Create Interactive Tour

Analysis Report PmsDView.exe

Overview

General Information

Sample Name:	PmsDView.exe
Analysis ID:	400503
MD5:	8b4c4de5dcd615e4e67356d78a905eec
SHA1:	aaa350c40591d6c64886c1320e25d766193cf16e
SHA256:	c5265f4825f6787ece500c20c10c8cefc32b452be8f0aa3f1a71ccc650439b2f
Infos:
Most interesting Screenshot:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Startup

System is w10x64

PmsDView.exe (PID: 4852 cmdline: 'C:\Users\user\Desktop\PmsDView.exe' -install MD5: 8B4C4DE5DCD615E4E67356D78A905EEC)

PmsDView.exe (PID: 3012 cmdline: 'C:\Users\user\Desktop\PmsDView.exe' /install MD5: 8B4C4DE5DCD615E4E67356D78A905EEC)

PmsDView.exe (PID: 240 cmdline: 'C:\Users\user\Desktop\PmsDView.exe' /load MD5: 8B4C4DE5DCD615E4E67356D78A905EEC)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 3.2.PmsDView.exe.1f0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.PmsDView.exe.1f0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.PmsDView.exe.14d0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: PmsDView.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PmsDView.exe

Static PE information: certificate valid

Source:

Binary string: C:\bamboo-home\xml-data\build-dir\SPOONVM-VM34-JOB1\vm\Build\Output\x86\StubExe.pdb source: PmsDView.exe

Source: PmsDView.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PmsDView.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PmsDView.exe	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: PmsDView.exe	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: PmsDView.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: PmsDView.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: PmsDView.exe	String found in binary or memory: https://sectigo.com/CPS0B

Source: C:\Users\user\Desktop\PmsDView.exe	Code function: 0_2_00403493 NtWow64QueryInformationProcess64,		0_2_00403493
Source: C:\Users\user\Desktop\PmsDView.exe	Code function: 0_2_0040342C NtQueryInformationProcess,MapViewOfFile,OpenProcess,GetLastError,		0_2_0040342C

Source: C:\Users\user\Desktop\PmsDView.exe	Code function: 0_2_00402884	0_2_00402884
Source: C:\Users\user\Desktop\PmsDView.exe	Code function: 0_2_00403974	0_2_00403974
Source: C:\Users\user\Desktop\PmsDView.exe	Code function: 0_2_00404A00	0_2_00404A00
Source: C:\Users\user\Desktop\PmsDView.exe	Code function: 0_2_00403B94	0_2_00403B94

Source: PmsDView.exe, 00000000.00000000.208083683.0000000000407000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStubExe.exeL vs PmsDView.exe
Source: PmsDView.exe, 00000000.00000002.495737738.0000000004860000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs PmsDView.exe
Source: PmsDView.exe, 00000002.00000002.485448351.0000000000407000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStubExe.exeL vs PmsDView.exe
Source: PmsDView.exe, 00000003.00000002.485594130.0000000000407000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStubExe.exeL vs PmsDView.exe
Source: PmsDView.exe	Binary or memory string: OriginalFilenameStubExe.exeL vs PmsDView.exe

Source: PmsDView.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: clean3.winEXE@3/0@0/0

Source: PmsDView.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PmsDView.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PmsDView.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: unknown	Process created: C:\Users\user\Desktop\PmsDView.exe 'C:\Users\user\Desktop\PmsDView.exe' -install
Source: unknown	Process created: C:\Users\user\Desktop\PmsDView.exe 'C:\Users\user\Desktop\PmsDView.exe' /install
Source: unknown	Process created: C:\Users\user\Desktop\PmsDView.exe 'C:\Users\user\Desktop\PmsDView.exe' /load

Source: C:\Users\user\Desktop\PmsDView.exe	Automated click: OK
Source: C:\Users\user\Desktop\PmsDView.exe	Automated click: OK
Source: C:\Users\user\Desktop\PmsDView.exe	Automated click: OK

Source: PmsDView.exe

Static PE information: certificate valid

Source: PmsDView.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\bamboo-home\xml-data\build-dir\SPOONVM-VM34-JOB1\vm\Build\Output\x86\StubExe.pdb source: PmsDView.exe

Source: C:\Users\user\Desktop\PmsDView.exe

Code function: 0_2_00402884 EntryPoint,RtlEnterCriticalSection,GetTickCount,GetTickCount,GetTickCount,VirtualAlloc,UnmapViewOfFile,CloseHandle,GetCommandLineW,GetCommandLineW,wcsstr,GetCommandLineW,wcsstr,MapViewOfFile,MapViewOfFile,MapViewOfFile,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,RtlInitUnicodeString,memcpy,RtlInitUnicodeString,GetCommandLineW,wcscpy,GetCommandLineA,memset,RtlUnicodeStringToAnsiString,strcpy,GetModuleFileNameW,memcpy,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,GetFileSizeEx,MapViewOfFile,UnmapViewOfFile,CloseHandle,CreateFileMappingW,MapViewOfFile,GetLastError,VirtualFree,GetModuleHandleW,CreateFileMappingW,CloseHandle,LoadLibraryW,GetProcAddress,MessageBoxW,ExitProcess,

0_2_00402884

Source: C:\Users\user\Desktop\PmsDView.exe

Code function: 0_2_00402322 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,

0_2_00402322

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\PmsDView.exe

Code function: 0_2_00402627 VirtualAlloc,GetLastError,memcpy,memcpy,GetModuleHandleA,strlen,LdrGetProcedureAddress,

0_2_00402627

Source: C:\Users\user\Desktop\PmsDView.exe

0_2_00402884

Source: C:\Users\user\Desktop\PmsDView.exe

0_2_00402884

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: PmsDView.exe, 00000000.00000002.486370367.0000000001C20000.00000002.00000001.sdmp, PmsDView.exe, 00000002.00000002.486390978.0000000001C60000.00000002.00000001.sdmp, PmsDView.exe, 00000003.00000002.486476155.0000000001D00000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: PmsDView.exe, 00000000.00000002.486370367.0000000001C20000.00000002.00000001.sdmp, PmsDView.exe, 00000002.00000002.486390978.0000000001C60000.00000002.00000001.sdmp, PmsDView.exe, 00000003.00000002.486476155.0000000001D00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PmsDView.exe, 00000000.00000002.486370367.0000000001C20000.00000002.00000001.sdmp, PmsDView.exe, 00000002.00000002.486390978.0000000001C60000.00000002.00000001.sdmp, PmsDView.exe, 00000003.00000002.486476155.0000000001D00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PmsDView.exe, 00000000.00000002.486370367.0000000001C20000.00000002.00000001.sdmp, PmsDView.exe, 00000002.00000002.486390978.0000000001C60000.00000002.00000001.sdmp, PmsDView.exe, 00000003.00000002.486476155.0000000001D00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Application Shimming1	Process Injection2	Software Packing1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Application Shimming1	Process Injection2	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
PmsDView.exe	1%	Virustotal	Browse
PmsDView.exe	3%	Metadefender	Browse
PmsDView.exe	3%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.PmsDView.exe.1f0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.PmsDView.exe.1f0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.PmsDView.exe.14d0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	0%	URL Reputation	safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	0%	URL Reputation	safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	0%	URL Reputation	safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://sectigo.com/CPS0B	0%	URL Reputation	safe
https://sectigo.com/CPS0B	0%	URL Reputation	safe
https://sectigo.com/CPS0B	0%	URL Reputation	safe
https://sectigo.com/CPS0B	0%	URL Reputation	safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	PmsDView.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	PmsDView.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0B	PmsDView.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#	PmsDView.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	400503
Start date:	29.04.2021
Start time:	23:06:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PmsDView.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean3.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 94.5% (good quality ratio 90.9%) Quality average: 83.9% Quality standard deviation: 23.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.647083349641152
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PmsDView.exe
File size:	28840
MD5:	8b4c4de5dcd615e4e67356d78a905eec
SHA1:	aaa350c40591d6c64886c1320e25d766193cf16e
SHA256:	c5265f4825f6787ece500c20c10c8cefc32b452be8f0aa3f1a71ccc650439b2f
SHA512:	ecea814c5df73b0d1d4e002bf9ea3871c96ae4431b4f6dbee070de3651786b70ff779e4538f9fca3f248b12812e7b817a4728c395cafa19ae6ddd8bbd09423f2
SSDEEP:	768:PIORUXzxqSx/x56f2uH53OFhXhwcpXi0xDi:PIOOXdDhpy0xDi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....PD].................F...........(.......`....@.................................C......................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x402884
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5D4450FB [Fri Aug 2 15:04:27 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6080bfe3235cf25f8aae61b780e07a41

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	1/6/2019 4:00:00 PM 12/30/2021 3:59:59 PM
Subject Chain	CN=Code Systems Corporation, O=Code Systems Corporation, STREET=568 1st AVE S, STREET=STE 550, L=Seattle, S=Washington, PostalCode=98104, C=US
Version:	3
Thumbprint MD5:	2FEA9BF95C5820D25BBB119B972433B7
Thumbprint SHA-1:	89EBF0A05123E8267C231F5C46AB6B9C1EFE8BF0
Thumbprint SHA-256:	A2D32136D84DCBAA90EB5AD515FB268793DA5B48048E05A8576D0D73FA8C4E81
Serial:	00AF745D39C1CAC80B504EE2C82B2CF70B

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
and esp, FFFFFFF8h
sub esp, 00000884h
xor ecx, ecx
push ebx
push esi
mov ebx, ecx
push edi
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+3Ch], ecx
mov dword ptr [esp+2Ch], ecx
mov dword ptr [esp+28h], ecx
mov dword ptr [esp+30h], ecx
mov dword ptr [esp+48h], ecx
mov dword ptr [esp+1Ch], ecx
mov dword ptr [esp+38h], ecx
call 00007F8F7C956D3Bh
mov eax, dword ptr fs:[00000018h]
mov eax, dword ptr [eax+30h]
push dword ptr [eax+000000A0h]
call dword ptr [0040602Ch]
mov esi, dword ptr [00401014h]
call esi
and eax, 11h
mov dword ptr [esp+4Ch], 00000003h
cmp eax, 00000111h
je 00007F8F7C9572F6h
call esi
mov esi, dword ptr [esp+1Ch]
mov dword ptr [00406040h], eax
mov eax, dword ptr [esp+1Ch]
mov dword ptr [esp+0Ch], eax
mov eax, dword ptr [esp+1Ch]
mov dword ptr [esp+18h], esi
mov dword ptr [esp+20h], eax
jmp 00007F8F7C9573AEh
mov eax, dword ptr [esp+1Ch]
mov esi, dword ptr [esp+1Ch]
mov ecx, dword ptr [esp+1Ch]
mov dword ptr [esp+0Ch], eax
mov dword ptr [esp+18h], esi
mov dword ptr [esp+20h], ecx
push 00000004h
push 00001000h
push eax
push 00000000h
call dword ptr [00401058h]
mov edi, eax
call 00007F8F7C957EBCh
mov ecx, eax
sub ecx, dword ptr [00406040h]
xor edx, edx
mov eax, ecx
div dword ptr [eax+eax+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52ec	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x3b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5200	0x1ea8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x248	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1070	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x70	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x455c	0x4600	False	0.5703125	data	6.35403909654	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x6000	0x460	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7000	0x3b8	0x400	False	0.404296875	data	3.17559460488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xff8000	0x400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7060	0x354	data	English	United States

Imports

DLL

Import

KERNEL32.dll

HeapAlloc, GetProcessHeap, HeapFree, GetProcAddress, GetModuleHandleW, GetTickCount, GetModuleFileNameW, SetEnvironmentVariableW, IsWow64Process, OpenProcess, GetLastError, DuplicateHandle, GetCommandLineW, OpenFileMappingW, MapViewOfFile, SetEvent, UnmapViewOfFile, CloseHandle, GetCommandLineA, CreateFileW, CreateFileMappingW, GetFileSizeEx, VirtualAlloc, VirtualFree, LoadLibraryW, ExitProcess, GetModuleHandleA

Version Infos

Description	Data
LegalCopyright	Copyright 2017 Code Systems Corporation
InternalName	StubExe.exe
FileVersion	19.6.1427.11
CompanyName	Code Systems Corporation
ProductName	Turbo Virtual Machine
ProductVersion	19.6.1427.11
FileDescription	Turbo Virtual Machine Executable
OriginalFilename	StubExe.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• PmsDView.exe
• PmsDView.exe
• PmsDView.exe

Click to jump to process

Memory Usage

• PmsDView.exe
• PmsDView.exe
• PmsDView.exe

Click to jump to process

Behavior

• PmsDView.exe
• PmsDView.exe
• PmsDView.exe

Click to jump to process

System Behavior

Analysis Process: PmsDView.exe PID: 4852 Parent PID: 5540

Function Logs

General

Start time:	23:10:24
Start date:	29/04/2021
Path:	C:\Users\user\Desktop\PmsDView.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PmsDView.exe' -install
Imagebase:	0x400000
File size:	28840 bytes
MD5 hash:	8B4C4DE5DCD615E4E67356D78A905EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Section Activities

Sections loaded by Windows

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: PmsDView.exe PID: 3012 Parent PID: 5540

Function Logs

General

Start time:	23:10:27
Start date:	29/04/2021
Path:	C:\Users\user\Desktop\PmsDView.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PmsDView.exe' /install
Imagebase:	0x400000
File size:	28840 bytes
MD5 hash:	8B4C4DE5DCD615E4E67356D78A905EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: PmsDView.exe PID: 240 Parent PID: 5540

Function Logs

General

Start time:	23:10:29
Start date:	29/04/2021
Path:	C:\Users\user\Desktop\PmsDView.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PmsDView.exe' /load
Imagebase:	0x400000
File size:	28840 bytes
MD5 hash:	8B4C4DE5DCD615E4E67356D78A905EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: PmsDView.exe PID: 4852 Parent PID: 5540 PmsDView.exeCOMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	62.5%
Total number of Nodes:	152
Total number of Limit Nodes:	3

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00402884, Relevance: 144.2, APIs: 48, Strings: 34, Instructions: 738
memoryfilelibraryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			_entry_() {
				intOrPtr _v2046;
				void _v2048;
				void _v2056;
				struct _SECURITY_ATTRIBUTES* _v2088;
				struct _SECURITY_ATTRIBUTES* _v2092;
				long _v2096;
				void* _v2100;
				void* _v2108;
				char _v2112;
				struct _SECURITY_ATTRIBUTES* _v2124;
				void* _v2128;
				intOrPtr _v2132;
				struct _SECURITY_ATTRIBUTES* _v2136;
				struct _SECURITY_ATTRIBUTES* _v2140;
				signed int* _v2144;
				long _v2148;
				struct _SECURITY_ATTRIBUTES* _v2152;
				struct _SECURITY_ATTRIBUTES* _v2156;
				void* _v2160;
				signed int _v2161;
				intOrPtr _v2164;
				void* _v2168;
				void* _v2172;
				struct _SECURITY_ATTRIBUTES* _v2176;
				intOrPtr _v2180;
				char _v2181;
				signed int _v2184;
				long _v2188;
				signed int _v2192;
				intOrPtr _v2196;
				signed int _v2204;
				void* __ebx;
				signed int _t199;
				long _t201;
				struct HINSTANCE__* _t211;
				void* _t222;
				signed int _t230;
				void* _t242;
				signed int _t245;
				signed int _t247;
				void* _t248;
				void* _t257;
				struct _SECURITY_ATTRIBUTES* _t258;
				void* _t259;
				void* _t260;
				signed int _t263;
				signed int _t268;
				void* _t273;
				void* _t280;
				signed int _t286;
				signed int* _t287;
				signed int _t301;
				signed int _t302;
				void* _t306;
				signed int _t330;
				void* _t352;
				struct _SECURITY_ATTRIBUTES* _t353;
				void* _t356;
				WCHAR* _t357;
				void* _t358;
				void* _t361;
				signed int _t365;
				char* _t366;
				signed int _t369;
				long _t376;
				void* _t378;
				void* _t380;
				intOrPtr _t384;
				intOrPtr _t385;
				intOrPtr _t386;
				intOrPtr _t387;
				signed int _t389;
				void* _t390;
				signed int* _t391;
				void* _t394;
				signed int _t395;
				intOrPtr _t398;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				long _t415;
				signed int _t417;
				signed int _t418;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t431;
				void* _t433;
				void* _t434;
				void* _t435;
				long _t437;
				void* _t439;
				void* _t440;
				signed int _t441;
				unsigned int _t444;
				void* _t446;
				intOrPtr _t447;
				struct _EXCEPTION_RECORD _t448;
				void* _t449;
				void* _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				long _t457;
				WCHAR* _t459;
				signed int _t460;
				intOrPtr* _t461;
				intOrPtr* _t462;
				signed int* _t463;
				intOrPtr* _t464;
				intOrPtr* _t465;
				signed int* _t466;
				signed int* _t467;
				signed int _t468;
				wchar_t* _t469;
				char* _t470;
				signed int _t472;
				void* _t474;

				_t474 = (_t472 & 0xfffffff8) - 0x884;
				_t353 = 0;
				_v2176 = 0;
				_v2136 = 0;
				_v2152 = 0;
				_v2156 = 0;
				_v2148 = 0;
				_v2124 = 0;
				_v2168 = 0;
				_v2140 = 0;
				E00402322();
				 *0x40602c( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xa0)), _t433, _t449, _t352);
				_t199 = GetTickCount();
				_v2124 = 3;
				_t476 = (_t199 & 0x00000011) - 0x111;
				if((_t199 & 0x00000011) == 0x111) {
					_t201 = _v2172;
					_t451 = _v2172;
					_v2188 = _t201;
					_v2176 = _t451;
					_v2168 = _v2172;
					goto L3;
				} else {
					 *0x406040 = GetTickCount();
					_v2188 = _v2172;
					_v2176 = _v2172;
					_v2168 = _v2172;
					goto L11;
					do {
						do {
							L11:
							_t437 = 3;
							do {
								_t369 = E00403525(_t476) -  *0x406040;
								_t412 = _t369 % _t437;
								_t477 = _t369 & 0xffff8000;
								if((_t369 & 0xffff8000) != 0) {
									L61:
									__eflags = _t412;
									if(_t412 == 0) {
										L112:
										_t435 = _v2156;
										_t455 = CreateFileMappingW(_t435, 0, 2, 0, 0, 0);
										__eflags = _t455;
										if(_t455 != 0) {
											CloseHandle(_t435);
											_t230 = _v2168 + 0x0000ffff & 0xffff0000;
											__eflags = _t230;
											return _v2172(_v2144, _t455, _v2136, _v2132, _t230, _t353, _v2140);
										}
										_push(_t369);
										_push(L"0x00042: ");
										L92:
										E004024AA();
										_push(GetLastError());
										L117:
										E00402443(0x406048);
										L118:
										_t211 = LoadLibraryW(L"user32.dll"); // executed
										GetProcAddress(_t211, "MessageBoxW");
										MessageBoxW(0, "There has been an error starting this application.  Error code: \\?\C:\Users\hardz\Desktop\PmsDView.exe, 0x00E00", L"Turbo Virtual Machine", 0x10); // executed
										ExitProcess(0xffffffff);
									}
									goto L62;
								}
								E004024F2(_t369, _t369);
								_t369 = E00403525(_t477) -  *0x406040;
								_t412 = _t369 % _t437;
								_t478 = _t369 & 0xffff8000;
								if((_t369 & 0xffff8000) != 0) {
									goto L61;
								}
								_t242 = E00403493(_t369, _t478); // executed
								_t62 = _t242 + 0xfe0; // 0xfe0
								_t457 = _t62;
								_t245 = wcsstr(GetCommandLineW(), L" /864A627C-C6B2-464A-AA13-25D62F282BD8 ") & 0xffffff00 | _t244 != 0x00000000;
								_v2161 = _t245;
								if(_t245 == 0 || wcsstr(GetCommandLineW(), L" /ElevatedInjectInfo=") == 0) {
									_t376 = 0;
									__eflags =  *_t457 - 0x696d7678;
									_v2181 = 0;
									if( *_t457 != 0x696d7678) {
										L20:
										_t457 = _t376;
										goto L21;
									}
									__eflags =  *((intOrPtr*)(_t457 + 4)) - 0x74636a6e;
									if( *((intOrPtr*)(_t457 + 4)) == 0x74636a6e) {
										goto L21;
									}
									goto L20;
								} else {
									_v2181 = 1;
									if(E004031ED(_t457) == 0) {
										goto L118;
									}
									_t376 = 0;
									L21:
									if(_t457 == 0) {
										_t247 = GetModuleFileNameW(_t376,  &_v2048, 0x3fc);
										__eflags = _t247;
										if(_t247 == 0) {
											L54:
											_push(_t376);
											_push(L"0x00065: ");
											goto L92;
										}
										__eflags = _t247 - 0x3fc;
										if(_t247 != 0x3fc) {
											L56:
											_t248 = 0x5c;
											__eflags = _v2048 - _t248;
											if(__eflags != 0) {
												L59:
												memcpy( &_v2056, L"\\\\?\\", 8);
												_t474 = _t474 + 0xc;
												_t459 =  &_v2056;
												L60:
												_t369 = E00403525(__eflags) -  *0x406040;
												_t437 = 3;
												_t412 = _t369 % _t437;
												__eflags = _t369 & 0xffff8000;
												if((_t369 & 0xffff8000) == 0) {
													_push(_t369);
													E004024AA(_t459);
													_push(_t369);
													E004024AA(L", ");
													_t257 = CreateFileW(_t459, 0x80000000, 7, 0, _t437, 0, 0); // executed
													_t439 = _t257;
													_v2172 = _t439;
													__eflags = _t439 - 0xffffffff;
													if(_t439 == 0xffffffff) {
														_push(_t369);
														_push(L"0x0003: ");
														goto L92;
													}
													goto L65;
												}
												goto L61;
											}
											__eflags = _v2046 - _t248;
											if(__eflags != 0) {
												goto L59;
											}
											_t459 =  &_v2048;
											goto L60;
										}
										goto L54;
									}
									_t446 = MapViewOfFile( *(_t457 + 0x18), 6, _t376, _t376, _t376);
									_v2180 = _t446;
									if(_t446 == 0) {
										_push(_t376);
										_push(L"0x00020: ");
										goto L92;
									}
									_t356 = MapViewOfFile( *(_t446 + 0x1c), 6, 0, 0, 0);
									_v2140 = _t356;
									if(_t356 == 0) {
										_push(_t376);
										_push(L"0x00021: ");
										goto L92;
									}
									_t395 =  *(_t356 + 0x48);
									if(_t395 >= 0x3fc) {
										_push(_t395);
										E004024AA(L"0x00022: ");
										_push(0xa);
										_push( *(_t356 + 0x48));
										goto L117;
									}
									memcpy( &_v2048,  *((intOrPtr*)(_t356 + 0x4c)) + _t356, _t395 + _t395);
									_t397 = 0;
									 *((short*)(_t474 + 0xa4 +  *(_t356 + 0x48) * 2)) = 0;
									_t301 =  *(_t446 + 0x40);
									_t469 = 0;
									_t474 = _t474 + 0xc;
									_t357 = 0;
									_v2148 = 0;
									if(_t301 == 0 ||  *((intOrPtr*)(_t446 + 0x44)) == 0) {
										__eflags = _v2181 - _t397;
										if(_v2181 != _t397) {
											_push(_t397);
											_push(L"0x10090: ");
											goto L110;
										}
										goto L30;
									} else {
										_t357 = HeapAlloc(GetProcessHeap(), 0, 2 + _t301 * 2);
										if(_t357 != 0) {
											L30:
											_t302 =  *(_t446 + 0x50);
											__eflags = _t302;
											if(_t302 == 0) {
												L34:
												__eflags = _v2161;
												if(_v2161 != 0) {
													_push(_t397);
													_push(L"0x20090: ");
													L110:
													E004024AA();
													goto L118;
												}
												L35:
												_t447 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x10));
												__eflags = _t357;
												if(_t357 != 0) {
													memcpy(_t357,  *((intOrPtr*)(_v2180 + 0x44)) + _v2180,  *((intOrPtr*)(_t403 + 0x40)) +  *((intOrPtr*)(_t403 + 0x40)));
													_t474 = _t474 + 0xc;
													_t397 = 0;
													__eflags = 0;
													_t357[ *(_v2180 + 0x40)] = 0;
													RtlInitUnicodeString(_t447 + 0x38, _t357);
												}
												__eflags = _t469;
												if(_t469 != 0) {
													memcpy(_t469,  *((intOrPtr*)(_v2180 + 0x54)) + _v2180,  *((intOrPtr*)(_t399 + 0x50)) +  *((intOrPtr*)(_t399 + 0x50)));
													_t474 = _t474 + 0xc;
													_t448 = _t447 + 0x40;
													 *((short*)(_t469 +  *(_v2180 + 0x50) * 2)) = 0;
													RtlInitUnicodeString(_t448, _t469);
													wcscpy(GetCommandLineW(), _t469);
													_pop(_t397);
													_t470 = GetCommandLineA();
													__eflags = _t470;
													if(_t470 != 0) {
														memset( &_v2128, 0, 8);
														_t474 = _t474 + 0xc;
														_t330 = RtlUnicodeStringToAnsiString( &_v2128, _t448, 1);
														__eflags = _t330;
														if(_t330 < 0) {
															 *_t470 = 0;
														} else {
															strcpy(_t470, _v2136);
															_pop(_t397);
														}
													}
													_t469 = _v2156;
												}
												__eflags = E004034CF(_t397);
												if(__eflags == 0) {
													L55:
													_t353 = _v2180;
													goto L56;
												} else {
													_t306 = E00403493(_t397, __eflags);
													_t398 =  *((intOrPtr*)(_t306 + 0x20));
													__eflags =  *(_t306 + 0x24);
													if(__eflags > 0) {
														goto L55;
													}
													if(__eflags < 0) {
														L47:
														__eflags = _t357;
														if(_t357 == 0) {
															_t353 = _v2180;
														} else {
															 *(_t398 + 0x68) = _t357;
															_t353 = _v2180;
															 *((intOrPtr*)(_t398 + 0x6c)) = 0;
															 *((short*)(_t398 + 0x60)) =  *((intOrPtr*)(_t353 + 0x40)) +  *((intOrPtr*)(_t353 + 0x40));
															 *((short*)(_t398 + 0x62)) =  *((intOrPtr*)(_t353 + 0x40)) + 1 +  *((intOrPtr*)(_t353 + 0x40)) + 1;
														}
														__eflags = _t469;
														if(_t469 != 0) {
															 *(_t398 + 0x78) = _t469;
															 *((intOrPtr*)(_t398 + 0x7c)) = 0;
															 *((short*)(_t398 + 0x70)) =  *((intOrPtr*)(_t353 + 0x50)) +  *((intOrPtr*)(_t353 + 0x50));
															 *((short*)(_t398 + 0x72)) =  *((intOrPtr*)(_t353 + 0x50)) + 1 +  *((intOrPtr*)(_t353 + 0x50)) + 1;
														}
														goto L56;
													}
													__eflags = _t398 - 0x7fff0000;
													if(_t398 >= 0x7fff0000) {
														goto L55;
													}
													goto L47;
												}
											}
											__eflags =  *((intOrPtr*)(_t446 + 0x54)) - _t469;
											if( *((intOrPtr*)(_t446 + 0x54)) == _t469) {
												goto L34;
											}
											_t469 = HeapAlloc(GetProcessHeap(), 0, 2 + _t302 * 2);
											_v2148 = _t469;
											__eflags = _t469;
											if(_t469 != 0) {
												goto L35;
											}
											_push(_t397);
											_push(L"0x20059: ");
											goto L110;
										}
										_push(0);
										_push(L"0x10059: ");
										goto L110;
									}
								}
								L62:
								__eflags = _t412 - 1;
							} while (__eflags == 0);
							goto L76;
							L65:
							_t258 = E00403546();
							__eflags = _t258;
						} while (__eflags != 0);
						_t259 = CreateFileMappingW(_t439, _t258, 2, _t258, _t258, _t258); // executed
						_v2168 = _t259;
						__eflags = _t259;
						if(_t259 == 0) {
							_push(_t369);
							_push(L"0x00040: ");
							goto L92;
						}
						_t260 = MapViewOfFile(_t259, 4, 0, 0, 0x1000); // executed
						_t440 = _t260;
						__eflags = _t440;
						if(_t440 == 0) {
							_push(_t369);
							_push(L"0x00050: ");
							goto L92;
						}
						_t378 = _t440;
						_t452 = E00402547(_t378);
						UnmapViewOfFile(_t440);
						_t263 =  &_v2144;
						__imp__GetFileSizeEx(_v2164, _t263);
						__eflags = _t263;
						if(_t263 == 0) {
							_push(_t378);
							_push(L"0x00053: ");
							goto L92;
						}
						_push(0);
						_t380 = _t452 + 0x1000;
						_pop(_t415);
						asm("adc eax, edx");
						__eflags = _v2148;
						if(__eflags < 0) {
							L102:
							_push(_t380);
							E004024AA(L"0x00054: ");
							E00402443(0x406048, _v2160, 0xa);
							_push(0x406048);
							_push(L", ");
							L116:
							E004024AA();
							_push(0xa);
							_push(_t452);
							goto L117;
						}
						if(__eflags > 0) {
							L72:
							_t148 = _t452 + 0x1000; // 0x1000
							_t268 = MapViewOfFile(_v2176, 4, _t415, _t415, _t148); // executed
							_t441 = _t268;
							_v2168 = _t441;
							__eflags = _t441;
							if(__eflags == 0) {
								_push(_t380);
								_push(L"0x00051: ");
								goto L92;
							}
							_t369 = E00403525(__eflags) -  *0x406040;
							_t460 = 3;
							_t417 = _t369 % _t460;
							__eflags = _t369 & 0xffff8000;
							if((_t369 & 0xffff8000) == 0) {
								_t461 = _t441 + E00402547(_t441);
								_t384 =  *_t461;
								_t358 = 4;
								_t462 = _t461 + _t358;
								__eflags = _t384 - 0x6d7678;
								if(_t384 != 0x6d7678) {
									_push(_t384);
									_push(L"0x00E00");
									goto L110;
								}
								_t385 =  *_t462;
								_t273 = 3;
								_t463 = _t462 + _t358;
								__eflags = _t385 - _t273;
								if(_t385 != _t273) {
									_push(_t385);
									_push(L"0x00E01");
									goto L110;
								}
								_t418 =  *_t463;
								_t464 = _t463 + _t358;
								_t444 = 1 + _t418 * 0x8088405;
								_t386 =  *_t464;
								_t465 = _t464 + _t358;
								__eflags = (_t444 ^ _t418) - _t386;
								if((_t444 ^ _t418) != _t386) {
									_push(_t386);
									_push(L"0x00E1");
									goto L110;
								}
								_t387 =  *_t465;
								_t421 = 1 + _t444 * 0x8088405;
								_t466 = _t465 + _t358;
								__eflags = (_t421 ^ _t444) - _t387;
								if((_t421 ^ _t444) != _t387) {
									_push(_t387);
									_push(L"0x00E2");
									goto L110;
								}
								_t423 = 1 + _t421 * 0x8088405;
								_t467 = _t466 + _t358;
								_t425 = 1 + _t423 * 0x8088405;
								_t389 =  *_t467 ^ _t425;
								_v2184 = 0x8088406;
								_v2184 = _v2184 - _t425 * 0x2b9ad7e7;
								_v2204 =  *_t466 ^ _t423;
								_t280 = _v2168;
								_t166 =  &(_t467[2]); // 0xb
								_t361 = _t166 - _t280 + 4;
								_v2192 = _t389;
								_v2184 = (_v2184 ^ _t467[2]) + _t361 + _t389;
								UnmapViewOfFile(_t280);
								CloseHandle(_v2176);
								_t390 = CreateFileMappingW(_v2172, 0, 8, 0, 0, 0);
								_v2176 = _t390;
								__eflags = _t390;
								if(_t390 == 0) {
									_push(_t390);
									_push(L"0x00041: ");
									goto L92;
								}
								_t468 = _v2192;
								_t286 = MapViewOfFile(_t390, 1, 0, 0, _t361 + _t468);
								_v2168 = _t286;
								__eflags = _t286;
								if(_t286 == 0) {
									_push(_t390);
									_push(L"0x00052: ");
									goto L92;
								}
								_t287 = _t286 + _t361;
								_v2144 = _t287;
								_t391 = _t287;
								__eflags = _t468;
								if(_t468 == 0) {
									L86:
									_push(_t391);
									_v2096 = 0;
									_v2092 = 0;
									_v2088 = 0;
									_v2124 = 0;
									_v2128 = 0;
									_t452 = E004036E0( &_v2128);
									_t394 = _t391;
									__eflags = _t452;
									if(__eflags != 0) {
										_push(_t394);
										_push(L"Z1: ");
										goto L116;
									}
									_t353 = _v2196;
									break;
								}
								_t431 = _t468;
								do {
									_t444 = 0x269ec3 + _t444 * 0x343fd;
									 *_t391 =  *_t391 ^ _t444 >> 0x00000010;
									_t391 =  &(_t391[0]);
									_t431 = _t431 - 1;
									__eflags = _t431;
								} while (_t431 != 0);
								goto L86;
							}
							__eflags = _t417;
							if(_t417 == 0) {
								goto L112;
							}
							goto L75;
						}
						__eflags = _v2152 - _t380;
						if(_v2152 <= _t380) {
							goto L102;
						}
						goto L72;
						L75:
						__eflags = _t417 - 1;
					} while (__eflags == 0);
					L76:
					_t451 = _v2176;
					L6:
					_t201 = _v2188;
					while(1) {
						L3:
						_t434 = VirtualAlloc(0, _t201, 0x1000, 4);
						_t365 = E00403525(__eflags) -  *0x406040;
						_t408 = _t365 % _v2124;
						__eflags = _t365 & 0xffff8000;
						if((_t365 & 0xffff8000) != 0) {
							break;
						}
						_v2112 = _v2128;
						_t366 =  &_v2112;
						_v2108 = _t451;
						_v2096 = _v2188;
						_v2100 = _t434;
						_t452 = E00403800(_t366);
						__eflags = _t452 - 1;
						if(__eflags != 0) {
							_push(_t366);
							_push(L"Z2: ");
							goto L116;
						}
						UnmapViewOfFile(_v2152);
						CloseHandle(_v2160);
						_t369 = E00403525(__eflags) -  *0x406040;
						_t453 = 3;
						_t410 = _t369 % _t453;
						__eflags = _t369 & 0xffff8000;
						if((_t369 & 0xffff8000) == 0) {
							_t454 = E00402627(_t434);
							VirtualFree(_t434, _v2188, 0x8000);
							__eflags = _t454;
							if(_t454 == 0) {
								goto L118;
							}
							E004034ED(_t454);
							_t369 = _t454;
							_t222 = E0040259E(_t353, _t369);
							_v2172 = _t222;
							__eflags = _t222;
							if(_t222 != 0) {
								_v2144 = GetModuleHandleW(0);
								goto L112;
							}
							_push(_t369);
							_push(L"0x0006");
							goto L110;
						}
						__eflags = _t410;
						if(_t410 == 0) {
							goto L112;
						}
						_t451 = _v2176;
						_t201 = _v2188;
						__eflags = _t410 - 1;
						if(__eflags != 0) {
							continue;
						}
						goto L11;
					}
					__eflags = _t408;
					if(_t408 == 0) {
						goto L112;
					}
					__eflags = _t408 - 1;
					if(__eflags == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0040288a
0x00402894
0x00402897
0x0040289b
0x0040289f
0x004028a3
0x004028a7
0x004028ab
0x004028af
0x004028b3
0x004028b7
0x004028cb
0x004028d7
0x004028dc
0x004028e4
0x004028e9
0x0040290f
0x00402913
0x0040291b
0x0040291f
0x00402923
0x00000000
0x004028eb
0x004028f1
0x004028fa
0x00402902
0x00402906
0x0040290a
0x004029e8
0x004029e8
0x004029e8
0x004029ea
0x004029eb
0x004029f2
0x004029fc
0x004029fe
0x00402a04
0x00402d75
0x00402d75
0x00402d77
0x00403146
0x00403146
0x00403159
0x0040315b
0x0040315d
0x0040316b
0x00403180
0x00403180
0x004031a0
0x004031a0
0x0040315f
0x00403160
0x0040303a
0x0040303a
0x00403047
0x004031af
0x004031b4
0x004031b9
0x004031c3
0x004031ca
0x004031de
0x004031e2
0x004031e2
0x00000000
0x00402d77
0x00402a0b
0x00402a17
0x00402a21
0x00402a23
0x00402a29
0x00000000
0x00000000
0x00402a2f
0x00402a3f
0x00402a3f
0x00402a50
0x00402a55
0x00402a5b
0x00402a89
0x00402a8b
0x00402a91
0x00402a95
0x00402aa0
0x00402aa0
0x00000000
0x00402aa0
0x00402a97
0x00402a9e
0x00000000
0x00000000
0x00000000
0x00402a71
0x00402a73
0x00402a7f
0x00000000
0x00000000
0x00402a85
0x00402aa2
0x00402aa4
0x00402cfb
0x00402d01
0x00402d03
0x00402d09
0x00402d09
0x00402d0a
0x00000000
0x00402d0a
0x00402d05
0x00402d07
0x00402d18
0x00402d1a
0x00402d1b
0x00402d23
0x00402d38
0x00402d47
0x00402d4d
0x00402d50
0x00402d57
0x00402d5e
0x00402d6a
0x00402d6b
0x00402d6d
0x00402d73
0x00402d8b
0x00402d8d
0x00402d92
0x00402d98
0x00402dab
0x00402db1
0x00402db3
0x00402db7
0x00402dba
0x004030eb
0x004030ec
0x00000000
0x004030ec
0x00000000
0x00402dba
0x00000000
0x00402d73
0x00402d25
0x00402d2d
0x00000000
0x00000000
0x00402d2f
0x00000000
0x00402d2f
0x00000000
0x00402d07
0x00402aba
0x00402abc
0x00402ac2
0x0040304d
0x0040304e
0x00000000
0x0040304e
0x00402ad4
0x00402ad6
0x00402adc
0x00403034
0x00403035
0x00000000
0x00403035
0x00402ae2
0x00402aeb
0x0040301f
0x00403025
0x0040302a
0x0040302c
0x00000000
0x0040302c
0x00402b02
0x00402b0b
0x00402b0d
0x00402b15
0x00402b18
0x00402b1a
0x00402b1d
0x00402b1f
0x00402b25
0x00402b53
0x00402b57
0x00403014
0x00403015
0x00000000
0x00403015
0x00000000
0x00402b2c
0x00402b42
0x00402b46
0x00402b5d
0x00402b5d
0x00402b60
0x00402b62
0x00402b95
0x00402b95
0x00402b9a
0x00403009
0x0040300a
0x00403133
0x00403133
0x00000000
0x00403133
0x00402ba0
0x00402ba9
0x00402bac
0x00402bae
0x00402bc1
0x00402bcb
0x00402bd1
0x00402bd1
0x00402bd3
0x00402bdc
0x00402bdc
0x00402be2
0x00402be4
0x00402bfb
0x00402c05
0x00402c0e
0x00402c12
0x00402c16
0x00402c24
0x00402c2b
0x00402c32
0x00402c34
0x00402c36
0x00402c41
0x00402c47
0x00402c52
0x00402c58
0x00402c5a
0x00402c6b
0x00402c5c
0x00402c61
0x00402c68
0x00402c68
0x00402c5a
0x00402c6e
0x00402c6e
0x00402c77
0x00402c79
0x00402d14
0x00402d14
0x00000000
0x00402c7f
0x00402c7f
0x00402c84
0x00402c89
0x00402c8c
0x00000000
0x00000000
0x00402c92
0x00402c9c
0x00402c9c
0x00402c9e
0x00402cc4
0x00402ca0
0x00402ca0
0x00402ca3
0x00402ca7
0x00402cb1
0x00402cbe
0x00402cbe
0x00402cc8
0x00402cca
0x00402ccc
0x00402ccf
0x00402cd9
0x00402ce6
0x00402ce6
0x00000000
0x00402cca
0x00402c94
0x00402c9a
0x00000000
0x00000000
0x00000000
0x00402c9a
0x00402c79
0x00402b64
0x00402b67
0x00000000
0x00000000
0x00402b80
0x00402b82
0x00402b86
0x00402b88
0x00000000
0x00000000
0x00402b8a
0x00402b8b
0x00000000
0x00402b8b
0x00402b48
0x00402b49
0x00000000
0x00402b49
0x00402b25
0x00402d7d
0x00402d7d
0x00402d7d
0x00000000
0x00402dc0
0x00402dc0
0x00402dc5
0x00402dc5
0x00402dd4
0x00402dda
0x00402dde
0x00402de0
0x004030e0
0x004030e1
0x00000000
0x004030e1
0x00402df2
0x00402df8
0x00402dfa
0x00402dfc
0x004030d5
0x004030d6
0x00000000
0x004030d6
0x00402e02
0x00402e0a
0x00402e0c
0x00402e12
0x00402e1b
0x00402e21
0x00402e23
0x004030ca
0x004030cb
0x00000000
0x004030cb
0x00402e2b
0x00402e2e
0x00402e34
0x00402e35
0x00402e37
0x00402e3b
0x004030a4
0x004030a4
0x004030aa
0x004030ba
0x004030bf
0x004030c0
0x004031a7
0x004031a7
0x004031ac
0x004031ae
0x00000000
0x004031ae
0x00402e41
0x00402e4d
0x00402e4d
0x00402e5c
0x00402e62
0x00402e64
0x00402e68
0x00402e6a
0x0040309c
0x0040309d
0x00000000
0x0040309d
0x00402e77
0x00402e83
0x00402e84
0x00402e86
0x00402e8c
0x00402eaf
0x00402eb4
0x00402eb6
0x00402eb7
0x00402eb9
0x00402ebf
0x00403091
0x00403092
0x00000000
0x00403092
0x00402ec5
0x00402ec9
0x00402eca
0x00402ecc
0x00402ece
0x00403086
0x00403087
0x00000000
0x00403087
0x00402ed4
0x00402ede
0x00402ee0
0x00402ee1
0x00402ee7
0x00402ee9
0x00402eeb
0x0040307b
0x0040307c
0x00000000
0x0040307c
0x00402ef1
0x00402efb
0x00402f00
0x00402f02
0x00402f04
0x00403070
0x00403071
0x00000000
0x00403071
0x00402f12
0x00402f1b
0x00402f1d
0x00402f20
0x00402f28
0x00402f30
0x00402f3b
0x00402f3f
0x00402f43
0x00402f48
0x00402f50
0x00402f54
0x00402f58
0x00402f62
0x00402f7a
0x00402f7c
0x00402f80
0x00402f82
0x00403068
0x00403069
0x00000000
0x00403069
0x00402f88
0x00402f97
0x00402f9d
0x00402fa1
0x00402fa3
0x00403060
0x00403061
0x00000000
0x00403061
0x00402fa9
0x00402fab
0x00402faf
0x00402fb1
0x00402fb3
0x00402fce
0x00402fd0
0x00402fd6
0x00402fdd
0x00402fe4
0x00402feb
0x00402fef
0x00402ff8
0x00402ffb
0x00402ffc
0x00402ffe
0x00403055
0x00403056
0x00000000
0x00403056
0x00403000
0x00000000
0x00403000
0x00402fb5
0x00402fb7
0x00402fbd
0x00402fc8
0x00402fca
0x00402fcb
0x00402fcb
0x00402fcb
0x00000000
0x00402fb7
0x00402e8e
0x00402e90
0x00000000
0x00000000
0x00000000
0x00402e90
0x00402e43
0x00402e47
0x00000000
0x00000000
0x00000000
0x00402e96
0x00402e96
0x00402e96
0x00402e9f
0x00402e9f
0x00402967
0x00402967
0x00402927
0x00402927
0x00402937
0x00402940
0x0040294a
0x0040294e
0x00402954
0x00000000
0x00000000
0x00402971
0x00402979
0x0040297d
0x00402981
0x00402985
0x0040298e
0x00402990
0x00402993
0x004031a1
0x004031a2
0x00000000
0x004031a2
0x0040299d
0x004029a7
0x004029b4
0x004029c0
0x004029c1
0x004029c3
0x004029c9
0x00403106
0x00403109
0x0040310f
0x00403111
0x00000000
0x00000000
0x00403119
0x0040311e
0x00403120
0x00403125
0x00403129
0x0040312b
0x00403142
0x00000000
0x00403142
0x0040312d
0x0040312e
0x00000000
0x0040312e
0x004029cf
0x004029d1
0x00000000
0x00000000
0x004029d7
0x004029db
0x004029df
0x004029e2
0x00000000
0x00000000
0x00000000
0x004029e2
0x00402956
0x00402958
0x00000000
0x00000000
0x0040295e
0x00402961
0x00000000
0x00000000
0x00000000
0x00402961

APIs

Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,LdrGetProcedureAddress,?,?,00000000,004028BC), ref: 00402336
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040233F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,RtlInitUnicodeString,?,?,00000000,004028BC), ref: 0040234C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040234F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,RtlUnicodeStringToAnsiString,?,?,00000000,004028BC), ref: 0040235C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040235F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,RtlEnterCriticalSection,?,?,00000000,004028BC), ref: 0040236C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040236F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,NtQueryInformationProcess,?,?,00000000,004028BC), ref: 0040237C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040237F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,NtWow64QueryInformationProcess64,?,?,00000000,004028BC), ref: 0040238C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040238F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,memcpy,?,?,00000000,004028BC), ref: 0040239C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040239F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,memset,?,?,00000000,004028BC), ref: 004023AC
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 004023AF
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,strlen,?,?,00000000,004028BC), ref: 004023BC
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 004023BF
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,strcmp,?,?,00000000,004028BC), ref: 004023CC
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 004023CF
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,strcpy,?,?,00000000,004028BC), ref: 004023DC
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 004023DF
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,wcslen,?,?,00000000,004028BC), ref: 004023EC
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 004023EF
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,wcsstr,?,?,00000000,004028BC), ref: 004023FC
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 004023FF
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,wcschr,?,?,00000000,004028BC), ref: 0040240C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040240F
Part of subcall function 00402322: GetModuleHandleW.KERNEL32(ntdll,wcscpy,?,?,00000000,004028BC), ref: 0040241C
Part of subcall function 00402322: GetProcAddress.KERNEL32(00000000), ref: 0040241F

RtlEnterCriticalSection.NTDLL(?), ref: 004028CB
GetTickCount.KERNEL32 ref: 004028D7
GetTickCount.KERNEL32 ref: 004028EB

Part of subcall function 004031ED: GetCommandLineW.KERNEL32( /ElevatedInjectInfo=,74B049F0,00000FE0), ref: 00403203
Part of subcall function 004031ED: wcsstr.NTDLL ref: 00403206

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00402931
UnmapViewOfFile.KERNEL32(?,00000003), ref: 0040299D
CloseHandle.KERNEL32(?), ref: 004029A7
GetCommandLineW.KERNEL32( /864A627C-C6B2-464A-AA13-25D62F282BD8 ,-00406040), ref: 00402A45
wcsstr.NTDLL ref: 00402A48
GetCommandLineW.KERNEL32( /ElevatedInjectInfo=), ref: 00402A62
wcsstr.NTDLL ref: 00402A65
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000000), ref: 00402AB8
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000000), ref: 00402AD2
memcpy.NTDLL(?,?,?), ref: 00402B02
GetProcessHeap.KERNEL32(00000000,?), ref: 00402B35
HeapAlloc.KERNEL32(00000000), ref: 00402B3C
GetProcessHeap.KERNEL32(00000000,?), ref: 00402B73
HeapAlloc.KERNEL32(00000000), ref: 00402B7A
memcpy.NTDLL(00000000,?,?), ref: 00402BC1
RtlInitUnicodeString.NTDLL(?,00000000), ref: 00402BDC
memcpy.NTDLL(00000000,?,?), ref: 00402BFB
RtlInitUnicodeString.NTDLL(?,00000000), ref: 00402C16
GetCommandLineW.KERNEL32(00000000), ref: 00402C1D
wcscpy.NTDLL ref: 00402C24
GetCommandLineA.KERNEL32 ref: 00402C2C
memset.NTDLL ref: 00402C41
RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 00402C52
strcpy.NTDLL ref: 00402C61
GetModuleFileNameW.KERNEL32(00000000,?,000003FC), ref: 00402CFB
GetLastError.KERNEL32(0000000A,0x00065: ), ref: 00403041
GetModuleHandleW.KERNEL32(00000000), ref: 0040313C
CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00403153
CloseHandle.KERNEL32(?), ref: 0040316B
LoadLibraryW.KERNELBASE(user32.dll,MessageBoxW,00000000,0000000A,Z2: ,?,00000003), ref: 004031C3
GetProcAddress.KERNEL32(00000000), ref: 004031CA
MessageBoxW.USER32(00000000,There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00,Turbo Virtual Machine,00000010,?,00000003), ref: 004031DE
ExitProcess.KERNEL32 ref: 004031E2

Strings

0x00E00, xrefs: 00403092
\\?\, xrefs: 00402D41
njct, xrefs: 00402A97
0x0003: , xrefs: 004030EC
0x00022: , xrefs: 00403020
0x00021: , xrefs: 00403035
/ElevatedInjectInfo=, xrefs: 00402A5D
0x00E01, xrefs: 00403087
0x00E1, xrefs: 0040307C
user32.dll, xrefs: 004031BE
0x00040: , xrefs: 004030E1
0x00053: , xrefs: 004030CB
0x0006, xrefs: 0040312E
0x00052: , xrefs: 00403061
Z2: , xrefs: 004031A2
0x00E2, xrefs: 00403071
0x00050: , xrefs: 004030D6
Turbo Virtual Machine, xrefs: 004031D2
MessageBoxW, xrefs: 004031B9
0x00041: , xrefs: 00403069
0x20059: , xrefs: 00402B8B
0x00054: , xrefs: 004030A5
/864A627C-C6B2-464A-AA13-25D62F282BD8 , xrefs: 00402A3A
0x10059: , xrefs: 00402B49
There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00, xrefs: 004030B5, 004031AF, 004031D7
Z1: , xrefs: 00403056
0x00020: , xrefs: 0040304E
0x00065: , xrefs: 00402D0A
0x00042: , xrefs: 00403160
0x20090: , xrefs: 0040300A
xvmi, xrefs: 00402A8B
xvm, xrefs: 00402EB9
0x10090: , xrefs: 00403015
0x00051: , xrefs: 0040309D

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID: Handle$Module$AddressProc$CommandFileLine$HeapString$AllocProcessUnicodeViewmemcpywcsstr$CloseCountInitTick$AnsiCreateCriticalEnterErrorExitLastLibraryLoadMappingMessageNameSectionUnmapVirtualmemsetstrcpywcscpy
String ID: /864A627C-C6B2-464A-AA13-25D62F282BD8 $ /ElevatedInjectInfo=$0x00020: $0x00021: $0x00022: $0x0003: $0x00040: $0x00041: $0x00042: $0x00050: $0x00051: $0x00052: $0x00053: $0x00054: $0x0006$0x00065: $0x00E00$0x00E01$0x00E1$0x00E2$0x10059: $0x10090: $0x20059: $0x20090: $MessageBoxW$There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00$Turbo Virtual Machine$Z1: $Z2: $\\?\$njct$user32.dll$xvm$xvmi
API String ID: 293816476-3498450676
Opcode ID: b781d70acb233f0658b9cf1676bd2e2f02b227328b33274268238622bcaa17ab
Instruction ID: fb4a8c0b681a889dc99ef3fe2c71277e376b8c54dd0a7a01fd6acf7d1de6a9f1
Opcode Fuzzy Hash: b781d70acb233f0658b9cf1676bd2e2f02b227328b33274268238622bcaa17ab
Instruction Fuzzy Hash: 3342CE71604301AFD7249F24CD49B2B7BA8BF88705F14453EF986F72E4E6B89D018B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403493, Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00403493(void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v52;
				char _v60;

				if(E004034CF(__ecx) != 0) {
					 *0x406024(0xffffffff, 0,  &_v60, 0x30,  &_v8); // executed
					_t14 =  !=  ? 0 : _v52;
					_t9 =  !=  ? 0 : _v52;
					return  !=  ? 0 : _v52;
				} else {
					return  *((intOrPtr*)( *[fs:0x18] + 0x30));
				}
			}

0x004034a0
0x004034bb
0x004034c8
0x004034cb
0x004034ce
0x004034a2
0x004034ac
0x004034ac

APIs

Part of subcall function 004034CF: IsWow64Process.KERNEL32(000000FF,00000000,-00406040), ref: 004034DD

NtWow64QueryInformationProcess64.NTDLL(000000FF,00000000,?,00000030,?), ref: 004034BB

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID: Wow64$InformationProcessProcess64Query
String ID:
API String ID: 1389890571-0
Opcode ID: 6c811b1eaa05a7cf961cd6d1944476c91ad420f7107ba410a4b757d17daa8a17
Instruction ID: ad3374b1c5026cc57afc47631942e65ba287e69acada3c05ff5f010cc03de8a3
Opcode Fuzzy Hash: 6c811b1eaa05a7cf961cd6d1944476c91ad420f7107ba410a4b757d17daa8a17
Instruction Fuzzy Hash: 4BE02631B10608ABDB04EBADED41F9977FCAF88718F000170B912EB2D0D634EE048760

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402322, Relevance: 80.6, APIs: 30, Strings: 16, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00402322() {
				_Unknown_base(*)()* _t30;
				WCHAR* _t31;

				_t31 = L"ntdll";
				 *0x406038 = GetProcAddress(GetModuleHandleW(_t31), "LdrGetProcedureAddress");
				 *0x406034 = GetProcAddress(GetModuleHandleW(_t31), "RtlInitUnicodeString");
				 *0x406030 = GetProcAddress(GetModuleHandleW(_t31), "RtlUnicodeStringToAnsiString");
				 *0x40602c = GetProcAddress(GetModuleHandleW(_t31), "RtlEnterCriticalSection");
				 *0x406028 = GetProcAddress(GetModuleHandleW(_t31), "NtQueryInformationProcess");
				 *0x406024 = GetProcAddress(GetModuleHandleW(_t31), "NtWow64QueryInformationProcess64");
				 *0x406020 = GetProcAddress(GetModuleHandleW(_t31), "memcpy");
				 *0x40601c = GetProcAddress(GetModuleHandleW(_t31), "memset");
				 *0x406018 = GetProcAddress(GetModuleHandleW(_t31), "strlen");
				 *0x406014 = GetProcAddress(GetModuleHandleW(_t31), "strcmp");
				 *0x406010 = GetProcAddress(GetModuleHandleW(_t31), "strcpy");
				 *0x40600c = GetProcAddress(GetModuleHandleW(_t31), "wcslen");
				 *0x406008 = GetProcAddress(GetModuleHandleW(_t31), "wcsstr");
				 *0x406004 = GetProcAddress(GetModuleHandleW(_t31), "wcschr");
				_t30 = GetProcAddress(GetModuleHandleW(_t31), "wcscpy");
				 *0x406000 = _t30;
				return _t30;
			}

0x00402330
0x00402347
0x00402357
0x00402367
0x00402377
0x00402387
0x00402397
0x004023a7
0x004023b7
0x004023c7
0x004023d7
0x004023e7
0x004023f7
0x00402407
0x00402417
0x0040241f
0x00402423
0x00402429

APIs

GetModuleHandleW.KERNEL32(ntdll,LdrGetProcedureAddress,?,?,00000000,004028BC), ref: 00402336
GetProcAddress.KERNEL32(00000000), ref: 0040233F
GetModuleHandleW.KERNEL32(ntdll,RtlInitUnicodeString,?,?,00000000,004028BC), ref: 0040234C
GetProcAddress.KERNEL32(00000000), ref: 0040234F
GetModuleHandleW.KERNEL32(ntdll,RtlUnicodeStringToAnsiString,?,?,00000000,004028BC), ref: 0040235C
GetProcAddress.KERNEL32(00000000), ref: 0040235F
GetModuleHandleW.KERNEL32(ntdll,RtlEnterCriticalSection,?,?,00000000,004028BC), ref: 0040236C
GetProcAddress.KERNEL32(00000000), ref: 0040236F
GetModuleHandleW.KERNEL32(ntdll,NtQueryInformationProcess,?,?,00000000,004028BC), ref: 0040237C
GetProcAddress.KERNEL32(00000000), ref: 0040237F
GetModuleHandleW.KERNEL32(ntdll,NtWow64QueryInformationProcess64,?,?,00000000,004028BC), ref: 0040238C
GetProcAddress.KERNEL32(00000000), ref: 0040238F
GetModuleHandleW.KERNEL32(ntdll,memcpy,?,?,00000000,004028BC), ref: 0040239C
GetProcAddress.KERNEL32(00000000), ref: 0040239F
GetModuleHandleW.KERNEL32(ntdll,memset,?,?,00000000,004028BC), ref: 004023AC
GetProcAddress.KERNEL32(00000000), ref: 004023AF
GetModuleHandleW.KERNEL32(ntdll,strlen,?,?,00000000,004028BC), ref: 004023BC
GetProcAddress.KERNEL32(00000000), ref: 004023BF
GetModuleHandleW.KERNEL32(ntdll,strcmp,?,?,00000000,004028BC), ref: 004023CC
GetProcAddress.KERNEL32(00000000), ref: 004023CF
GetModuleHandleW.KERNEL32(ntdll,strcpy,?,?,00000000,004028BC), ref: 004023DC
GetProcAddress.KERNEL32(00000000), ref: 004023DF
GetModuleHandleW.KERNEL32(ntdll,wcslen,?,?,00000000,004028BC), ref: 004023EC
GetProcAddress.KERNEL32(00000000), ref: 004023EF
GetModuleHandleW.KERNEL32(ntdll,wcsstr,?,?,00000000,004028BC), ref: 004023FC
GetProcAddress.KERNEL32(00000000), ref: 004023FF
GetModuleHandleW.KERNEL32(ntdll,wcschr,?,?,00000000,004028BC), ref: 0040240C
GetProcAddress.KERNEL32(00000000), ref: 0040240F
GetModuleHandleW.KERNEL32(ntdll,wcscpy,?,?,00000000,004028BC), ref: 0040241C
GetProcAddress.KERNEL32(00000000), ref: 0040241F

Strings

wcsstr, xrefs: 004023F1
RtlInitUnicodeString, xrefs: 00402341
strcmp, xrefs: 004023C1
RtlUnicodeStringToAnsiString, xrefs: 00402351
memcpy, xrefs: 00402391
wcscpy, xrefs: 00402411
ntdll, xrefs: 00402330, 00402335, 00402346, 00402356, 00402366, 00402376, 00402386, 00402396, 004023A6, 004023B6, 004023C6, 004023D6, 004023E6, 004023F6, 00402406, 00402416
RtlEnterCriticalSection, xrefs: 00402361
wcslen, xrefs: 004023E1
strlen, xrefs: 004023B1
LdrGetProcedureAddress, xrefs: 0040232B
memset, xrefs: 004023A1
strcpy, xrefs: 004023D1
NtQueryInformationProcess, xrefs: 00402371
wcschr, xrefs: 00402401
NtWow64QueryInformationProcess64, xrefs: 00402381

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: LdrGetProcedureAddress$NtQueryInformationProcess$NtWow64QueryInformationProcess64$RtlEnterCriticalSection$RtlInitUnicodeString$RtlUnicodeStringToAnsiString$memcpy$memset$ntdll$strcmp$strcpy$strlen$wcschr$wcscpy$wcslen$wcsstr
API String ID: 1646373207-3522212714
Opcode ID: f3333e4f95044ca3e3dc8f91a31a823101f9ac5fb09f6f8b1a64a306f6375e86
Instruction ID: 85279a423c8cb46e76a5c65a2c3bb82e58be774233738397f379ccab96681db5
Opcode Fuzzy Hash: f3333e4f95044ca3e3dc8f91a31a823101f9ac5fb09f6f8b1a64a306f6375e86
Instruction Fuzzy Hash: 8E21BCF4D80358B5CA24BBB75D8DE0B6EDCE9C87543524837B209F71A0DA7C8050CEA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402627, Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 205
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00402627(void* __ecx) {
				unsigned int _v8;
				int _v10;
				int _v12;
				void** _v16;
				void* _v20;
				void* _v24;
				signed short _v28;
				signed int _t64;
				void* _t65;
				void* _t70;
				void* _t71;
				void* _t73;
				void* _t75;
				void** _t79;
				void* _t80;
				char* _t82;
				int _t83;
				signed short _t86;
				signed int _t87;
				void* _t89;
				void** _t91;
				void* _t95;
				void* _t102;
				CHAR* _t103;
				signed short* _t105;
				void* _t107;
				signed short _t110;
				void* _t111;
				unsigned int _t116;
				void* _t118;
				void* _t119;
				int* _t122;
				void* _t124;
				intOrPtr* _t126;
				void* _t128;
				void* _t130;
				int* _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t109 = __ecx;
				_t102 = __ecx;
				_t126 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
				if( *_t126 == 0x4550) {
					L3:
					_t135 = VirtualAlloc(0,  *(_t126 + 0x50), 0x1000, 0x40);
					__eflags = _t135;
					if(_t135 != 0) {
						memcpy(_t135, _t102,  *(_t126 + 0x54));
						_t118 =  *(_t126 + 6) & 0x0000ffff;
						_t64 =  *(_t126 + 0x14) & 0x0000ffff;
						_t137 = _t136 + 0xc;
						_v20 = _t118;
						__eflags = _t118;
						if(__eflags == 0) {
							L10:
							_t128 =  *((intOrPtr*)(_t135 + 0x3c)) + _t135;
							_v20 = _t128;
							_t65 = E00403525(__eflags);
							__eflags = _t65 -  *0x406040 - 0x7fff;
							if(_t65 -  *0x406040 > 0x7fff) {
								L39:
								return 0;
							}
							_t119 =  *(_t128 + 0xa4);
							__eflags = _t119;
							if(_t119 == 0) {
								L20:
								__eflags =  *(_t128 + 0x84);
								if( *(_t128 + 0x84) == 0) {
									L22:
									return _t135;
								}
								_t130 =  *((intOrPtr*)(_t128 + 0x80)) + _t135;
								__eflags = _t130;
								if(_t130 != 0) {
									while(1) {
										_t70 =  *(_t130 + 0xc);
										__eflags = _t70;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t70 + _t135;
										_t71 = E00403525(__eflags);
										__eflags = _t71 -  *0x406040 - 0x7fff;
										if(_t71 -  *0x406040 > 0x7fff) {
											goto L39;
										}
										_t73 = GetModuleHandleA(_t103);
										_v24 = _t73;
										__eflags = _t73;
										if(_t73 == 0) {
											_push(_t109);
											_push(L"0x0014");
											L38:
											E004024AA();
											goto L39;
										}
										_t105 = _t135 +  *_t130;
										_v16 =  *((intOrPtr*)(_t130 + 0x10)) + _t135;
										while(1) {
											_t109 =  *_t105;
											__eflags = _t109;
											if(_t109 == 0) {
												break;
											}
											_t75 = 0;
											_t122 = 0;
											_v28 = 0;
											__eflags = _t109;
											if(_t109 < 0) {
												_t110 =  *_t105 & 0x0000ffff;
											} else {
												_t49 = _t135 + 2; // 0x2
												_t82 = _t49 + _t109;
												_v8 = _t82;
												_t83 = strlen(_t82);
												_t110 = _v28;
												_v12 = _t83;
												_v10 = _t83;
												_t122 =  &_v12;
												_t75 = 0;
											}
											_v20 = _t75;
											 *0x406038(_v24, _t122, _t110 & 0x0000ffff,  &_v20);
											_t111 = _v20;
											__eflags = _t111;
											if(_t111 == 0) {
												_push(_t111);
												_push(L"0x0015");
												goto L38;
											}
											_t79 = _v16;
											_t105 =  &(_t105[2]);
											 *_t79 = _t111;
											_t80 =  &(_t79[1]);
											__eflags = _t80;
											_v16 = _t80;
										}
										_t130 = _t130 + 0x14;
										__eflags = _t130;
									}
								}
								goto L22;
							}
							_t109 =  *((intOrPtr*)(_t128 + 0xa0)) + _t135;
							_v16 = _t135 -  *((intOrPtr*)(_t128 + 0x34));
							__eflags = _t119;
							if(_t119 == 0) {
								goto L20;
							} else {
								goto L13;
							}
							do {
								L13:
								_t86 = _t109 + 4;
								_v24 =  *_t109;
								_t128 = _v20;
								_v28 = _t86;
								_t109 = _t109 + 8;
								_t107 =  *_t86 - 8;
								__eflags = _t107;
								if(_t107 == 0) {
									goto L19;
								} else {
									goto L14;
								}
								do {
									L14:
									_t87 =  *_t109 & 0x0000ffff;
									_v8 = _t87;
									_v8 = _v8 >> 0xc;
									__eflags = _v8;
									if(_v8 == 0) {
										goto L17;
									}
									__eflags = _v8 - 3;
									if(_v8 != 3) {
										_push(_t109);
										_push(L"0x0013");
										goto L38;
									}
									_t89 = _v24 + (_t87 & 0x00000fff);
									_t38 = _t89 + _t135;
									 *_t38 =  *(_t89 + _t135) + _v16;
									__eflags =  *_t38;
									_t128 = _v20;
									L17:
									_t109 = _t109 + 2;
									_t107 = _t107;
									__eflags = _t107;
								} while (_t107 != 0);
								_t86 = _v28;
								L19:
								_t119 = _t119 -  *_t86;
								__eflags = _t119;
							} while (_t119 != 0);
							goto L20;
						}
						_t91 = _t64 + 0x2c + _t126;
						_t134 = _t126 + 0x28 + ( *(_t126 + 0x14) & 0x0000ffff);
						__eflags = _t134;
						_t124 = _v20;
						_v8 = _t126 + 0x24 + _t64;
						_v16 = _t91;
						do {
							__eflags =  *_t91;
							_t116 = _v8;
							if( *_t91 != 0) {
								_t95 =  *_t116 + _t135;
								__eflags = _t95;
								memcpy(_t95,  *_t91 + _t102,  *_t134);
								_t91 = _v16;
								_t116 = _v8;
								_t124 = _v20;
								_t137 = _t137 + 0xc;
							}
							_t91 =  &(_t91[0xa]);
							_t109 = _t116 + 0x28;
							_t134 =  &(_t134[0xa]);
							_t124 = _t124 - 1;
							__eflags = _t124;
							_v8 = _t109;
							_v16 = _t91;
							_v20 = _t124;
						} while (__eflags != 0);
						goto L10;
					}
					_push(_t109);
					E004024AA(L"0x0012: ");
					E00402443(0x406048, GetLastError(), 0xa);
					goto L39;
				}
				_t109 = 0x111;
				if(( *(__ecx + 0xa) & 0x00000011) == 0x111) {
					goto L3;
				}
				_push(0x111);
				_push(L"0x0011");
				goto L38;
			}

0x00402627
0x0040262e
0x00402635
0x0040263d
0x0040265c
0x0040266e
0x00402670
0x00402672
0x0040269c
0x004026a2
0x004026a6
0x004026aa
0x004026ad
0x004026b0
0x004026b2
0x0040270b
0x0040270e
0x00402710
0x00402713
0x0040271e
0x00402723
0x00402875
0x00000000
0x00402875
0x00402729
0x0040272f
0x00402731
0x00402794
0x00402796
0x0040279c
0x004027ac
0x00000000
0x004027ac
0x004027a4
0x004027a4
0x004027a6
0x0040285a
0x0040285a
0x0040285d
0x0040285f
0x00000000
0x00000000
0x004027be
0x004027c1
0x004027cc
0x004027d1
0x00000000
0x00000000
0x004027d8
0x004027de
0x004027e1
0x004027e3
0x0040287c
0x0040287d
0x00402870
0x00402870
0x00000000
0x00402870
0x004027ee
0x004027f2
0x00402851
0x00402851
0x00402853
0x00402855
0x00000000
0x00000000
0x004027f7
0x004027f9
0x004027fb
0x004027fe
0x00402800
0x00402824
0x00402802
0x00402802
0x00402805
0x00402808
0x0040280b
0x00402812
0x00402815
0x00402819
0x0040281d
0x00402820
0x00402820
0x00402827
0x00402836
0x0040283c
0x0040283f
0x00402841
0x0040286a
0x0040286b
0x00000000
0x0040286b
0x00402843
0x00402846
0x00402849
0x0040284b
0x0040284b
0x0040284e
0x0040284e
0x00402857
0x00402857
0x00402857
0x00402865
0x00000000
0x004027a6
0x0040273e
0x00402740
0x00402743
0x00402745
0x00000000
0x00000000
0x00000000
0x00000000
0x00402747
0x00402747
0x00402749
0x0040274c
0x00402751
0x00402754
0x00402757
0x0040275a
0x0040275a
0x0040275d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040275f
0x0040275f
0x0040275f
0x00402762
0x00402765
0x00402769
0x0040276d
0x00000000
0x00000000
0x0040276f
0x00402773
0x004027b3
0x004027b4
0x00000000
0x004027b4
0x0040277d
0x00402780
0x00402780
0x00402780
0x00402783
0x00402786
0x00402787
0x0040278a
0x0040278a
0x0040278a
0x0040278d
0x00402790
0x00402790
0x00402790
0x00402790
0x00000000
0x00402747
0x004026c0
0x004026c5
0x004026c5
0x004026c7
0x004026ca
0x004026cd
0x004026d0
0x004026d0
0x004026d3
0x004026d6
0x004026e1
0x004026e1
0x004026e4
0x004026ea
0x004026ed
0x004026f0
0x004026f3
0x004026f3
0x004026f6
0x004026f9
0x004026fc
0x004026ff
0x004026ff
0x00402700
0x00402703
0x00402706
0x00402706
0x00000000
0x004026d0
0x00402674
0x0040267a
0x0040268d
0x00000000
0x0040268d
0x00402647
0x0040264f
0x00000000
0x00000000
0x00402651
0x00402652
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,00000000,00000003,00000000), ref: 00402668
GetLastError.KERNEL32(0000000A,0x0012: ), ref: 00402681
memcpy.NTDLL(00000000,00000000,?), ref: 0040269C
memcpy.NTDLL(?,?,?), ref: 004026E4

Strings

0x0013, xrefs: 004027B4
0x0014, xrefs: 0040287D
0x0012: , xrefs: 00402675
0x0015, xrefs: 0040286B
0x0011, xrefs: 00402652
There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID: memcpy$AllocErrorLastVirtual
String ID: 0x0011$0x0012: $0x0013$0x0014$0x0015$There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00
API String ID: 2681243397-3509012180
Opcode ID: 65a1308b43b782f8236cba530f05e2d774aa71cd2ba2b3fe2e2606012093deeb
Instruction ID: 13371dcdbc3f8ffb8a3713947ce6e6ca430aac33957342fb0586d7852e587468
Opcode Fuzzy Hash: 65a1308b43b782f8236cba530f05e2d774aa71cd2ba2b3fe2e2606012093deeb
Instruction Fuzzy Hash: 56719075A00216AFCB04DF69CE49AAAB7B5FF44304F24853AD405B73D0E7B8E951CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403B94, Relevance: 10.9, Strings: 8, Instructions: 859
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E00403B94(signed int __ebx, unsigned int __edx, signed char* __edi, signed int __esi) {
				signed int _t545;
				signed int _t571;
				signed int _t573;
				signed int _t577;
				signed int _t579;
				signed int _t585;
				signed int _t588;
				signed int _t720;
				signed int _t721;
				signed int* _t723;
				signed int* _t752;
				signed int* _t766;
				unsigned int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t896;
				signed int* _t905;
				signed char* _t927;
				signed char** _t929;
				signed int* _t961;
				signed int _t962;
				intOrPtr _t964;
				signed int _t965;
				void* _t968;
				void* _t972;

				L0:
				while(1) {
					L0:
					_t962 = __esi;
					_t927 = __edi;
					_t884 = __edx;
					_t721 = __ebx;
					if(__esi >= 0xe) {
						goto L48;
					}
					L44:
					while(1) {
						L45:
						if(__ebx == 0) {
							break;
						}
						L46:
						__eax =  *__edi & 0x000000ff;
						__ecx = __esi;
						__eax = ( *__edi & 0x000000ff) << __cl;
						__ebx = __ebx - 1;
						__edi = __edi + 1;
						__esi = __esi + 8;
						__edx = __edx + __eax;
						 *(__ebp - 0xc) = __ebx;
						 *(__ebp - 4) = __edx;
						 *(__ebp - 0x10) = __edi;
						if(__esi < 0xe) {
							continue;
						} else {
							L47:
							__ecx =  *(__ebp - 8);
							goto L48;
						}
						L200:
					}
					L189:
					_t571 =  *(_t968 - 0xc);
					L190:
					_t929 =  *(_t968 - 0x14);
					_t723 =  *(_t968 - 8);
					_t896 =  *(_t968 - 0x18);
					_t929[3] =  *(_t968 - 0x1c);
					_t929[1] = _t571;
					_t723[0xf] = _t962;
					_t964 =  *((intOrPtr*)(_t968 - 0x20));
					_t929[4] = _t896;
					 *_t929 =  *(_t968 - 0x10);
					_t723[0xe] =  *(_t968 - 4);
					if(_t723[0xa] != 0) {
						L193:
						_t573 = E00403590(_t929, _t964);
						if(_t573 == 0) {
							goto L196;
						} else {
							L194:
							 *_t723 = 0x1c;
							L195:
							return 0xfffffffc;
						}
					} else {
						L191:
						if( *_t723 >= 0x18) {
							L196:
							_t965 = _t964 - _t929[4];
							_t929[5] =  &(_t929[5][_t965]);
							_t929[2] =  &(_t929[2][ *((intOrPtr*)(_t968 - 0x3c)) - _t929[1]]);
							_t723[7] = _t723[7] + _t965;
							if(_t723[2] != 0) {
								if(_t965 != 0) {
									_t579 = E00404790(_t723[6], _t929[3] - _t965, _t965);
									_t723[6] = _t579;
									_t929[0xc] = _t579;
								}
							}
							asm("sbb edx, edx");
							_t762 =  ==  ? 0x80 : 0;
							_t577 =  *(_t968 - 0x28);
							_t901 = ( ~(_t723[1]) & 0x00000040) + ( ==  ? 0x80 : 0);
							_t902 = ( ~(_t723[1]) & 0x00000040) + ( ==  ? 0x80 : 0) + _t723[0xf];
							_t929[0xb] = ( ~(_t723[1]) & 0x00000040) + ( ==  ? 0x80 : 0) + _t723[0xf];
							_t578 =  ==  ? 0xfffffffb : _t577;
							return  ==  ? 0xfffffffb : _t577;
						} else {
							L192:
							if(_t964 == _t896) {
								goto L196;
							} else {
								goto L193;
							}
						}
					}
					goto L200;
					L48:
					_t752[0x18] = (_t884 & 0x0000001f) + 0x101;
					_t885 = _t884 >> 5;
					_t886 = _t885 >> 5;
					_t752[0x19] = (_t885 & 0x0000001f) + 1;
					_t884 = _t886 >> 4;
					_t962 = _t962 - 0xe;
					_t752[0x17] = (_t886 & 0x0000000f) + 4;
					 *(_t968 - 4) = _t884;
					if(_t752[0x18] > 0x11e) {
						L61:
						( *(_t968 - 0x14))[6] = "too many length or distance symbols";
						goto L181;
					} else {
						L49:
						if(_t752[0x19] > 0x1e) {
							goto L61;
						} else {
							L50:
							_t752[0x1a] = 0;
							 *_t752 = 0x10;
							L51:
							if(_t752[0x1a] >= _t752[0x17]) {
								L56:
								while(_t752[0x1a] < 0x13) {
									L58:
									 *((short*)(_t752 + 0x70 + ( *(0x401e88 + _t752[0x1a] * 2) & 0x0000ffff) * 2)) = 0;
									_t752[0x1a] = _t752[0x1a] + 1;
								}
								L59:
								_t905 =  &(_t752[0x1b]);
								_t585 =  &(_t752[0x14c]);
								 *_t905 = _t585;
								_t752[0x13] = _t585;
								_t766 =  &(_t752[0x15]);
								_push( &(( *(_t968 - 8))[0xbc]));
								_push(_t766);
								_push(_t905);
								 *_t766 = 7;
								_push(0x13);
								_t588 = L00404E80(_t721, 0,  &(( *(_t968 - 8))[0x1c]), _t927, _t962);
								_t752 =  *(_t968 - 8);
								_t884 =  *(_t968 - 4);
								_t972 = _t972 + 0x10;
								 *(_t968 - 0x28) = _t588;
								if(_t588 == 0) {
									L62:
									_t752[0x1a] = 0;
									 *_t752 = 0x11;
									goto L63;
								} else {
									L60:
									( *(_t968 - 0x14))[6] = "invalid code lengths set";
									L181:
									 *_t752 = 0x1b;
									while(1) {
										L182:
										_t545 =  *_t752;
										if(_t545 > 0x1c) {
											break;
										}
										L1:
										switch( *((intOrPtr*)(_t545 * 4 +  &M00404704))) {
											case 0:
												L2:
												if(_t752[2] != 0) {
													L4:
													__eflags = _t962 - 0x10;
													if(_t962 >= 0x10) {
														L8:
														_t558 = (_t884 >> 8) + ((_t884 & 0x000000ff) << 8);
														__eflags = _t558 %  *(_t968 - 0x38);
														_t884 =  *(_t968 - 4);
														if(_t558 %  *(_t968 - 0x38) == 0) {
															L10:
															_t752 =  *(_t968 - 8);
															__eflags = (_t884 & 0x0000000f) - 8;
															if((_t884 & 0x0000000f) == 8) {
																L12:
																_t884 = _t884 >> 4;
																_t564 = (_t884 & 0x0000000f) + 8;
																_t962 = _t962 - 4;
																 *(_t968 - 4) = _t884;
																 *(_t968 - 0x34) = _t564;
																__eflags = _t564 - _t752[9];
																if(_t564 <= _t752[9]) {
																	L14:
																	( *(_t968 - 8))[5] = 1 <<  *(_t968 - 0x34);
																	_t567 = E00404790(0, 0, 0);
																	_t752 =  *(_t968 - 8);
																	( *(_t968 - 0x14))[0xc] = _t567;
																	 *_t752 =  !( *(_t968 - 4) >> 8) & 0x00000002 | 0x00000009;
																	_t884 = 0;
																	_t972 = _t972 + 4;
																	_t752[6] = _t567;
																	 *(_t968 - 4) = 0;
																	_t962 = 0;
																} else {
																	L13:
																	( *(_t968 - 0x14))[6] = "invalid window size";
																	goto L181;
																}
															} else {
																L11:
																( *(_t968 - 0x14))[6] = "unknown compression method";
																goto L181;
															}
														} else {
															L9:
															( *(_t968 - 0x14))[6] = "incorrect header check";
															goto L180;
														}
														goto L182;
													} else {
														L5:
														while(1) {
															L6:
															__eflags = _t721;
															if(_t721 == 0) {
																goto L189;
															}
															L7:
															_t582 = ( *_t927 & 0x000000ff) << _t962;
															_t721 = _t721 - 1;
															_t927 =  &(_t927[1]);
															_t962 = _t962 + 8;
															_t884 = _t884 + _t582;
															 *(_t968 - 0xc) = _t721;
															 *(_t968 - 4) = _t884;
															 *(_t968 - 0x10) = _t927;
															__eflags = _t962 - 0x10;
															if(_t962 < 0x10) {
																continue;
															} else {
																goto L8;
															}
															goto L200;
														}
														goto L189;
													}
												} else {
													 *_t752 = 0xc;
													goto L182;
												}
												goto L200;
											case 1:
												goto L183;
											case 2:
												L15:
												__eflags = __esi - 0x20;
												if(__esi >= 0x20) {
													L19:
													__ecx = __edx;
													__edx = __edx << 0x10;
													__edx & 0x0000ff00 = (__edx & 0x0000ff00) + (__edx << 0x10);
													__edx = __edx >> 8;
													__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
													__eax = __edx >> 0x00000008 & 0x0000ff00;
													__edx = __edx >> 0x18;
													__eax = __eax + __ecx;
													__ecx =  *(__ebp - 8);
													__eax = __eax + __edx;
													__edx =  *(__ebp - 0x14);
													 *(__ecx + 0x18) = __eax;
													 *( *(__ebp - 0x14) + 0x30) = __eax;
													__edx = 0;
													 *(__ebp - 4) = 0;
													__esi = 0;
													__eflags = 0;
													 *__ecx = 0xa;
													goto L20;
												} else {
													L16:
													while(1) {
														L17:
														__eflags = __ebx;
														if(__ebx == 0) {
															goto L189;
														}
														L18:
														__eax =  *__edi & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__edi & 0x000000ff) << __cl;
														__ebx = __ebx - 1;
														__edi = __edi + 1;
														__esi = __esi + 8;
														__edx = __edx + __eax;
														 *(__ebp - 0xc) = __ebx;
														 *(__ebp - 4) = __edx;
														 *(__ebp - 0x10) = __edi;
														__eflags = __esi - 0x20;
														if(__esi < 0x20) {
															continue;
														} else {
															goto L19;
														}
														goto L200;
													}
													goto L189;
												}
												goto L200;
											case 3:
												L20:
												__eflags =  *(__ecx + 0xc);
												if( *(__ecx + 0xc) == 0) {
													L184:
													__ecx =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x1c);
													 *(__ecx + 0xc) =  *(__ebp - 0x1c);
													__eax = __ecx;
													__ecx =  *(__ebp - 0x18);
													 *(__eax + 0x10) =  *(__ebp - 0x18);
													__ecx =  *(__ebp - 8);
													 *(__eax + 4) = __ebx;
													 *(__ecx + 0x3c) = __esi;
													_pop(__esi);
													 *__eax = __edi;
													_pop(__ebx);
													 *(__ecx + 0x38) = __edx;
													__eax = 2;
													_pop(__edi);
													__esp = __ebp;
													_pop(__ebp);
													return 2;
												} else {
													L21:
													__edx = 0;
													__ecx = 0;
													__eflags = 0;
													__eax = E00404790(0, 0, 0);
													__edx =  *(__ebp - 0x14);
													__ecx =  *(__ebp - 8);
													 *( *(__ebp - 0x14) + 0x30) = __eax;
													__edx =  *(__ebp - 4);
													 *(__ecx + 0x18) = __eax;
													 *__ecx = 0xb;
													goto L22;
												}
												goto L200;
											case 4:
												L22:
												__eflags =  *(__ecx + 4);
												if( *(__ecx + 4) == 0) {
													L24:
													__eflags = __esi - 3;
													if(__esi >= 3) {
														L28:
														__eax = __edx;
														__eax = __edx & 0x00000001;
														__edx = __edx >> 1;
														 *(__ecx + 4) = __eax;
														__eax = __edx;
														__eax = __edx & 0x00000003;
														__eflags = __eax - 3;
														if(__eax > 3) {
															L34:
															__edx = __edx >> 2;
															 *(__ebp - 4) = __edx;
															__esi = __esi - 3;
														} else {
															L29:
															switch( *((intOrPtr*)(__eax * 4 +  &M00404778))) {
																case 0:
																	L30:
																	__edx = __edx >> 2;
																	 *__ecx = 0xd;
																	 *(__ebp - 4) = __edx;
																	__esi = __esi - 3;
																	goto L182;
																case 1:
																	L31:
																	__eax = E004036C0(__eax, __ebx, __ecx, __edx, __esi);
																	__edx = __edx >> 2;
																	 *__ecx = 0x12;
																	 *(__ebp - 4) = __edx;
																	__esi = __esi - 3;
																	goto L182;
																case 2:
																	L32:
																	__edx = __edx >> 2;
																	 *__ecx = 0xf;
																	 *(__ebp - 4) = __edx;
																	__esi = __esi - 3;
																	goto L182;
																case 3:
																	L33:
																	__eax =  *(__ebp - 0x14);
																	 *__ecx = 0x1b;
																	 *(__eax + 0x18) = "invalid block type";
																	goto L34;
															}
														}
														goto L182;
													} else {
														while(1) {
															L25:
															__eflags = __ebx;
															if(__ebx == 0) {
																goto L189;
															}
															L26:
															__eax =  *__edi & 0x000000ff;
															__ecx = __esi;
															__eax = ( *__edi & 0x000000ff) << __cl;
															__ebx = __ebx - 1;
															__edi = __edi + 1;
															__esi = __esi + 8;
															__edx = __edx + __eax;
															 *(__ebp - 0xc) = __ebx;
															 *(__ebp - 4) = __edx;
															 *(__ebp - 0x10) = __edi;
															__eflags = __esi - 3;
															if(__esi < 3) {
																continue;
															} else {
																L27:
																__ecx =  *(__ebp - 8);
																goto L28;
															}
															goto L200;
														}
														goto L189;
													}
												} else {
													L23:
													__esi = __esi & 0x00000007;
													__edx = __edx >> __cl;
													__esi = __esi - (__esi & 0x00000007);
													__ecx =  *(__ebp - 8);
													 *(__ebp - 4) = __edx;
													 *__ecx = 0x18;
													goto L182;
												}
												goto L200;
											case 5:
												L35:
												__ecx = __esi;
												__ecx = __esi & 0x00000007;
												__edx = __edx >> __cl;
												__esi = __esi - __ecx;
												 *(__ebp - 4) = __edx;
												__eflags = __esi - 0x20;
												if(__esi >= 0x20) {
													L38:
													__eax = __edx;
													__ecx = __edx;
													__ecx = __edx & 0x0000ffff;
													 !__edx =  !__edx >> 0x10;
													 *(__ebp - 0x34) = __ecx;
													__eflags = __ecx -  !__edx >> 0x10;
													__ecx =  *(__ebp - 8);
													if(__eflags == 0) {
														L40:
														__eax =  *(__ebp - 0x34);
														__edx = 0;
														 *(__ecx + 0x40) =  *(__ebp - 0x34);
														 *(__ebp - 4) = 0;
														__esi = 0;
														__eflags = 0;
														 *__ecx = 0xe;
														goto L41;
													} else {
														L39:
														__eax =  *(__ebp - 0x14);
														 *(__eax + 0x18) = "invalid stored block lengths";
														goto L181;
													}
												} else {
													while(1) {
														L36:
														__eflags = __ebx;
														if(__ebx == 0) {
															goto L189;
														}
														L37:
														__eax =  *__edi & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__edi & 0x000000ff) << __cl;
														__ebx = __ebx - 1;
														__edi = __edi + 1;
														__esi = __esi + 8;
														__edx = __edx + __eax;
														 *(__ebp - 0xc) = __ebx;
														 *(__ebp - 4) = __edx;
														 *(__ebp - 0x10) = __edi;
														__eflags = __esi - 0x20;
														if(__esi < 0x20) {
															continue;
														} else {
															goto L38;
														}
														goto L200;
													}
													goto L189;
												}
												goto L200;
											case 6:
												L41:
												__eax =  *(__ecx + 0x40);
												__eflags = __eax;
												if(__eax == 0) {
													goto L123;
												} else {
													L42:
													__eflags = __eax - __ebx;
													__eax =  >  ? __ebx : __eax;
													__eflags = __eax -  *(__ebp - 0x18);
													__eax =  >  ?  *(__ebp - 0x18) : __eax;
													 *(__ebp - 0x34) = __eax;
													__eflags = __eax;
													if(__eax == 0) {
														goto L189;
													} else {
														L43:
														__ecx =  *(__ebp - 0x1c);
														__edx = __edi;
														__eax = E00404E20( *(__ebp - 0x1c), __edi, __eax);
														__eax =  *(__ebp - 0x34);
														__ecx =  *(__ebp - 8);
														 *(__ebp - 0x18) =  *(__ebp - 0x18) - __eax;
														 *(__ebp - 0x1c) =  *(__ebp - 0x1c) + __eax;
														__edx =  *(__ebp - 4);
														__ebx = __ebx - __eax;
														__edi = __edi + __eax;
														 *(__ecx + 0x40) =  *(__ecx + 0x40) - __eax;
														 *(__ebp - 0xc) = __ebx;
														 *(__ebp - 0x10) = __edi;
														goto L182;
													}
												}
												goto L200;
											case 7:
												goto L0;
											case 8:
												goto L51;
											case 9:
												L63:
												_t927 =  *(_t968 - 0x10);
												 *(_t968 - 0x24) = _t752[0x1a];
												__eflags =  *(_t968 - 0x24) - _t752[0x19] + _t752[0x18];
												if( *(_t968 - 0x24) >= _t752[0x19] + _t752[0x18]) {
													L98:
													__eflags =  *_t752 - 0x1b;
													if( *_t752 == 0x1b) {
														goto L182;
													} else {
														L99:
														_t908 =  &(_t752[0x1b]);
														_t592 =  &(_t752[0x14c]);
														_t932 =  &(_t752[0xbc]);
														 *_t908 = _t592;
														_t752[0x13] = _t592;
														_t593 =  &(_t752[0x15]);
														_push(_t932);
														_push(_t593);
														_push(_t908);
														_push(_t752[0x18]);
														 *(_t968 - 0x34) = _t908;
														 *_t593 = 9;
														 *(_t968 - 0x30) = _t932;
														_t594 = L00404E80(_t721, 1,  &(_t752[0x1c]), _t932, _t962);
														_t927 =  *(_t968 - 0x10);
														_t752 =  *(_t968 - 8);
														_t972 = _t972 + 0x10;
														 *(_t968 - 0x28) = _t594;
														__eflags = _t594;
														if(_t594 == 0) {
															L103:
															_t910 =  *(_t968 - 0x34);
															_push( *(_t968 - 0x30));
															_t752[0x14] =  *_t910;
															_t596 =  &(_t752[0x16]);
															_push(_t596);
															_push(_t910);
															_push(_t752[0x19]);
															 *_t596 = 6;
															_t598 = L00404E80(_t721, 2,  &(_t752[0x1c]) + _t752[0x18] * 2, _t927, _t962);
															_t752 =  *(_t968 - 8);
															_t884 =  *(_t968 - 4);
															_t972 = _t972 + 0x10;
															 *(_t968 - 0x28) = _t598;
															__eflags = _t598;
															if(_t598 == 0) {
																L105:
																 *_t752 = 0x12;
																goto L106;
															} else {
																L104:
																( *(_t968 - 0x14))[6] = "invalid distances set";
																goto L181;
															}
														} else {
															L100:
															_t884 =  *(_t968 - 4);
															( *(_t968 - 0x14))[6] = "invalid literal/lengths set";
															goto L181;
														}
													}
												} else {
													L64:
													do {
														L65:
														_t151 = (1 << _t752[0x15]) - 1; // 0x0
														_t849 = _t151;
														 *(_t968 - 0x34) = _t849;
														 *(_t968 - 0x30) = ( *(_t968 - 8))[0x13];
														_t680 =  *( *(_t968 - 0x30) + (_t849 & _t884) * 4);
														 *(_t968 - 0x2c) = _t680;
														__eflags = (_t680 >> 0x00000008 & 0x000000ff) - _t962;
														if((_t680 >> 0x00000008 & 0x000000ff) <= _t962) {
															L68:
															__eflags = _t680 >> 0x10 - 0x10;
															if(_t680 >> 0x10 >= 0x10) {
																L74:
																_t856 =  *(_t968 - 0x2a);
																__eflags = _t856 - 0x10;
																if(_t856 != 0x10) {
																	L80:
																	__eflags = _t856 - 0x11;
																	_t857 = _t680 & 0x000000ff;
																	if(_t856 != 0x11) {
																		L85:
																		 *(_t968 - 0x34) = _t857;
																		__eflags = _t962 - _t857 + 7;
																		if(_t962 >= _t857 + 7) {
																			L89:
																			_t922 = _t884 >> _t857;
																			_t860 = (_t922 & 0x0000007f) + 0xb;
																			_t884 = _t922 >> 7;
																			_t683 = 0xfffffff9 -  *(_t968 - 0x34);
																			__eflags = 0xfffffff9;
																			goto L90;
																		} else {
																			L86:
																			while(1) {
																				L87:
																				__eflags = _t721;
																				if(_t721 == 0) {
																					goto L189;
																				}
																				L88:
																				_t693 = ( *_t927 & 0x000000ff) << _t962;
																				_t857 =  *(_t968 - 0x34);
																				_t721 = _t721 - 1;
																				_t927 =  &(_t927[1]);
																				_t884 = _t884 + _t693;
																				_t962 = _t962 + 8;
																				 *(_t968 - 0xc) = _t721;
																				 *(_t968 - 4) = _t884;
																				 *(_t968 - 0x10) = _t927;
																				__eflags = _t962 - _t857 + 7;
																				if(_t962 < _t857 + 7) {
																					continue;
																				} else {
																					goto L89;
																				}
																				goto L200;
																			}
																			goto L189;
																		}
																	} else {
																		L81:
																		 *(_t968 - 0x34) = _t857;
																		__eflags = _t962 - _t857 + 3;
																		if(_t962 >= _t857 + 3) {
																			L84:
																			_t923 = _t884 >> _t857;
																			_t860 = (_t923 & 0x00000007) + 3;
																			_t884 = _t923 >> 3;
																			_t683 = 0xfffffffd -  *(_t968 - 0x34);
																			L90:
																			_t962 = _t962 + _t683;
																			__eflags = _t962;
																			 *(_t968 - 0x30) = 0;
																			goto L91;
																		} else {
																			while(1) {
																				L82:
																				__eflags = _t721;
																				if(_t721 == 0) {
																					goto L189;
																				}
																				L83:
																				_t698 = ( *_t927 & 0x000000ff) << _t962;
																				_t857 =  *(_t968 - 0x34);
																				_t721 = _t721 - 1;
																				_t927 =  &(_t927[1]);
																				_t884 = _t884 + _t698;
																				_t962 = _t962 + 8;
																				 *(_t968 - 0xc) = _t721;
																				 *(_t968 - 4) = _t884;
																				 *(_t968 - 0x10) = _t927;
																				__eflags = _t962 - _t857 + 3;
																				if(_t962 < _t857 + 3) {
																					continue;
																				} else {
																					goto L84;
																				}
																				goto L200;
																			}
																			goto L189;
																		}
																	}
																} else {
																	L75:
																	_t867 = _t680 & 0x000000ff;
																	 *(_t968 - 0x34) = _t867;
																	__eflags = _t962 - _t867 + 2;
																	if(_t962 >= _t867 + 2) {
																		L78:
																		_t701 =  *(_t968 - 0x24);
																		_t884 = _t884 >> _t867;
																		_t962 = _t962 - _t867;
																		_t752 =  *(_t968 - 8);
																		 *(_t968 - 4) = _t884;
																		__eflags = _t701;
																		if(_t701 == 0) {
																			L101:
																			( *(_t968 - 0x14))[6] = "invalid bit length repeat";
																			goto L181;
																		} else {
																			L79:
																			_t860 = (_t884 & 0x00000003) + 3;
																			_t884 = _t884 >> 2;
																			 *(_t968 - 0x30) =  *(_t752 + 0x6e + _t701 * 2) & 0x0000ffff;
																			_t962 = _t962 - 2;
																			L91:
																			_t684 =  *(_t968 - 8);
																			_t750 =  *(_t968 - 8);
																			_t721 =  *(_t968 - 0xc);
																			 *(_t968 - 0x2c) = _t860;
																			 *(_t968 - 4) = _t884;
																			__eflags = _t860 +  *(_t968 - 0x24) - _t684[0x19] + _t750[0x18];
																			if(_t860 +  *(_t968 - 0x24) > _t684[0x19] + _t750[0x18]) {
																				L102:
																				( *(_t968 - 0x14))[6] = "invalid bit length repeat";
																				goto L180;
																			} else {
																				L92:
																				_t862 =  *(_t968 - 0x2c);
																				__eflags = _t862;
																				if(_t862 != 0) {
																					L93:
																					_t960 =  *(_t968 - 8);
																					_t751 =  *(_t968 - 0x30);
																					do {
																						L94:
																						 *(_t960 + 0x70 + _t960[0x1a] * 2) = _t751;
																						_t960[0x1a] = _t960[0x1a] + 1;
																						_t862 = _t862 - 1;
																						__eflags = _t862;
																					} while (_t862 != 0);
																					_t721 =  *(_t968 - 0xc);
																					_t927 =  *(_t968 - 0x10);
																				}
																				L96:
																				_t752 =  *(_t968 - 8);
																				goto L97;
																			}
																		}
																	} else {
																		while(1) {
																			L76:
																			__eflags = _t721;
																			if(_t721 == 0) {
																				goto L189;
																			}
																			L77:
																			_t705 = ( *_t927 & 0x000000ff) << _t962;
																			_t867 =  *(_t968 - 0x34);
																			_t721 = _t721 - 1;
																			_t927 =  &(_t927[1]);
																			_t884 = _t884 + _t705;
																			_t962 = _t962 + 8;
																			 *(_t968 - 0xc) = _t721;
																			 *(_t968 - 4) = _t884;
																			 *(_t968 - 0x10) = _t927;
																			__eflags = _t962 - _t867 + 2;
																			if(_t962 < _t867 + 2) {
																				continue;
																			} else {
																				goto L78;
																			}
																			goto L200;
																		}
																		goto L189;
																	}
																}
															} else {
																L69:
																_t873 = _t680 >> 0x00000008 & 0x000000ff;
																 *(_t968 - 0x34) = _t873;
																__eflags = _t962 - _t873;
																if(_t962 >= _t873) {
																	L73:
																	_t874 = _t680 & 0x000000ff;
																	_t884 = _t884 >> _t874;
																	_t962 = _t962 - _t874;
																	_t752 =  *(_t968 - 8);
																	 *((short*)(_t752 + 0x70 +  *(_t968 - 0x24) * 2)) =  *(_t968 - 0x2a);
																	_t752[0x1a] = _t752[0x1a] + 1;
																	_t927 =  *(_t968 - 0x10);
																	 *(_t968 - 4) = _t884;
																	goto L97;
																} else {
																	while(1) {
																		L70:
																		__eflags = _t721;
																		if(_t721 == 0) {
																			goto L189;
																		}
																		L71:
																		_t925 = ( *_t927 & 0x000000ff) << _t962;
																		_t721 = _t721 - 1;
																		_t927 =  &(_t927[1]);
																		_t962 = _t962 + 8;
																		 *(_t968 - 4) =  *(_t968 - 4) + _t925;
																		 *(_t968 - 0xc) = _t721;
																		 *(_t968 - 0x10) = _t927;
																		__eflags = _t962 -  *(_t968 - 0x34);
																		if(_t962 <  *(_t968 - 0x34)) {
																			continue;
																		} else {
																			L72:
																			_t884 =  *(_t968 - 4);
																			goto L73;
																		}
																		goto L200;
																	}
																	goto L189;
																}
															}
														} else {
															while(1) {
																L66:
																__eflags = _t721;
																if(_t721 == 0) {
																	goto L189;
																}
																L67:
																_t709 = ( *_t927 & 0x000000ff) << _t962;
																_t721 = _t721 - 1;
																_t927 =  &(_t927[1]);
																_t884 = _t884 + _t709;
																_t962 = _t962 + 8;
																_t680 =  *( *(_t968 - 0x30) + ( *(_t968 - 0x34) & _t884) * 4);
																 *(_t968 - 0xc) = _t721;
																 *(_t968 - 4) = _t884;
																 *(_t968 - 0x10) = _t927;
																 *(_t968 - 0x2c) = _t680;
																__eflags = (_t680 >> 0x00000008 & 0x000000ff) - _t962;
																if((_t680 >> 0x00000008 & 0x000000ff) > _t962) {
																	continue;
																} else {
																	goto L68;
																}
																goto L200;
															}
															goto L189;
														}
														goto L200;
														L97:
														 *(_t968 - 0x24) = _t752[0x1a];
														__eflags =  *(_t968 - 0x24) - _t752[0x19] + _t752[0x18];
													} while ( *(_t968 - 0x24) < _t752[0x19] + _t752[0x18]);
													goto L98;
												}
												goto L200;
											case 0xa:
												L106:
												__eflags = _t721 - 6;
												if(_t721 < 6) {
													L109:
													 *(_t968 - 0x34) = (1 << _t752[0x15]) - 1;
													_t772 = ( *(_t968 - 8))[0x13];
													 *(_t968 - 0x30) = _t772;
													_t605 =  *(_t772 + ( *(_t968 - 0x34) & _t884) * 4);
													__eflags = (_t605 >> 0x00000008 & 0x000000ff) - _t962;
													if((_t605 >> 0x00000008 & 0x000000ff) <= _t962) {
														L113:
														__eflags = _t605;
														if(_t605 == 0) {
															L120:
															_t778 = _t605 >> 0x00000008 & 0x000000ff;
															_t884 = _t884 >> _t778;
															_t962 = _t962 - _t778;
															( *(_t968 - 8))[0x10] = _t605 >> 0x10;
															_t927 =  *(_t968 - 0x10);
															_t752 =  *(_t968 - 8);
															 *(_t968 - 4) = _t884;
															__eflags = _t605;
															if(_t605 != 0) {
																L122:
																__eflags = _t605 & 0x00000020;
																if((_t605 & 0x00000020) == 0) {
																	L124:
																	__eflags = _t605 & 0x00000040;
																	if((_t605 & 0x00000040) == 0) {
																		L126:
																		_t607 = _t605 & 0xf;
																		__eflags = _t607;
																		_t752[0x12] = _t607;
																		 *_t752 = 0x13;
																		goto L127;
																	} else {
																		L125:
																		( *(_t968 - 0x14))[6] = "invalid literal/length code";
																		goto L181;
																	}
																} else {
																	L123:
																	 *_t752 = 0xb;
																	goto L182;
																}
															} else {
																L121:
																 *_t752 = 0x17;
																goto L182;
															}
														} else {
															L114:
															__eflags = _t605 & 0x000000f0;
															if((_t605 & 0x000000f0) != 0) {
																goto L120;
															} else {
																L115:
																_t824 = _t605 >> 8;
																 *(_t968 - 0x34) = _t824;
																_t919 = _t605;
																 *(_t968 - 0x2c) = _t919;
																_t605 =  *( *(_t968 - 0x30) + ((((0x00000001 << (_t605 & 0x000000ff) + (_t824 & 0x000000ff)) - 0x00000001 &  *(_t968 - 4)) >> (_t824 & 0x000000ff)) + (_t605 >> 0x10)) * 4);
																__eflags = (_t605 >> 0x00000008 & 0x000000ff) + ( *(_t968 - 0x34) & 0x000000ff) - _t962;
																if((_t605 >> 0x00000008 & 0x000000ff) + ( *(_t968 - 0x34) & 0x000000ff) <= _t962) {
																	L119:
																	_t721 =  *(_t968 - 0xc);
																	_t833 = _t919 & 0x000000ff;
																	_t884 =  *(_t968 - 4) >> _t833;
																	_t962 = _t962 - _t833;
																	__eflags = _t962;
																	goto L120;
																} else {
																	L116:
																	while(1) {
																		L117:
																		_t571 =  *(_t968 - 0xc);
																		__eflags = _t571;
																		if(_t571 == 0) {
																			goto L190;
																		}
																		L118:
																		_t746 =  *(_t968 - 0x10);
																		 *(_t968 - 0xc) = _t571 - 1;
																		 *(_t968 - 0x10) =  &(_t746[1]);
																		_t748 = _t919 & 0x000000ff;
																		 *(_t968 - 4) =  *(_t968 - 4) + (( *_t746 & 0x000000ff) << _t962);
																		_t962 = _t962 + 8;
																		_t605 =  *( *(_t968 - 0x30) + ((((0x00000001 << (_t919 & 0x000000ff) + _t748) - 0x00000001 &  *(_t968 - 4)) >> _t748) + ( *(_t968 - 0x2a) & 0x0000ffff)) * 4);
																		__eflags = (_t605 >> 0x00000008 & 0x000000ff) + _t748 - _t962;
																		if((_t605 >> 0x00000008 & 0x000000ff) + _t748 > _t962) {
																			continue;
																		} else {
																			goto L119;
																		}
																		goto L200;
																	}
																	goto L190;
																}
															}
														}
													} else {
														L110:
														while(1) {
															L111:
															__eflags = _t721;
															if(_t721 == 0) {
																goto L189;
															}
															L112:
															_t664 = ( *_t927 & 0x000000ff) << _t962;
															_t721 = _t721 - 1;
															_t927 =  &(_t927[1]);
															_t884 = _t884 + _t664;
															_t962 = _t962 + 8;
															_t605 =  *( *(_t968 - 0x30) + ( *(_t968 - 0x34) & _t884) * 4);
															 *(_t968 - 0xc) = _t721;
															 *(_t968 - 4) = _t884;
															 *(_t968 - 0x10) = _t927;
															__eflags = (_t605 >> 0x00000008 & 0x000000ff) - _t962;
															if((_t605 >> 0x00000008 & 0x000000ff) > _t962) {
																continue;
															} else {
																goto L113;
															}
															goto L200;
														}
														goto L189;
													}
												} else {
													L107:
													__eflags =  *(_t968 - 0x18) - 0x102;
													if( *(_t968 - 0x18) < 0x102) {
														goto L109;
													} else {
														L108:
														_t956 =  *(_t968 - 0x14);
														_t956[3] =  *(_t968 - 0x1c);
														_t668 = _t956;
														_t668[1] = _t721;
														_t668[4] =  *(_t968 - 0x18);
														_t752[0xe] = _t884;
														_t749 = _t668;
														_t752[0xf] = _t962;
														 *_t668 =  *(_t968 - 0x10);
														E00404A00(_t749,  *((intOrPtr*)(_t968 - 0x20)));
														_t752 =  *(_t968 - 8);
														_t927 =  *_t749;
														_t884 = _t752[0xe];
														_t962 = _t752[0xf];
														 *(_t968 - 0x1c) = _t749[3];
														_t721 = _t749[1];
														 *(_t968 - 0x18) = _t749[4];
														 *(_t968 - 0x10) = _t927;
														 *(_t968 - 0xc) = _t721;
														 *(_t968 - 4) = _t884;
														goto L182;
													}
												}
												goto L200;
											case 0xb:
												L127:
												_t608 = _t752[0x12];
												 *(_t968 - 0x30) = _t608;
												__eflags = _t608;
												if(_t608 == 0) {
													L133:
													 *_t752 = 0x14;
													goto L134;
												} else {
													L128:
													__eflags = _t962 - _t608;
													if(_t962 >= _t608) {
														L132:
														( *(_t968 - 8))[0x10] = ( *(_t968 - 8))[0x10] + ((0x00000001 <<  *(_t968 - 0x30)) - 0x00000001 & _t884);
														_t821 =  *(_t968 - 0x30);
														_t884 = _t884 >> _t821;
														_t962 = _t962 - _t821;
														__eflags = _t962;
														_t752 =  *(_t968 - 8);
														 *(_t968 - 4) = _t884;
														goto L133;
													} else {
														L129:
														while(1) {
															L130:
															__eflags = _t721;
															if(_t721 == 0) {
																goto L189;
															}
															L131:
															_t655 = ( *_t927 & 0x000000ff) << _t962;
															_t721 = _t721 - 1;
															_t927 =  &(_t927[1]);
															_t962 = _t962 + 8;
															_t884 = _t884 + _t655;
															 *(_t968 - 0xc) = _t721;
															 *(_t968 - 4) = _t884;
															 *(_t968 - 0x10) = _t927;
															__eflags = _t962 -  *(_t968 - 0x30);
															if(_t962 <  *(_t968 - 0x30)) {
																continue;
															} else {
																goto L132;
															}
															goto L200;
														}
														goto L189;
													}
												}
												goto L200;
											case 0xc:
												L134:
												 *(_t968 - 0x34) = (1 << _t752[0x16]) - 1;
												_t782 = ( *(_t968 - 8))[0x14];
												 *(_t968 - 0x30) = _t782;
												_t615 =  *(_t782 + ( *(_t968 - 0x34) & _t884) * 4);
												__eflags = (_t615 >> 0x00000008 & 0x000000ff) - _t962;
												if((_t615 >> 0x00000008 & 0x000000ff) <= _t962) {
													L137:
													__eflags = _t615 & 0x000000f0;
													if((_t615 & 0x000000f0) != 0) {
														L143:
														_t927 =  *(_t968 - 0x10);
														_t788 = _t615 >> 0x00000008 & 0x000000ff;
														_t884 = _t884 >> _t788;
														_t962 = _t962 - _t788;
														 *(_t968 - 4) = _t884;
														__eflags = _t615 & 0x00000040;
														if((_t615 & 0x00000040) == 0) {
															L145:
															_t726 =  *(_t968 - 8);
															_t726[0x11] = _t615 >> 0x10;
															_t752 = _t726;
															_t727 =  *(_t968 - 0xc);
															_t617 = _t615 & 0xf;
															__eflags = _t617;
															_t752[0x12] = _t617;
															 *_t752 = 0x15;
															goto L146;
														} else {
															L144:
															_t721 =  *(_t968 - 0xc);
															( *(_t968 - 0x14))[6] = "invalid distance code";
															L180:
															_t752 =  *(_t968 - 8);
															goto L181;
														}
													} else {
														L138:
														_t796 = _t615 >> 8;
														 *(_t968 - 0x34) = _t796;
														_t917 = _t615;
														 *(_t968 - 0x2c) = _t917;
														_t615 =  *( *(_t968 - 0x30) + ((((0x00000001 << (_t615 & 0x000000ff) + (_t796 & 0x000000ff)) - 0x00000001 &  *(_t968 - 4)) >> (_t796 & 0x000000ff)) + (_t615 >> 0x10)) * 4);
														__eflags = (_t615 >> 0x00000008 & 0x000000ff) + ( *(_t968 - 0x34) & 0x000000ff) - _t962;
														if((_t615 >> 0x00000008 & 0x000000ff) + ( *(_t968 - 0x34) & 0x000000ff) <= _t962) {
															L142:
															_t805 = _t917 & 0x000000ff;
															_t884 =  *(_t968 - 4) >> _t805;
															_t962 = _t962 - _t805;
															__eflags = _t962;
															goto L143;
														} else {
															L139:
															while(1) {
																L140:
																_t571 =  *(_t968 - 0xc);
																__eflags = _t571;
																if(_t571 == 0) {
																	goto L190;
																}
																L141:
																_t737 =  *(_t968 - 0x10);
																 *(_t968 - 0xc) = _t571 - 1;
																 *(_t968 - 0x10) =  &(_t737[1]);
																_t739 = _t917 & 0x000000ff;
																 *(_t968 - 4) =  *(_t968 - 4) + (( *_t737 & 0x000000ff) << _t962);
																_t962 = _t962 + 8;
																_t615 =  *( *(_t968 - 0x30) + ((((0x00000001 << (_t917 & 0x000000ff) + _t739) - 0x00000001 &  *(_t968 - 4)) >> _t739) + ( *(_t968 - 0x2a) & 0x0000ffff)) * 4);
																__eflags = (_t615 >> 0x00000008 & 0x000000ff) + _t739 - _t962;
																if((_t615 >> 0x00000008 & 0x000000ff) + _t739 > _t962) {
																	continue;
																} else {
																	goto L142;
																}
																goto L200;
															}
															goto L190;
														}
													}
												} else {
													while(1) {
														L135:
														__eflags = _t721;
														if(_t721 == 0) {
															goto L189;
														}
														L136:
														_t647 = ( *_t927 & 0x000000ff) << _t962;
														_t721 = _t721 - 1;
														_t927 =  &(_t927[1]);
														_t884 = _t884 + _t647;
														_t962 = _t962 + 8;
														_t615 =  *( *(_t968 - 0x30) + ( *(_t968 - 0x34) & _t884) * 4);
														 *(_t968 - 0xc) = _t721;
														 *(_t968 - 4) = _t884;
														 *(_t968 - 0x10) = _t927;
														__eflags = (_t615 >> 0x00000008 & 0x000000ff) - _t962;
														if((_t615 >> 0x00000008 & 0x000000ff) > _t962) {
															continue;
														} else {
															goto L137;
														}
														goto L200;
													}
													goto L189;
												}
												goto L200;
											case 0xd:
												L146:
												_t618 = _t752[0x12];
												 *(_t968 - 0x30) = _t618;
												__eflags = _t618;
												if(_t618 == 0) {
													L151:
													_t721 =  *(_t968 - 0xc);
													__eflags = _t752[0x11] - _t752[0xb] -  *(_t968 - 0x18) +  *((intOrPtr*)(_t968 - 0x20));
													if(_t752[0x11] <= _t752[0xb] -  *(_t968 - 0x18) +  *((intOrPtr*)(_t968 - 0x20))) {
														L153:
														 *_t752 = 0x16;
														goto L154;
													} else {
														L152:
														( *(_t968 - 0x14))[6] = "invalid distance too far back";
														goto L181;
													}
												} else {
													L147:
													__eflags = _t962 - _t618;
													if(_t962 >= _t618) {
														L150:
														( *(_t968 - 8))[0x11] = ( *(_t968 - 8))[0x11] + ((0x00000001 <<  *(_t968 - 0x30)) - 0x00000001 & _t884);
														_t793 =  *(_t968 - 0x30);
														_t884 = _t884 >> _t793;
														_t962 = _t962 - _t793;
														__eflags = _t962;
														_t752 =  *(_t968 - 8);
														 *(_t968 - 4) = _t884;
														goto L151;
													} else {
														while(1) {
															L148:
															__eflags = _t727;
															if(_t727 == 0) {
																goto L189;
															}
															L149:
															_t638 = ( *_t927 & 0x000000ff) << _t962;
															_t727 = _t727 - 1;
															_t927 =  &(_t927[1]);
															_t962 = _t962 + 8;
															_t884 = _t884 + _t638;
															 *(_t968 - 0xc) = _t727;
															 *(_t968 - 4) = _t884;
															 *(_t968 - 0x10) = _t927;
															__eflags = _t962 -  *(_t968 - 0x30);
															if(_t962 <  *(_t968 - 0x30)) {
																continue;
															} else {
																goto L150;
															}
															goto L200;
														}
														goto L189;
													}
												}
												goto L200;
											case 0xe:
												L154:
												__eflags =  *(_t968 - 0x18);
												if( *(_t968 - 0x18) == 0) {
													goto L189;
												} else {
													L155:
													 *(_t968 - 0x34) =  *((intOrPtr*)(_t968 - 0x20)) -  *(_t968 - 0x18);
													_t624 = _t752[0x11];
													__eflags = _t624 -  *(_t968 - 0x34);
													if(_t624 <=  *(_t968 - 0x34)) {
														L161:
														 *(_t968 - 0x24) =  *(_t968 - 0x1c);
														_t442 = _t968 - 0x24;
														 *_t442 =  *(_t968 - 0x24) - _t624;
														__eflags =  *_t442;
														_t625 = _t752[0x10];
														 *(_t968 - 0x30) = _t625;
														goto L162;
													} else {
														L156:
														_t631 = _t624 -  *(_t968 - 0x34);
														_t936 = _t752[0xc];
														_t913 = _t752[0xd];
														 *(_t968 - 0x2c) = _t631;
														__eflags = _t631 - _t936;
														if(_t631 <= _t936) {
															_t915 = _t913 - _t631 + _t936;
															__eflags = _t915;
														} else {
															_t631 = _t631 - _t936;
															 *(_t968 - 0x2c) = _t631;
															_t915 = _t913 + _t752[0xa] - _t631;
														}
														_t937 = _t752[0x10];
														 *(_t968 - 0x24) = _t915;
														 *(_t968 - 0x30) = _t937;
														__eflags = _t631 - _t937;
														if(_t631 > _t937) {
															L160:
															_t625 = _t937;
															L162:
															 *(_t968 - 0x2c) = _t625;
														}
													}
													L163:
													_t626 =  *(_t968 - 0x18);
													_t934 =  *(_t968 - 0x2c);
													_t912 =  *(_t968 - 0x1c);
													__eflags = _t934 - _t626;
													_t935 =  >  ? _t626 : _t934;
													 *(_t968 - 0x18) = _t626 - _t935;
													_t752[0x10] =  *(_t968 - 0x30) - _t935;
													_t730 =  *(_t968 - 0x24) - _t912;
													do {
														L164:
														 *_t912 =  *((intOrPtr*)(_t730 + _t912));
														_t912 = _t912 + 1;
														_t935 = _t935 - 1;
														__eflags = _t935;
													} while (_t935 != 0);
													__eflags = _t752[0x10];
													_t721 =  *(_t968 - 0xc);
													_t927 =  *(_t968 - 0x10);
													 *(_t968 - 0x1c) = _t912;
													_t884 =  *(_t968 - 4);
													if(_t752[0x10] == 0) {
														 *_t752 = 0x12;
													}
													goto L182;
												}
												goto L200;
											case 0xf:
												L167:
												__eflags =  *(__ebp - 0x18);
												if( *(__ebp - 0x18) == 0) {
													goto L189;
												} else {
													L168:
													__edx =  *(__ebp - 0x1c);
													__al =  *(__ecx + 0x40);
													 *(__ebp - 0x1c) =  *(__ebp - 0x1c) + 1;
													 *(__ebp - 0x18) =  *(__ebp - 0x18) - 1;
													 *( *(__ebp - 0x1c)) = __al;
													__edx =  *(__ebp - 4);
													 *__ecx = 0x12;
													goto L182;
												}
												goto L200;
											case 0x10:
												L169:
												__eflags =  *(__ecx + 8);
												if ( *(__ecx + 8) == 0) goto L186;
												__eflags = __bl & __bh;
												 *__eax =  *__eax + __al;
												_t471 = __ebx + 0x287320fe;
												 *_t471 =  *(__ebx + 0x287320fe) + __al;
												__eflags =  *_t471;
											case 0x11:
												L187:
												 *((intOrPtr*)(__ebp - 0x28)) = 1;
												goto L189;
											case 0x12:
												L188:
												 *((intOrPtr*)(__ebp - 0x28)) = 0xfffffffd;
												goto L189;
											case 0x13:
												goto L195;
										}
									}
									L183:
									return 0xfffffffe;
								}
							} else {
								do {
									L52:
									if(_t962 >= 3) {
										goto L55;
									} else {
										while(1) {
											L53:
											if(_t721 == 0) {
												goto L189;
											}
											L54:
											_t720 = ( *_t927 & 0x000000ff) << _t962;
											_t721 = _t721 - 1;
											_t927 =  &(_t927[1]);
											_t962 = _t962 + 8;
											_t884 = _t884 + _t720;
											 *(_t968 - 0xc) = _t721;
											 *(_t968 - 4) = _t884;
											 *(_t968 - 0x10) = _t927;
											if(_t962 < 3) {
												continue;
											} else {
												goto L55;
											}
											goto L200;
										}
										goto L189;
									}
									goto L200;
									L55:
									_t961 =  *(_t968 - 8);
									 *((short*)(_t961 + 0x70 + ( *(0x401e88 + ( *(_t968 - 8))[0x1a] * 2) & 0x0000ffff) * 2)) = _t884 & 0x00000007;
									_t752 = _t961;
									_t927 =  *(_t968 - 0x10);
									_t752[0x1a] = _t752[0x1a] + 1;
									_t884 = _t884 >> 3;
									_t962 = _t962 - 3;
									 *(_t968 - 4) = _t884;
								} while (_t752[0x1a] < _t752[0x17]);
								goto L56;
							}
						}
					}
					goto L200;
				}
			}

0x00403b94
0x00403b94
0x00403b94
0x00403b94
0x00403b94
0x00403b94
0x00403b94
0x00403b97
0x00000000
0x00000000
0x00000000
0x00403ba0
0x00403ba0
0x00403ba2
0x00000000
0x00000000
0x00403ba8
0x00403ba8
0x00403bab
0x00403bad
0x00403baf
0x00403bb0
0x00403bb1
0x00403bb4
0x00403bb6
0x00403bb9
0x00403bbc
0x00403bc2
0x00000000
0x00403bc4
0x00403bc4
0x00403bc4
0x00000000
0x00403bc4
0x00000000
0x00403bc2
0x0040463b
0x0040463b
0x0040463e
0x0040463e
0x00404644
0x00404647
0x0040464e
0x00404654
0x0040465a
0x0040465d
0x00404660
0x00404663
0x00404665
0x00404668
0x00404673
0x00404677
0x0040467e
0x00000000
0x00404680
0x00404680
0x00404680
0x00404686
0x00404691
0x00404691
0x0040466a
0x0040466a
0x0040466d
0x00404692
0x00404695
0x0040469b
0x0040469e
0x004046a1
0x004046a8
0x004046ac
0x004046b7
0x004046bf
0x004046c2
0x004046c2
0x004046ac
0x004046ca
0x004046d9
0x004046dc
0x004046df
0x004046e1
0x004046ed
0x004046f0
0x004046f7
0x0040466f
0x0040466f
0x00404671
0x00000000
0x00000000
0x00000000
0x00000000
0x00404671
0x0040466d
0x00000000
0x00403bc7
0x00403bd1
0x00403bd4
0x00403bdd
0x00403be0
0x00403beb
0x00403bee
0x00403bf8
0x00403bfb
0x00403bfe
0x00403cfb
0x00403cfe
0x00000000
0x00403c04
0x00403c04
0x00403c08
0x00000000
0x00403c0e
0x00403c0e
0x00403c0e
0x00403c15
0x00403c1b
0x00403c21
0x00403c80
0x00403c84
0x00403c90
0x00403c9d
0x00403ca2
0x00403ca5
0x00403cab
0x00403cab
0x00403cae
0x00403cb4
0x00403cb6
0x00403cbc
0x00403cc4
0x00403cc5
0x00403cc6
0x00403cca
0x00403cd0
0x00403cd7
0x00403cdc
0x00403cdf
0x00403ce2
0x00403ce5
0x00403cea
0x00403d0a
0x00403d0a
0x00403d11
0x00000000
0x00403cec
0x00403cec
0x00403cef
0x004045d2
0x004045d2
0x004045d8
0x004045d8
0x004045d8
0x004045dd
0x00000000
0x00000000
0x00403881
0x00403881
0x00000000
0x00403888
0x0040388c
0x00403899
0x00403899
0x0040389c
0x004038c4
0x004038d1
0x004038d6
0x004038d8
0x004038db
0x004038ec
0x004038ec
0x004038f3
0x004038f5
0x00403906
0x00403906
0x0040390e
0x00403911
0x00403914
0x00403917
0x0040391a
0x0040391d
0x0040392e
0x0040393f
0x00403944
0x0040394c
0x0040394f
0x00403960
0x00403962
0x00403964
0x00403967
0x0040396a
0x0040396d
0x0040391f
0x0040391f
0x00403922
0x00000000
0x00403922
0x004038f7
0x004038f7
0x004038fa
0x00000000
0x004038fa
0x004038dd
0x004038dd
0x004038e0
0x00000000
0x004038e0
0x00000000
0x004038a0
0x00000000
0x004038a0
0x004038a0
0x004038a0
0x004038a2
0x00000000
0x00000000
0x004038a8
0x004038ad
0x004038af
0x004038b0
0x004038b1
0x004038b4
0x004038b6
0x004038b9
0x004038bc
0x004038bf
0x004038c2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004038c2
0x00000000
0x004038a0
0x0040388e
0x0040388e
0x00000000
0x0040388e
0x00000000
0x00000000
0x00000000
0x00000000
0x00403974
0x00403974
0x00403977
0x004039a4
0x004039a4
0x004039a8
0x004039b1
0x004039b5
0x004039b8
0x004039bb
0x004039c0
0x004039c3
0x004039c5
0x004039c8
0x004039ca
0x004039cd
0x004039d0
0x004039d3
0x004039d5
0x004039d8
0x004039d8
0x004039da
0x00000000
0x00403980
0x00000000
0x00403980
0x00403980
0x00403980
0x00403982
0x00000000
0x00000000
0x00403988
0x00403988
0x0040398b
0x0040398d
0x0040398f
0x00403990
0x00403991
0x00403994
0x00403996
0x00403999
0x0040399c
0x0040399f
0x004039a2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004039a2
0x00000000
0x00403980
0x00000000
0x00000000
0x004039e0
0x004039e0
0x004039e4
0x004045ef
0x004045ef
0x004045f2
0x004045f5
0x004045f8
0x004045fa
0x004045fd
0x00404600
0x00404603
0x00404606
0x00404609
0x0040460a
0x0040460c
0x0040460d
0x00404610
0x00404615
0x00404616
0x00404618
0x00404619
0x004039ea
0x004039ea
0x004039ec
0x004039ee
0x004039ee
0x004039f0
0x004039f5
0x004039f8
0x004039fb
0x004039fe
0x00403a04
0x00403a07
0x00000000
0x00403a07
0x00000000
0x00000000
0x00403a0d
0x00403a0d
0x00403a11
0x00403a2d
0x00403a2d
0x00403a30
0x00403a59
0x00403a59
0x00403a5b
0x00403a5e
0x00403a60
0x00403a63
0x00403a65
0x00403a68
0x00403a6b
0x00403ac5
0x00403ac5
0x00403ac8
0x00403acb
0x00403a6d
0x00403a6d
0x00403a6d
0x00000000
0x00403a74
0x00403a74
0x00403a77
0x00403a7d
0x00403a80
0x00000000
0x00000000
0x00403a88
0x00403a88
0x00403a8d
0x00403a90
0x00403a96
0x00403a99
0x00000000
0x00000000
0x00403aa1
0x00403aa1
0x00403aa4
0x00403aaa
0x00403aad
0x00000000
0x00000000
0x00403ab5
0x00403ab5
0x00403ab8
0x00403abe
0x00000000
0x00000000
0x00403a6d
0x00000000
0x00403a32
0x00403a32
0x00403a32
0x00403a32
0x00403a34
0x00000000
0x00000000
0x00403a3a
0x00403a3a
0x00403a3d
0x00403a3f
0x00403a41
0x00403a42
0x00403a43
0x00403a46
0x00403a48
0x00403a4b
0x00403a4e
0x00403a51
0x00403a54
0x00000000
0x00403a56
0x00403a56
0x00403a56
0x00000000
0x00403a56
0x00000000
0x00403a54
0x00000000
0x00403a32
0x00403a13
0x00403a13
0x00403a15
0x00403a18
0x00403a1a
0x00403a1c
0x00403a1f
0x00403a22
0x00000000
0x00403a22
0x00000000
0x00000000
0x00403ad3
0x00403ad3
0x00403ad5
0x00403ad8
0x00403ada
0x00403adc
0x00403adf
0x00403ae2
0x00403b08
0x00403b08
0x00403b0a
0x00403b0c
0x00403b14
0x00403b17
0x00403b1a
0x00403b1c
0x00403b1f
0x00403b30
0x00403b30
0x00403b33
0x00403b35
0x00403b38
0x00403b3b
0x00403b3b
0x00403b3d
0x00000000
0x00403b21
0x00403b21
0x00403b21
0x00403b24
0x00000000
0x00403b24
0x00403ae4
0x00403ae4
0x00403ae4
0x00403ae4
0x00403ae6
0x00000000
0x00000000
0x00403aec
0x00403aec
0x00403aef
0x00403af1
0x00403af3
0x00403af4
0x00403af5
0x00403af8
0x00403afa
0x00403afd
0x00403b00
0x00403b03
0x00403b06
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403b06
0x00000000
0x00403ae4
0x00000000
0x00000000
0x00403b43
0x00403b43
0x00403b46
0x00403b48
0x00000000
0x00403b4e
0x00403b4e
0x00403b4e
0x00403b50
0x00403b53
0x00403b56
0x00403b5a
0x00403b5d
0x00403b5f
0x00000000
0x00403b65
0x00403b65
0x00403b65
0x00403b69
0x00403b6b
0x00403b70
0x00403b73
0x00403b76
0x00403b79
0x00403b7c
0x00403b7f
0x00403b81
0x00403b86
0x00403b89
0x00403b8c
0x00000000
0x00403b8c
0x00403b5f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d17
0x00403d1a
0x00403d1d
0x00403d26
0x00403d29
0x00403f70
0x00403f70
0x00403f73
0x00000000
0x00403f79
0x00403f79
0x00403f79
0x00403f7c
0x00403f82
0x00403f88
0x00403f8a
0x00403f8d
0x00403f90
0x00403f91
0x00403f92
0x00403f93
0x00403f96
0x00403fa1
0x00403fa7
0x00403faa
0x00403faf
0x00403fb2
0x00403fb5
0x00403fb8
0x00403fbb
0x00403fbd
0x00403fef
0x00403fef
0x00403ff2
0x00403ff7
0x00403ffa
0x00403ffd
0x00403ffe
0x00403fff
0x00404002
0x00404016
0x0040401b
0x0040401e
0x00404021
0x00404024
0x00404027
0x00404029
0x0040403a
0x0040403a
0x00000000
0x0040402b
0x0040402b
0x0040402e
0x00000000
0x0040402e
0x00403fbf
0x00403fbf
0x00403fc2
0x00403fc5
0x00000000
0x00403fc5
0x00403fbd
0x00403d30
0x00000000
0x00403d30
0x00403d30
0x00403d3a
0x00403d3a
0x00403d40
0x00403d46
0x00403d50
0x00403d5b
0x00403d5e
0x00403d60
0x00403d9b
0x00403da0
0x00403da3
0x00403dfd
0x00403dfd
0x00403e01
0x00403e05
0x00403e6d
0x00403e6d
0x00403e71
0x00403e74
0x00403ec0
0x00403ec3
0x00403ec6
0x00403ec8
0x00403ef9
0x00403ef9
0x00403f05
0x00403f08
0x00403f0b
0x00403f0b
0x00000000
0x00403ed0
0x00000000
0x00403ed0
0x00403ed0
0x00403ed0
0x00403ed2
0x00000000
0x00000000
0x00403ed8
0x00403edd
0x00403edf
0x00403ee2
0x00403ee3
0x00403ee4
0x00403ee6
0x00403eec
0x00403eef
0x00403ef2
0x00403ef5
0x00403ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ef7
0x00000000
0x00403ed0
0x00403e76
0x00403e76
0x00403e79
0x00403e7c
0x00403e7e
0x00403ea9
0x00403ea9
0x00403eb5
0x00403eb8
0x00403ebb
0x00403f0e
0x00403f0e
0x00403f0e
0x00403f10
0x00000000
0x00403e80
0x00403e80
0x00403e80
0x00403e80
0x00403e82
0x00000000
0x00000000
0x00403e88
0x00403e8d
0x00403e8f
0x00403e92
0x00403e93
0x00403e94
0x00403e96
0x00403e9c
0x00403e9f
0x00403ea2
0x00403ea5
0x00403ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ea7
0x00000000
0x00403e80
0x00403e7e
0x00403e07
0x00403e07
0x00403e07
0x00403e0a
0x00403e10
0x00403e12
0x00403e3d
0x00403e3d
0x00403e40
0x00403e42
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00403fd1
0x00403fd4
0x00000000
0x00403e52
0x00403e52
0x00403e5c
0x00403e5f
0x00403e62
0x00403e65
0x00403f17
0x00403f17
0x00403f1a
0x00403f23
0x00403f26
0x00403f2c
0x00403f2f
0x00403f31
0x00403fe0
0x00403fe3
0x00000000
0x00403f37
0x00403f37
0x00403f37
0x00403f3a
0x00403f3c
0x00403f3e
0x00403f3e
0x00403f41
0x00403f44
0x00403f44
0x00403f47
0x00403f4c
0x00403f4f
0x00403f4f
0x00403f4f
0x00403f52
0x00403f55
0x00403f55
0x00403f58
0x00403f58
0x00000000
0x00403f58
0x00403f31
0x00403e14
0x00403e14
0x00403e14
0x00403e14
0x00403e16
0x00000000
0x00000000
0x00403e1c
0x00403e21
0x00403e23
0x00403e26
0x00403e27
0x00403e28
0x00403e2a
0x00403e30
0x00403e33
0x00403e36
0x00403e39
0x00403e3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403e3b
0x00000000
0x00403e14
0x00403e12
0x00403da5
0x00403da5
0x00403daa
0x00403dad
0x00403db0
0x00403db2
0x00403dd9
0x00403ddc
0x00403de3
0x00403de5
0x00403de7
0x00403dea
0x00403def
0x00403df2
0x00403df5
0x00000000
0x00403db4
0x00403db4
0x00403db4
0x00403db4
0x00403db6
0x00000000
0x00000000
0x00403dbc
0x00403dc1
0x00403dc3
0x00403dc4
0x00403dc5
0x00403dc8
0x00403dcb
0x00403dce
0x00403dd1
0x00403dd4
0x00000000
0x00403dd6
0x00403dd6
0x00403dd6
0x00000000
0x00403dd6
0x00000000
0x00403dd4
0x00000000
0x00403db4
0x00403db2
0x00403d62
0x00403d62
0x00403d62
0x00403d62
0x00403d64
0x00000000
0x00000000
0x00403d6a
0x00403d6f
0x00403d74
0x00403d75
0x00403d76
0x00403d7d
0x00403d80
0x00403d8b
0x00403d8e
0x00403d91
0x00403d94
0x00403d97
0x00403d99
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d99
0x00000000
0x00403d62
0x00000000
0x00403f5b
0x00403f5e
0x00403f67
0x00403f67
0x00000000
0x00403d30
0x00000000
0x00000000
0x00404040
0x00404040
0x00404043
0x004040a1
0x004040ac
0x004040b2
0x004040ba
0x004040bd
0x004040c8
0x004040ca
0x00404106
0x00404106
0x00404108
0x004041c1
0x004041c9
0x004041cc
0x004041ce
0x004041d5
0x004041d8
0x004041db
0x004041de
0x004041e1
0x004041e3
0x004041f0
0x004041f0
0x004041f2
0x004041ff
0x004041ff
0x00404201
0x00404212
0x00404215
0x00404215
0x00404218
0x0040421b
0x00000000
0x00404203
0x00404203
0x00404206
0x00000000
0x00404206
0x004041f4
0x004041f4
0x004041f4
0x00000000
0x004041f4
0x004041e5
0x004041e5
0x004041e5
0x00000000
0x004041e5
0x0040410e
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00404116
0x00404116
0x00404118
0x0040411e
0x0040412f
0x00404138
0x00404142
0x00404155
0x00404157
0x004041b4
0x004041b4
0x004041b7
0x004041bd
0x004041bf
0x004041bf
0x00000000
0x00404160
0x00000000
0x00404160
0x00404160
0x00404160
0x00404163
0x00404165
0x00000000
0x00000000
0x0040416b
0x0040416b
0x0040416f
0x0040417a
0x0040417d
0x00404180
0x00404195
0x004041a3
0x004041b0
0x004041b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004041b2
0x00000000
0x00404160
0x00404157
0x00404110
0x004040d0
0x00000000
0x004040d0
0x004040d0
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d8
0x004040dd
0x004040e2
0x004040e3
0x004040e4
0x004040eb
0x004040ee
0x004040f9
0x004040fc
0x004040ff
0x00404102
0x00404104
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404104
0x00000000
0x004040d0
0x00404045
0x00404045
0x00404045
0x0040404c
0x00000000
0x0040404e
0x0040404e
0x0040404e
0x00404054
0x00404057
0x0040405c
0x0040405f
0x00404065
0x0040406b
0x0040406d
0x00404072
0x00404074
0x0040407c
0x0040407f
0x00404081
0x00404084
0x00404087
0x0040408d
0x00404090
0x00404093
0x00404096
0x00404099
0x00000000
0x00404099
0x0040404c
0x00000000
0x00000000
0x00404221
0x00404221
0x00404224
0x00404227
0x00404229
0x00404274
0x00404274
0x00000000
0x0040422b
0x0040422b
0x0040422b
0x0040422d
0x00404254
0x00404264
0x00404267
0x0040426a
0x0040426c
0x0040426c
0x0040426e
0x00404271
0x00000000
0x00404230
0x00000000
0x00404230
0x00404230
0x00404230
0x00404232
0x00000000
0x00000000
0x00404238
0x0040423d
0x0040423f
0x00404240
0x00404241
0x00404244
0x00404246
0x00404249
0x0040424c
0x0040424f
0x00404252
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404252
0x00000000
0x00404230
0x0040422d
0x00000000
0x00000000
0x0040427a
0x00404285
0x0040428b
0x00404293
0x00404296
0x004042a1
0x004042a3
0x004042db
0x004042db
0x004042dd
0x0040438e
0x0040438e
0x00404396
0x00404399
0x0040439b
0x0040439d
0x004043a0
0x004043a2
0x004043b6
0x004043b6
0x004043c1
0x004043c4
0x004043c6
0x004043c9
0x004043c9
0x004043cc
0x004043cf
0x00000000
0x004043a4
0x004043a4
0x004043a7
0x004043aa
0x004045cf
0x004045cf
0x00000000
0x004045cf
0x004042e3
0x004042e3
0x004042e5
0x004042eb
0x004042fc
0x00404305
0x0040430f
0x00404322
0x00404324
0x00404384
0x00404384
0x0040438a
0x0040438c
0x0040438c
0x00000000
0x00404326
0x00404326
0x00404330
0x00404330
0x00404330
0x00404333
0x00404335
0x00000000
0x00000000
0x0040433b
0x0040433b
0x0040433f
0x0040434a
0x0040434d
0x00404350
0x00404365
0x00404373
0x00404380
0x00404382
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404382
0x00000000
0x00404330
0x00404324
0x004042a5
0x004042a5
0x004042a5
0x004042a5
0x004042a7
0x00000000
0x00000000
0x004042ad
0x004042b2
0x004042b7
0x004042b8
0x004042b9
0x004042c0
0x004042c3
0x004042ce
0x004042d1
0x004042d4
0x004042d7
0x004042d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004042d9
0x00000000
0x004042a5
0x00000000
0x00000000
0x004043d5
0x004043d5
0x004043d8
0x004043db
0x004043dd
0x00404427
0x0040442d
0x00404433
0x00404436
0x00404447
0x00404447
0x00000000
0x00404438
0x00404438
0x0040443b
0x00000000
0x0040443b
0x004043df
0x004043df
0x004043df
0x004043e1
0x00404407
0x00404417
0x0040441a
0x0040441d
0x0040441f
0x0040441f
0x00404421
0x00404424
0x00000000
0x004043e3
0x004043e3
0x004043e3
0x004043e3
0x004043e5
0x00000000
0x00000000
0x004043eb
0x004043f0
0x004043f2
0x004043f3
0x004043f4
0x004043f7
0x004043f9
0x004043fc
0x004043ff
0x00404402
0x00404405
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404405
0x00000000
0x004043e3
0x004043e1
0x00000000
0x00000000
0x0040444d
0x0040444d
0x00404451
0x00000000
0x00404457
0x00404457
0x0040445d
0x00404460
0x00404463
0x00404466
0x00404499
0x0040449c
0x0040449f
0x0040449f
0x0040449f
0x004044a2
0x004044a5
0x00000000
0x00404468
0x00404468
0x00404468
0x0040446b
0x0040446e
0x00404471
0x00404474
0x00404476
0x00404486
0x00404486
0x00404478
0x0040447b
0x0040447d
0x00404480
0x00404480
0x00404488
0x0040448b
0x0040448e
0x00404491
0x00404493
0x00404495
0x00404495
0x004044a8
0x004044a8
0x004044a8
0x00404493
0x004044ab
0x004044ab
0x004044ae
0x004044b4
0x004044b7
0x004044b9
0x004044be
0x004044c6
0x004044c9
0x004044d0
0x004044d0
0x004044d3
0x004044d5
0x004044d6
0x004044d6
0x004044d6
0x004044d9
0x004044dd
0x004044e0
0x004044e3
0x004044e6
0x004044e9
0x004044ef
0x004044ef
0x00000000
0x004044e9
0x00000000
0x00000000
0x004044fa
0x004044fa
0x004044fe
0x00000000
0x00404504
0x00404504
0x00404504
0x00404507
0x0040450a
0x0040450d
0x00404510
0x00404512
0x00404515
0x00000000
0x00404515
0x00000000
0x00000000
0x00404520
0x00404520
0x00404524
0x00404525
0x00404527
0x00404529
0x00404529
0x00404529
0x00000000
0x0040462b
0x0040462b
0x00000000
0x00000000
0x00404634
0x00404634
0x00000000
0x00000000
0x00000000
0x00000000
0x00403881
0x004045e3
0x004045ee
0x004045ee
0x00403c23
0x00403c23
0x00403c23
0x00403c26
0x00000000
0x00403c28
0x00403c28
0x00403c28
0x00403c2a
0x00000000
0x00000000
0x00403c30
0x00403c35
0x00403c37
0x00403c38
0x00403c39
0x00403c3c
0x00403c3e
0x00403c41
0x00403c44
0x00403c4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403c4a
0x00000000
0x00403c28
0x00000000
0x00403c4c
0x00403c4f
0x00403c62
0x00403c67
0x00403c69
0x00403c6c
0x00403c72
0x00403c75
0x00403c78
0x00403c7b
0x00000000
0x00403c23
0x00403c21
0x00403c08
0x00000000
0x00403bfe

Strings

invalid distance code, xrefs: 004043AA
invalid bit length repeat, xrefs: 00403FD4, 00403FE3
too many length or distance symbols, xrefs: 00403CFE
invalid literal/lengths set, xrefs: 00403FC5
invalid distances set, xrefs: 0040402E
invalid distance too far back, xrefs: 0040443B
invalid code lengths set, xrefs: 00403CEF
invalid literal/length code, xrefs: 00404206

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-3031085480
Opcode ID: f843559181b3eddef584535979cd46becc40e661da0969ac0c0187d253ca7099
Instruction ID: c3d8636758cc87c69dd868ecd8b18c2958eac614a34282fa84de43e31d21a4c9
Opcode Fuzzy Hash: f843559181b3eddef584535979cd46becc40e661da0969ac0c0187d253ca7099
Instruction Fuzzy Hash: A1724BB1E002199BCB08CF59C9906ADBBF1FF88315F2441AED955BB381D7399E42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040342C, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040342C(void* __ecx) {
				long _v8;
				long _v12;
				void _v32;
				void* _t14;
				void* _t17;

				_t14 = __ecx;
				if(NtQueryInformationProcess(0xffffffff, 0,  &_v32, 0x18,  &_v8) >= 0) {
					_t17 = OpenProcess(0x1f0fff, 0, _v12);
					if(_t17 == 0) {
						_push(_t14);
						E004024AA(L"0x0064: ");
						E00402443(0x406048, GetLastError(), 0xa);
					}
					return _t17;
				} else {
					_push(_t14);
					E004024AA(L"0x0063: ");
					return 0;
				}
			}

0x0040342c
0x00403448
0x0040346a
0x0040346e
0x00403470
0x00403476
0x00403489
0x00403489
0x00403492
0x0040344a
0x0040344a
0x00403450
0x00403458
0x00403458

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,004032F8), ref: 00403440
OpenProcess.KERNEL32(001F0FFF,00000000,?,74B05910,?,?,?,?,?,?,004032F8), ref: 00403464
GetLastError.KERNEL32(0000000A,0x0064: ,?,?,?,?,?,?,?,004032F8), ref: 0040347D

Part of subcall function 004024AA: memcpy.NTDLL(00000070,?,?,?,00000000,?,004031AC,Z2: ,?,00000003), ref: 004024CD

Strings

0x0063: , xrefs: 0040344B
0x0064: , xrefs: 00403471
There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00, xrefs: 00403484

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID: Process$ErrorInformationLastOpenQuerymemcpy
String ID: 0x0063: $0x0064: $There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00
API String ID: 3755100833-3586249592
Opcode ID: 3df8f3208fce2bebf5f42b168975b62d5b38a5c3da433878e18d03a61351feeb
Instruction ID: 2c9048ae54063928d09755c5af14eb6a3490dc81d9ec51edb3402755fe96f836
Opcode Fuzzy Hash: 3df8f3208fce2bebf5f42b168975b62d5b38a5c3da433878e18d03a61351feeb
Instruction Fuzzy Hash: F6F0E971B802147BD71177E59D0BF9A3AAC8B04B65F104276FA11F50D1D7F8D94442AA

Uniqueness

Uniqueness Score: -1.00%

Function 00404A00, Relevance: 4.2, Strings: 3, Instructions: 400
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404A00(intOrPtr* __ecx, void* __edx) {
				signed int _v8;
				signed char* _v12;
				signed char _v16;
				intOrPtr* _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _t172;
				signed int _t191;
				intOrPtr _t201;
				unsigned int _t208;
				signed char _t210;
				void* _t217;
				signed int _t220;
				intOrPtr* _t223;
				intOrPtr _t224;
				signed int _t231;
				signed int _t233;
				signed int _t236;
				intOrPtr _t237;
				signed int _t238;
				signed int _t241;
				signed char* _t243;
				signed int _t245;
				signed char* _t247;
				signed char* _t258;
				signed char* _t262;
				signed char* _t281;
				unsigned int _t282;
				void* _t284;
				intOrPtr* _t285;
				signed char* _t286;
				unsigned int _t287;
				intOrPtr _t290;
				signed char _t295;
				signed char _t302;
				signed char _t303;
				void* _t305;
				void* _t307;
				intOrPtr _t308;
				void* _t310;
				intOrPtr _t311;
				unsigned int _t317;
				signed char _t318;
				signed char _t321;
				intOrPtr _t323;
				signed char _t326;
				unsigned int _t328;
				signed int _t330;
				intOrPtr* _t331;
				signed char _t336;
				unsigned int _t337;
				signed char _t339;
				signed char _t340;
				signed char _t341;
				void* _t344;
				unsigned int _t349;
				signed int _t355;
				signed int _t356;
				void* _t358;
				signed char* _t359;
				void* _t361;
				signed int* _t364;

				_v20 = __ecx;
				_t290 =  *((intOrPtr*)(__ecx + 0x1c));
				_t281 =  *__ecx - 1;
				_v56 =  *((intOrPtr*)(__ecx + 4)) + 0xfffffffb + _t281;
				_t172 =  *((intOrPtr*)(__ecx + 0x10));
				_t364 =  *((intOrPtr*)(__ecx + 0xc)) - 1;
				_v60 = _t172 + 0xfffffeff + _t364;
				_v48 =  *((intOrPtr*)(_t290 + 0x28));
				_v68 =  *((intOrPtr*)(_t290 + 0x2c));
				_v32 =  *((intOrPtr*)(_t290 + 0x30));
				_v52 =  *((intOrPtr*)(_t290 + 0x34));
				_v40 =  *((intOrPtr*)(_t290 + 0x4c));
				_t328 =  *(_t290 + 0x38);
				_v44 =  *((intOrPtr*)(_t290 + 0x50));
				_v24 = 1;
				_v28 = 1;
				_v64 = _t172 - __edx + _t364;
				_t355 =  *(_t290 + 0x3c);
				_v24 = _v24 <<  *(_t290 + 0x54);
				_v24 = _v24 - 1;
				_v12 = _t281;
				_v28 = (_v28 <<  *( *((intOrPtr*)(_v20 + 0x1c)) + 0x58)) - 1;
				L1:
				while(1) {
					if(_t355 < 0xf) {
						_t286 =  &(_t281[2]);
						_v12 = _t286;
						_t328 = _t328 + ((_t281[1] & 0x000000ff) << _t355) + (( *_t286 & 0x000000ff) << _t355 + 8);
						_t355 = _t355 + 0x10;
					}
					_t282 =  *(_v40 + (_v24 & _t328) * 4);
					_t295 = _t282 >> 0x00000008 & 0x000000ff;
					_t355 = _t355 - _t295;
					_v8 = _t328 >> _t295;
					_t330 = _t282 & 0x000000ff;
					if(_t282 == 0) {
						L7:
						_t364 =  &(_t364[0]);
						 *_t364 = _t282 >> 0x10;
						L46:
						_t281 = _v12;
						if(_t281 >= _v56 || _t364 >= _v60) {
							L61:
							_t331 = _v20;
							_t191 = _t355 >> 3;
							_t284 = _t281 - _t191;
							_t356 = _t355 - (_t191 << 3);
							 *_t331 = _t284 + 1;
							 *(_t331 + 0xc) =  &(_t364[0]);
							_t285 = _t331;
							 *((intOrPtr*)(_t285 + 4)) = _v56 - _t284 + 5;
							_t201 =  *((intOrPtr*)(_t285 + 0x1c));
							 *(_t201 + 0x3c) = _t356;
							 *((intOrPtr*)(_t285 + 0x10)) = _v60 - _t364 + 0x101;
							 *(_t201 + 0x38) = _v8 & (0x00000001 << _t356) - 0x00000001;
							return _t201;
						} else {
							_t328 = _v8;
							continue;
						}
					}
					while((_t330 & 0x00000010) == 0) {
						if((_t330 & 0x00000040) != 0) {
							_t323 = _v20;
							_t281 = _v12;
							_t223 =  *((intOrPtr*)(_t323 + 0x1c));
							if((_t330 & 0x00000020) == 0) {
								 *(_t323 + 0x18) = "invalid literal/length code";
								L60:
								 *_t223 = 0x1b;
								goto L61;
							}
							 *_t223 = 0xb;
							goto L61;
						}
						_t349 = _v8;
						_t282 =  *(_v40 + (((0x00000001 << _t330) - 0x00000001 & _t349) + (_t282 >> 0x10)) * 4);
						_t326 = _t282 >> 0x00000008 & 0x000000ff;
						_t355 = _t355 - _t326;
						_v8 = _t349 >> _t326;
						_t330 = _t282 & 0x000000ff;
						if(_t282 != 0) {
							continue;
						}
						goto L7;
					}
					_t287 = _t282 >> 0x10;
					_t336 = _t330 & 0x0000000f;
					if(_t336 != 0) {
						_t321 = _t336;
						_v8 = _v8 >> _t321;
						_t287 = _t287 + ((0x00000001 << _t321) - 0x00000001 & _v8);
						_t355 = _t355 - _t336;
					}
					_t337 = _v8;
					if(_t355 < 0xf) {
						_t258 =  &(_v12[1]);
						_v12 = _t258;
						_t262 =  &(_v12[1]);
						_v12 = _t262;
						_t337 = _t337 + (( *_t258 & 0x000000ff) << _t355) + (( *_t262 & 0x000000ff) << _t355 + 8);
						_t355 = _t355 + 0x10;
					}
					_t208 =  *(_v44 + (_v28 & _t337) * 4);
					_v16 = _t208;
					_t302 = _t208 >> 0x00000008 & 0x000000ff;
					_t210 = _v16;
					_t355 = _t355 - _t302;
					_v8 = _t337 >> _t302;
					_t339 = _t210 & 0x000000ff;
					if((_t339 & 0x00000010) != 0) {
						L17:
						_t340 = _t339 & 0x0000000f;
						_v16 = _t210 >> 0x10;
						if(_t355 < _t340) {
							_t243 =  &(_v12[1]);
							_v12 = _t243;
							_t245 = ( *_t243 & 0x000000ff) << _t355;
							_t355 = _t355 + 8;
							_v8 = _v8 + _t245;
							if(_t355 < _t340) {
								_t247 =  &(_v12[1]);
								_v12 = _t247;
								_v8 = _v8 + (( *_t247 & 0x000000ff) << _t355);
								_t355 = _t355 + 8;
							}
						}
						_t303 = _t340;
						_t355 = _t355 - _t340;
						_v36 = _t355;
						_v8 = _v8 >> _t303;
						_v16 = _v16 + ((0x00000001 << _t303) - 0x00000001 & _v8);
						_t341 = _v16;
						_t217 = _t364 - _v64;
						if(_t341 <= _t217) {
							_t305 = _t364 - _t341;
							do {
								_t364[0] =  *(_t305 + 1) & 0x000000ff;
								_t364[0] =  *(_t305 + 2) & 0x000000ff;
								_t220 =  *(_t305 + 3) & 0x000000ff;
								_t305 = _t305 + 3;
								_t364 =  &(_t364[0]);
								_t287 = _t287 - 3;
								 *_t364 = _t220;
							} while (_t287 > 2);
							if(_t287 != 0) {
								_t364 =  &(_t364[0]);
								 *_t364 =  *(_t305 + 1);
								if(_t287 > 1) {
									_t364 =  &(_t364[0]);
									 *_t364 =  *(_t305 + 2);
								}
							}
							goto L46;
						} else {
							_t307 = _t341 - _t217;
							if(_t307 > _v68) {
								_t308 = _v20;
								 *(_t308 + 0x18) = "invalid distance too far back";
								goto L59;
							}
							_t224 = _v32;
							_t358 = _v52 - 1;
							if(_t224 != 0) {
								if(_t224 >= _t307) {
									_t359 = _t358 + _t224 - _t307;
									if(_t307 >= _t287) {
										L39:
										if(_t287 <= 2) {
											L42:
											if(_t287 != 0) {
												_t364 =  &(_t364[0]);
												 *_t364 = _t359[1];
												if(_t287 > 1) {
													_t364 =  &(_t364[0]);
													 *_t364 = _t359[2];
												}
											}
											_t355 = _v36;
											goto L46;
										}
										_t344 = (0xaaaaaaab * (_t287 - 3) >> 0x20 >> 1) + 1;
										do {
											_t364[0] = _t359[1] & 0x000000ff;
											_t231 = _t359[2] & 0x000000ff;
											_t359 =  &(_t359[3]);
											_t364[0] = _t231;
											_t364 =  &(_t364[0]);
											_t287 = _t287 - 3;
											 *_t364 =  *_t359 & 0x000000ff;
											_t344 = _t344 - 1;
										} while (_t344 != 0);
										goto L42;
									}
									_t287 = _t287 - _t307;
									do {
										_t233 = _t359[1];
										_t359 =  &(_t359[1]);
										_t364 =  &(_t364[0]);
										 *_t364 = _t233;
										_t307 = _t307 - 1;
									} while (_t307 != 0);
									L38:
									_t359 = _t364 - _t341;
									goto L39;
								}
								_t310 = _t307 - _v32;
								_t359 = _t358 + _t224 - _t307 + _v48;
								if(_t310 >= _t287) {
									goto L39;
								}
								_t287 = _t287 - _t310;
								_t361 = _t359 - _t364;
								do {
									_t236 =  *((intOrPtr*)(_t361 +  &(_t364[0])));
									_t364 =  &(_t364[0]);
									 *_t364 = _t236;
									_t310 = _t310 - 1;
								} while (_t310 != 0);
								_t237 = _v32;
								_t359 = _v52 - 1;
								if(_t237 >= _t287) {
									goto L39;
								}
								_t311 = _t237;
								_t287 = _t287 - _t237;
								do {
									_t238 = _t359[1];
									_t359 =  &(_t359[1]);
									_t364 =  &(_t364[0]);
									 *_t364 = _t238;
									_t311 = _t311 - 1;
								} while (_t311 != 0);
								goto L38;
							}
							_t359 = _t358 + _v48 - _t307;
							if(_t307 >= _t287) {
								goto L39;
							}
							_t287 = _t287 - _t307;
							do {
								_t241 = _t359[1];
								_t359 =  &(_t359[1]);
								_t364 =  &(_t364[0]);
								 *_t364 = _t241;
								_t307 = _t307 - 1;
							} while (_t307 != 0);
							goto L38;
						}
					} else {
						while((_t339 & 0x00000040) == 0) {
							_t317 =  *(_v44 + (((0x00000001 << _t339) - 0x00000001 & _v8) + (_v16 >> 0x10)) * 4);
							_v16 = _t317;
							_t318 = _t317 >> 0x00000008 & 0x000000ff;
							_t210 = _v16;
							_t355 = _t355 - _t318;
							_v8 = _v8 >> _t318;
							_t339 = _t210 & 0x000000ff;
							if((_t339 & 0x00000010) == 0) {
								continue;
							}
							goto L17;
						}
						_t308 = _v20;
						 *(_t308 + 0x18) = "invalid distance code";
						L59:
						_t281 = _v12;
						_t223 =  *((intOrPtr*)(_t308 + 0x1c));
						goto L60;
					}
				}
			}

0x00404a0b
0x00404a13
0x00404a1c
0x00404a1f
0x00404a22
0x00404a2c
0x00404a2f
0x00404a35
0x00404a3b
0x00404a41
0x00404a47
0x00404a4d
0x00404a55
0x00404a58
0x00404a62
0x00404a65
0x00404a6b
0x00404a6e
0x00404a74
0x00404a80
0x00404a85
0x00404a89
0x00000000
0x00404a90
0x00404a93
0x00404a9d
0x00404aa3
0x00404aad
0x00404aaf
0x00404aaf
0x00404aba
0x00404ac2
0x00404ac7
0x00404ac9
0x00404acc
0x00404ad1
0x00404b11
0x00404b11
0x00404b15
0x00404d27
0x00404d27
0x00404d2d
0x00404dca
0x00404dca
0x00404dcf
0x00404dd2
0x00404dd7
0x00404deb
0x00404df0
0x00404df8
0x00404e00
0x00404e03
0x00404e08
0x00404e13
0x00404e16
0x00404e1d
0x00404d3c
0x00404d3c
0x00000000
0x00404d3c
0x00404d2d
0x00404ad3
0x00404adb
0x00404d89
0x00404d8c
0x00404d8f
0x00404d95
0x00404d9f
0x00404dc4
0x00404dc4
0x00000000
0x00404dc4
0x00404d97
0x00000000
0x00404d97
0x00404ae3
0x00404af8
0x00404b00
0x00404b05
0x00404b07
0x00404b0a
0x00404b0f
0x00000000
0x00000000
0x00000000
0x00404b0f
0x00404b1c
0x00404b1f
0x00404b22
0x00404b3c
0x00404b49
0x00404b4c
0x00404b4e
0x00404b4e
0x00404b50
0x00404b56
0x00404b5b
0x00404b5c
0x00404b6e
0x00404b6f
0x00404b77
0x00404b79
0x00404b79
0x00404b84
0x00404b87
0x00404b8d
0x00404b90
0x00404b95
0x00404b97
0x00404b9a
0x00404ba0
0x00404be6
0x00404be9
0x00404bec
0x00404bf1
0x00404bf6
0x00404bf7
0x00404bff
0x00404c01
0x00404c04
0x00404c09
0x00404c0e
0x00404c0f
0x00404c19
0x00404c1c
0x00404c1c
0x00404c09
0x00404c1f
0x00404c28
0x00404c2a
0x00404c31
0x00404c34
0x00404c37
0x00404c3c
0x00404c41
0x00404d46
0x00404d50
0x00404d54
0x00404d5b
0x00404d5e
0x00404d62
0x00404d65
0x00404d68
0x00404d6b
0x00404d6d
0x00404d74
0x00404d79
0x00404d7a
0x00404d7f
0x00404d84
0x00404d85
0x00404d85
0x00404d7f
0x00000000
0x00404c47
0x00404c49
0x00404c4e
0x00404db4
0x00404db7
0x00000000
0x00404db7
0x00404c57
0x00404c5a
0x00404c5d
0x00404c80
0x00404cc0
0x00404cc4
0x00404cd8
0x00404cdb
0x00404d0f
0x00404d11
0x00404d16
0x00404d17
0x00404d1c
0x00404d21
0x00404d22
0x00404d22
0x00404d1c
0x00404d24
0x00000000
0x00404d24
0x00404ce9
0x00404cf0
0x00404cf4
0x00404cf7
0x00404cfb
0x00404cfe
0x00404d04
0x00404d07
0x00404d0a
0x00404d0c
0x00404d0c
0x00000000
0x00404cf0
0x00404cc6
0x00404cc8
0x00404cc8
0x00404ccb
0x00404cce
0x00404ccf
0x00404cd1
0x00404cd1
0x00404cd4
0x00404cd6
0x00000000
0x00404cd6
0x00404c87
0x00404c8a
0x00404c8e
0x00000000
0x00000000
0x00404c90
0x00404c92
0x00404c94
0x00404c94
0x00404c98
0x00404c99
0x00404c9b
0x00404c9b
0x00404ca1
0x00404ca4
0x00404ca7
0x00000000
0x00000000
0x00404ca9
0x00404cab
0x00404cb0
0x00404cb0
0x00404cb3
0x00404cb6
0x00404cb7
0x00404cb9
0x00404cb9
0x00000000
0x00404cbc
0x00404c64
0x00404c68
0x00000000
0x00000000
0x00404c6a
0x00404c70
0x00404c70
0x00404c73
0x00404c76
0x00404c77
0x00404c79
0x00404c79
0x00000000
0x00404c7c
0x00404ba2
0x00404ba2
0x00404bc3
0x00404bce
0x00404bd1
0x00404bd4
0x00404bd9
0x00404bdb
0x00404bde
0x00404be4
0x00000000
0x00000000
0x00000000
0x00404be4
0x00404da8
0x00404dab
0x00404dbe
0x00404dbe
0x00404dc1
0x00000000
0x00404dc1
0x00404ba0

Strings

invalid distance code, xrefs: 00404DAB
invalid distance too far back, xrefs: 00404DB7
invalid literal/length code, xrefs: 00404D9F

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: c9fdf100bbad4b70a46570705ac2fe62d91f0e3b016f69b1a88fd9d6bfc3a9c6
Instruction ID: 6fdf266a21d466ff122ec3de38e725f8731117c8df47052ebdb6353bc2ea85f9
Opcode Fuzzy Hash: c9fdf100bbad4b70a46570705ac2fe62d91f0e3b016f69b1a88fd9d6bfc3a9c6
Instruction Fuzzy Hash: 51E1E771A046559FCB08CF6CC5806ADFBF2EFC9300B24816AD595EB382D7399A46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00403974, Relevance: 1.4, Strings: 1, Instructions: 170
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00403974(signed int __ebx, unsigned int __edx, signed char* __edi, void* __esi) {
				signed int _t545;
				signed int _t552;
				signed char** _t554;
				signed int _t556;
				signed int _t560;
				signed int _t576;
				signed int _t578;
				signed int _t582;
				signed int _t584;
				signed int _t590;
				signed int _t591;
				signed int* _t594;
				signed int* _t597;
				signed int* _t602;
				signed char** _t603;
				signed int* _t605;
				signed char _t622;
				unsigned int _t623;
				signed int _t629;
				unsigned int _t630;
				signed char* _t640;
				signed char* _t649;
				signed char** _t652;
				signed int _t656;
				intOrPtr _t659;
				signed int _t660;
				void* _t663;
				void* _t668;

				L0:
				while(1) {
					L0:
					_t649 = __edi;
					_t623 = __edx;
					_t591 = __ebx;
					if(__esi >= 0x20) {
						goto L18;
					}
					L15:
					while(1) {
						L16:
						if(__ebx == 0) {
							break;
						}
						L17:
						__eax =  *__edi & 0x000000ff;
						__ecx = __esi;
						__eax = ( *__edi & 0x000000ff) << __cl;
						__ebx = __ebx - 1;
						__edi = __edi + 1;
						__esi = __esi + 8;
						__edx = __edx + __eax;
						 *(__ebp - 0xc) = __ebx;
						 *(__ebp - 4) = __edx;
						 *(__ebp - 0x10) = __edi;
						if(__esi < 0x20) {
							continue;
						} else {
							goto L18;
						}
						L200:
					}
					L189:
					_t576 =  *(_t663 - 0xc);
					L190:
					_t652 =  *(_t663 - 0x14);
					_t594 =  *(_t663 - 8);
					_t640 =  *(_t663 - 0x18);
					_t652[3] =  *(_t663 - 0x1c);
					_t652[1] = _t576;
					_t594[0xf] = _t656;
					_t659 =  *((intOrPtr*)(_t663 - 0x20));
					_t652[4] = _t640;
					 *_t652 =  *(_t663 - 0x10);
					_t594[0xe] =  *(_t663 - 4);
					if(_t594[0xa] != 0) {
						L193:
						_t578 = E00403590(_t652, _t659);
						if(_t578 == 0) {
							goto L196;
						} else {
							L194:
							 *_t594 = 0x1c;
							L195:
							return 0xfffffffc;
						}
					} else {
						L191:
						if( *_t594 >= 0x18) {
							L196:
							_t660 = _t659 - _t652[4];
							_t652[5] =  &(_t652[5][_t660]);
							_t652[2] =  &(_t652[2][ *((intOrPtr*)(_t663 - 0x3c)) - _t652[1]]);
							_t594[7] = _t594[7] + _t660;
							if(_t594[2] != 0) {
								if(_t660 != 0) {
									_t584 = E00404790(_t594[6], _t652[3] - _t660, _t660);
									_t594[6] = _t584;
									_t652[0xc] = _t584;
								}
							}
							asm("sbb edx, edx");
							_t616 =  ==  ? 0x80 : 0;
							_t582 =  *(_t663 - 0x28);
							_t645 = ( ~(_t594[1]) & 0x00000040) + ( ==  ? 0x80 : 0);
							_t646 = ( ~(_t594[1]) & 0x00000040) + ( ==  ? 0x80 : 0) + _t594[0xf];
							_t652[0xb] = ( ~(_t594[1]) & 0x00000040) + ( ==  ? 0x80 : 0) + _t594[0xf];
							_t583 =  ==  ? 0xfffffffb : _t582;
							return  ==  ? 0xfffffffb : _t582;
						} else {
							L192:
							if(_t659 == _t640) {
								goto L196;
							} else {
								goto L193;
							}
						}
					}
					goto L200;
					L18:
					_t602 =  *(_t663 - 8);
					_t552 = (_t623 >> 0x00000008 & 0x0000ff00) + ((_t623 & 0x0000ff00) + (_t623 << 0x10) << 8) + (_t623 >> 0x18);
					_t602[6] = _t552;
					( *(_t663 - 0x14))[0xc] = _t552;
					 *(_t663 - 4) = 0;
					_t656 = 0;
					 *_t602 = 0xa;
					while(1) {
						L19:
						if(_t602[3] == 0) {
							break;
						}
						L20:
						_t556 = E00404790(0, 0, 0);
						_t597 =  *(_t663 - 8);
						( *(_t663 - 0x14))[0xc] = _t556;
						_t629 =  *(_t663 - 4);
						_t668 = _t668 + 4;
						_t597[6] = _t556;
						 *_t597 = 0xb;
						while(1) {
							L21:
							if(_t597[1] == 0) {
								goto L23;
							}
							L22:
							_t622 = _t656 & 0x00000007;
							_t623 = _t629 >> _t622;
							_t656 = _t656 - _t622;
							_t597 =  *(_t663 - 8);
							 *(_t663 - 4) = _t623;
							 *_t597 = 0x18;
							while(1) {
								L182:
								_t545 =  *_t597;
								if(_t545 > 0x1c) {
									break;
								}
								L1:
								switch( *((intOrPtr*)(_t545 * 4 +  &M00404704))) {
									case 0:
										L2:
										if(_t597[2] != 0) {
											L4:
											__eflags = _t656 - 0x10;
											if(_t656 >= 0x10) {
												L8:
												_t563 = (_t623 >> 8) + ((_t623 & 0x000000ff) << 8);
												__eflags = _t563 %  *(_t663 - 0x38);
												_t623 =  *(_t663 - 4);
												if(_t563 %  *(_t663 - 0x38) == 0) {
													L10:
													_t597 =  *(_t663 - 8);
													__eflags = (_t623 & 0x0000000f) - 8;
													if((_t623 & 0x0000000f) == 8) {
														L12:
														_t623 = _t623 >> 4;
														_t569 = (_t623 & 0x0000000f) + 8;
														_t656 = _t656 - 4;
														 *(_t663 - 4) = _t623;
														 *(_t663 - 0x34) = _t569;
														__eflags = _t569 - _t597[9];
														if(_t569 <= _t597[9]) {
															L14:
															( *(_t663 - 8))[5] = 1 <<  *(_t663 - 0x34);
															_t572 = E00404790(0, 0, 0);
															_t597 =  *(_t663 - 8);
															( *(_t663 - 0x14))[0xc] = _t572;
															 *_t597 =  !( *(_t663 - 4) >> 8) & 0x00000002 | 0x00000009;
															_t623 = 0;
															_t668 = _t668 + 4;
															_t597[6] = _t572;
															 *(_t663 - 4) = 0;
															_t656 = 0;
														} else {
															L13:
															( *(_t663 - 0x14))[6] = "invalid window size";
															goto L181;
														}
													} else {
														L11:
														( *(_t663 - 0x14))[6] = "unknown compression method";
														goto L181;
													}
												} else {
													L9:
													( *(_t663 - 0x14))[6] = "incorrect header check";
													goto L180;
												}
												goto L182;
											} else {
												L5:
												while(1) {
													L6:
													__eflags = _t591;
													if(_t591 == 0) {
														goto L189;
													}
													L7:
													_t587 = ( *_t649 & 0x000000ff) << _t656;
													_t591 = _t591 - 1;
													_t649 =  &(_t649[1]);
													_t656 = _t656 + 8;
													_t623 = _t623 + _t587;
													 *(_t663 - 0xc) = _t591;
													 *(_t663 - 4) = _t623;
													 *(_t663 - 0x10) = _t649;
													__eflags = _t656 - 0x10;
													if(_t656 < 0x10) {
														continue;
													} else {
														goto L8;
													}
													goto L200;
												}
												goto L189;
											}
										} else {
											 *_t597 = 0xc;
											goto L182;
										}
										goto L200;
									case 1:
										goto L183;
									case 2:
										goto L0;
									case 3:
										goto L19;
									case 4:
										L21:
										if(_t597[1] == 0) {
											goto L23;
										}
										goto L200;
									case 5:
										L34:
										__ecx = __esi;
										__ecx = __esi & 0x00000007;
										__edx = __edx >> __cl;
										__esi = __esi - __ecx;
										 *(__ebp - 4) = __edx;
										__eflags = __esi - 0x20;
										if(__esi >= 0x20) {
											L37:
											__eax = __edx;
											__ecx = __edx;
											__ecx = __edx & 0x0000ffff;
											 !__edx =  !__edx >> 0x10;
											 *(__ebp - 0x34) = __ecx;
											__eflags = __ecx -  !__edx >> 0x10;
											__ecx =  *(__ebp - 8);
											if(__eflags == 0) {
												L39:
												__eax =  *(__ebp - 0x34);
												__edx = 0;
												 *(__ecx + 0x40) =  *(__ebp - 0x34);
												 *(__ebp - 4) = 0;
												__esi = 0;
												__eflags = 0;
												 *__ecx = 0xe;
												goto L40;
											} else {
												L38:
												__eax =  *(__ebp - 0x14);
												 *(__eax + 0x18) = "invalid stored block lengths";
												goto L181;
											}
										} else {
											while(1) {
												L35:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L189;
												}
												L36:
												__eax =  *__edi & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__edi & 0x000000ff) << __cl;
												__ebx = __ebx - 1;
												__edi = __edi + 1;
												__esi = __esi + 8;
												__edx = __edx + __eax;
												 *(__ebp - 0xc) = __ebx;
												 *(__ebp - 4) = __edx;
												 *(__ebp - 0x10) = __edi;
												__eflags = __esi - 0x20;
												if(__esi < 0x20) {
													continue;
												} else {
													goto L37;
												}
												goto L200;
											}
											goto L189;
										}
										goto L200;
									case 6:
										L40:
										__eax =  *(__ecx + 0x40);
										__eflags = __eax;
										if(__eax == 0) {
											goto L123;
										} else {
											L41:
											__eflags = __eax - __ebx;
											__eax =  >  ? __ebx : __eax;
											__eflags = __eax -  *(__ebp - 0x18);
											__eax =  >  ?  *(__ebp - 0x18) : __eax;
											 *(__ebp - 0x34) = __eax;
											__eflags = __eax;
											if(__eax == 0) {
												goto L189;
											} else {
												L42:
												__ecx =  *(__ebp - 0x1c);
												__edx = __edi;
												__eax = E00404E20( *(__ebp - 0x1c), __edi, __eax);
												__eax =  *(__ebp - 0x34);
												__ecx =  *(__ebp - 8);
												 *(__ebp - 0x18) =  *(__ebp - 0x18) - __eax;
												 *(__ebp - 0x1c) =  *(__ebp - 0x1c) + __eax;
												__edx =  *(__ebp - 4);
												__ebx = __ebx - __eax;
												__edi = __edi + __eax;
												 *(__ecx + 0x40) =  *(__ecx + 0x40) - __eax;
												 *(__ebp - 0xc) = __ebx;
												 *(__ebp - 0x10) = __edi;
												goto L182;
											}
										}
										goto L200;
									case 7:
										L43:
										__eflags = __esi - 0xe;
										if(__esi >= 0xe) {
											L48:
											__edx = __edx & 0x0000001f;
											__eax = (__edx & 0x0000001f) + 0x101;
											 *(__ecx + 0x60) = (__edx & 0x0000001f) + 0x101;
											__edx = __edx >> 5;
											__edx = __edx & 0x0000001f;
											__eax = (__edx & 0x0000001f) + 1;
											__edx = __edx >> 5;
											 *(__ecx + 0x64) = __eax;
											__edx = __edx & 0x0000000f;
											__eax = (__edx & 0x0000000f) + 4;
											__edx = __edx >> 4;
											__esi = __esi - 0xe;
											__eflags =  *(__ecx + 0x60) - 0x11e;
											 *(__ecx + 0x5c) = __eax;
											 *(__ebp - 4) = __edx;
											if( *(__ecx + 0x60) > 0x11e) {
												L61:
												__eax =  *(__ebp - 0x14);
												 *(__eax + 0x18) = "too many length or distance symbols";
												goto L181;
											} else {
												L49:
												__eflags =  *(__ecx + 0x64) - 0x1e;
												if( *(__ecx + 0x64) > 0x1e) {
													goto L61;
												} else {
													L50:
													 *(__ecx + 0x68) = 0;
													 *__ecx = 0x10;
													goto L51;
												}
											}
										} else {
											L44:
											while(1) {
												L45:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L189;
												}
												L46:
												__eax =  *__edi & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__edi & 0x000000ff) << __cl;
												__ebx = __ebx - 1;
												__edi = __edi + 1;
												__esi = __esi + 8;
												__edx = __edx + __eax;
												 *(__ebp - 0xc) = __ebx;
												 *(__ebp - 4) = __edx;
												 *(__ebp - 0x10) = __edi;
												__eflags = __esi - 0xe;
												if(__esi < 0xe) {
													continue;
												} else {
													L47:
													__ecx =  *(__ebp - 8);
													goto L48;
												}
												goto L200;
											}
											goto L189;
										}
										goto L200;
									case 8:
										L51:
										__eax =  *(__ecx + 0x68);
										__eflags =  *(__ecx + 0x68) -  *(__ecx + 0x5c);
										if( *(__ecx + 0x68) >=  *(__ecx + 0x5c)) {
											L56:
											__eflags =  *(__ecx + 0x68) - 0x13;
											while( *(__ecx + 0x68) < 0x13) {
												L58:
												__eax =  *(__ecx + 0x68);
												__edx = 0;
												__eax =  *(0x401e88 +  *(__ecx + 0x68) * 2) & 0x0000ffff;
												 *((short*)(__ecx + 0x70 + ( *(0x401e88 +  *(__ecx + 0x68) * 2) & 0x0000ffff) * 2)) = __dx;
												 *(__ecx + 0x68) =  *(__ecx + 0x68) + 1;
												__eflags =  *(__ecx + 0x68) - 0x13;
											}
											L59:
											__edx = __ecx + 0x6c;
											__eax = __ecx + 0x530;
											 *__edx = __eax;
											 *(__ecx + 0x4c) = __eax;
											__eax =  *(__ebp - 8);
											__ecx = __ecx + 0x54;
											__eax =  *(__ebp - 8) + 0x2f0;
											_push( *(__ebp - 8) + 0x2f0);
											_push(__ecx);
											_push(__edx);
											__edx =  *(__ebp - 8);
											 *__ecx = 7;
											_push(0x13);
											__edx =  *(__ebp - 8) + 0x70;
											__ecx = 0;
											__eax = L00404E80(__ebx, 0,  *(__ebp - 8) + 0x70, __edi, __esi);
											__ecx =  *(__ebp - 8);
											__edx =  *(__ebp - 4);
											__esp = __esp + 0x10;
											 *(__ebp - 0x28) = __eax;
											__eflags = __eax;
											if(__eax == 0) {
												L62:
												 *(__ecx + 0x68) = 0;
												 *__ecx = 0x11;
												goto L63;
											} else {
												L60:
												__eax =  *(__ebp - 0x14);
												 *(__eax + 0x18) = "invalid code lengths set";
												goto L181;
											}
										} else {
											do {
												L52:
												__eflags = __esi - 3;
												if(__esi >= 3) {
													goto L55;
												} else {
													while(1) {
														L53:
														__eflags = __ebx;
														if(__ebx == 0) {
															goto L189;
														}
														L54:
														__eax =  *__edi & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__edi & 0x000000ff) << __cl;
														__ebx = __ebx - 1;
														__edi = __edi + 1;
														__esi = __esi + 8;
														__edx = __edx + __eax;
														 *(__ebp - 0xc) = __ebx;
														 *(__ebp - 4) = __edx;
														 *(__ebp - 0x10) = __edi;
														__eflags = __esi - 3;
														if(__esi < 3) {
															continue;
														} else {
															goto L55;
														}
														goto L200;
													}
													goto L189;
												}
												goto L200;
												L55:
												__eax =  *(__ebp - 8);
												__edi =  *(__ebp - 8);
												__eax =  *( *(__ebp - 8) + 0x68);
												__ecx = __edx;
												__eax =  *(0x401e88 +  *( *(__ebp - 8) + 0x68) * 2) & 0x0000ffff;
												__ecx = __edx & 0x00000007;
												 *((short*)(__edi + 0x70 + ( *(0x401e88 +  *( *(__ebp - 8) + 0x68) * 2) & 0x0000ffff) * 2)) = __cx;
												__ecx = __edi;
												__edi =  *(__ebp - 0x10);
												 *(__ecx + 0x68) =  *(__ecx + 0x68) + 1;
												__eax =  *(__ecx + 0x68);
												__edx = __edx >> 3;
												__esi = __esi - 3;
												 *(__ebp - 4) = __edx;
												__eflags =  *(__ecx + 0x68) -  *(__ecx + 0x5c);
											} while ( *(__ecx + 0x68) <  *(__ecx + 0x5c));
											goto L56;
										}
										goto L200;
									case 9:
										L63:
										__eax =  *(__ecx + 0x68);
										__edi =  *(__ebp - 0x10);
										 *(__ebp - 0x24) =  *(__ecx + 0x68);
										__eax =  *(__ecx + 0x64);
										__eax =  *(__ecx + 0x64) +  *(__ecx + 0x60);
										__eflags =  *(__ebp - 0x24) - __eax;
										if( *(__ebp - 0x24) >= __eax) {
											L98:
											__eflags =  *__ecx - 0x1b;
											if( *__ecx == 0x1b) {
												goto L182;
											} else {
												L99:
												__edx = __ecx + 0x6c;
												__eax = __ecx + 0x530;
												__edi = __ecx + 0x2f0;
												 *__edx = __eax;
												 *(__ecx + 0x4c) = __eax;
												__eax = __ecx + 0x54;
												_push(__edi);
												_push(__eax);
												_push(__edx);
												_push( *(__ecx + 0x60));
												 *(__ebp - 0x34) = __edx;
												__edx = __ecx + 0x70;
												__ecx = 1;
												 *__eax = 9;
												 *(__ebp - 0x30) = __edi;
												__eax = L00404E80(__ebx, 1, __edx, __edi, __esi);
												__edi =  *(__ebp - 0x10);
												__ecx =  *(__ebp - 8);
												__esp = __esp + 0x10;
												 *(__ebp - 0x28) = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													L103:
													__edx =  *(__ebp - 0x34);
													_push( *(__ebp - 0x30));
													__eax =  *__edx;
													 *(__ecx + 0x50) =  *__edx;
													__eax = __ecx + 0x58;
													_push(__eax);
													_push(__edx);
													_push( *(__ecx + 0x64));
													 *__eax = 6;
													__eax =  *(__ecx + 0x60);
													__edx = __ecx + __eax * 2;
													__ecx = 2;
													__eax = L00404E80(__ebx, 2, __edx, __edi, __esi);
													__ecx =  *(__ebp - 8);
													__edx =  *(__ebp - 4);
													__esp = __esp + 0x10;
													 *(__ebp - 0x28) = __eax;
													__eflags = __eax;
													if(__eax == 0) {
														L105:
														 *__ecx = 0x12;
														goto L106;
													} else {
														L104:
														__eax =  *(__ebp - 0x14);
														 *(__eax + 0x18) = "invalid distances set";
														goto L181;
													}
												} else {
													L100:
													__eax =  *(__ebp - 0x14);
													__edx =  *(__ebp - 4);
													 *(__eax + 0x18) = "invalid literal/lengths set";
													goto L181;
												}
											}
										} else {
											L64:
											do {
												L65:
												__ecx =  *(__ecx + 0x54);
												__eax = 1;
												_t151 = (1 << __cl) - 1; // 0x0
												__ecx = _t151;
												__eax =  *(__ebp - 8);
												 *(__ebp - 0x34) = __ecx;
												__eax =  *( *(__ebp - 8) + 0x4c);
												 *(__ebp - 0x30) =  *( *(__ebp - 8) + 0x4c);
												__eax = __ecx;
												__ecx =  *(__ebp - 0x30);
												__eax = __eax & __edx;
												__eax =  *( *(__ebp - 0x30) + __eax * 4);
												__eax = __eax >> 8;
												__ecx = __cl & 0x000000ff;
												 *(__ebp - 0x2c) = __eax;
												__eflags = __ecx - __esi;
												if(__ecx <= __esi) {
													L68:
													__eax = __eax >> 0x10;
													__eflags = __eax >> 0x10 - 0x10;
													if(__eax >> 0x10 >= 0x10) {
														L74:
														__cx =  *(__ebp - 0x2a);
														__eflags = __cx - 0x10;
														if(__cx != 0x10) {
															L80:
															__eflags = __cx - 0x11;
															__ecx = __ah & 0x000000ff;
															if(__cx != 0x11) {
																L85:
																__eax = __ecx + 7;
																 *(__ebp - 0x34) = __ecx;
																__eflags = __esi - __ecx + 7;
																if(__esi >= __ecx + 7) {
																	L89:
																	__edx = __edx >> __cl;
																	__eax = 0xfffffff9;
																	__edx = __edx & 0x0000007f;
																	__ecx = (__edx & 0x0000007f) + 0xb;
																	__edx = __edx >> 7;
																	__eax = 0xfffffff9 -  *(__ebp - 0x34);
																	__eflags = 0xfffffff9;
																	goto L90;
																} else {
																	L86:
																	while(1) {
																		L87:
																		__eflags = __ebx;
																		if(__ebx == 0) {
																			goto L189;
																		}
																		L88:
																		__eax =  *__edi & 0x000000ff;
																		__ecx = __esi;
																		__eax = ( *__edi & 0x000000ff) << __cl;
																		__ecx =  *(__ebp - 0x34);
																		__ebx = __ebx - 1;
																		__edi = __edi + 1;
																		__edx = __edx + __eax;
																		__esi = __esi + 8;
																		__eax = __ecx + 7;
																		 *(__ebp - 0xc) = __ebx;
																		 *(__ebp - 4) = __edx;
																		 *(__ebp - 0x10) = __edi;
																		__eflags = __esi - __ecx + 7;
																		if(__esi < __ecx + 7) {
																			continue;
																		} else {
																			goto L89;
																		}
																		goto L200;
																	}
																	goto L189;
																}
															} else {
																L81:
																__eax = __ecx + 3;
																 *(__ebp - 0x34) = __ecx;
																__eflags = __esi - __ecx + 3;
																if(__esi >= __ecx + 3) {
																	L84:
																	__edx = __edx >> __cl;
																	__eax = 0xfffffffd;
																	__edx = __edx & 0x00000007;
																	__ecx = (__edx & 0x00000007) + 3;
																	__edx = __edx >> 3;
																	__eax = 0xfffffffd -  *(__ebp - 0x34);
																	L90:
																	__esi = __esi + __eax;
																	__eflags = __esi;
																	 *(__ebp - 0x30) = 0;
																	goto L91;
																} else {
																	while(1) {
																		L82:
																		__eflags = __ebx;
																		if(__ebx == 0) {
																			goto L189;
																		}
																		L83:
																		__eax =  *__edi & 0x000000ff;
																		__ecx = __esi;
																		__eax = ( *__edi & 0x000000ff) << __cl;
																		__ecx =  *(__ebp - 0x34);
																		__ebx = __ebx - 1;
																		__edi = __edi + 1;
																		__edx = __edx + __eax;
																		__esi = __esi + 8;
																		__eax = __ecx + 3;
																		 *(__ebp - 0xc) = __ebx;
																		 *(__ebp - 4) = __edx;
																		 *(__ebp - 0x10) = __edi;
																		__eflags = __esi - __ecx + 3;
																		if(__esi < __ecx + 3) {
																			continue;
																		} else {
																			goto L84;
																		}
																		goto L200;
																	}
																	goto L189;
																}
															}
														} else {
															L75:
															__ecx = __ah & 0x000000ff;
															 *(__ebp - 0x34) = __ecx;
															__eax = __ecx + 2;
															__eflags = __esi - __ecx + 2;
															if(__esi >= __ecx + 2) {
																L78:
																__eax =  *(__ebp - 0x24);
																__edx = __edx >> __cl;
																__esi = __esi - __ecx;
																__ecx =  *(__ebp - 8);
																 *(__ebp - 4) = __edx;
																__eflags = __eax;
																if(__eax == 0) {
																	L101:
																	__eax =  *(__ebp - 0x14);
																	 *(__eax + 0x18) = "invalid bit length repeat";
																	goto L181;
																} else {
																	L79:
																	__eax =  *(__ecx + 0x6e + __eax * 2) & 0x0000ffff;
																	__edx = __edx & 0x00000003;
																	__ecx = (__edx & 0x00000003) + 3;
																	__edx = __edx >> 2;
																	 *(__ebp - 0x30) = __eax;
																	__esi = __esi - 2;
																	L91:
																	__eax =  *(__ebp - 8);
																	__ebx =  *(__ebp - 8);
																	__eax =  *( *(__ebp - 8) + 0x64);
																	__eax =  *( *(__ebp - 8) + 0x64) +  *((intOrPtr*)( *(__ebp - 8) + 0x60));
																	__ebx =  *(__ebp - 0xc);
																	 *(__ebp - 0x2c) = __ecx;
																	__ecx = __ecx +  *(__ebp - 0x24);
																	 *(__ebp - 4) = __edx;
																	__eflags = __ecx - __eax;
																	if(__ecx > __eax) {
																		L102:
																		__eax =  *(__ebp - 0x14);
																		 *(__eax + 0x18) = "invalid bit length repeat";
																		goto L180;
																	} else {
																		L92:
																		__ecx =  *(__ebp - 0x2c);
																		__eflags = __ecx;
																		if(__ecx != 0) {
																			L93:
																			__edi =  *(__ebp - 8);
																			__ebx =  *(__ebp - 0x30);
																			do {
																				L94:
																				__eax =  *(__edi + 0x68);
																				 *((short*)(__edi + 0x70 +  *(__edi + 0x68) * 2)) = __bx;
																				 *(__edi + 0x68) =  *(__edi + 0x68) + 1;
																				__ecx = __ecx - 1;
																				__eflags = __ecx;
																			} while (__ecx != 0);
																			__ebx =  *(__ebp - 0xc);
																			__edi =  *(__ebp - 0x10);
																		}
																		L96:
																		__ecx =  *(__ebp - 8);
																		goto L97;
																	}
																}
															} else {
																while(1) {
																	L76:
																	__eflags = __ebx;
																	if(__ebx == 0) {
																		goto L189;
																	}
																	L77:
																	__eax =  *__edi & 0x000000ff;
																	__ecx = __esi;
																	__eax = ( *__edi & 0x000000ff) << __cl;
																	__ecx =  *(__ebp - 0x34);
																	__ebx = __ebx - 1;
																	__edi = __edi + 1;
																	__edx = __edx + __eax;
																	__esi = __esi + 8;
																	__eax = __ecx + 2;
																	 *(__ebp - 0xc) = __ebx;
																	 *(__ebp - 4) = __edx;
																	 *(__ebp - 0x10) = __edi;
																	__eflags = __esi - __ecx + 2;
																	if(__esi < __ecx + 2) {
																		continue;
																	} else {
																		goto L78;
																	}
																	goto L200;
																}
																goto L189;
															}
														}
													} else {
														L69:
														__eax = __eax >> 8;
														__ecx = __cl & 0x000000ff;
														 *(__ebp - 0x34) = __ecx;
														__eflags = __esi - __ecx;
														if(__esi >= __ecx) {
															L73:
															__edi =  *(__ebp - 0x24);
															__ecx = __ah & 0x000000ff;
															__edx = __edx >> __cl;
															__esi = __esi - (__ah & 0x000000ff);
															__ecx =  *(__ebp - 8);
															 *((short*)(__ecx + 0x70 +  *(__ebp - 0x24) * 2)) =  *(__ebp - 0x2a);
															 *(__ecx + 0x68) =  *(__ecx + 0x68) + 1;
															__edi =  *(__ebp - 0x10);
															 *(__ebp - 4) = __edx;
															goto L97;
														} else {
															while(1) {
																L70:
																__eflags = __ebx;
																if(__ebx == 0) {
																	goto L189;
																}
																L71:
																__edx =  *__edi & 0x000000ff;
																__ecx = __esi;
																__edx = ( *__edi & 0x000000ff) << __cl;
																__ebx = __ebx - 1;
																__edi = __edi + 1;
																__esi = __esi + 8;
																 *(__ebp - 4) =  *(__ebp - 4) + __edx;
																 *(__ebp - 0xc) = __ebx;
																 *(__ebp - 0x10) = __edi;
																__eflags = __esi -  *(__ebp - 0x34);
																if(__esi <  *(__ebp - 0x34)) {
																	continue;
																} else {
																	L72:
																	__edx =  *(__ebp - 4);
																	goto L73;
																}
																goto L200;
															}
															goto L189;
														}
													}
												} else {
													while(1) {
														L66:
														__eflags = __ebx;
														if(__ebx == 0) {
															goto L189;
														}
														L67:
														__eax =  *__edi & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__edi & 0x000000ff) << __cl;
														__ecx =  *(__ebp - 0x30);
														__ebx = __ebx - 1;
														__edi = __edi + 1;
														__edx = __edx + __eax;
														 *(__ebp - 0x34) =  *(__ebp - 0x34) & __edx;
														__esi = __esi + 8;
														__eax =  *( *(__ebp - 0x30) + ( *(__ebp - 0x34) & __edx) * 4);
														__eax = __eax >> 8;
														__ecx = __cl & 0x000000ff;
														 *(__ebp - 0xc) = __ebx;
														 *(__ebp - 4) = __edx;
														 *(__ebp - 0x10) = __edi;
														 *(__ebp - 0x2c) = __eax;
														__eflags = __ecx - __esi;
														if(__ecx > __esi) {
															continue;
														} else {
															goto L68;
														}
														goto L200;
													}
													goto L189;
												}
												goto L200;
												L97:
												__eax =  *(__ecx + 0x68);
												 *(__ebp - 0x24) =  *(__ecx + 0x68);
												__eax =  *(__ecx + 0x64);
												__eax =  *(__ecx + 0x64) +  *(__ecx + 0x60);
												__eflags =  *(__ebp - 0x24) - __eax;
											} while ( *(__ebp - 0x24) < __eax);
											goto L98;
										}
										goto L200;
									case 0xa:
										L106:
										__eflags = __ebx - 6;
										if(__ebx < 6) {
											L109:
											__ecx =  *(__ecx + 0x54);
											1 = 1 << __cl;
											__eax = (1 << __cl) - 1;
											 *(__ebp - 0x34) = (1 << __cl) - 1;
											__eax =  *(__ebp - 8);
											__ecx =  *( *(__ebp - 8) + 0x4c);
											 *(__ebp - 0x34) =  *(__ebp - 0x34) & __edx;
											 *(__ebp - 0x30) = __ecx;
											__eax =  *(__ecx + ( *(__ebp - 0x34) & __edx) * 4);
											__eax = __eax >> 8;
											__ecx = __cl & 0x000000ff;
											__eflags = __ecx - __esi;
											if(__ecx <= __esi) {
												L113:
												__eflags = __al;
												if(__al == 0) {
													L120:
													__edi =  *(__ebp - 8);
													__eax = __eax >> 8;
													__ecx = __cl & 0x000000ff;
													__edx = __edx >> __cl;
													__esi = __esi - (__cl & 0x000000ff);
													__eax = __eax >> 0x10;
													 *( *(__ebp - 8) + 0x40) = __eax >> 0x10;
													__edi =  *(__ebp - 0x10);
													__ecx =  *(__ebp - 8);
													 *(__ebp - 4) = __edx;
													__eflags = __al;
													if(__al != 0) {
														L122:
														__eflags = __al & 0x00000020;
														if((__al & 0x00000020) == 0) {
															L124:
															__eflags = __al & 0x00000040;
															if((__al & 0x00000040) == 0) {
																L126:
																__eax = __al & 0x000000ff;
																__eax = __al & 0xf;
																__eflags = __eax;
																 *(__ecx + 0x48) = __eax;
																 *__ecx = 0x13;
																goto L127;
															} else {
																L125:
																__eax =  *(__ebp - 0x14);
																 *(__eax + 0x18) = "invalid literal/length code";
																goto L181;
															}
														} else {
															L123:
															 *__ecx = 0xb;
															goto L182;
														}
													} else {
														L121:
														 *__ecx = 0x17;
														goto L182;
													}
												} else {
													L114:
													__eflags = __al & 0x000000f0;
													if((__al & 0x000000f0) != 0) {
														goto L120;
													} else {
														L115:
														__eax = __eax >> 8;
														__edi = __cl & 0x000000ff;
														 *(__ebp - 0x34) = __eax >> 8;
														__al & 0x000000ff = (__al & 0x000000ff) + __edi;
														1 = 1 << __cl;
														__ecx = __edi;
														__edx = __eax;
														__eax = __eax >> 0x10;
														(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4);
														 *(__ebp - 0x2c) = __edx;
														__ebx = ((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl;
														__ecx =  *(__ebp - 0x30);
														__ebx = (((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + __eax;
														__eax =  *( *(__ebp - 0x30) + ((((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + __eax) * 4);
														__eax = __eax >> 8;
														__edi = __cl & 0x000000ff;
														__ecx =  *(__ebp - 0x34);
														__ecx = __cl & 0x000000ff;
														__edi = (__cl & 0x000000ff) + __ecx;
														__eflags = (__cl & 0x000000ff) + __ecx - __esi;
														if((__cl & 0x000000ff) + __ecx <= __esi) {
															L119:
															__ebx =  *(__ebp - 0xc);
															__ecx = __dh & 0x000000ff;
															__edx =  *(__ebp - 4);
															__edx =  *(__ebp - 4) >> __cl;
															__esi = __esi - (__dh & 0x000000ff);
															__eflags = __esi;
															goto L120;
														} else {
															L116:
															while(1) {
																L117:
																__eax =  *(__ebp - 0xc);
																__eflags = __eax;
																if(__eax == 0) {
																	goto L190;
																}
																L118:
																__ebx =  *(__ebp - 0x10);
																 *(__ebp - 0xc) = __eax;
																__eax =  *__ebx & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebx & 0x000000ff) << __cl;
																 *(__ebp - 0x10) = __ebx;
																__ebx = __dh & 0x000000ff;
																 *(__ebp - 4) =  *(__ebp - 4) + __eax;
																__eax =  *(__ebp - 0x2a) & 0x0000ffff;
																__dl & 0x000000ff = (__dl & 0x000000ff) + __ebx;
																1 = 1 << __cl;
																__ecx = __ebx;
																__esi = __esi + 8;
																(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4);
																((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl = (((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + ( *(__ebp - 0x2a) & 0x0000ffff);
																__eax =  *(__ebp - 0x30);
																__eax =  *( *(__ebp - 0x30) + ((((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + ( *(__ebp - 0x2a) & 0x0000ffff)) * 4);
																__eax = __eax >> 8;
																__ecx = __cl & 0x000000ff;
																__ecx = (__cl & 0x000000ff) + __ebx;
																__eflags = __ecx - __esi;
																if(__ecx > __esi) {
																	continue;
																} else {
																	goto L119;
																}
																goto L200;
															}
															goto L190;
														}
													}
												}
											} else {
												L110:
												while(1) {
													L111:
													__eflags = __ebx;
													if(__ebx == 0) {
														goto L189;
													}
													L112:
													__eax =  *__edi & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__edi & 0x000000ff) << __cl;
													__ecx =  *(__ebp - 0x30);
													__ebx = __ebx - 1;
													__edi = __edi + 1;
													__edx = __edx + __eax;
													 *(__ebp - 0x34) =  *(__ebp - 0x34) & __edx;
													__esi = __esi + 8;
													__eax =  *( *(__ebp - 0x30) + ( *(__ebp - 0x34) & __edx) * 4);
													__eax = __eax >> 8;
													__ecx = __cl & 0x000000ff;
													 *(__ebp - 0xc) = __ebx;
													 *(__ebp - 4) = __edx;
													 *(__ebp - 0x10) = __edi;
													__eflags = __ecx - __esi;
													if(__ecx > __esi) {
														continue;
													} else {
														goto L113;
													}
													goto L200;
												}
												goto L189;
											}
										} else {
											L107:
											__eflags =  *(__ebp - 0x18) - 0x102;
											if( *(__ebp - 0x18) < 0x102) {
												goto L109;
											} else {
												L108:
												__edi =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x1c);
												 *(__edi + 0xc) =  *(__ebp - 0x1c);
												__eax = __edi;
												__edi =  *(__ebp - 0x18);
												 *(__eax + 4) = __ebx;
												 *(__eax + 0x10) =  *(__ebp - 0x18);
												__edi =  *(__ebp - 0x10);
												 *(__ecx + 0x38) = __edx;
												__edx =  *(__ebp - 0x20);
												__ebx = __eax;
												 *(__ecx + 0x3c) = __esi;
												__ecx = __ebx;
												 *__eax =  *(__ebp - 0x10);
												E00404A00(__ebx,  *(__ebp - 0x20)) =  *(__ebx + 0xc);
												__ecx =  *(__ebp - 8);
												__edi =  *__ebx;
												__edx =  *(__ecx + 0x38);
												__esi =  *(__ecx + 0x3c);
												 *(__ebp - 0x1c) =  *(__ebx + 0xc);
												__eax =  *(__ebx + 0x10);
												__ebx =  *(__ebx + 4);
												 *(__ebp - 0x18) = __eax;
												 *(__ebp - 0x10) = __edi;
												 *(__ebp - 0xc) = __ebx;
												 *(__ebp - 4) = __edx;
												goto L182;
											}
										}
										goto L200;
									case 0xb:
										L127:
										__eax =  *(__ecx + 0x48);
										 *(__ebp - 0x30) = __eax;
										__eflags = __eax;
										if(__eax == 0) {
											L133:
											 *__ecx = 0x14;
											goto L134;
										} else {
											L128:
											__eflags = __esi - __eax;
											if(__esi >= __eax) {
												L132:
												__ecx =  *(__ebp - 0x30);
												1 = 1 << __cl;
												__ecx =  *(__ebp - 8);
												(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __edx;
												 *( *(__ebp - 8) + 0x40) =  *( *(__ebp - 8) + 0x40) + ((0x00000001 << __cl) - 0x00000001 & __edx);
												__ecx =  *(__ebp - 0x30);
												__edx = __edx >> __cl;
												__esi = __esi -  *(__ebp - 0x30);
												__eflags = __esi;
												__ecx =  *(__ebp - 8);
												 *(__ebp - 4) = __edx;
												goto L133;
											} else {
												L129:
												while(1) {
													L130:
													__eflags = __ebx;
													if(__ebx == 0) {
														goto L189;
													}
													L131:
													__eax =  *__edi & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__edi & 0x000000ff) << __cl;
													__ebx = __ebx - 1;
													__edi = __edi + 1;
													__esi = __esi + 8;
													__edx = __edx + __eax;
													 *(__ebp - 0xc) = __ebx;
													 *(__ebp - 4) = __edx;
													 *(__ebp - 0x10) = __edi;
													__eflags = __esi -  *(__ebp - 0x30);
													if(__esi <  *(__ebp - 0x30)) {
														continue;
													} else {
														goto L132;
													}
													goto L200;
												}
												goto L189;
											}
										}
										goto L200;
									case 0xc:
										L134:
										__ecx =  *(__ecx + 0x58);
										1 = 1 << __cl;
										__eax = (1 << __cl) - 1;
										 *(__ebp - 0x34) = (1 << __cl) - 1;
										__eax =  *(__ebp - 8);
										__ecx =  *( *(__ebp - 8) + 0x50);
										 *(__ebp - 0x34) =  *(__ebp - 0x34) & __edx;
										 *(__ebp - 0x30) = __ecx;
										__eax =  *(__ecx + ( *(__ebp - 0x34) & __edx) * 4);
										__eax = __eax >> 8;
										__ecx = __cl & 0x000000ff;
										__eflags = __ecx - __esi;
										if(__ecx <= __esi) {
											L137:
											__eflags = __al & 0x000000f0;
											if((__al & 0x000000f0) != 0) {
												L143:
												__edi =  *(__ebp - 0x10);
												__eax = __eax >> 8;
												__ecx = __cl & 0x000000ff;
												__edx = __edx >> __cl;
												__esi = __esi - __ecx;
												 *(__ebp - 4) = __edx;
												__eflags = __al & 0x00000040;
												if((__al & 0x00000040) == 0) {
													L145:
													__ebx =  *(__ebp - 8);
													__ecx = __eax;
													__ecx = __eax >> 0x10;
													__eax = __al & 0x000000ff;
													 *(__ebx + 0x44) = __ecx;
													__ecx = __ebx;
													__ebx =  *(__ebp - 0xc);
													__eax = __al & 0xf;
													__eflags = __eax;
													 *(__ecx + 0x48) = __eax;
													 *__ecx = 0x15;
													goto L146;
												} else {
													L144:
													__eax =  *(__ebp - 0x14);
													__ebx =  *(__ebp - 0xc);
													 *(__eax + 0x18) = "invalid distance code";
													L180:
													_t597 =  *(_t663 - 8);
													goto L181;
												}
											} else {
												L138:
												__eax = __eax >> 8;
												__edi = __cl & 0x000000ff;
												 *(__ebp - 0x34) = __eax >> 8;
												__al & 0x000000ff = (__al & 0x000000ff) + __edi;
												1 = 1 << __cl;
												__ecx = __edi;
												__edx = __eax;
												__eax = __eax >> 0x10;
												(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4);
												 *(__ebp - 0x2c) = __edx;
												__ebx = ((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl;
												__ecx =  *(__ebp - 0x30);
												__ebx = (((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + __eax;
												__eax =  *( *(__ebp - 0x30) + ((((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + __eax) * 4);
												__eax = __eax >> 8;
												__edi = __cl & 0x000000ff;
												__ecx =  *(__ebp - 0x34);
												__ecx = __cl & 0x000000ff;
												__edi = (__cl & 0x000000ff) + __ecx;
												__eflags = (__cl & 0x000000ff) + __ecx - __esi;
												if((__cl & 0x000000ff) + __ecx <= __esi) {
													L142:
													__ecx = __dh & 0x000000ff;
													__edx =  *(__ebp - 4);
													__edx =  *(__ebp - 4) >> __cl;
													__esi = __esi - (__dh & 0x000000ff);
													__eflags = __esi;
													goto L143;
												} else {
													L139:
													while(1) {
														L140:
														__eax =  *(__ebp - 0xc);
														__eflags = __eax;
														if(__eax == 0) {
															goto L190;
														}
														L141:
														__ebx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) = __eax;
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														 *(__ebp - 0x10) = __ebx;
														__ebx = __dh & 0x000000ff;
														 *(__ebp - 4) =  *(__ebp - 4) + __eax;
														__eax =  *(__ebp - 0x2a) & 0x0000ffff;
														__dl & 0x000000ff = (__dl & 0x000000ff) + __ebx;
														1 = 1 << __cl;
														__ecx = __ebx;
														__esi = __esi + 8;
														(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4);
														((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl = (((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + ( *(__ebp - 0x2a) & 0x0000ffff);
														__eax =  *(__ebp - 0x30);
														__eax =  *( *(__ebp - 0x30) + ((((0x00000001 << __cl) - 0x00000001 &  *(__ebp - 4)) >> __cl) + ( *(__ebp - 0x2a) & 0x0000ffff)) * 4);
														__eax = __eax >> 8;
														__ecx = __cl & 0x000000ff;
														__ecx = (__cl & 0x000000ff) + __ebx;
														__eflags = __ecx - __esi;
														if(__ecx > __esi) {
															continue;
														} else {
															goto L142;
														}
														goto L200;
													}
													goto L190;
												}
											}
										} else {
											while(1) {
												L135:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L189;
												}
												L136:
												__eax =  *__edi & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__edi & 0x000000ff) << __cl;
												__ecx =  *(__ebp - 0x30);
												__ebx = __ebx - 1;
												__edi = __edi + 1;
												__edx = __edx + __eax;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) & __edx;
												__esi = __esi + 8;
												__eax =  *( *(__ebp - 0x30) + ( *(__ebp - 0x34) & __edx) * 4);
												__eax = __eax >> 8;
												__ecx = __cl & 0x000000ff;
												 *(__ebp - 0xc) = __ebx;
												 *(__ebp - 4) = __edx;
												 *(__ebp - 0x10) = __edi;
												__eflags = __ecx - __esi;
												if(__ecx > __esi) {
													continue;
												} else {
													goto L137;
												}
												goto L200;
											}
											goto L189;
										}
										goto L200;
									case 0xd:
										L146:
										__eax =  *(__ecx + 0x48);
										 *(__ebp - 0x30) = __eax;
										__eflags = __eax;
										if(__eax == 0) {
											L151:
											 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) -  *(__ebp - 0x18);
											__ebx =  *(__ebp - 0xc);
											__eax =  *((intOrPtr*)(__ecx + 0x2c)) -  *(__ebp - 0x18) +  *(__ebp - 0x20);
											__eflags =  *(__ecx + 0x44) -  *((intOrPtr*)(__ecx + 0x2c)) -  *(__ebp - 0x18) +  *(__ebp - 0x20);
											if( *(__ecx + 0x44) <=  *((intOrPtr*)(__ecx + 0x2c)) -  *(__ebp - 0x18) +  *(__ebp - 0x20)) {
												L153:
												 *__ecx = 0x16;
												goto L154;
											} else {
												L152:
												__eax =  *(__ebp - 0x14);
												 *(__eax + 0x18) = "invalid distance too far back";
												L181:
												 *_t597 = 0x1b;
												goto L182;
											}
										} else {
											L147:
											__eflags = __esi - __eax;
											if(__esi >= __eax) {
												L150:
												__ecx =  *(__ebp - 0x30);
												1 = 1 << __cl;
												__ecx =  *(__ebp - 8);
												(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __edx;
												 *((intOrPtr*)( *(__ebp - 8) + 0x44)) =  *((intOrPtr*)( *(__ebp - 8) + 0x44)) + ((0x00000001 << __cl) - 0x00000001 & __edx);
												__ecx =  *(__ebp - 0x30);
												__edx = __edx >> __cl;
												__esi = __esi -  *(__ebp - 0x30);
												__eflags = __esi;
												__ecx =  *(__ebp - 8);
												 *(__ebp - 4) = __edx;
												goto L151;
											} else {
												while(1) {
													L148:
													__eflags = __ebx;
													if(__ebx == 0) {
														goto L189;
													}
													L149:
													__eax =  *__edi & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__edi & 0x000000ff) << __cl;
													__ebx = __ebx - 1;
													__edi = __edi + 1;
													__esi = __esi + 8;
													__edx = __edx + __eax;
													 *(__ebp - 0xc) = __ebx;
													 *(__ebp - 4) = __edx;
													 *(__ebp - 0x10) = __edi;
													__eflags = __esi -  *(__ebp - 0x30);
													if(__esi <  *(__ebp - 0x30)) {
														continue;
													} else {
														goto L150;
													}
													goto L200;
												}
												goto L189;
											}
										}
										goto L200;
									case 0xe:
										L154:
										__eflags =  *(__ebp - 0x18);
										if( *(__ebp - 0x18) == 0) {
											goto L189;
										} else {
											L155:
											 *(__ebp - 0x20) =  *(__ebp - 0x20) -  *(__ebp - 0x18);
											 *(__ebp - 0x34) =  *(__ebp - 0x20) -  *(__ebp - 0x18);
											__eax =  *(__ecx + 0x44);
											__eflags = __eax -  *(__ebp - 0x34);
											if(__eax <=  *(__ebp - 0x34)) {
												L161:
												__ebx =  *(__ebp - 0x1c);
												 *(__ebp - 0x24) =  *(__ebp - 0x1c);
												_t442 = __ebp - 0x24;
												 *_t442 =  *(__ebp - 0x24) - __eax;
												__eflags =  *_t442;
												__eax =  *(__ecx + 0x40);
												 *(__ebp - 0x30) = __eax;
												goto L162;
											} else {
												L156:
												__eax = __eax -  *(__ebp - 0x34);
												__edi =  *(__ecx + 0x30);
												__edx =  *(__ecx + 0x34);
												 *(__ebp - 0x2c) = __eax;
												__eflags = __eax - __edi;
												if(__eax <= __edi) {
													__edx = __edx - __eax;
													__edx = __edx + __edi;
													__eflags = __edx;
												} else {
													__edx = __edx +  *((intOrPtr*)(__ecx + 0x28));
													__eax = __eax - __edi;
													 *(__ebp - 0x2c) = __eax;
													__edx = __edx - __eax;
												}
												__edi =  *(__ecx + 0x40);
												 *(__ebp - 0x24) = __edx;
												 *(__ebp - 0x30) = __edi;
												__eflags = __eax - __edi;
												if(__eax > __edi) {
													L160:
													__eax = __edi;
													L162:
													 *(__ebp - 0x2c) = __eax;
												}
											}
											L163:
											__eax =  *(__ebp - 0x18);
											__edi =  *(__ebp - 0x2c);
											__ebx =  *(__ebp - 0x24);
											__edx =  *(__ebp - 0x1c);
											__eflags = __edi - __eax;
											__edi =  >  ? __eax : __edi;
											 *(__ebp - 0x18) = __eax;
											__eax =  *(__ebp - 0x30);
											__eax =  *(__ebp - 0x30) - __edi;
											 *(__ecx + 0x40) = __eax;
											__ebx =  *(__ebp - 0x24) - __edx;
											do {
												L164:
												__al =  *((intOrPtr*)(__ebx + __edx));
												 *__edx = __al;
												__edx = __edx + 1;
												__edi = __edi - 1;
												__eflags = __edi;
											} while (__edi != 0);
											__eflags =  *(__ecx + 0x40);
											__ebx =  *(__ebp - 0xc);
											__edi =  *(__ebp - 0x10);
											 *(__ebp - 0x1c) = __edx;
											__edx =  *(__ebp - 4);
											if( *(__ecx + 0x40) == 0) {
												 *__ecx = 0x12;
											}
											goto L182;
										}
										goto L200;
									case 0xf:
										L167:
										__eflags =  *(__ebp - 0x18);
										if( *(__ebp - 0x18) == 0) {
											goto L189;
										} else {
											L168:
											__edx =  *(__ebp - 0x1c);
											__al =  *(__ecx + 0x40);
											 *(__ebp - 0x1c) =  *(__ebp - 0x1c) + 1;
											 *(__ebp - 0x18) =  *(__ebp - 0x18) - 1;
											 *( *(__ebp - 0x1c)) = __al;
											__edx =  *(__ebp - 4);
											 *__ecx = 0x12;
											goto L182;
										}
										goto L200;
									case 0x10:
										L169:
										__eflags =  *(__ecx + 8);
										if ( *(__ecx + 8) == 0) goto L186;
										__eflags = __bl & __bh;
										 *__eax =  *__eax + __al;
										_t471 = __ebx + 0x287320fe;
										 *_t471 =  *(__ebx + 0x287320fe) + __al;
										__eflags =  *_t471;
									case 0x11:
										L187:
										 *(__ebp - 0x28) = 1;
										goto L189;
									case 0x12:
										L188:
										 *(__ebp - 0x28) = 0xfffffffd;
										goto L189;
									case 0x13:
										goto L195;
								}
							}
							L183:
							return 0xfffffffe;
							L23:
							if(_t656 >= 3) {
								L27:
								_t630 = _t629 >> 1;
								_t597[1] = _t629 & 0x00000001;
								_t560 = _t630 & 0x00000003;
								if(_t560 > 3) {
									L33:
									_t623 = _t630 >> 2;
									 *(_t663 - 4) = _t623;
									_t656 = _t656 - 3;
								} else {
									L28:
									switch( *((intOrPtr*)(_t560 * 4 +  &M00404778))) {
										case 0:
											L29:
											_t623 = _t630 >> 2;
											 *_t597 = 0xd;
											 *(_t663 - 4) = _t623;
											_t656 = _t656 - 3;
											goto L182;
										case 1:
											L30:
											__eax = E004036C0(__eax, __ebx, __ecx, __edx, __esi);
											__edx = __edx >> 2;
											 *__ecx = 0x12;
											 *(__ebp - 4) = __edx;
											__esi = __esi - 3;
											goto L182;
										case 2:
											L31:
											__edx = __edx >> 2;
											 *__ecx = 0xf;
											 *(__ebp - 4) = __edx;
											__esi = __esi - 3;
											goto L182;
										case 3:
											L32:
											__eax =  *(__ebp - 0x14);
											 *__ecx = 0x1b;
											 *(__eax + 0x18) = "invalid block type";
											goto L33;
									}
								}
								goto L182;
							} else {
								while(1) {
									L24:
									if(_t591 == 0) {
										goto L189;
									}
									L25:
									_t590 = ( *_t649 & 0x000000ff) << _t656;
									_t591 = _t591 - 1;
									_t649 =  &(_t649[1]);
									_t656 = _t656 + 8;
									_t629 = _t629 + _t590;
									 *(_t663 - 0xc) = _t591;
									 *(_t663 - 4) = _t629;
									 *(_t663 - 0x10) = _t649;
									if(_t656 < 3) {
										continue;
									} else {
										L26:
										_t597 =  *(_t663 - 8);
										goto L27;
									}
									goto L200;
								}
								goto L189;
							}
							goto L200;
						}
					}
					L184:
					_t603 =  *(_t663 - 0x14);
					_t603[3] =  *(_t663 - 0x1c);
					_t554 = _t603;
					_t554[4] =  *(_t663 - 0x18);
					_t605 =  *(_t663 - 8);
					_t554[1] = _t591;
					_t605[0xf] = _t656;
					 *_t554 = _t649;
					_t605[0xe] = 0;
					return 2;
				}
			}

0x00403974
0x00403974
0x00403974
0x00403974
0x00403974
0x00403974
0x00403977
0x00000000
0x00000000
0x00000000
0x00403980
0x00403980
0x00403982
0x00000000
0x00000000
0x00403988
0x00403988
0x0040398b
0x0040398d
0x0040398f
0x00403990
0x00403991
0x00403994
0x00403996
0x00403999
0x0040399c
0x004039a2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004039a2
0x0040463b
0x0040463b
0x0040463e
0x0040463e
0x00404644
0x00404647
0x0040464e
0x00404654
0x0040465a
0x0040465d
0x00404660
0x00404663
0x00404665
0x00404668
0x00404673
0x00404677
0x0040467e
0x00000000
0x00404680
0x00404680
0x00404680
0x00404686
0x00404691
0x00404691
0x0040466a
0x0040466a
0x0040466d
0x00404692
0x00404695
0x0040469b
0x0040469e
0x004046a1
0x004046a8
0x004046ac
0x004046b7
0x004046bf
0x004046c2
0x004046c2
0x004046ac
0x004046ca
0x004046d9
0x004046dc
0x004046df
0x004046e1
0x004046ed
0x004046f0
0x004046f7
0x0040466f
0x0040466f
0x00404671
0x00000000
0x00000000
0x00000000
0x00000000
0x00404671
0x0040466d
0x00000000
0x004039a4
0x004039c5
0x004039c8
0x004039cd
0x004039d0
0x004039d5
0x004039d8
0x004039da
0x004039e0
0x004039e0
0x004039e4
0x00000000
0x00000000
0x004039ea
0x004039f0
0x004039f8
0x004039fb
0x004039fe
0x00403a01
0x00403a04
0x00403a07
0x00403a0d
0x00403a0d
0x00403a11
0x00000000
0x00000000
0x00403a13
0x00403a15
0x00403a18
0x00403a1a
0x00403a1c
0x00403a1f
0x00403a22
0x004045d8
0x004045d8
0x004045d8
0x004045dd
0x00000000
0x00000000
0x00403881
0x00403881
0x00000000
0x00403888
0x0040388c
0x00403899
0x00403899
0x0040389c
0x004038c4
0x004038d1
0x004038d6
0x004038d8
0x004038db
0x004038ec
0x004038ec
0x004038f3
0x004038f5
0x00403906
0x00403906
0x0040390e
0x00403911
0x00403914
0x00403917
0x0040391a
0x0040391d
0x0040392e
0x0040393f
0x00403944
0x0040394c
0x0040394f
0x00403960
0x00403962
0x00403964
0x00403967
0x0040396a
0x0040396d
0x0040391f
0x0040391f
0x00403922
0x00000000
0x00403922
0x004038f7
0x004038f7
0x004038fa
0x00000000
0x004038fa
0x004038dd
0x004038dd
0x004038e0
0x00000000
0x004038e0
0x00000000
0x004038a0
0x00000000
0x004038a0
0x004038a0
0x004038a0
0x004038a2
0x00000000
0x00000000
0x004038a8
0x004038ad
0x004038af
0x004038b0
0x004038b1
0x004038b4
0x004038b6
0x004038b9
0x004038bc
0x004038bf
0x004038c2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004038c2
0x00000000
0x004038a0
0x0040388e
0x0040388e
0x00000000
0x0040388e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a0d
0x00403a11
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ad3
0x00403ad3
0x00403ad5
0x00403ad8
0x00403ada
0x00403adc
0x00403adf
0x00403ae2
0x00403b08
0x00403b08
0x00403b0a
0x00403b0c
0x00403b14
0x00403b17
0x00403b1a
0x00403b1c
0x00403b1f
0x00403b30
0x00403b30
0x00403b33
0x00403b35
0x00403b38
0x00403b3b
0x00403b3b
0x00403b3d
0x00000000
0x00403b21
0x00403b21
0x00403b21
0x00403b24
0x00000000
0x00403b24
0x00403ae4
0x00403ae4
0x00403ae4
0x00403ae4
0x00403ae6
0x00000000
0x00000000
0x00403aec
0x00403aec
0x00403aef
0x00403af1
0x00403af3
0x00403af4
0x00403af5
0x00403af8
0x00403afa
0x00403afd
0x00403b00
0x00403b03
0x00403b06
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403b06
0x00000000
0x00403ae4
0x00000000
0x00000000
0x00403b43
0x00403b43
0x00403b46
0x00403b48
0x00000000
0x00403b4e
0x00403b4e
0x00403b4e
0x00403b50
0x00403b53
0x00403b56
0x00403b5a
0x00403b5d
0x00403b5f
0x00000000
0x00403b65
0x00403b65
0x00403b65
0x00403b69
0x00403b6b
0x00403b70
0x00403b73
0x00403b76
0x00403b79
0x00403b7c
0x00403b7f
0x00403b81
0x00403b86
0x00403b89
0x00403b8c
0x00000000
0x00403b8c
0x00403b5f
0x00000000
0x00000000
0x00403b94
0x00403b94
0x00403b97
0x00403bc7
0x00403bc9
0x00403bcc
0x00403bd1
0x00403bd4
0x00403bd9
0x00403bdc
0x00403bdd
0x00403be0
0x00403be5
0x00403be8
0x00403beb
0x00403bee
0x00403bf1
0x00403bf8
0x00403bfb
0x00403bfe
0x00403cfb
0x00403cfb
0x00403cfe
0x00000000
0x00403c04
0x00403c04
0x00403c04
0x00403c08
0x00000000
0x00403c0e
0x00403c0e
0x00403c0e
0x00403c15
0x00000000
0x00403c15
0x00403c08
0x00403ba0
0x00000000
0x00403ba0
0x00403ba0
0x00403ba0
0x00403ba2
0x00000000
0x00000000
0x00403ba8
0x00403ba8
0x00403bab
0x00403bad
0x00403baf
0x00403bb0
0x00403bb1
0x00403bb4
0x00403bb6
0x00403bb9
0x00403bbc
0x00403bbf
0x00403bc2
0x00000000
0x00403bc4
0x00403bc4
0x00403bc4
0x00000000
0x00403bc4
0x00000000
0x00403bc2
0x00000000
0x00403ba0
0x00000000
0x00000000
0x00403c1b
0x00403c1b
0x00403c1e
0x00403c21
0x00403c80
0x00403c80
0x00403c84
0x00403c90
0x00403c90
0x00403c93
0x00403c95
0x00403c9d
0x00403ca2
0x00403ca5
0x00403ca5
0x00403cab
0x00403cab
0x00403cae
0x00403cb4
0x00403cb6
0x00403cb9
0x00403cbc
0x00403cbf
0x00403cc4
0x00403cc5
0x00403cc6
0x00403cc7
0x00403cca
0x00403cd0
0x00403cd2
0x00403cd5
0x00403cd7
0x00403cdc
0x00403cdf
0x00403ce2
0x00403ce5
0x00403ce8
0x00403cea
0x00403d0a
0x00403d0a
0x00403d11
0x00000000
0x00403cec
0x00403cec
0x00403cec
0x00403cef
0x00000000
0x00403cef
0x00403c23
0x00403c23
0x00403c23
0x00403c23
0x00403c26
0x00000000
0x00403c28
0x00403c28
0x00403c28
0x00403c28
0x00403c2a
0x00000000
0x00000000
0x00403c30
0x00403c30
0x00403c33
0x00403c35
0x00403c37
0x00403c38
0x00403c39
0x00403c3c
0x00403c3e
0x00403c41
0x00403c44
0x00403c47
0x00403c4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403c4a
0x00000000
0x00403c28
0x00000000
0x00403c4c
0x00403c4c
0x00403c4f
0x00403c52
0x00403c55
0x00403c57
0x00403c5f
0x00403c62
0x00403c67
0x00403c69
0x00403c6c
0x00403c6f
0x00403c72
0x00403c75
0x00403c78
0x00403c7b
0x00403c7b
0x00000000
0x00403c23
0x00000000
0x00000000
0x00403d17
0x00403d17
0x00403d1a
0x00403d1d
0x00403d20
0x00403d23
0x00403d26
0x00403d29
0x00403f70
0x00403f70
0x00403f73
0x00000000
0x00403f79
0x00403f79
0x00403f79
0x00403f7c
0x00403f82
0x00403f88
0x00403f8a
0x00403f8d
0x00403f90
0x00403f91
0x00403f92
0x00403f93
0x00403f96
0x00403f99
0x00403f9c
0x00403fa1
0x00403fa7
0x00403faa
0x00403faf
0x00403fb2
0x00403fb5
0x00403fb8
0x00403fbb
0x00403fbd
0x00403fef
0x00403fef
0x00403ff2
0x00403ff5
0x00403ff7
0x00403ffa
0x00403ffd
0x00403ffe
0x00403fff
0x00404002
0x00404008
0x0040400e
0x00404011
0x00404016
0x0040401b
0x0040401e
0x00404021
0x00404024
0x00404027
0x00404029
0x0040403a
0x0040403a
0x00000000
0x0040402b
0x0040402b
0x0040402b
0x0040402e
0x00000000
0x0040402e
0x00403fbf
0x00403fbf
0x00403fbf
0x00403fc2
0x00403fc5
0x00000000
0x00403fc5
0x00403fbd
0x00403d30
0x00000000
0x00403d30
0x00403d30
0x00403d30
0x00403d33
0x00403d3a
0x00403d3a
0x00403d3d
0x00403d40
0x00403d43
0x00403d46
0x00403d49
0x00403d4b
0x00403d4e
0x00403d50
0x00403d55
0x00403d58
0x00403d5b
0x00403d5e
0x00403d60
0x00403d9b
0x00403d9d
0x00403da0
0x00403da3
0x00403dfd
0x00403dfd
0x00403e01
0x00403e05
0x00403e6d
0x00403e6d
0x00403e71
0x00403e74
0x00403ec0
0x00403ec0
0x00403ec3
0x00403ec6
0x00403ec8
0x00403ef9
0x00403ef9
0x00403efb
0x00403f02
0x00403f05
0x00403f08
0x00403f0b
0x00403f0b
0x00000000
0x00403ed0
0x00000000
0x00403ed0
0x00403ed0
0x00403ed0
0x00403ed2
0x00000000
0x00000000
0x00403ed8
0x00403ed8
0x00403edb
0x00403edd
0x00403edf
0x00403ee2
0x00403ee3
0x00403ee4
0x00403ee6
0x00403ee9
0x00403eec
0x00403eef
0x00403ef2
0x00403ef5
0x00403ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ef7
0x00000000
0x00403ed0
0x00403e76
0x00403e76
0x00403e76
0x00403e79
0x00403e7c
0x00403e7e
0x00403ea9
0x00403ea9
0x00403eab
0x00403eb2
0x00403eb5
0x00403eb8
0x00403ebb
0x00403f0e
0x00403f0e
0x00403f0e
0x00403f10
0x00000000
0x00403e80
0x00403e80
0x00403e80
0x00403e80
0x00403e82
0x00000000
0x00000000
0x00403e88
0x00403e88
0x00403e8b
0x00403e8d
0x00403e8f
0x00403e92
0x00403e93
0x00403e94
0x00403e96
0x00403e99
0x00403e9c
0x00403e9f
0x00403ea2
0x00403ea5
0x00403ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ea7
0x00000000
0x00403e80
0x00403e7e
0x00403e07
0x00403e07
0x00403e07
0x00403e0a
0x00403e0d
0x00403e10
0x00403e12
0x00403e3d
0x00403e3d
0x00403e40
0x00403e42
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00403fd1
0x00403fd1
0x00403fd4
0x00000000
0x00403e52
0x00403e52
0x00403e52
0x00403e59
0x00403e5c
0x00403e5f
0x00403e62
0x00403e65
0x00403f17
0x00403f17
0x00403f1a
0x00403f1d
0x00403f20
0x00403f23
0x00403f26
0x00403f29
0x00403f2c
0x00403f2f
0x00403f31
0x00403fe0
0x00403fe0
0x00403fe3
0x00000000
0x00403f37
0x00403f37
0x00403f37
0x00403f3a
0x00403f3c
0x00403f3e
0x00403f3e
0x00403f41
0x00403f44
0x00403f44
0x00403f44
0x00403f47
0x00403f4c
0x00403f4f
0x00403f4f
0x00403f4f
0x00403f52
0x00403f55
0x00403f55
0x00403f58
0x00403f58
0x00000000
0x00403f58
0x00403f31
0x00403e14
0x00403e14
0x00403e14
0x00403e14
0x00403e16
0x00000000
0x00000000
0x00403e1c
0x00403e1c
0x00403e1f
0x00403e21
0x00403e23
0x00403e26
0x00403e27
0x00403e28
0x00403e2a
0x00403e2d
0x00403e30
0x00403e33
0x00403e36
0x00403e39
0x00403e3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403e3b
0x00000000
0x00403e14
0x00403e12
0x00403da5
0x00403da5
0x00403da7
0x00403daa
0x00403dad
0x00403db0
0x00403db2
0x00403dd9
0x00403dd9
0x00403ddc
0x00403de3
0x00403de5
0x00403de7
0x00403dea
0x00403def
0x00403df2
0x00403df5
0x00000000
0x00403db4
0x00403db4
0x00403db4
0x00403db4
0x00403db6
0x00000000
0x00000000
0x00403dbc
0x00403dbc
0x00403dbf
0x00403dc1
0x00403dc3
0x00403dc4
0x00403dc5
0x00403dc8
0x00403dcb
0x00403dce
0x00403dd1
0x00403dd4
0x00000000
0x00403dd6
0x00403dd6
0x00403dd6
0x00000000
0x00403dd6
0x00000000
0x00403dd4
0x00000000
0x00403db4
0x00403db2
0x00403d62
0x00403d62
0x00403d62
0x00403d62
0x00403d64
0x00000000
0x00000000
0x00403d6a
0x00403d6a
0x00403d6d
0x00403d6f
0x00403d71
0x00403d74
0x00403d75
0x00403d76
0x00403d7b
0x00403d7d
0x00403d80
0x00403d85
0x00403d88
0x00403d8b
0x00403d8e
0x00403d91
0x00403d94
0x00403d97
0x00403d99
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d99
0x00000000
0x00403d62
0x00000000
0x00403f5b
0x00403f5b
0x00403f5e
0x00403f61
0x00403f64
0x00403f67
0x00403f67
0x00000000
0x00403d30
0x00000000
0x00000000
0x00404040
0x00404040
0x00404043
0x004040a1
0x004040a1
0x004040a9
0x004040ab
0x004040ac
0x004040af
0x004040b2
0x004040b8
0x004040ba
0x004040bd
0x004040c2
0x004040c5
0x004040c8
0x004040ca
0x00404106
0x00404106
0x00404108
0x004041c1
0x004041c1
0x004041c6
0x004041c9
0x004041cc
0x004041ce
0x004041d2
0x004041d5
0x004041d8
0x004041db
0x004041de
0x004041e1
0x004041e3
0x004041f0
0x004041f0
0x004041f2
0x004041ff
0x004041ff
0x00404201
0x00404212
0x00404212
0x00404215
0x00404215
0x00404218
0x0040421b
0x00000000
0x00404203
0x00404203
0x00404203
0x00404206
0x00000000
0x00404206
0x004041f4
0x004041f4
0x004041f4
0x00000000
0x004041f4
0x004041e5
0x004041e5
0x004041e5
0x00000000
0x004041e5
0x0040410e
0x0040410e
0x0040410e
0x00404110
0x00000000
0x00404116
0x00404116
0x00404118
0x0040411b
0x0040411e
0x00404124
0x0040412b
0x0040412d
0x0040412f
0x00404131
0x00404135
0x00404138
0x0040413b
0x0040413d
0x00404140
0x00404142
0x00404147
0x0040414a
0x0040414d
0x00404150
0x00404153
0x00404155
0x00404157
0x004041b4
0x004041b4
0x004041b7
0x004041ba
0x004041bd
0x004041bf
0x004041bf
0x00000000
0x00404160
0x00000000
0x00404160
0x00404160
0x00404160
0x00404163
0x00404165
0x00000000
0x00000000
0x0040416b
0x0040416b
0x0040416f
0x00404172
0x00404175
0x00404177
0x0040417a
0x0040417d
0x00404180
0x00404183
0x0040418a
0x00404191
0x00404193
0x00404195
0x00404199
0x0040419e
0x004041a0
0x004041a3
0x004041a8
0x004041ab
0x004041ae
0x004041b0
0x004041b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004041b2
0x00000000
0x00404160
0x00404157
0x00404110
0x004040d0
0x00000000
0x004040d0
0x004040d0
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d8
0x004040d8
0x004040db
0x004040dd
0x004040df
0x004040e2
0x004040e3
0x004040e4
0x004040e9
0x004040eb
0x004040ee
0x004040f3
0x004040f6
0x004040f9
0x004040fc
0x004040ff
0x00404102
0x00404104
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404104
0x00000000
0x004040d0
0x00404045
0x00404045
0x00404045
0x0040404c
0x00000000
0x0040404e
0x0040404e
0x0040404e
0x00404051
0x00404054
0x00404057
0x00404059
0x0040405c
0x0040405f
0x00404062
0x00404065
0x00404068
0x0040406b
0x0040406d
0x00404070
0x00404072
0x00404079
0x0040407c
0x0040407f
0x00404081
0x00404084
0x00404087
0x0040408a
0x0040408d
0x00404090
0x00404093
0x00404096
0x00404099
0x00000000
0x00404099
0x0040404c
0x00000000
0x00000000
0x00404221
0x00404221
0x00404224
0x00404227
0x00404229
0x00404274
0x00404274
0x00000000
0x0040422b
0x0040422b
0x0040422b
0x0040422d
0x00404254
0x00404254
0x0040425c
0x0040425e
0x00404262
0x00404264
0x00404267
0x0040426a
0x0040426c
0x0040426c
0x0040426e
0x00404271
0x00000000
0x00404230
0x00000000
0x00404230
0x00404230
0x00404230
0x00404232
0x00000000
0x00000000
0x00404238
0x00404238
0x0040423b
0x0040423d
0x0040423f
0x00404240
0x00404241
0x00404244
0x00404246
0x00404249
0x0040424c
0x0040424f
0x00404252
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404252
0x00000000
0x00404230
0x0040422d
0x00000000
0x00000000
0x0040427a
0x0040427a
0x00404282
0x00404284
0x00404285
0x00404288
0x0040428b
0x00404291
0x00404293
0x00404296
0x0040429b
0x0040429e
0x004042a1
0x004042a3
0x004042db
0x004042db
0x004042dd
0x0040438e
0x0040438e
0x00404393
0x00404396
0x00404399
0x0040439b
0x0040439d
0x004043a0
0x004043a2
0x004043b6
0x004043b6
0x004043b9
0x004043bb
0x004043be
0x004043c1
0x004043c4
0x004043c6
0x004043c9
0x004043c9
0x004043cc
0x004043cf
0x00000000
0x004043a4
0x004043a4
0x004043a4
0x004043a7
0x004043aa
0x004045cf
0x004045cf
0x00000000
0x004045cf
0x004042e3
0x004042e3
0x004042e5
0x004042e8
0x004042eb
0x004042f1
0x004042f8
0x004042fa
0x004042fc
0x004042fe
0x00404302
0x00404305
0x00404308
0x0040430a
0x0040430d
0x0040430f
0x00404314
0x00404317
0x0040431a
0x0040431d
0x00404320
0x00404322
0x00404324
0x00404384
0x00404384
0x00404387
0x0040438a
0x0040438c
0x0040438c
0x00000000
0x00404326
0x00404326
0x00404330
0x00404330
0x00404330
0x00404333
0x00404335
0x00000000
0x00000000
0x0040433b
0x0040433b
0x0040433f
0x00404342
0x00404345
0x00404347
0x0040434a
0x0040434d
0x00404350
0x00404353
0x0040435a
0x00404361
0x00404363
0x00404365
0x00404369
0x0040436e
0x00404370
0x00404373
0x00404378
0x0040437b
0x0040437e
0x00404380
0x00404382
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404382
0x00000000
0x00404330
0x00404324
0x004042a5
0x004042a5
0x004042a5
0x004042a5
0x004042a7
0x00000000
0x00000000
0x004042ad
0x004042ad
0x004042b0
0x004042b2
0x004042b4
0x004042b7
0x004042b8
0x004042b9
0x004042be
0x004042c0
0x004042c3
0x004042c8
0x004042cb
0x004042ce
0x004042d1
0x004042d4
0x004042d7
0x004042d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004042d9
0x00000000
0x004042a5
0x00000000
0x00000000
0x004043d5
0x004043d5
0x004043d8
0x004043db
0x004043dd
0x00404427
0x0040442a
0x0040442d
0x00404430
0x00404433
0x00404436
0x00404447
0x00404447
0x00000000
0x00404438
0x00404438
0x00404438
0x0040443b
0x004045d2
0x004045d2
0x00000000
0x004045d2
0x004043df
0x004043df
0x004043df
0x004043e1
0x00404407
0x00404407
0x0040440f
0x00404411
0x00404415
0x00404417
0x0040441a
0x0040441d
0x0040441f
0x0040441f
0x00404421
0x00404424
0x00000000
0x004043e3
0x004043e3
0x004043e3
0x004043e3
0x004043e5
0x00000000
0x00000000
0x004043eb
0x004043eb
0x004043ee
0x004043f0
0x004043f2
0x004043f3
0x004043f4
0x004043f7
0x004043f9
0x004043fc
0x004043ff
0x00404402
0x00404405
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404405
0x00000000
0x004043e3
0x004043e1
0x00000000
0x00000000
0x0040444d
0x0040444d
0x00404451
0x00000000
0x00404457
0x00404457
0x0040445a
0x0040445d
0x00404460
0x00404463
0x00404466
0x00404499
0x00404499
0x0040449c
0x0040449f
0x0040449f
0x0040449f
0x004044a2
0x004044a5
0x00000000
0x00404468
0x00404468
0x00404468
0x0040446b
0x0040446e
0x00404471
0x00404474
0x00404476
0x00404484
0x00404486
0x00404486
0x00404478
0x00404478
0x0040447b
0x0040447d
0x00404480
0x00404480
0x00404488
0x0040448b
0x0040448e
0x00404491
0x00404493
0x00404495
0x00404495
0x004044a8
0x004044a8
0x004044a8
0x00404493
0x004044ab
0x004044ab
0x004044ae
0x004044b1
0x004044b4
0x004044b7
0x004044b9
0x004044be
0x004044c1
0x004044c4
0x004044c6
0x004044c9
0x004044d0
0x004044d0
0x004044d0
0x004044d3
0x004044d5
0x004044d6
0x004044d6
0x004044d6
0x004044d9
0x004044dd
0x004044e0
0x004044e3
0x004044e6
0x004044e9
0x004044ef
0x004044ef
0x00000000
0x004044e9
0x00000000
0x00000000
0x004044fa
0x004044fa
0x004044fe
0x00000000
0x00404504
0x00404504
0x00404504
0x00404507
0x0040450a
0x0040450d
0x00404510
0x00404512
0x00404515
0x00000000
0x00404515
0x00000000
0x00000000
0x00404520
0x00404520
0x00404524
0x00404525
0x00404527
0x00404529
0x00404529
0x00404529
0x00000000
0x0040462b
0x0040462b
0x00000000
0x00000000
0x00404634
0x00404634
0x00000000
0x00000000
0x00000000
0x00000000
0x00403881
0x004045e3
0x004045ee
0x00403a2d
0x00403a30
0x00403a59
0x00403a5e
0x00403a60
0x00403a65
0x00403a6b
0x00403ac5
0x00403ac5
0x00403ac8
0x00403acb
0x00403a6d
0x00403a6d
0x00403a6d
0x00000000
0x00403a74
0x00403a74
0x00403a77
0x00403a7d
0x00403a80
0x00000000
0x00000000
0x00403a88
0x00403a88
0x00403a8d
0x00403a90
0x00403a96
0x00403a99
0x00000000
0x00000000
0x00403aa1
0x00403aa1
0x00403aa4
0x00403aaa
0x00403aad
0x00000000
0x00000000
0x00403ab5
0x00403ab5
0x00403ab8
0x00403abe
0x00000000
0x00000000
0x00403a6d
0x00000000
0x00403a32
0x00403a32
0x00403a32
0x00403a34
0x00000000
0x00000000
0x00403a3a
0x00403a3f
0x00403a41
0x00403a42
0x00403a43
0x00403a46
0x00403a48
0x00403a4b
0x00403a4e
0x00403a54
0x00000000
0x00403a56
0x00403a56
0x00403a56
0x00000000
0x00403a56
0x00000000
0x00403a54
0x00000000
0x00403a32
0x00000000
0x00403a30
0x00403a0d
0x004045ef
0x004045ef
0x004045f5
0x004045f8
0x004045fd
0x00404600
0x00404603
0x00404606
0x0040460a
0x0040460d
0x00404619
0x00404619

Strings

invalid block type, xrefs: 00403ABE

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID:
String ID: invalid block type
API String ID: 0-1830746294
Opcode ID: 2ae76322a9efe12c47e30940beb557ac9b6270af4e148019d7181082ee8deb67
Instruction ID: 91bcb03943487b263922ce39baefe144686bb8b604b193b9dd02dd3d4e9ceb1a
Opcode Fuzzy Hash: 2ae76322a9efe12c47e30940beb557ac9b6270af4e148019d7181082ee8deb67
Instruction Fuzzy Hash: 80516FF1E002159BCB18CF59C9802ADBBF1FF89314F2581BAC959A7381D7798A42DB85

Uniqueness

Uniqueness Score: -1.00%

Function 004031ED, Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 181
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E004031ED(void** __ecx) {
				void* _v8;
				void** _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				wchar_t* _t31;
				signed int _t33;
				void* _t39;
				void* _t43;
				intOrPtr _t53;
				WCHAR* _t72;
				void* _t74;
				void* _t80;
				void* _t83;
				int _t91;
				void* _t92;
				wchar_t* _t94;
				void* _t95;
				intOrPtr* _t97;

				_v12 = __ecx;
				_t94 = wcsstr(GetCommandLineW(), L" /ElevatedInjectInfo=");
				if(_t94 != 0) {
					_t95 = _t94 + 0x2a;
					_t31 = wcschr(_t95, 0x20);
					_pop(_t80);
					if(_t31 != 0) {
						_t33 = _t31 - _t95 >> 1;
						if(_t33 >= 2) {
							_t91 = _t33 + _t33;
							_t3 = _t91 + 2; // 0x74b049f2
							_t72 = HeapAlloc(GetProcessHeap(), 0, _t3);
							_v28 = _t72;
							if(_t72 != 0) {
								memcpy(_t72, _t95, _t91);
								 *((short*)(_t72 + _t91)) = 0;
								_t39 = OpenFileMappingW(4, 0, _t72);
								_v24 = _t39;
								if(_t39 != 0) {
									_t74 = MapViewOfFile(_t39, 4, 0, 0, 0);
									if(_t74 != 0) {
										memcpy(_v12, _t74, 0x20);
										_t92 = E0040342C(_t80);
										_v20 = _t92;
										if(_t92 == 0) {
											L9:
											_t43 = 0;
											L10:
											return _t43;
										}
										_v8 =  *((intOrPtr*)(_t74 + 0x20));
										_v12 =  &(_v12[6]);
										if(E004033DB(_t92,  &(_v12[6])) == 0 || E004033DB(_t92,  &_v8) == 0) {
											goto L9;
										} else {
											_t83 = MapViewOfFile( *_v12, 2, 0, 0, 0);
											_v12 = _t83;
											if(_t83 != 0) {
												_t17 = _t74 + 0x28; // 0x28
												_t97 = _t17;
												_t53 = _t97 +  *(_t74 + 0x24) * 4;
												_v16 = _t53;
												if(_t97 == _t53) {
													L25:
													if(SetEvent(_v8) != 0) {
														UnmapViewOfFile(_v12);
														CloseHandle(_v8);
														CloseHandle(_v20);
														UnmapViewOfFile(_t74);
														CloseHandle(_v24);
														HeapFree(GetProcessHeap(), 0, _v28);
														_t43 = 1;
														goto L10;
													}
													_push(_t83);
													_push(L"0x0068: ");
													L14:
													E004024AA();
													_push(GetLastError());
													E00402443(0x406048);
													goto L9;
												}
												while(E004033DB(_t92,  *_t97 + _t83) != 0) {
													_t83 = _v12;
													_t97 = _t97 + 4;
													if(_t97 != _v16) {
														continue;
													}
													goto L25;
												}
												goto L9;
											}
											_push(_t83);
											_push(L"0x0066: ");
											goto L14;
										}
									}
									_push(_t80);
									_push(L"0x0061: ");
									goto L14;
								}
								_push(_t80);
								_push(L"0x0060: ");
								goto L14;
							}
							_push(_t80);
							E004024AA(L"0x0059: ");
							goto L9;
						}
						_push(_t80);
						E004024AA(L"0x0056: ");
						_push(_t80);
						_push(GetCommandLineW());
						L4:
						E004024AA();
						goto L1;
					}
					_push(_t80);
					_push(L"0x0058: ");
					goto L4;
				}
				L1:
				return 0;
			}

0x00403200
0x0040320c
0x00403212
0x00403218
0x0040321e
0x00403225
0x00403228
0x00403239
0x0040323e
0x00403251
0x00403255
0x00403268
0x0040326a
0x0040326f
0x00403286
0x00403292
0x0040329b
0x004032a1
0x004032a6
0x004032d6
0x004032da
0x004032ea
0x004032f8
0x004032fa
0x004032ff
0x0040327c
0x0040327c
0x0040327e
0x00000000
0x0040327e
0x00403308
0x00403315
0x0040331f
0x00000000
0x00403337
0x00403345
0x00403347
0x0040334c
0x0040335c
0x0040335c
0x0040335f
0x00403362
0x00403367
0x00403387
0x00403392
0x004033a8
0x004033b3
0x004033b8
0x004033bb
0x004033c0
0x004033ce
0x004033d4
0x00000000
0x004033d4
0x00403394
0x00403395
0x004032ae
0x004032ae
0x004032bb
0x004032c1
0x00000000
0x004032c1
0x00403369
0x0040337c
0x0040337f
0x00403385
0x00000000
0x00000000
0x00000000
0x00403385
0x00000000
0x00403369
0x0040334e
0x0040334f
0x00000000
0x0040334f
0x0040331f
0x004032dc
0x004032dd
0x00000000
0x004032dd
0x004032a8
0x004032a9
0x00000000
0x004032a9
0x00403271
0x00403277
0x00000000
0x00403277
0x00403240
0x00403246
0x0040324b
0x0040324e
0x00403230
0x00403230
0x00000000
0x00403230
0x0040322a
0x0040322b
0x00000000
0x0040322b
0x00403214
0x00000000

APIs

GetCommandLineW.KERNEL32( /ElevatedInjectInfo=,74B049F0,00000FE0), ref: 00403203
wcsstr.NTDLL ref: 00403206
wcschr.NTDLL ref: 0040321E
GetCommandLineW.KERNEL32(?,0x0056: ), ref: 0040324C

Part of subcall function 004033DB: DuplicateHandle.KERNEL32(00000000,?,000000FF,0040331D,00000000,00000000,00000002,74B05910,00000000,?,0040331D), ref: 004033F6
Part of subcall function 004033DB: GetLastError.KERNEL32(0000000A,0x0057: ,?,?,0040331D), ref: 0040340D

GetProcessHeap.KERNEL32(00000000,74B049F2,00000000), ref: 0040325B
HeapAlloc.KERNEL32(00000000), ref: 00403262
memcpy.NTDLL(00000000,-0000002A,74B049F0), ref: 00403286
OpenFileMappingW.KERNEL32(00000004,00000000,00000000), ref: 0040329B
GetLastError.KERNEL32(0000000A,0x0068: ), ref: 004032B5
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 004032D4
memcpy.NTDLL(?,00000000,00000020), ref: 004032EA
MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000), ref: 00403343

Part of subcall function 004024AA: memcpy.NTDLL(00000070,?,?,?,00000000,?,004031AC,Z2: ,?,00000003), ref: 004024CD

SetEvent.KERNEL32(?), ref: 0040338A
UnmapViewOfFile.KERNEL32(?), ref: 004033A8
CloseHandle.KERNEL32(?), ref: 004033B3
CloseHandle.KERNEL32(?), ref: 004033B8
UnmapViewOfFile.KERNEL32(00000000), ref: 004033BB
CloseHandle.KERNEL32(?), ref: 004033C0
GetProcessHeap.KERNEL32(00000000,?), ref: 004033C7
HeapFree.KERNEL32(00000000), ref: 004033CE

Strings

0x0068: , xrefs: 00403395
0x0059: , xrefs: 00403272
0x0066: , xrefs: 0040334F
0x0056: , xrefs: 00403241
0x0060: , xrefs: 004032A9
0x0061: , xrefs: 004032DD
/ElevatedInjectInfo=, xrefs: 004031FB
There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00, xrefs: 004032BC
0x0058: , xrefs: 0040322B

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID: File$HandleHeapView$Closememcpy$CommandErrorLastLineProcessUnmap$AllocDuplicateEventFreeMappingOpenwcschrwcsstr
String ID: /ElevatedInjectInfo=$0x0056: $0x0058: $0x0059: $0x0060: $0x0061: $0x0066: $0x0068: $There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00
API String ID: 3949497227-1963054280
Opcode ID: 41eb43bb2be901fb216f4cacd689767307627a8c72661448e258dec9ecbe8561
Instruction ID: 2cbe89a269ea39e37b6f695197c157fffe9ad396355e0edaa40d8d2b0621fd99
Opcode Fuzzy Hash: 41eb43bb2be901fb216f4cacd689767307627a8c72661448e258dec9ecbe8561
Instruction Fuzzy Hash: 7F51A471A00205BFDF10AFA59D89EAE7F6CEF44355B1100BBF905F32E1DA789E018669

Uniqueness

Uniqueness Score: -1.00%

Function 004033DB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E004033DB(void* __ecx, void** __edx) {
				void* _v8;
				void* _t3;
				void* _t10;
				intOrPtr* _t14;

				_t10 = __ecx;
				_push(__ecx);
				_t14 = __edx;
				if( *__edx == 0) {
					L4:
					_t3 = 1;
				} else {
					if(DuplicateHandle(__ecx,  *__edx, 0xffffffff,  &_v8, 0, 0, 2) != 0) {
						 *_t14 = _v8;
						goto L4;
					} else {
						_push(_t10);
						E004024AA(L"0x0057: ");
						E00402443(0x406048, GetLastError(), 0xa);
						_t3 = 0;
					}
				}
				return _t3;
			}

0x004033db
0x004033de
0x004033e0
0x004033e5
0x00403427
0x00403427
0x004033e7
0x004033fe
0x00403425
0x00000000
0x00403400
0x00403400
0x00403406
0x00403419
0x0040341e
0x0040341e
0x004033fe
0x0040342b

APIs

DuplicateHandle.KERNEL32(00000000,?,000000FF,0040331D,00000000,00000000,00000002,74B05910,00000000,?,0040331D), ref: 004033F6

Part of subcall function 004024AA: memcpy.NTDLL(00000070,?,?,?,00000000,?,004031AC,Z2: ,?,00000003), ref: 004024CD

GetLastError.KERNEL32(0000000A,0x0057: ,?,?,0040331D), ref: 0040340D

Strings

0x0057: , xrefs: 00403401
There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00, xrefs: 00403414

Memory Dump Source

Source File: 00000000.00000002.485475697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.485462442.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.485493918.0000000000406000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.485502615.0000000000407000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PmsDView.jbxd

Similarity

API ID: DuplicateErrorHandleLastmemcpy
String ID: 0x0057: $There has been an error starting this application. Error code: \\?\C:\Users\user\Desktop\PmsDView.exe, 0x00E00
API String ID: 4027704721-567715684
Opcode ID: 1c7225a1ba2e4806dbcdd2eba81828e27677a186352f5816f534a36b40fac6fc
Instruction ID: 84322d48e465d312346d6f746afdc6a0d520e98d9552e560a36eee5a9e469d0c
Opcode Fuzzy Hash: 1c7225a1ba2e4806dbcdd2eba81828e27677a186352f5816f534a36b40fac6fc
Instruction Fuzzy Hash: 56F0A770240200BBE7109FA5DD06FA636DCDB09711F60457AF541F62D1D6B89D409769

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PmsDView.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: PmsDView.exe PID: 4852 Parent PID: 5540

General

File Activities

File Opened

File Read

File Attributes Queried

Volume Information Queried

Device IO

Section Activities