
0x0040166d
0x0040166f
0x00401671
0x00401673
0x00401675
0x00401677
0x00401679
0x0040167b
0x0040167d
0x0040167f
0x00401681
0x00401683
0x00401685
0x00401687
0x00401689
0x0040168b
0x0040168d
0x0040168f
0x00401691
0x00401693
0x00401695
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b3
0x004016b5
0x004016b7
0x004016b9
0x004016bb
0x004016bd
0x004016bf
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016f7
0x004016f9
0x004016fb
0x004016fd
0x004016ff
0x00401701
0x00401703
0x00401705
0x00401707
0x00401709
0x0040170b
0x0040170d
0x0040170f
0x00401711
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171b
0x0040171d
0x0040171f
0x00401721
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x0040173f
0x00401741
0x00401743
0x00401745
0x00401747
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x00401751
0x00401753
0x00401755
0x00401757
0x00401759
0x0040175b
0x0040175d
0x0040175f
0x00401761
0x00401763
0x00401765
0x00401767
0x00401769
0x0040176b
0x0040176d
0x0040176f
0x00401771
0x00401773
0x00401775
0x00401777
0x00401779
0x0040177b
0x0040177d
0x0040177f
0x00401781
0x00401783
0x00401785
0x00401787
0x00401789
0x0040178b
0x0040178d
0x0040178f
0x00401791
0x00401793
0x00401795
0x00401797
0x00401799
0x0040179b
0x0040179d
0x0040179f
0x004017a1
0x004017a3
0x004017a5
0x004017a7
0x004017a9
0x004017ab
0x004017ad
0x004017af
0x004017b1
0x004017b3
0x004017b5
0x004017b7
0x004017b9
0x004017bb
0x004017bd
0x004017bf
0x004017c1
0x004017c3
0x004017c5
0x004017c7
0x004017c9
0x004017cb
0x004017cd
0x004017cf
0x004017d1
0x004017d3
0x004017d5
0x004017d7
0x004017d9
0x004017db
0x004017dd
0x004017df
0x004017e1
0x004017e3
0x004017e5
0x004017e7
0x004017e9
0x004017eb
0x004017ed
0x004017ef
0x004017f1
0x004017f3
0x004017f5
0x004017f7
0x004017f9
0x004017fb
0x004017fd
0x004017ff
0x00401801
0x00401803
0x00401805
0x00401807
0x00401809
0x0040180b
0x0040180d
0x0040180f
0x00401811
0x00401813
0x00401815
0x00401817
0x00401819
0x0040181b
0x0040181d
0x0040181f
0x00401821
0x00401823
0x00401825
0x00401827
0x00401829
0x0040182b
0x0040182d
0x0040182f
0x00401831
0x00401833
0x00401835
0x00401837
0x00401839
0x0040183b
0x0040183d
0x0040183f
0x00401841
0x00401843
0x00401845
0x00401847
0x00401849
0x0040184b
0x0040184d
0x0040184f
0x00401851
0x00401853
0x00401855
0x00401857
0x00401859
0x0040185b
0x0040185d
0x0040185f
0x00401861
0x00401863
0x00401865
0x00401867
0x00401869
0x0040186b
0x0040186d
0x0040186f
0x00401871
0x00401873
0x00401875
0x00401877
0x00401879
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401885
0x00401887
0x00401889
0x0040188b
0x0040188d
0x0040188f
0x00401891
0x00401893
0x00401895
0x00401897
0x00401899
0x0040189b
0x0040189d
0x0040189f
0x004018a1
0x004018a3
0x004018a7
0x004018a8
0x004018a9
0x004018ab
0x004018ad
0x004018af
0x004018b1
0x004018b3
0x004018b5
0x004018b7
0x004018b9
0x004018bb
0x004018bd
0x004018bf
0x004018c1
0x004018c3
0x004018c9
0x004018cb
0x004018cd
0x004018cf
0x004018d1
0x004018dc
0x004018de
0x004018e0
0x004018ec
0x004018ee
0x004018f0
0x004018f2
0x004018f3
0x004018f4
0x004018f5
0x004018f6
0x004018f7
0x004018f8
0x004018f9
0x004018fa
0x004018fd
0x004018ff
0x00401907
0x0040190c
0x0040190e
0x00401910
0x00401914
0x0040191c
0x0040191e
0x00401920
0x00401922
0x00401924
0x00401928
0x0040192a
0x0040192c
0x0040192e
0x00401930
0x00401932
0x00401934
0x00401936
0x00401938
0x0040193a
0x0040193c
0x0040193e
0x00401940
0x00401942
0x00401944
0x00401946
0x0040194b
0x0040194d
0x0040194f
0x00401951
0x00401953
0x00401955
0x00401957
0x00401959
0x0040195b
0x0040195d
0x0040195f
0x00401961
0x00401963
0x00401965
0x00401967
0x00401969
0x0040196b
0x0040196d
0x00401971
0x00401973
0x00401975
0x00401977
0x00401979
0x0040197b
0x0040197d
0x0040197e
0x00401980
0x00401981
0x00401982
0x00401984
0x00401985
0x00401986
0x00401988
0x0040198b
0x00401991
0x00401993
0x00401999
0x0040199a
0x0040199c
0x0040199d
0x0040199e
0x004019a0
0x004019a1
0x004019a2
0x004019a4
0x004019a5
0x004019a6
0x004019a8
0x004019a9
0x004019ad
0x004019af
0x004019b1
0x004019b3
0x004019b5
0x004019b7
0x004019b9
0x004019bb
0x004019bd
0x004019bf
0x004019c1
0x004019c3
0x004019c5
0x004019c7
0x004019c9
0x004019cb
0x004019cd
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019db
0x004019e1
0x004019e6
0x004019e7
0x004019ef
0x004019fa

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401359

Strings

VB5!6&*, xrefs: 00401354

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 2dff0a0ca4d1aab4dc9ead865f9b91d2161f618cfb467453a74e60d4bcfaf121
Instruction ID: 893b1400a3f49b66ffc030fbf30b0a15cc0f3044aa62cd4049cfafcb79fa465a
Opcode Fuzzy Hash: 2dff0a0ca4d1aab4dc9ead865f9b91d2161f618cfb467453a74e60d4bcfaf121
Instruction Fuzzy Hash: F941DB6254E3C15FD3038B718C665823FB0AE5326874E48EBC4C1DF4B3D25D985AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 004034B1, Relevance: 1.4, APIs: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23455a8ffde6f5d8f23292de9b645575fe9190404d91132c71c630f49277307
Instruction ID: b7c2fd42d31bfccd9714641c683ee296034dfbc3593d67bb0a11078afbeb927b
Opcode Fuzzy Hash: d23455a8ffde6f5d8f23292de9b645575fe9190404d91132c71c630f49277307
Instruction Fuzzy Hash: 4921882150B612FAC7348DB8CC8456A3E98DF07F09714A97FCE49E33D0DE6E46878115

Uniqueness

Uniqueness Score: -1.00%

Function 0040346D, Relevance: 1.4, APIs: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c70f3611f1a3943682132af7cce7f196ec70db434b067b36e40d8250ed1131e2
Instruction ID: bcc4df22fd709d45f48208851f8834bff45a3b86b41e22cd737949020d87d015
Opcode Fuzzy Hash: c70f3611f1a3943682132af7cce7f196ec70db434b067b36e40d8250ed1131e2
Instruction Fuzzy Hash: 98317A2260B712FBC7348DB4CC8916A7BA8DF07F09B14697FCD05DA381DE6E86878505

Uniqueness

Uniqueness Score: -1.00%

Function 00403507, Relevance: 1.4, APIs: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d5e223400f19657484d0ac8d1d7e1c904d2e935454cfae1a258f96436858f7ba
Instruction ID: 609d46932b3653de870a17bf3b821f593e0ba007adb60ba05904469739c4eb52
Opcode Fuzzy Hash: d5e223400f19657484d0ac8d1d7e1c904d2e935454cfae1a258f96436858f7ba
Instruction Fuzzy Hash: A2219B21207612FECB348DB8CC845AA7E98DF06F0A714A93FD945D3390DE2E47869515

Uniqueness

Uniqueness Score: -1.00%

Function 004035B8, Relevance: 1.4, APIs: 1, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1a944fce42924f4b4272f571a5fe8bf2ff1f5ed4b8b853f61d89b5c872938071
Instruction ID: f526c0105e3c5615ff19a732922dc999c1355edaf09434db7ef352c4358cf3d3
Opcode Fuzzy Hash: 1a944fce42924f4b4272f571a5fe8bf2ff1f5ed4b8b853f61d89b5c872938071
Instruction Fuzzy Hash: CE019C60107634BEC738DEF588C80667A98DF06F093106D3FD55562391DE6B074AD604

Uniqueness

Uniqueness Score: -1.00%

Function 00403543, Relevance: 1.4, APIs: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2be735eebd6a9fce3f5b690fc4c7007f2f6f481703976b54c504405dfe673700
Instruction ID: ae31c721c87795e6ee634c9966555c7b69863494006f21a99ba4ab4b987377b1
Opcode Fuzzy Hash: 2be735eebd6a9fce3f5b690fc4c7007f2f6f481703976b54c504405dfe673700
Instruction Fuzzy Hash: 6C119B21207A12BEC7349DF8CCC81A97E98DF0AF0A7146A3FD945D33C0DE6E02879504

Uniqueness

Uniqueness Score: -1.00%

Function 00403529, Relevance: 1.4, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4c7964a3e4236220e661c6f1ea84cb5b0a89d09d06b9f4b1a2d818222fdd16ee
Instruction ID: ff536a1ea7f99eb8272e2edd02ebf9984a77eff60e27855aeba0c8baa9d2efb9
Opcode Fuzzy Hash: 4c7964a3e4236220e661c6f1ea84cb5b0a89d09d06b9f4b1a2d818222fdd16ee
Instruction Fuzzy Hash: 97118C2150B911BECB349DB8CC895A93E98DF07F097146A7FDA45E2391CE6E46879101

Uniqueness

Uniqueness Score: -1.00%

Function 00403597, Relevance: 1.3, APIs: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000D000,FFFF8AC4,-00000040,00403668), ref: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 525c5b1ca3db9a6ee1e291d150564a3fd6b616948357b21e8b5c5e8807e24246
Instruction ID: 29c90249ddca8824d3fae1574e0c365f95850b7f72cf265fa712d857e77b3981
Opcode Fuzzy Hash: 525c5b1ca3db9a6ee1e291d150564a3fd6b616948357b21e8b5c5e8807e24246
Instruction Fuzzy Hash: B1016B6120B625BEC7349EF588881767A98DF06F0A3106D3FD55A92381CF6E0687D515

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02181DF6, Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

@TW, xrefs: 02181EFA

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: @TW
API String ID: 0-1373642500
Opcode ID: 2f4e8067be4d6b240ec967973d43c6eb1f9299a5ea76078556b9c411461b4444
Instruction ID: d7e179d64fea6dec1fbd42a84a9a8937f2a11cbb1f53676f231d9cb2d8e76fb6
Opcode Fuzzy Hash: 2f4e8067be4d6b240ec967973d43c6eb1f9299a5ea76078556b9c411461b4444
Instruction Fuzzy Hash: 5DE12B71780707AFE719AE28CCE0BE673A6FF15790F954229DC9983680D735A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0218705A, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c71ce1081cb2bf13b36dfd3952431ec546df14d347c5f14edd6e0463b1108f
Instruction ID: fbf443288f07782e9ea566ee5cd343af7b6bca1c1d0d0da5b6f763eacd421a26
Opcode Fuzzy Hash: 76c71ce1081cb2bf13b36dfd3952431ec546df14d347c5f14edd6e0463b1108f
Instruction Fuzzy Hash: CAA1C638A843428EDB24EE3888D4795FBD29F56364F588299DCA58B2D6D3318487CF13

Uniqueness

Uniqueness Score: -1.00%

Function 0218278B, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9236649413648461c9f3c58f2e915c3082d2997993c5e79100819123a347263
Instruction ID: 5a1d902db9ae35ff605db08bb2849df90d94e0c8b6bf4ad13f561c2be316c0d3
Opcode Fuzzy Hash: c9236649413648461c9f3c58f2e915c3082d2997993c5e79100819123a347263
Instruction Fuzzy Hash: 8A416474284741DEFB297E38C8D9BD577D2AF02BA0F594259EDA65B0D2C379C480CE12

Uniqueness

Uniqueness Score: -1.00%

Function 02182502, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc3ffb752335c4566af23555be23972da49bd428c5493a8ac4e9191c84840f9
Instruction ID: 1656a899bba3f79c69d27245d48ef3de9fe64c80fc52234df79055b2e80c457d
Opcode Fuzzy Hash: dbc3ffb752335c4566af23555be23972da49bd428c5493a8ac4e9191c84840f9
Instruction Fuzzy Hash: 71312671780A029FD7196A2CCCA4BE673E6BF057B0F594228EC6683680DB25D8818F90

Uniqueness

Uniqueness Score: -1.00%

Function 02183916, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18837f891f895de33464b77d87214a83033e742a7d4fd9510b9e1f1dc2094e63
Instruction ID: 9a478d8cbab66b7ac17d31aa597f981c6500482f946b3fe177df8dc9789b24da
Opcode Fuzzy Hash: 18837f891f895de33464b77d87214a83033e742a7d4fd9510b9e1f1dc2094e63
Instruction Fuzzy Hash: 3701D6706443005FDB21AE58CDC9B993655DF0ABB4F2A42A1EC31C72E6D374C4858D21

Uniqueness

Uniqueness Score: -1.00%

Function 0218665B, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdf8f4812db65f7cec913faa1156423e6711acefde06bf2c9982e1e8432cf9d
Instruction ID: aab7a4b749ee7569998ae1227341e1eea7917f6f0eecc15b9e809ecb0605f1af
Opcode Fuzzy Hash: 4cdf8f4812db65f7cec913faa1156423e6711acefde06bf2c9982e1e8432cf9d
Instruction Fuzzy Hash: 880126357403818FC718EE28C5E0F967397AF95740F32807AE942CB251D331DC80CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0218167E, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b651f931f594aaef20c251d2f710379bd8c3444c8cad12e6ecf11687c07409f
Instruction ID: e037b35e35fa71e38fce0ae48e756eb8523cf3e56c48b44759b1e729ceffcfda
Opcode Fuzzy Hash: 0b651f931f594aaef20c251d2f710379bd8c3444c8cad12e6ecf11687c07409f
Instruction Fuzzy Hash: 65E0463924208A9FEF31AF488B503D83B73AF16395F985054DCCC4A249C3766B83CA15

Uniqueness

Uniqueness Score: -1.00%

Function 0218367C, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1348b544ed315c35cd93c37c1da3d5c63bd9f3e31f3ab78056cc7703b6065aed
Instruction ID: 69409a722b10d60e9fa0e9a5856dfcc19862c47bfa08d3896a554e679f3afa2a
Opcode Fuzzy Hash: 1348b544ed315c35cd93c37c1da3d5c63bd9f3e31f3ab78056cc7703b6065aed
Instruction Fuzzy Hash: 8BB092B22009818FFF02DF08C582B4073B0FF24A88B0804E0E002CB612D224E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0218609C, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1444cd18442c629ee4ab636efd1d85110f41ecc6240a14778b4a652a46f44a
Instruction ID: 677bfde11644fa4d16b8a6cda7b9fc0afeb4a51313a66f79c864f438f7ddce90
Opcode Fuzzy Hash: dd1444cd18442c629ee4ab636efd1d85110f41ecc6240a14778b4a652a46f44a
Instruction Fuzzy Hash: 29B00179662A80CFCE96CF19C295F81B3B5FF59B90F4259D4EC118BB22C369E900CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0040E726, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040E726(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v32;
				char _v48;
				char* _v56;
				intOrPtr _v64;
				short _v68;
				signed int _t21;
				char* _t25;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t38 = _t37 - 0xc;
				 *[fs:0x0] = _t38;
				L004011E0();
				_v16 = _t38;
				_v12 = 0x4011a8;
				_v8 = 0;
				_t21 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4011e6, _t35);
				_push(2);
				_push(0x402f18);
				L00401282();
				L004012D6();
				_push(_t21);
				_push(0x402f24);
				L004012DC();
				asm("sbb eax, eax");
				_v68 =  ~( ~( ~_t21));
				L0040130C();
				_t25 = _v68;
				if(_t25 != 0) {
					_v56 = L"Uza4XqOLcUXEH6vTy4hPhy6LxQaW8WzS7UbN40";
					_v64 = 8;
					L004012E8();
					_t25 =  &_v48;
					_push(_t25);
					L0040127C();
					L0040132A();
				}
				_push(0x40e7e6);
				return _t25;
			}

0x0040e729
0x0040e738
0x0040e742
0x0040e74a
0x0040e74d
0x0040e754
0x0040e763
0x0040e766
0x0040e768
0x0040e76d
0x0040e777
0x0040e77c
0x0040e77d
0x0040e782
0x0040e789
0x0040e78f
0x0040e796
0x0040e79b
0x0040e7a1
0x0040e7a3
0x0040e7aa
0x0040e7b7
0x0040e7bc
0x0040e7bf
0x0040e7c0
0x0040e7c8
0x0040e7c8
0x0040e7cd
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E742
#512.MSVBVM60(00402F18,00000002,?,?,?,?,004011E6), ref: 0040E76D
__vbaStrMove.MSVBVM60(00402F18,00000002,?,?,?,?,004011E6), ref: 0040E777
__vbaStrCmp.MSVBVM60(00402F24,00000000,00402F18,00000002,?,?,?,?,004011E6), ref: 0040E782
__vbaFreeStr.MSVBVM60(00402F24,00000000,00402F18,00000002,?,?,?,?,004011E6), ref: 0040E796
__vbaVarDup.MSVBVM60 ref: 0040E7B7
#529.MSVBVM60(00000000), ref: 0040E7C0
__vbaFreeVar.MSVBVM60(00000000), ref: 0040E7C8

Strings

Uza4XqOLcUXEH6vTy4hPhy6LxQaW8WzS7UbN40, xrefs: 0040E7A3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#512#529ChkstkMove
String ID: Uza4XqOLcUXEH6vTy4hPhy6LxQaW8WzS7UbN40
API String ID: 3639670698-2977998
Opcode ID: ec50d62f19250f883d8f0122ae1205c6b69b61d3eb4c83c3bbaa1d8ff4f0739f
Instruction ID: 0250114d1136a2b449dcbc01117a6b69ee299c336e3d019696da8016dc0d80bd
Opcode Fuzzy Hash: ec50d62f19250f883d8f0122ae1205c6b69b61d3eb4c83c3bbaa1d8ff4f0739f
Instruction Fuzzy Hash: 62114F30940209ABCB10EBE6C946B9DB7B8AF08744F50857AF401FB1E1DBBC5905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E32F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E32F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t33;
				intOrPtr _t46;

				_push(0x4011e6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L004011E0();
				_v12 = _t46;
				_v8 = 0x401160;
				if( *0x40f010 != 0) {
					_v56 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x402748);
					L00401324();
					_v56 = 0x40f010;
				}
				_t29 =  &_v24;
				L0040131E();
				_v44 = _t29;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t33 =  *((intOrPtr*)( *_v44 + 0x1ec))(_v44, L"s9rH0uOE9h2umGS100", 0x10, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x308))( *_v56));
				asm("fclex");
				_v48 = _t33;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x402dd0);
					_push(_v44);
					_push(_v48);
					L00401318();
					_v60 = _t33;
				}
				L004012EE();
				_push(0x40e418);
				return _t33;
			}

0x0040e334
0x0040e33f
0x0040e340
0x0040e347
0x0040e34a
0x0040e352
0x0040e355
0x0040e363
0x0040e37d
0x0040e365
0x0040e365
0x0040e36a
0x0040e36f
0x0040e374
0x0040e374
0x0040e398
0x0040e39c
0x0040e3a1
0x0040e3a4
0x0040e3ab
0x0040e3b5
0x0040e3bf
0x0040e3c0
0x0040e3c1
0x0040e3c2
0x0040e3d0
0x0040e3d6
0x0040e3d8
0x0040e3df
0x0040e3fb
0x0040e3e1
0x0040e3e1
0x0040e3e6
0x0040e3eb
0x0040e3ee
0x0040e3f1
0x0040e3f6
0x0040e3f6
0x0040e402
0x0040e407
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E34A
__vbaNew2.MSVBVM60(00402748,0040F010,?,?,?,?,004011E6), ref: 0040E36F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E39C
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E3B5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD0,000001EC,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E3F1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E402

Strings

s9rH0uOE9h2umGS100, xrefs: 0040E3C3

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: s9rH0uOE9h2umGS100
API String ID: 3189907775-4180807193
Opcode ID: 14815204e314258f01d45f306fb227362457a76290f333585ca7acb0a426c395
Instruction ID: 668b51294062f945631b64990fa9e49503156129b500e6bfa0ad1c0feaa6f972
Opcode Fuzzy Hash: 14815204e314258f01d45f306fb227362457a76290f333585ca7acb0a426c395
Instruction Fuzzy Hash: 71214870900608AFCB10DFA5D98ABDDBBB9FB49714F20047AF501BB2E1C7B91944DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5BD, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040E5BD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v100;
				signed int _v104;
				char* _t42;
				signed int _t48;
				intOrPtr _t52;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L004011E0();
				_v16 = _t65;
				_v12 = 0x401198;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4011e6, _t62);
				if( *0x40f010 != 0) {
					_v100 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x402748);
					L00401324();
					_v100 = 0x40f010;
				}
				_t52 =  *((intOrPtr*)( *_v100));
				_t42 =  &_v32;
				L0040131E();
				_v84 = _t42;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x401194;
				_t48 =  *((intOrPtr*)( *_v84 + 0x204))(_v84, _t52, 0x10, 0x10, 0x10, _t42,  *((intOrPtr*)(_t52 + 0x304))( *_v100));
				asm("fclex");
				_v88 = _t48;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x402dd0);
					_push(_v84);
					_push(_v88);
					L00401318();
					_v104 = _t48;
				}
				L004012EE();
				asm("wait");
				_push(0x40e6fd);
				return _t48;
			}

0x0040e5c0
0x0040e5cf
0x0040e5d9
0x0040e5e1
0x0040e5e4
0x0040e5eb
0x0040e5fa
0x0040e604
0x0040e61e
0x0040e606
0x0040e606
0x0040e60b
0x0040e610
0x0040e615
0x0040e615
0x0040e62f
0x0040e639
0x0040e63d
0x0040e642
0x0040e645
0x0040e64c
0x0040e653
0x0040e65a
0x0040e661
0x0040e668
0x0040e672
0x0040e67c
0x0040e67d
0x0040e67e
0x0040e67f
0x0040e683
0x0040e68d
0x0040e68e
0x0040e68f
0x0040e690
0x0040e694
0x0040e69e
0x0040e69f
0x0040e6a0
0x0040e6a1
0x0040e6a9
0x0040e6b4
0x0040e6ba
0x0040e6bc
0x0040e6c3
0x0040e6df
0x0040e6c5
0x0040e6c5
0x0040e6ca
0x0040e6cf
0x0040e6d2
0x0040e6d5
0x0040e6da
0x0040e6da
0x0040e6e6
0x0040e6eb
0x0040e6ec
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E5D9
__vbaNew2.MSVBVM60(00402748,0040F010,?,?,?,?,004011E6), ref: 0040E610
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E63D
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E672
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E683
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E694
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD0,00000204,?,?,00000000), ref: 0040E6D5
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0040E6E6

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 6aa05d5b97a415273587f9f24205cfc94f614f67923fe500f27bba51af4c627d
Instruction ID: 4ff383b10531b12a6ad7561ab9dd11252d46665e592c4c5a48ce3abcc8989413
Opcode Fuzzy Hash: 6aa05d5b97a415273587f9f24205cfc94f614f67923fe500f27bba51af4c627d
Instruction Fuzzy Hash: E8313870900708AFCB11DFD5D949B9DBBB6BF09704F20482AF901BF2A1C7BA5905DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E80F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040E80F(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				char _v56;
				char* _v64;
				intOrPtr _v72;
				char* _t18;
				void* _t25;
				void* _t27;
				intOrPtr _t28;

				_t28 = _t27 - 0xc;
				 *[fs:0x0] = _t28;
				L004011E0();
				_v16 = _t28;
				_v12 = 0x4011b8;
				_v8 = 0;
				_t18 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x4011e6, _t25);
				_push(0x402f80);
				L00401276();
				if(_t18 != 1) {
					_v64 = L"auWNn4TduPCda2qIaQXA176";
					_v72 = 8;
					L004012E8();
					_push(2);
					_t18 =  &_v56;
					_push(_t18);
					L00401270();
					_v32 = __fp0;
					L0040132A();
				}
				asm("wait");
				_push(0x40e89f);
				return _t18;
			}

0x0040e812
0x0040e821
0x0040e82b
0x0040e833
0x0040e836
0x0040e83d
0x0040e84c
0x0040e84f
0x0040e854
0x0040e85c
0x0040e85e
0x0040e865
0x0040e872
0x0040e877
0x0040e879
0x0040e87c
0x0040e87d
0x0040e882
0x0040e888
0x0040e888
0x0040e88d
0x0040e88e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E82B
__vbaLenBstr.MSVBVM60(00402F80,?,?,?,?,004011E6), ref: 0040E854
__vbaVarDup.MSVBVM60 ref: 0040E872
#600.MSVBVM60(?,00000002), ref: 0040E87D
__vbaFreeVar.MSVBVM60(?,00000002), ref: 0040E888

Strings

auWNn4TduPCda2qIaQXA176, xrefs: 0040E85E

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#600BstrChkstkFree
String ID: auWNn4TduPCda2qIaQXA176
API String ID: 2986526412-1228655893
Opcode ID: 6bd8d97491a71fb72ddf0f2b74fe59ec262659684a8f92e6750869a3157d3b79
Instruction ID: fe75c6627292e8c2e6c98e699fd5422e76c2d7dad2fa45098cbb9df88d79f766
Opcode Fuzzy Hash: 6bd8d97491a71fb72ddf0f2b74fe59ec262659684a8f92e6750869a3157d3b79
Instruction Fuzzy Hash: 39011E71941209ABCB04EFD5C986B9DBBB8AF05744F50846AF500BB1E1DB785A05CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0040E20C, Relevance: 9.1, APIs: 6, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040E20C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				short _v52;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v68;
				signed int _t45;
				signed int _t50;
				short _t54;
				intOrPtr _t62;

				_push(0x4011e6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_push(0x30);
				L004011E0();
				_v12 = _t62;
				_v8 = 0x401150;
				if( *0x40f33c != 0) {
					_v60 = 0x40f33c;
				} else {
					_push(0x40f33c);
					_push(0x402e10);
					L00401324();
					_v60 = 0x40f33c;
				}
				_v36 =  *_v60;
				_t45 =  *((intOrPtr*)( *_v36 + 0x14))(_v36,  &_v28);
				asm("fclex");
				_v40 = _t45;
				if(_v40 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402e00);
					_push(_v36);
					_push(_v40);
					L00401318();
					_v64 = _t45;
				}
				_v44 = _v28;
				_t50 =  *((intOrPtr*)( *_v44 + 0x100))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t50;
				if(_v48 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x402ed0);
					_push(_v44);
					_push(_v48);
					L00401318();
					_v68 = _t50;
				}
				_v52 =  ~(0 | _v32 != 0x00400000);
				L004012EE();
				_t54 = _v52;
				if(_t54 != 0) {
					_push(6);
					L004012A0();
					_v24 = _t54;
				}
				_push(0x40e31c);
				return _t54;
			}

0x0040e211
0x0040e21c
0x0040e21d
0x0040e224
0x0040e227
0x0040e22f
0x0040e232
0x0040e240
0x0040e25a
0x0040e242
0x0040e242
0x0040e247
0x0040e24c
0x0040e251
0x0040e251
0x0040e266
0x0040e275
0x0040e278
0x0040e27a
0x0040e281
0x0040e29a
0x0040e283
0x0040e283
0x0040e285
0x0040e28a
0x0040e28d
0x0040e290
0x0040e295
0x0040e295
0x0040e2a1
0x0040e2b0
0x0040e2b6
0x0040e2b8
0x0040e2bf
0x0040e2db
0x0040e2c1
0x0040e2c1
0x0040e2c6
0x0040e2cb
0x0040e2ce
0x0040e2d1
0x0040e2d6
0x0040e2d6
0x0040e2ed
0x0040e2f4
0x0040e2f9
0x0040e2ff
0x0040e301
0x0040e303
0x0040e308
0x0040e308
0x0040e30b
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E227
__vbaNew2.MSVBVM60(00402E10,0040F33C,?,?,?,?,004011E6), ref: 0040E24C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E00,00000014,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E290
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ED0,00000100,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E2D1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E2F4
#569.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0040E303

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#569ChkstkFreeNew2
String ID:
API String ID: 1758081487-0
Opcode ID: 473aa8300d3ab1ea92620126d12cc0183f301c752d409cd15667d1334c75b170
Instruction ID: a8cb261cd0b4f3096ebf40cfabef420f5d24a3ab86ffda73136b5a8817070333
Opcode Fuzzy Hash: 473aa8300d3ab1ea92620126d12cc0183f301c752d409cd15667d1334c75b170
Instruction Fuzzy Hash: AB31F271940208EFDB10DBE6C94ABEEBBF4BB08754F10447AF501B62A0D7B859558B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8C6, Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040E8C6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				signed int _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				char* _t37;
				signed int _t41;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L004011E0();
				_v16 = _t54;
				_v12 = 0x4011c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x4011e6, _t51);
				if( *0x40f010 != 0) {
					_v68 = 0x40f010;
				} else {
					_push(0x40f010);
					_push(0x402748);
					L00401324();
					_v68 = 0x40f010;
				}
				_t37 =  &_v32;
				L0040131E();
				_v52 = _t37;
				_v40 = _v40 & 0x00000000;
				_v48 = 2;
				L004011E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t41 =  *((intOrPtr*)( *_v52 + 0x200))(_v52, 0x10, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x308))( *_v68));
				asm("fclex");
				_v56 = _t41;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x402dd0);
					_push(_v52);
					_push(_v56);
					L00401318();
					_v72 = _t41;
				}
				L004012EE();
				_push(0x40e9ba);
				return _t41;
			}

0x0040e8c9
0x0040e8d8
0x0040e8e2
0x0040e8ea
0x0040e8ed
0x0040e8f4
0x0040e903
0x0040e90d
0x0040e927
0x0040e90f
0x0040e90f
0x0040e914
0x0040e919
0x0040e91e
0x0040e91e
0x0040e942
0x0040e946
0x0040e94b
0x0040e94e
0x0040e952
0x0040e95c
0x0040e966
0x0040e967
0x0040e968
0x0040e969
0x0040e972
0x0040e978
0x0040e97a
0x0040e981
0x0040e99d
0x0040e983
0x0040e983
0x0040e988
0x0040e98d
0x0040e990
0x0040e993
0x0040e998
0x0040e998
0x0040e9a4
0x0040e9a9
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E8E2
__vbaNew2.MSVBVM60(00402748,0040F010,?,?,?,?,004011E6), ref: 0040E919
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E946
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E95C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DD0,00000200), ref: 0040E993
__vbaFreeObj.MSVBVM60 ref: 0040E9A4

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 0d71400c9b72d861440d4ff7bc626ad380b76fa3fdb9cb1b02d4eba7e3d000bc
Instruction ID: 32eb57d43538a0d3b2f9523789c53ab8fd187798198a3ef8271a362bb2e590a0
Opcode Fuzzy Hash: 0d71400c9b72d861440d4ff7bc626ad380b76fa3fdb9cb1b02d4eba7e3d000bc
Instruction Fuzzy Hash: 5B214470900208EFDB10DF95D98AB9DBBB5BF48704F20443AF500BB2E1C7B96945DB58

Uniqueness

Uniqueness Score: -1.00%

Function 02187C67, Relevance: 8.9, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

ag2, xrefs: 02182E40
~K, xrefs: 02183093
t:, xrefs: 0218810B
c$w, xrefs: 02182E82
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: ag2$c$w$u)j$32$qH$t:$~K
API String ID: 0-3472699449
Opcode ID: d6a9cd7424be4a4ea2e2026d148a1ff2417b1e36a82b49051c6ddaa9d721b54c
Instruction ID: 307892339d81428e6e7ddc6c0b7a49e8ad100e0defffaee8831bf48bbc29b7bd
Opcode Fuzzy Hash: d6a9cd7424be4a4ea2e2026d148a1ff2417b1e36a82b49051c6ddaa9d721b54c
Instruction Fuzzy Hash: ED414835B8060E9EEB297968C9E43FA7693DB45370FFA9229CE22470D1E37584C1CE41

Uniqueness

Uniqueness Score: -1.00%

Function 02182D42, Relevance: 7.8, Strings: 6, Instructions: 348COMMON

Download Yara Rule

Strings

ag2, xrefs: 02182E40
~K, xrefs: 02183093
c$w, xrefs: 02182E82
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: ag2$c$w$u)j$32$qH$~K
API String ID: 0-3310839833
Opcode ID: 9a84d75e23772524eed7fbe83b7599a20c459672bb22f8680988abec16ee462a
Instruction ID: d437a51f2b2dd8b16da513409fd8b677ea5351e13953a2e5db5a19b906fbe6d3
Opcode Fuzzy Hash: 9a84d75e23772524eed7fbe83b7599a20c459672bb22f8680988abec16ee462a
Instruction Fuzzy Hash: 6BB1497178074AAFFB252E24CDD1BFA3766EF42750F648128ED8597190C7B988C68F50

Uniqueness

Uniqueness Score: -1.00%

Function 02182CFF, Relevance: 7.8, Strings: 6, Instructions: 330COMMON

Download Yara Rule

Strings

ag2, xrefs: 02182E40
~K, xrefs: 02183093
c$w, xrefs: 02182E82
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: ag2$c$w$u)j$32$qH$~K
API String ID: 0-3310839833
Opcode ID: 2e532eaff29f004d5c9de20fc188c8d2df31058c2b9b17fd1147930a493eca39
Instruction ID: d3907d05fe4093dd2c0971f4c6fcd38b88841e27da77c0d986a74b66aefbc96c
Opcode Fuzzy Hash: 2e532eaff29f004d5c9de20fc188c8d2df31058c2b9b17fd1147930a493eca39
Instruction Fuzzy Hash: EDA1267578030AAEFF252E14CDD1BEA3767AF81750FA48128EE95AB1C0C7B994C58F01

Uniqueness

Uniqueness Score: -1.00%

Function 02182DEC, Relevance: 7.8, Strings: 6, Instructions: 314COMMON

Download Yara Rule

Strings

ag2, xrefs: 02182E40
~K, xrefs: 02183093
c$w, xrefs: 02182E82
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: ag2$c$w$u)j$32$qH$~K
API String ID: 0-3310839833
Opcode ID: 5362f1a94a847e0dcf5bcec9d88cb753c09ec651a1424adb17d53fcf9c80658b
Instruction ID: 2203312e977eb522a382321f73c416b4e6ae3f641176fa2a151895790d512b86
Opcode Fuzzy Hash: 5362f1a94a847e0dcf5bcec9d88cb753c09ec651a1424adb17d53fcf9c80658b
Instruction Fuzzy Hash: 9BA136B528074AAFFB252F24CDD17FA77A6EF42750FA48128ED8597190C7B988C58F40

Uniqueness

Uniqueness Score: -1.00%

Function 0040E42B, Relevance: 7.6, APIs: 5, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E42B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, long long __fp0) {
				intOrPtr _v8;
				long long* _v12;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v52;
				char _v60;
				short _v96;
				signed int _v104;
				short _t26;
				long long* _t33;

				_push(0x4011e6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t33;
				_push(0x54);
				L004011E0();
				_v12 = _t33;
				_v8 = 0x401178;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				_push( &_v60);
				_push( &_v44);
				asm("fld1");
				 *_t33 = __fp0;
				asm("fld1");
				 *_t33 = __fp0;
				asm("fld1");
				 *_t33 = __fp0;
				L00401294();
				L0040129A();
				asm("fcomp qword [0x401170]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v104;
					 *_t10 = _v104 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v104 = 1;
				}
				_v96 =  ~_v104;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L004012A6();
				_t26 = _v96;
				if(_t26 != 0) {
					_push(0xa9);
					L0040128E();
					_v24 = _t26;
				}
				asm("wait");
				_push(0x40e4ff);
				return _t26;
			}

0x0040e430
0x0040e43b
0x0040e43c
0x0040e443
0x0040e446
0x0040e44e
0x0040e451
0x0040e458
0x0040e45f
0x0040e466
0x0040e46d
0x0040e477
0x0040e47b
0x0040e47c
0x0040e480
0x0040e483
0x0040e487
0x0040e48a
0x0040e48e
0x0040e491
0x0040e496
0x0040e49b
0x0040e4a1
0x0040e4a3
0x0040e4a4
0x0040e4af
0x0040e4af
0x0040e4af
0x0040e4a6
0x0040e4a6
0x0040e4a6
0x0040e4b8
0x0040e4bf
0x0040e4c3
0x0040e4c4
0x0040e4c6
0x0040e4ce
0x0040e4d4
0x0040e4d6
0x0040e4db
0x0040e4e0
0x0040e4e0
0x0040e4e3
0x0040e4e4
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E446
#679.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040E491
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040E496
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040E4C6
#570.MSVBVM60(000000A9), ref: 0040E4DB

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#570#679ChkstkFreeList
String ID:
API String ID: 1921519738-0
Opcode ID: 992f70c3317e9672dc9cd3cc16a2095457a577a5e9d9f774a1ddb178ccb916d2
Instruction ID: 4deacc27b47e900a2b727703435e47afd96e9bb03e1eb4063fe8f4596657b98c
Opcode Fuzzy Hash: 992f70c3317e9672dc9cd3cc16a2095457a577a5e9d9f774a1ddb178ccb916d2
Instruction Fuzzy Hash: 26114FB1950308AADB05DFD2D946BEEBBBCEB04B10F14452FF100BA290D7B855548769

Uniqueness

Uniqueness Score: -1.00%

Function 0040E51A, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040E51A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v48;
				intOrPtr _v52;
				intOrPtr _t15;
				void* _t22;
				void* _t24;
				intOrPtr _t25;

				_t25 = _t24 - 0xc;
				 *[fs:0x0] = _t25;
				L004011E0();
				_v16 = _t25;
				_v12 = 0x401188;
				_v8 = 0;
				_t15 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x4011e6, _t22);
				L004012E8();
				_push(0x402f10);
				L00401288();
				if(_t15 != 0x61) {
					_push(0xb0);
					L004012A0();
					_v52 = _t15;
				}
				_push(0x40e590);
				L0040132A();
				return _t15;
			}

0x0040e51d
0x0040e52c
0x0040e536
0x0040e53e
0x0040e541
0x0040e548
0x0040e557
0x0040e560
0x0040e565
0x0040e56a
0x0040e573
0x0040e575
0x0040e57a
0x0040e57f
0x0040e57f
0x0040e582
0x0040e58a
0x0040e58f

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0040E536
__vbaVarDup.MSVBVM60(?,?,?,?,004011E6), ref: 0040E560
#696.MSVBVM60(00402F10,?,?,?,?,004011E6), ref: 0040E56A
#569.MSVBVM60(000000B0,00402F10,?,?,?,?,004011E6), ref: 0040E57A
__vbaFreeVar.MSVBVM60(0040E590,00402F10,?,?,?,?,004011E6), ref: 0040E58A

Memory Dump Source

Source File: 00000000.00000002.1583303868.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1583276892.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1583359021.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1583381000.0000000000411000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#569#696ChkstkFree
String ID:
API String ID: 3176559447-0
Opcode ID: 624f2495b12169ad1806a741611e35111173ecc2fb434da9f8c2d1895ea13984
Instruction ID: 0e6206d563a2256eb563d5052e3d751f780fcc6ea05b067a2610959b843f7132
Opcode Fuzzy Hash: 624f2495b12169ad1806a741611e35111173ecc2fb434da9f8c2d1895ea13984
Instruction Fuzzy Hash: DAF03130940209BBCB00AFD5C946B8D7BB4EB04748F90C57AF900BA1E1D7785A058B59

Uniqueness

Uniqueness Score: -1.00%

Function 02182EA9, Relevance: 5.3, Strings: 4, Instructions: 277COMMON

Download Yara Rule

Strings

~K, xrefs: 02183093
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: u)j$32$qH$~K
API String ID: 0-875238352
Opcode ID: adb91c2037a16de6afacbbd7de9934f7a2e99f0c177c2e27e9da9039ed16592f
Instruction ID: 01caadae69c63233ae7755d51c2e416cdfc82b63609e8ebd6f5d019d58210900
Opcode Fuzzy Hash: adb91c2037a16de6afacbbd7de9934f7a2e99f0c177c2e27e9da9039ed16592f
Instruction Fuzzy Hash: C791137128074AAFFB252F24CCD17FA77A6FF42750FA48128ED859B190C7B988C58B40

Uniqueness

Uniqueness Score: -1.00%

Function 02182F7F, Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

~K, xrefs: 02183093
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: u)j$32$qH$~K
API String ID: 0-875238352
Opcode ID: 080995ed3acbc3c857be485b47df02df52a35a9292f5a1afe8d92dfcffb079cd
Instruction ID: b5b9a7e790925ef232f0df18c7cd523b12f9b92cf57d273d2d17d7a620217045
Opcode Fuzzy Hash: 080995ed3acbc3c857be485b47df02df52a35a9292f5a1afe8d92dfcffb079cd
Instruction Fuzzy Hash: 9B712775380649AFFF262E20CCD2BFA3756EF46750FA44168FE819A190C7B948C59F40

Uniqueness

Uniqueness Score: -1.00%

Function 02182F12, Relevance: 5.2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

Strings

~K, xrefs: 02183093
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: u)j$32$qH$~K
API String ID: 0-875238352
Opcode ID: 9ccfd0a557050a979ea510dc27b43b0366d54cf1e30b8e591f0571070ce2ad04
Instruction ID: cf0246793cb7f8cf45f82bcfa8d3f316690852c0e3697429b96c70f3492919ca
Opcode Fuzzy Hash: 9ccfd0a557050a979ea510dc27b43b0366d54cf1e30b8e591f0571070ce2ad04
Instruction Fuzzy Hash: 3A713470280209AFFF252E14CCD1BFA37A7EF45750FA48128EE969B180C7B988C48F41

Uniqueness

Uniqueness Score: -1.00%

Function 02183045, Relevance: 5.2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

Strings

~K, xrefs: 02183093
32, xrefs: 021831CB
u)j, xrefs: 0218337F
qH, xrefs: 021833A0

Memory Dump Source

Source File: 00000000.00000002.1584660965.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: u)j$32$qH$~K
API String ID: 0-875238352
Opcode ID: 070211335849a50dedb417f8677e797155610a80fe6520f449a186644dd0b1cd
Instruction ID: 9e2356a636d42ea7521e574bf8d0ad8de2900a44cf803b70bbd8669a12d8a343
Opcode Fuzzy Hash: 070211335849a50dedb417f8677e797155610a80fe6520f449a186644dd0b1cd
Instruction Fuzzy Hash: 33512671280649AFFF262F20CDD17FA7766FF46764FA44168ED81961A0C77948C68F40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AAKANDEVAND.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: AAKANDEVAND.exe PID: 6676 Parent PID: 5640

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: AAKANDEVAND.exe PID: 6676 Parent PID: 5640 AAKANDEVAND.exeCOMMON

Executed Functions

Function 00403275, Relevance: 1.6, APIs: 1, Instructions: 332memoryCOMMON

Function 00403363, Relevance: 1.6, APIs: 1, Instructions: 303COMMON

Function 0040338C, Relevance: 1.5, APIs: 1, Instructions: 226COMMON

Function 0040D7C4, Relevance: 103.8, APIs: 56, Strings: 3, Instructions: 592
COMMON

Function 00401354, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 611
COMMON

Function 0040E726, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 52
COMMON

Function 0040E32F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Function 0040E5BD, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Function 0040E80F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Function 0040E20C, Relevance: 9.1, APIs: 6, Instructions: 81
COMMON

Function 0040E8C6, Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Function 0040E42B, Relevance: 7.6, APIs: 5, Instructions: 65
COMMON

Function 0040E51A, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON