Edit tour

Windows Analysis Report
AdobePhotoshop.exe

Overview

General Information

Sample Name:	AdobePhotoshop.exe
Analysis ID:	831162
MD5:	bedbec22f0ae7c2548ce8fd07bfb04ef
SHA1:	753a2ca15710cf7ec16b59abc768a459f451e8e3
SHA256:	797bd80d43c4ef7ab8fde178ca551ad2f9141ca3552ce42c8e96ccc95dc6d3bb
Tags:	exefakeloaderstealer
Infos:

Detection

Score:	12
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Obfuscated command line found

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

Drops PE files

PE file contains sections with non-standard names

Detected potential crypto function

PE / OLE file has an invalid certificate

Found dropped PE file which has not been started or loaded

Uses Microsoft's Enhanced Cryptographic Provider

PE file contains executable resources (Code or Archives)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

AdobePhotoshop.exe (PID: 6108 cmdline: C:\Users\user\Desktop\AdobePhotoshop.exe MD5: BEDBEC22F0AE7C2548CE8FD07BFB04EF)

AdobePhotoshop.tmp (PID: 6088 cmdline: "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe" MD5: C35E48F7A65E98E6DDC5C270B899FF35)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 1.2.AdobePhotoshop.tmp.36f9ed0.1.unpack

Avira: Label: TR/Patched.Ren.Gen3

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Code function: 1_2_10001000 ISCryptGetVersion,		1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Code function: 1_2_10001130 ArcFourCrypt,		1_2_10001130

Source: AdobePhotoshop.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: AdobePhotoshop.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517028042.00000000034E3000.00000002.00000001.01000000.00000007.sdmp, _isdecmp.dll.1.dr
Source:	Binary string: ISADMINLOGGEDONRelease\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp

Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.usertru
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002378000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247193947.0000000002680000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000003.251571715.0000000003470000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.514556832.00000000024A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.haysoft.org%1-k
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://jrsoftware.org/
Source: AdobePhotoshop.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://jrsoftware.org0
Source: AdobePhotoshop.exe, AdobePhotoshop.tmp.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS05
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: AdobePhotoshop.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: AdobePhotoshop.exe, 00000000.00000000.246912093.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FE75000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000003.247627651.00000000028A9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002448000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe	Binary or memory string: OriginalFileName vs AdobePhotoshop.exe

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Code function: 1_2_034E1260		1_2_034E1260
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Code function: 1_2_034E1D20		1_2_034E1D20

Source: AdobePhotoshop.exe

Static PE information: invalid certificate

Source: AdobePhotoshop.tmp.0.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: C:\Users\user\Desktop\AdobePhotoshop.exe

File read: C:\Users\user\Desktop\AdobePhotoshop.exe

Jump to behavior

Source: C:\Users\user\Desktop\AdobePhotoshop.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\AdobePhotoshop.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\AdobePhotoshop.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AdobePhotoshop.exe C:\Users\user\Desktop\AdobePhotoshop.exe
Source: C:\Users\user\Desktop\AdobePhotoshop.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
Source: C:\Users\user\Desktop\AdobePhotoshop.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\AdobePhotoshop.exe

File created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp

Jump to behavior

Source: AdobePhotoshop.exe

String found in binary or memory: /LOADINF="filename"

Source: classification engine

Classification label: clean12.winEXE@3/4@0/0

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Automated click: OK

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: AdobePhotoshop.exe

Static file information: File size 1894312 > 1048576

Source: AdobePhotoshop.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517028042.00000000034E3000.00000002.00000001.01000000.00000007.sdmp, _isdecmp.dll.1.dr
Source:	Binary string: ISADMINLOGGEDONRelease\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Users\user\Desktop\AdobePhotoshop.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
Source: C:\Users\user\Desktop\AdobePhotoshop.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"			Jump to behavior

Source: AdobePhotoshop.exe	Static PE information: section name: .didata
Source: AdobePhotoshop.tmp.0.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AdobePhotoshop.exe	File created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll	Jump to dropped file

Source: C:\Users\user\Desktop\AdobePhotoshop.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

Code function: 1_2_10001000 ISCryptGetVersion,

1_2_10001000

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	2 System Owner/User Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Software Packing	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AdobePhotoshop.exe	3%	ReversingLabs	Win32.PUA.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.AdobePhotoshop.tmp.36f9ed0.1.unpack	100%	Avira	TR/Patched.Ren.Gen3		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.haysoft.org%1-k	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://cscasha2.ocsp-certum.com04	0%	URL Reputation	safe
https://sectigo.com/CPS05	0%	Avira URL Cloud	safe
https://jrsoftware.org0	0%	Avira URL Cloud	safe
http://ocsp.usertru	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.haysoft.org%1-k	AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002378000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247193947.0000000002680000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000003.251571715.0000000003470000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.514556832.00000000024A0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr	false	URL Reputation: safe	unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	AdobePhotoshop.exe	false		high
https://sectigo.com/CPS0	AdobePhotoshop.exe, AdobePhotoshop.tmp.0.dr	false	URL Reputation: safe	unknown
http://repository.certum.pl/ctnca.cer09	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false		high
http://repository.certum.pl/cscasha2.cer0	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false		high
http://ocsp.sectigo.com0	AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false		high
https://www.remobjects.com/ps	AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	URL Reputation: safe	unknown
https://www.innosetup.com/	AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr	false	URL Reputation: safe	unknown
http://ocsp.usertru	AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	URL Reputation: safe	unknown
https://jrsoftware.org0	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org/	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false		high
https://www.certum.pl/CPS0	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false		high
http://crl.certum.pl/cscasha2.crl0q	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false		high
http://www.certum.pl/CPS0	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false		high
https://sectigo.com/CPS05	AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/cscasha	AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cscasha2.ocsp-certum.com04	AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831162
Start date and time:	2023-03-21 07:13:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	AdobePhotoshop.exe
Detection:	CLEAN
Classification:	clean12.winEXE@3/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 90% (good quality ratio 90%) Quality average: 91.5% Quality standard deviation: 16.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Execution Graph export aborted for target AdobePhotoshop.tmp, PID 6088 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: AdobePhotoshop.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll	file.exe	Get hash	malicious	CryptbotV2, MinerDownloader, RedLine, Stealc, Vidar, Xmrig	Browse
	Kn427RgPkj.exe	Get hash	malicious	Cryptbot, RedLine, Stealc, Xmrig	Browse
	BcA8ccoV3k.exe	Get hash	malicious	Nymaim	Browse
	7rSoC1BfML.exe	Get hash	malicious	Amadey, Nymaim, RedLine, SmokeLoader, Stealc, Vidar	Browse
	ZU2R3FIRKH.exe	Get hash	malicious	Nymaim	Browse
	OG2sHQDClg.exe	Get hash	malicious	Nymaim	Browse
	CHK3ZfSC9j.exe	Get hash	malicious	Nymaim	Browse
	file.exe	Get hash	malicious	Nymaim	Browse
	file.exe	Get hash	malicious	Cryptbot, MinerDownloader, RedLine, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Nymaim	Browse
	file.exe	Get hash	malicious	Nymaim	Browse
	file.exe	Get hash	malicious	Nymaim	Browse
	vL0e7nwV98.exe	Get hash	malicious	PrivateLoader, RedLine	Browse
	zAtOGFlwK5.exe	Get hash	malicious	Nymaim, PrivateLoader, RHADAMANTHYS, RedLine, lgoogLoader	Browse
	1AhgFWU7ZJ.exe	Get hash	malicious	Nymaim	Browse
	file.exe	Get hash	malicious	Nymaim	Browse
	file.exe	Get hash	malicious	Nymaim	Browse
	file.exe	Get hash	malicious	Nymaim	Browse
	JdyjkX3Cvq.exe	Get hash	malicious	Nymaim	Browse
	fZQ29wFmJi.exe	Get hash	malicious	Nymaim	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

Download File

Process:	C:\Users\user\Desktop\AdobePhotoshop.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3248832
Entropy (8bit):	6.374526695886884
Encrypted:	false
SSDEEP:	49152:Zdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjc333vw:qHDYsqiPRhINnq95FoHVBc333o
MD5:	C35E48F7A65E98E6DDC5C270B899FF35
SHA1:	614A308DB5B47D12AB9E3E457C342767BCCEE14B
SHA-256:	0C36B4BB44A2F95A6B1B43549891E40C54E29A89EF0570A7EF9E60A5CD4B48DF
SHA-512:	2A1686B3B26D997B777B21E8F50BE109492616FFB47AEBFC96ED20095F3BF7970D1D8D403FF4301BDFC63E239F034A9107F91577C7406C1641397E550F3752AA
Malicious:	true
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,..6......`V,......`,...@..........................`2.......2...@......@....................-.......-..9.......Y...........\|1.......................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc....Y.......Z..."-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: Kn427RgPkj.exe, Detection: malicious, Browse Filename: BcA8ccoV3k.exe, Detection: malicious, Browse Filename: 7rSoC1BfML.exe, Detection: malicious, Browse Filename: ZU2R3FIRKH.exe, Detection: malicious, Browse Filename: OG2sHQDClg.exe, Detection: malicious, Browse Filename: CHK3ZfSC9j.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: vL0e7nwV98.exe, Detection: malicious, Browse Filename: zAtOGFlwK5.exe, Detection: malicious, Browse Filename: 1AhgFWU7ZJ.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JdyjkX3Cvq.exe, Detection: malicious, Browse Filename: fZQ29wFmJi.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.470929133092286
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	AdobePhotoshop.exe
File size:	1894312
MD5:	bedbec22f0ae7c2548ce8fd07bfb04ef
SHA1:	753a2ca15710cf7ec16b59abc768a459f451e8e3
SHA256:	797bd80d43c4ef7ab8fde178ca551ad2f9141ca3552ce42c8e96ccc95dc6d3bb
SHA512:	d5498ddbd92e9a80b077119424d51ff4d830a60f5aee868c0d339618eaa104e448281b9ba484a8bd1f18d89ec31ba1862bd89e1e93a4508f4a797475d7e5d3b6
SSDEEP:	24576:Z7FUDowAyrTVE3U5FTd8w8cfRenhAb9hRZaOyKMG0NDU+ExFYG6i5NwImxgYxhvc:ZBuZrEU+/cz9nZ5wDPEzY3ONdmxRbLI
TLSH:	A1959E3BB268653FC46A463F2572933099F7AA51E41E8C1A87E014CCCFE5460DE3B69D
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	c498d8eccce49a44

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6258476F [Thu Apr 14 16:10:23 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	e569e6f445d32ba23766ad67d1e3787f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Hamill.net
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	3/20/2023 7:42:06 PM 3/20/2024 8:02:06 PM
Subject Chain	CN=Hamill.net
Version:	3
Thumbprint MD5:	D33C0CAD0E7BE3F644996784264BD732
Thumbprint SHA-1:	4BDBA3CCF708FE9787D56A496E725A699CCC587A
Thumbprint SHA-256:	BA71AEB053FBE5C0AFDC7D4381E32648A4C7D8F6A1C94296DBD8E6091EF5764F
Serial:	1167B047543881B048A6BA84E2A7B95C

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B14B8h
call 00007F2E0CC92635h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F2E0CD35127h
call 00007F2E0CD34C7Ah
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F2E0CCA80D4h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F2E0CC8D227h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004238ECh]
call 00007F2E0CCA9257h
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F2E0CD351AFh
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F2E0CD3B3CAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F2E0CCA9B4Ch
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xfdc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x23ddc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1cd0e8	0x16c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22f4	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb39e4	0xb3a00	False	0.34525867693110646	data	6.357635049994181	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.54443359375	data	5.971425428435973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.36097935267857145	data	5.048648594372454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xfdc	0x1000	False	0.3798828125	data	5.029087481102678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.7509822285969876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.877162954504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x23ddc	0x23e00	False	0.3133302482578397	data	5.150053503198692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc75b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0xc7a20	0x9b8	Device independent bitmap graphic, 24 x 48 x 32, image size 2448	English	United States
RT_ICON	0xc83d8	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States
RT_ICON	0xc9500	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States
RT_ICON	0xcbb68	0x4428	Device independent bitmap graphic, 64 x 128 x 32, image size 17408	English	United States
RT_ICON	0xcff90	0x5638	Device independent bitmap graphic, 72 x 144 x 32, image size 22032	English	United States
RT_ICON	0xd55c8	0x9928	Device independent bitmap graphic, 96 x 192 x 32, image size 39168	English	United States
RT_ICON	0xdeef0	0x17b5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xe06a8	0x775a	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States
RT_STRING	0xe7e04	0x360	data
RT_STRING	0xe8164	0x260	data
RT_STRING	0xe83c4	0x45c	data
RT_STRING	0xe8820	0x40c	data
RT_STRING	0xe8c2c	0x2d4	data
RT_STRING	0xe8f00	0xb8	data
RT_STRING	0xe8fb8	0x9c	data
RT_STRING	0xe9054	0x374	data
RT_STRING	0xe93c8	0x398	data
RT_STRING	0xe9760	0x368	data
RT_STRING	0xe9ac8	0x2a4	data
RT_RCDATA	0xe9d6c	0x10	data
RT_RCDATA	0xe9d7c	0x2c4	data
RT_RCDATA	0xea040	0x2c	data
RT_GROUP_ICON	0xea06c	0x84	data	English	United States
RT_VERSION	0xea0f0	0x584	data	English	United States
RT_MANIFEST	0xea674	0x765	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4541a8
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: AdobePhotoshop.exePID: 6108, Parent PID: 3452

General

Target ID:	0
Start time:	07:14:03
Start date:	21/03/2023
Path:	C:\Users\user\Desktop\AdobePhotoshop.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\AdobePhotoshop.exe
Imagebase:	0x400000
File size:	1894312 bytes
MD5 hash:	BEDBEC22F0AE7C2548CE8FD07BFB04EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: AdobePhotoshop.tmpPID: 6088, Parent PID: 6108

General

Target ID:	1
Start time:	07:14:04
Start date:	21/03/2023
Path:	C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
Imagebase:	0x400000
File size:	3248832 bytes
MD5 hash:	C35E48F7A65E98E6DDC5C270B899FF35
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: AdobePhotoshop.tmpPID: 6088, Parent PID: 6108COMMON

Non-executed Functions

Function 034E1D20 Relevance: 10.8, Strings: 8, Instructions: 796
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E034E1D20(signed int* __ebx, unsigned int __edx, void* __edi, signed char* __esi) {
				signed int _t485;
				signed char** _t503;
				void* _t506;
				void* _t512;
				signed int _t515;
				signed char** _t517;
				signed int _t521;
				void* _t524;
				signed int _t685;
				signed int* _t686;
				signed int _t847;
				unsigned int _t849;
				signed int _t850;
				signed int _t851;
				void* _t868;
				signed int _t885;
				void* _t886;
				void* _t889;
				signed char* _t893;
				signed char** _t895;
				signed int _t899;
				void* _t902;
				void* _t906;

				L0:
				while(1) {
					L0:
					_t893 = __esi;
					_t886 = __edi;
					_t849 = __edx;
					_t686 = __ebx;
					if(_t899 >= 0xe) {
						goto L50;
					} else {
						goto L48;
					}
					while(1) {
						L48:
						if(__edi == 0) {
							break;
						}
						L49:
						__eax =  *__esi & 0x000000ff;
						__eax = ( *__esi & 0x000000ff) << __cl;
						__edi = __edi - 1;
						__ebp = __ebp + 8;
						 *(__esp + 0x18) = __edi;
						__edx = __edx + __eax;
						__esi = __esi + 1;
						 *(__esp + 0x14) = __esi;
						if(__ebp < 0xe) {
							continue;
						} else {
							goto L50;
						}
						L202:
					}
					L187:
					_t503 =  *(_t906 + 0x48);
					_t503[3] =  *(_t906 + 0x24);
					_t503[4] =  *(_t906 + 0x1c);
					 *_t503 = _t893;
					_t503[1] = _t886;
					_t686[0xe] = _t849;
					_t686[0xf] = _t899;
					if(_t686[0xa] != 0) {
						L190:
						_push( *(_t906 + 0x48));
						_t506 = E034E1810( *((intOrPtr*)(_t906 + 0x28)));
						if(_t506 == 0) {
							goto L193;
						} else {
							L191:
							 *_t686 = 0x1c;
							L192:
							return 0xfffffffc;
						}
					} else {
						L188:
						if( *_t686 >= 0x18) {
							L193:
							_t895 =  *(_t906 + 0x48);
							_t902 =  *((intOrPtr*)(_t906 + 0x38)) - _t895[1];
							_t889 =  *((intOrPtr*)(_t906 + 0x28)) - _t895[4];
							_t895[2] =  &(_t895[2][_t902]);
							_t895[5] =  &(_t895[5][_t889]);
							_t686[7] = _t889 + _t686[7];
							if(_t686[2] != 0) {
								if(_t889 != 0) {
									_push(_t889);
									_t868 = _t895[3] - _t889;
									_push(_t868);
									_push(_t686[6]);
									_t515 = E034E1000();
									_t686[6] = _t515;
									_t895[0xc] = _t515;
								}
							}
							asm("sbb ecx, ecx");
							 *_t686 - 0xb = _t902;
							_t895[0xb] = ( ~(_t686[1]) & 0x00000040) + ((0 |  *_t686 != 0x0000000b) - 0x00000001 & 0x00000080) + _t686[0xf];
							if(_t902 != 0) {
								L198:
								if( *((intOrPtr*)(_t906 + 0x4c)) != 4) {
									L201:
									return  *(_t906 + 0x2c);
								} else {
									goto L199;
								}
							} else {
								L197:
								if(_t889 == 0) {
									L199:
									_t512 =  *(_t906 + 0x2c);
									if(_t512 != 0) {
										L181:
										return _t512;
									} else {
										L200:
										return 0xfffffffb;
									}
								} else {
									goto L198;
								}
							}
						} else {
							L189:
							_t517 =  *(_t906 + 0x48);
							if( *((intOrPtr*)(_t906 + 0x28)) == _t517[4]) {
								goto L193;
							} else {
								goto L190;
							}
						}
					}
					goto L202;
					L50:
					_t850 = _t849 >> 5;
					_t686[0x18] = (_t849 & 0x0000001f) + 0x101;
					_t851 = _t850 >> 5;
					_t686[0x19] = (_t850 & 0x0000001f) + 1;
					_t849 = _t851 >> 4;
					_t899 = _t899 - 0xe;
					_t686[0x17] = (_t851 & 0x0000000f) + 4;
					 *(_t906 + 0x10) = _t849;
					if(_t686[0x18] > 0x11e) {
						L64:
						( *(_t906 + 0x48))[6] = "too many length or distance symbols";
						goto L178;
					} else {
						L51:
						if(_t686[0x19] > 0x1e) {
							goto L64;
						} else {
							L52:
							_t686[0x1a] = 0;
							 *_t686 = 0x10;
							L53:
							if(_t686[0x1a] >= _t686[0x17]) {
								L59:
								if(_t686[0x1a] < 0x13) {
									L60:
									do {
										L61:
										 *((short*)(_t686 + 0x70 + ( *(0x34e3900 + _t686[0x1a] * 2) & 0x0000ffff) * 2)) = 0;
										_t885 = _t686[0x1a] + 1;
										_t686[0x1a] = _t885;
									} while (_t885 < 0x13);
								}
								L62:
								_t521 =  &(_t686[0x14c]);
								_t686[0x1b] = _t521;
								_t686[0x13] = _t521;
								_t686[0x15] = 7;
								_t524 = E034E2980(0,  &(_t686[0x1c]), 0x13,  &(_t686[0x1b]),  &(_t686[0x15]),  &(_t686[0xbc]));
								_t849 =  *(_t906 + 0x10);
								 *(_t906 + 0x2c) = _t524;
								if(_t524 == 0) {
									L65:
									_t686[0x1a] = 0;
									 *_t686 = 0x11;
									goto L66;
								} else {
									L63:
									( *(_t906 + 0x48))[6] = "invalid code lengths set";
									L178:
									 *_t686 = 0x1b;
									while(1) {
										L179:
										_t485 =  *_t686;
										if(_t485 > 0x1c) {
											break;
										}
										L1:
										switch( *((intOrPtr*)(_t485 * 4 +  &M034E28A0))) {
											case 0:
												L2:
												if(_t686[2] != 0) {
													L4:
													__eflags = _t899 - 0x10;
													if(_t899 >= 0x10) {
														L7:
														_t495 = ((_t849 & 0x000000ff) << 8) + (_t849 >> 8);
														__eflags = _t495 % 0x1f;
														if(_t495 % 0x1f == 0) {
															L9:
															_t698 =  *(_t906 + 0x10);
															__eflags = (_t698 & 0x0000000f) - 8;
															if((_t698 & 0x0000000f) == 8) {
																L11:
																_t699 = _t698 >> 4;
																 *(_t906 + 0x10) = _t699;
																_t701 = (_t699 & 0x0000000f) + 8;
																_t899 = _t899 - 4;
																__eflags = _t701 - _t686[9];
																if(_t701 <= _t686[9]) {
																	L13:
																	_t899 = 0;
																	_push(0);
																	_push(0);
																	_push(0);
																	_t686[5] = 1 << _t701;
																	_t502 = E034E1000();
																	_t686[6] = _t502;
																	( *(_t906 + 0x48))[0xc] = _t502;
																	 *_t686 =  !( *(_t906 + 0x10) >> 8) & 0x00000002 | 0x00000009;
																	 *(_t906 + 0x10) = 0;
																	_t849 = 0;
																} else {
																	L12:
																	( *(_t906 + 0x48))[6] = "invalid window size";
																	_t849 =  *(_t906 + 0x10);
																	goto L178;
																}
															} else {
																L10:
																_t849 =  *(_t906 + 0x10);
																( *(_t906 + 0x48))[6] = "unknown compression method";
																goto L178;
															}
														} else {
															( *(_t906 + 0x48))[6] = "incorrect header check";
															_t849 =  *(_t906 + 0x10);
															goto L178;
														}
														goto L179;
													} else {
														while(1) {
															L5:
															__eflags = _t886;
															if(_t886 == 0) {
																goto L187;
															}
															L6:
															_t519 = ( *_t893 & 0x000000ff) << _t899;
															_t886 = _t886 - 1;
															_t899 = _t899 + 8;
															 *(_t906 + 0x18) = _t886;
															_t849 = _t849 + _t519;
															_t893 =  &(_t893[1]);
															__eflags = _t899 - 0x10;
															 *(_t906 + 0x10) = _t849;
															 *(_t906 + 0x14) = _t893;
															if(_t899 < 0x10) {
																continue;
															} else {
																goto L7;
															}
															goto L202;
														}
														goto L187;
													}
												} else {
													 *_t686 = 0xc;
													goto L179;
												}
												goto L202;
											case 1:
												goto L180;
											case 2:
												L14:
												__eflags = __ebp - 0x20;
												if(__ebp >= 0x20) {
													L17:
													__edx = __edx & 0x0000ff00;
													__edx = __edx << 0x10;
													__ecx = (__edx & 0x0000ff00) + (__edx << 0x10);
													__eax = 0;
													__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
													__edx = __edx >> 0x18;
													__eax = __ecx + __edx;
													__ecx =  *(__esp + 0x48);
													__ebp = 0;
													__eflags = 0;
													__ebx[6] = __eax;
													 *( *(__esp + 0x48) + 0x30) = __eax;
													 *(__esp + 0x10) = 0;
													 *__ebx = 0xa;
													__edx = 0;
													goto L18;
												} else {
													while(1) {
														L15:
														__eflags = __edi;
														if(__edi == 0) {
															goto L187;
														}
														L16:
														__eax =  *__esi & 0x000000ff;
														__ecx = __ebp;
														__eax = ( *__esi & 0x000000ff) << __cl;
														__edi = __edi - 1;
														__ebp = __ebp + 8;
														 *(__esp + 0x18) = __edi;
														__edx = __edx + __eax;
														__esi = __esi + 1;
														__eflags = __ebp - 0x20;
														 *(__esp + 0x10) = __edx;
														 *(__esp + 0x14) = __esi;
														if(__ebp < 0x20) {
															continue;
														} else {
															goto L17;
														}
														goto L202;
													}
													goto L187;
												}
												goto L202;
											case 3:
												L18:
												__eax = __ebx[3];
												__eflags = __ebx[3];
												if(__ebx[3] == 0) {
													L182:
													__eax =  *(__esp + 0x48);
													__ecx =  *(__esp + 0x24);
													 *(__eax + 0xc) =  *(__esp + 0x24);
													__ecx =  *(__esp + 0x1c);
													 *(__eax + 4) = __edi;
													 *__eax = __esi;
													_pop(__edi);
													 *(__eax + 0x10) = __ecx;
													_pop(__esi);
													__ebx[0xf] = __ebp;
													_pop(__ebp);
													__ebx[0xe] = __edx;
													__eax = 2;
													_pop(__ebx);
													__esp = __esp + 0x34;
													return 2;
												} else {
													L19:
													_push(0);
													_push(0);
													_push(0);
													__eax = E034E1000();
													__edx =  *(__esp + 0x48);
													__ebx[6] = __eax;
													 *( *(__esp + 0x48) + 0x30) = __eax;
													__edx =  *(__esp + 0x10);
													 *__ebx = 0xb;
													goto L20;
												}
												goto L202;
											case 4:
												L20:
												__eflags =  *((intOrPtr*)(__esp + 0x4c)) - 5;
												if( *((intOrPtr*)(__esp + 0x4c)) == 5) {
													goto L187;
												} else {
													goto L21;
												}
												goto L202;
											case 5:
												L21:
												__eax = __ebx[1];
												__eflags = __eax;
												if(__eax == 0) {
													L23:
													__eflags = __ebp - 3;
													if(__ebp >= 3) {
														L27:
														__ecx = __edx;
														__edx = __edx >> 1;
														__ecx = __ecx & 0x00000001;
														__eax = __edx;
														__eax = __edx & 0x00000003;
														__ebp = __ebp - 1;
														__eflags = __eax - 3;
														__ebx[1] = __ecx;
														if(__eax > 3) {
															L33:
															__edx = __edx >> 2;
															 *(__esp + 0x10) = __edx;
															__ebp = __ebp - 2;
														} else {
															L28:
															switch( *((intOrPtr*)(__eax * 4 +  &M034E2914))) {
																case 0:
																	L29:
																	__edx = __edx >> 2;
																	 *__ebx = 0xd;
																	 *(__esp + 0x10) = __edx;
																	__ebp = __ebp - 2;
																	goto L179;
																case 1:
																	L30:
																	__edx = __edx >> 2;
																	__ebx[0x13] = 0x34e3080;
																	__ebx[0x15] = 9;
																	__ebx[0x14] = 0x34e3880;
																	__ebx[0x16] = 5;
																	 *__ebx = 0x12;
																	 *(__esp + 0x10) = __edx;
																	__ebp = __ebp - 2;
																	goto L179;
																case 2:
																	L31:
																	__edx = __edx >> 2;
																	 *__ebx = 0xf;
																	 *(__esp + 0x10) = __edx;
																	__ebp = __ebp - 2;
																	goto L179;
																case 3:
																	L32:
																	__eax =  *(__esp + 0x48);
																	 *(__eax + 0x18) = "invalid block type";
																	 *__ebx = 0x1b;
																	goto L33;
															}
														}
														goto L179;
													} else {
														L24:
														while(1) {
															L25:
															__eflags = __edi;
															if(__edi == 0) {
																goto L187;
															}
															L26:
															__eax =  *__esi & 0x000000ff;
															__ecx = __ebp;
															__eax = ( *__esi & 0x000000ff) << __cl;
															__edi = __edi - 1;
															__ebp = __ebp + 8;
															 *(__esp + 0x18) = __edi;
															__edx = __edx + __eax;
															__esi = __esi + 1;
															__eflags = __ebp - 3;
															 *(__esp + 0x14) = __esi;
															if(__ebp < 3) {
																continue;
															} else {
																goto L27;
															}
															goto L202;
														}
														goto L187;
													}
												} else {
													L22:
													__ebp = __ebp & 0x00000007;
													__edx = __edx >> __cl;
													__ebp = __ebp - (__ebp & 0x00000007);
													 *__ebx = 0x18;
													 *(__esp + 0x10) = __edx;
													goto L179;
												}
												goto L202;
											case 6:
												L34:
												__ebp = __ebp & 0x00000007;
												__edx = __edx >> __cl;
												__ebp = __ebp - (__ebp & 0x00000007);
												__eflags = __ebp - 0x20;
												 *(__esp + 0x10) = __edx;
												if(__ebp >= 0x20) {
													L38:
													__ecx = __edx;
													__eax = __edx;
													__ecx =  !__edx;
													__eax = __edx & 0x0000ffff;
													__ecx =  !__edx >> 0x10;
													__eflags = __eax -  !__edx >> 0x10;
													if(__eax ==  !__edx >> 0x10) {
														L40:
														__ebp = 0;
														__eflags = 0;
														__ebx[0x10] = __eax;
														 *(__esp + 0x10) = 0;
														 *__ebx = 0xe;
														__edx = 0;
														goto L41;
													} else {
														L39:
														__eax =  *(__esp + 0x48);
														 *(__eax + 0x18) = "invalid stored block lengths";
														goto L178;
													}
												} else {
													L35:
													while(1) {
														L36:
														__eflags = __edi;
														if(__edi == 0) {
															goto L187;
														}
														L37:
														__eax =  *__esi & 0x000000ff;
														__ecx = __ebp;
														__eax = ( *__esi & 0x000000ff) << __cl;
														__edi = __edi - 1;
														__ebp = __ebp + 8;
														 *(__esp + 0x18) = __edi;
														__edx = __edx + __eax;
														__esi = __esi + 1;
														__eflags = __ebp - 0x20;
														 *(__esp + 0x10) = __edx;
														 *(__esp + 0x14) = __esi;
														if(__ebp < 0x20) {
															continue;
														} else {
															goto L38;
														}
														goto L202;
													}
													goto L187;
												}
												goto L202;
											case 7:
												L41:
												__ecx = __ebx[0x10];
												__eflags = __ecx;
												 *(__esp + 0x20) = __ecx;
												if(__ecx == 0) {
													goto L122;
												} else {
													L42:
													__eflags = __ecx - __edi;
													if(__ecx > __edi) {
														__ecx = __edi;
														 *(__esp + 0x20) = __ecx;
													}
													__eax =  *(__esp + 0x1c);
													__eflags = __ecx - __eax;
													if(__ecx > __eax) {
														__ecx = __eax;
														 *(__esp + 0x20) = __ecx;
													}
													__eflags = __ecx;
													if(__ecx == 0) {
														goto L187;
													} else {
														L47:
														__esi =  *(__esp + 0x14);
														__edi =  *(__esp + 0x24);
														__eax = __ecx;
														__ecx = __ecx >> 2;
														__eax = memcpy( *(__esp + 0x24), __esi, __ecx << 2);
														__edi = __esi + __ecx;
														__edi = __esi + __ecx + __ecx;
														__ecx = 0;
														__ecx = __eax;
														__eax =  *(__esp + 0x20);
														__ecx = __ecx & 0x00000003;
														__eax = memcpy(__edi, __esi, __ecx);
														__esi + __ecx = __esi + __ecx + __ecx;
														__ecx = 0;
														__esi =  *(__esp + 0x18);
														__ecx =  *(__esp + 0x14);
														__edi =  *(__esp + 0x1c);
														__esi =  *(__esp + 0x18) - __eax;
														 *(__esp + 0x18) =  *(__esp + 0x18) - __eax;
														__esi =  *(__esp + 0x24);
														__ecx =  *(__esp + 0x14) + __eax;
														 *(__esp + 0x14) =  *(__esp + 0x14) + __eax;
														__ecx = __ebx[0x10];
														__edi =  *(__esp + 0x1c) - __eax;
														__esi =  *(__esp + 0x24) + __eax;
														__ecx = __ebx[0x10] - __eax;
														 *(__esp + 0x1c) =  *(__esp + 0x1c) - __eax;
														__edi =  *(__esp + 0x18);
														 *(__esp + 0x24) =  *(__esp + 0x24) + __eax;
														__esi =  *(__esp + 0x14);
														__ebx[0x10] = __ebx[0x10] - __eax;
														goto L179;
													}
												}
												goto L202;
											case 8:
												goto L0;
											case 9:
												goto L53;
											case 0xa:
												L66:
												__eflags = _t686[0x1a] - _t686[0x19] + _t686[0x18];
												if(_t686[0x1a] >= _t686[0x19] + _t686[0x18]) {
													L97:
													__eflags =  *_t686 - 0x1b;
													if( *_t686 == 0x1b) {
														goto L179;
													} else {
														L98:
														_t527 =  &(_t686[0x14c]);
														_t686[0x1b] = _t527;
														_t686[0x13] = _t527;
														_t686[0x15] = 9;
														_t529 = E034E2980(1,  &(_t686[0x1c]), _t686[0x18],  &(_t686[0x1b]),  &(_t686[0x15]),  &(_t686[0xbc]));
														__eflags = _t529;
														 *(_t906 + 0x2c) = _t529;
														if(_t529 == 0) {
															L102:
															_t686[0x14] = _t686[0x1b];
															_t686[0x16] = 6;
															_t532 = E034E2980(2, _t686 + 0x70 + _t686[0x18] * 2, _t686[0x19],  &(_t686[0x1b]),  &(_t686[0x16]),  &(_t686[0xbc]));
															__eflags = _t532;
															_t849 =  *(_t906 + 0x10);
															 *(_t906 + 0x2c) = _t532;
															if(_t532 == 0) {
																L104:
																 *_t686 = 0x12;
																goto L105;
															} else {
																L103:
																( *(_t906 + 0x48))[6] = "invalid distances set";
																goto L178;
															}
														} else {
															L99:
															_t849 =  *(_t906 + 0x10);
															( *(_t906 + 0x48))[6] = "invalid literal/lengths set";
															goto L178;
														}
													}
												} else {
													do {
														L67:
														_t638 =  *((intOrPtr*)(_t686[0x13] + ((0x00000001 << _t686[0x15]) - 0x00000001 & _t849) * 4));
														__eflags = (_t638 & 0x000000ff) - _t899;
														 *(_t906 + 0x3c) = _t638;
														if((_t638 & 0x000000ff) <= _t899) {
															L70:
															_t822 =  *(_t906 + 0x3c) >> 0x10;
															__eflags = _t822 - 0x10;
															if(__eflags >= 0) {
																L75:
																if(__eflags != 0) {
																	L82:
																	__eflags = _t822 - 0x11;
																	_t823 = _t638 & 0x000000ff;
																	 *(_t906 + 0x20) = _t823;
																	if(_t822 != 0x11) {
																		L87:
																		__eflags = _t899 - _t823 + 7;
																		if(_t899 >= _t823 + 7) {
																			L90:
																			_t880 = _t849 >> _t823;
																			 *(_t906 + 0x20) = (_t880 & 0x0000007f) + 0xb;
																			_t849 = _t880 >> 7;
																			__eflags = _t849;
																			_t643 = 0xfffffff9;
																			goto L91;
																		} else {
																			while(1) {
																				L88:
																				__eflags = _t886;
																				if(_t886 == 0) {
																					goto L187;
																				}
																				L89:
																				_t654 = ( *_t893 & 0x000000ff) << _t899;
																				_t823 =  *(_t906 + 0x20);
																				_t886 = _t886 - 1;
																				_t899 = _t899 + 8;
																				_t849 = _t849 + _t654;
																				_t893 =  &(_t893[1]);
																				__eflags = _t899 - _t823 + 7;
																				 *(_t906 + 0x18) = _t886;
																				 *(_t906 + 0x14) = _t893;
																				if(_t899 < _t823 + 7) {
																					continue;
																				} else {
																					goto L90;
																				}
																				goto L202;
																			}
																			goto L187;
																		}
																	} else {
																		L83:
																		__eflags = _t899 - _t823 + 3;
																		if(_t899 >= _t823 + 3) {
																			L86:
																			_t881 = _t849 >> _t823;
																			 *(_t906 + 0x20) = (_t881 & 0x00000007) + 3;
																			_t849 = _t881 >> 3;
																			_t643 = 0xfffffffd;
																			L91:
																			 *(_t906 + 0x30) = 0;
																			_t899 = _t899 + _t643 - _t823;
																			__eflags = _t899;
																			goto L92;
																		} else {
																			while(1) {
																				L84:
																				__eflags = _t886;
																				if(_t886 == 0) {
																					goto L187;
																				}
																				L85:
																				_t661 = ( *_t893 & 0x000000ff) << _t899;
																				_t823 =  *(_t906 + 0x20);
																				_t886 = _t886 - 1;
																				_t899 = _t899 + 8;
																				_t849 = _t849 + _t661;
																				_t893 =  &(_t893[1]);
																				__eflags = _t899 - _t823 + 3;
																				 *(_t906 + 0x18) = _t886;
																				 *(_t906 + 0x14) = _t893;
																				if(_t899 < _t823 + 3) {
																					continue;
																				} else {
																					goto L86;
																				}
																				goto L202;
																			}
																			goto L187;
																		}
																	}
																} else {
																	L76:
																	_t830 = _t638 & 0x000000ff;
																	__eflags = _t899 - _t830 + 2;
																	 *(_t906 + 0x20) = _t830;
																	if(_t899 >= _t830 + 2) {
																		L80:
																		_t664 = _t686[0x1a];
																		_t849 = _t849 >> _t830;
																		_t899 = _t899 - _t830;
																		__eflags = _t664;
																		 *(_t906 + 0x10) = _t849;
																		if(_t664 == 0) {
																			L100:
																			( *(_t906 + 0x48))[6] = "invalid bit length repeat";
																			goto L178;
																		} else {
																			L81:
																			_t667 = (_t849 & 0x00000003) + 3;
																			_t849 = _t849 >> 2;
																			 *(_t906 + 0x30) =  *(_t686 + 0x6e + _t664 * 2) & 0x0000ffff;
																			 *(_t906 + 0x20) = _t667;
																			_t899 = _t899 - 2;
																			L92:
																			 *(_t906 + 0x10) = _t849;
																			__eflags = _t686[0x1a] +  *(_t906 + 0x20) - _t686[0x19] + _t686[0x18];
																			if(_t686[0x1a] +  *(_t906 + 0x20) > _t686[0x19] + _t686[0x18]) {
																				L101:
																				( *(_t906 + 0x48))[6] = "invalid bit length repeat";
																				goto L178;
																			} else {
																				L93:
																				_t649 =  *(_t906 + 0x20);
																				__eflags = _t649;
																				if(_t649 != 0) {
																					L94:
																					 *(_t906 + 0x20) = _t649;
																					_t652 =  *(_t906 + 0x30);
																					do {
																						L95:
																						 *(_t686 + 0x70 + _t686[0x1a] * 2) = _t652;
																						_t686[0x1a] = _t686[0x1a] + 1;
																						_t204 = _t906 + 0x20;
																						 *_t204 =  *(_t906 + 0x20) - 1;
																						__eflags =  *_t204;
																					} while ( *_t204 != 0);
																				}
																				goto L96;
																			}
																		}
																	} else {
																		L77:
																		while(1) {
																			L78:
																			__eflags = _t886;
																			if(_t886 == 0) {
																				goto L187;
																			}
																			L79:
																			_t669 = ( *_t893 & 0x000000ff) << _t899;
																			_t830 =  *(_t906 + 0x20);
																			_t886 = _t886 - 1;
																			_t899 = _t899 + 8;
																			_t849 = _t849 + _t669;
																			_t893 =  &(_t893[1]);
																			__eflags = _t899 - _t830 + 2;
																			 *(_t906 + 0x18) = _t886;
																			 *(_t906 + 0x14) = _t893;
																			if(_t899 < _t830 + 2) {
																				continue;
																			} else {
																				goto L80;
																			}
																			goto L202;
																		}
																		goto L187;
																	}
																}
															} else {
																L71:
																_t834 = _t638 & 0x000000ff;
																__eflags = _t899 - _t834;
																 *(_t906 + 0x20) = _t834;
																if(_t899 >= _t834) {
																	L74:
																	_t849 = _t849 >> _t834;
																	_t899 = _t899 - _t834;
																	 *(_t686 + 0x70 + _t686[0x1a] * 2) =  *((intOrPtr*)(_t906 + 0x3e));
																	 *(_t906 + 0x10) = _t849;
																	_t686[0x1a] = _t686[0x1a] + 1;
																	goto L96;
																} else {
																	while(1) {
																		L72:
																		__eflags = _t886;
																		if(_t886 == 0) {
																			goto L187;
																		}
																		L73:
																		_t675 = ( *_t893 & 0x000000ff) << _t899;
																		_t834 =  *(_t906 + 0x20);
																		_t886 = _t886 - 1;
																		_t899 = _t899 + 8;
																		_t849 = _t849 + _t675;
																		_t893 =  &(_t893[1]);
																		__eflags = _t899 - _t834;
																		 *(_t906 + 0x18) = _t886;
																		 *(_t906 + 0x14) = _t893;
																		if(_t899 < _t834) {
																			continue;
																		} else {
																			goto L74;
																		}
																		goto L202;
																	}
																	goto L187;
																}
															}
														} else {
															while(1) {
																L68:
																__eflags = _t886;
																if(_t886 == 0) {
																	goto L187;
																}
																L69:
																_t677 = ( *_t893 & 0x000000ff) << _t899;
																_t886 = _t886 - 1;
																_t899 = _t899 + 8;
																_t849 = _t849 + _t677;
																_t893 =  &(_t893[1]);
																 *(_t906 + 0x18) = _t886;
																_t638 =  *((intOrPtr*)(_t686[0x13] + ((0x00000001 << _t686[0x15]) - 0x00000001 & _t849) * 4));
																__eflags = (_t638 & 0x000000ff) - _t899;
																 *(_t906 + 0x14) = _t893;
																 *(_t906 + 0x3c) = _t638;
																if((_t638 & 0x000000ff) > _t899) {
																	continue;
																} else {
																	goto L70;
																}
																goto L202;
															}
															goto L187;
														}
														goto L202;
														L96:
														__eflags = _t686[0x1a] - _t686[0x19] + _t686[0x18];
													} while (_t686[0x1a] < _t686[0x19] + _t686[0x18]);
													goto L97;
												}
												goto L202;
											case 0xb:
												L105:
												__eflags = _t886 - 6;
												if(_t886 < 6) {
													L108:
													_t538 =  *((intOrPtr*)(_t686[0x13] + ((0x00000001 << _t686[0x15]) - 0x00000001 & _t849) * 4));
													__eflags = (_t538 & 0x000000ff) - _t899;
													 *(_t906 + 0x3c) = _t538;
													if((_t538 & 0x000000ff) <= _t899) {
														L112:
														__eflags = _t538;
														if(_t538 == 0) {
															L119:
															_t849 = _t849 >> (_t538 & 0x000000ff);
															_t899 = _t899 - (_t538 & 0x000000ff);
															__eflags = _t538;
															 *(_t906 + 0x10) = _t849;
															_t686[0x10] =  *(_t906 + 0x3c) >> 0x10;
															if(_t538 != 0) {
																L121:
																__eflags = _t538 & 0x00000020;
																if((_t538 & 0x00000020) == 0) {
																	L123:
																	__eflags = _t538 & 0x00000040;
																	if((_t538 & 0x00000040) == 0) {
																		L125:
																		_t539 = _t538 & 0x0000000f;
																		__eflags = _t539;
																		_t686[0x12] = _t539;
																		 *_t686 = 0x13;
																		goto L126;
																	} else {
																		L124:
																		( *(_t906 + 0x48))[6] = "invalid literal/length code";
																		goto L178;
																	}
																} else {
																	L122:
																	 *_t686 = 0xb;
																	goto L179;
																}
															} else {
																L120:
																 *_t686 = 0x17;
																goto L179;
															}
														} else {
															L113:
															__eflags = _t538 & 0x000000f0;
															if((_t538 & 0x000000f0) != 0) {
																goto L119;
															} else {
																L114:
																 *(_t906 + 0x20) = _t538 & 0x000000ff;
																 *(_t906 + 0x10) = _t538;
																_t607 =  *(_t686[0x13] + ((((0x00000001 << 0 +  *(_t906 + 0x20)) - 0x00000001 & _t849) >>  *(_t906 + 0x20)) + ( *(_t906 + 0x3c) >> 0x10)) * 4);
																 *(_t906 + 0x3c) = _t607;
																_t803 =  *(_t906 + 0x10) >> 0x00000008 & 0x000000ff;
																__eflags = (_t607 & 0x000000ff) + _t803 - _t899;
																 *(_t906 + 0x20) = _t803;
																if((_t607 & 0x000000ff) + _t803 <= _t899) {
																	L118:
																	_t538 =  *(_t906 + 0x3c);
																	_t849 = _t849 >> _t803;
																	_t899 = _t899 - _t803;
																	__eflags = _t899;
																	goto L119;
																} else {
																	L115:
																	while(1) {
																		L116:
																		__eflags = _t886;
																		if(_t886 == 0) {
																			goto L187;
																		}
																		L117:
																		_t886 = _t886 - 1;
																		_t849 = _t849 + (( *_t893 & 0x000000ff) << _t899);
																		_t893 =  &(_t893[1]);
																		_t899 = _t899 + 8;
																		 *(_t906 + 0x18) = _t886;
																		 *(_t906 + 0x14) = _t893;
																		_t619 =  *(_t686[0x13] + ((((0x00000001 << 0 +  *(_t906 + 0x20)) - 0x00000001 & _t849) >>  *(_t906 + 0x20)) + ( *(_t906 + 0x12) & 0x0000ffff)) * 4);
																		_t803 =  *(_t906 + 0x20);
																		 *(_t906 + 0x3c) = _t619;
																		__eflags = (_t619 & 0x000000ff) + _t803 - _t899;
																		if((_t619 & 0x000000ff) + _t803 > _t899) {
																			continue;
																		} else {
																			goto L118;
																		}
																		goto L202;
																	}
																	goto L187;
																}
															}
														}
													} else {
														L109:
														while(1) {
															L110:
															__eflags = _t886;
															if(_t886 == 0) {
																goto L187;
															}
															L111:
															_t623 = ( *_t893 & 0x000000ff) << _t899;
															_t886 = _t886 - 1;
															_t899 = _t899 + 8;
															_t849 = _t849 + _t623;
															_t893 =  &(_t893[1]);
															 *(_t906 + 0x18) = _t886;
															_t538 =  *(_t686[0x13] + ((0x00000001 << _t686[0x15]) - 0x00000001 & _t849) * 4);
															__eflags = (_t538 & 0x000000ff) - _t899;
															 *(_t906 + 0x14) = _t893;
															 *(_t906 + 0x3c) = 1;
															if((_t538 & 0x000000ff) > _t899) {
																continue;
															} else {
																goto L112;
															}
															goto L202;
														}
														goto L187;
													}
												} else {
													L106:
													__eflags =  *(_t906 + 0x1c) - 0x102;
													if( *(_t906 + 0x1c) < 0x102) {
														goto L108;
													} else {
														L107:
														_t628 =  *(_t906 + 0x48);
														_t628[3] =  *(_t906 + 0x24);
														_t628[4] =  *(_t906 + 0x1c);
														 *_t628 = _t893;
														_t628[1] = _t886;
														_t686[0xe] = _t849;
														_push( *((intOrPtr*)(_t906 + 0x28)));
														_push(_t628);
														_t686[0xf] = _t899;
														E034E1260();
														_t630 =  *(_t906 + 0x48);
														_t893 =  *_t630;
														_t886 = _t630[1];
														_t631 = _t686[0xe];
														_t899 = _t686[0xf];
														 *(_t906 + 0x1c) = _t630[4];
														 *(_t906 + 0x24) = _t630[3];
														 *(_t906 + 0x14) = _t893;
														 *(_t906 + 0x18) = _t886;
														 *(_t906 + 0x10) = _t631;
														_t849 = _t631;
														goto L179;
													}
												}
												goto L202;
											case 0xc:
												L126:
												_t540 = _t686[0x12];
												__eflags = _t540;
												if(_t540 == 0) {
													L131:
													 *_t686 = 0x14;
													goto L132;
												} else {
													L127:
													__eflags = _t899 - _t540;
													if(_t899 >= _t540) {
														L130:
														_t686[0x10] = _t686[0x10] + ((0x00000001 << _t686[0x12]) - 0x00000001 & _t849);
														_t791 = _t686[0x12];
														_t849 = _t849 >> _t791;
														_t899 = _t899 - _t791;
														__eflags = _t899;
														goto L131;
													} else {
														while(1) {
															L128:
															__eflags = _t886;
															if(_t886 == 0) {
																goto L187;
															}
															L129:
															_t597 = ( *_t893 & 0x000000ff) << _t899;
															_t886 = _t886 - 1;
															_t899 = _t899 + 8;
															 *(_t906 + 0x18) = _t886;
															_t849 = _t849 + _t597;
															_t893 =  &(_t893[1]);
															__eflags = _t899 - _t686[0x12];
															 *(_t906 + 0x14) = _t893;
															if(_t899 < _t686[0x12]) {
																continue;
															} else {
																goto L130;
															}
															goto L202;
														}
														goto L187;
													}
												}
												goto L202;
											case 0xd:
												L132:
												_t546 =  *((intOrPtr*)(_t686[0x14] + ((0x00000001 << _t686[0x16]) - 0x00000001 & _t849) * 4));
												__eflags = (_t546 & 0x000000ff) - _t899;
												 *(_t906 + 0x3c) = _t546;
												if((_t546 & 0x000000ff) <= _t899) {
													L135:
													__eflags = _t546 & 0x000000f0;
													if((_t546 & 0x000000f0) != 0) {
														L141:
														_t849 = _t849 >> (_t546 & 0x000000ff);
														_t899 = _t899 - (_t546 & 0x000000ff);
														__eflags = _t546 & 0x00000040;
														 *(_t906 + 0x10) = _t849;
														if((_t546 & 0x00000040) == 0) {
															L143:
															_t547 = _t546 & 0x0000000f;
															__eflags = _t547;
															_t686[0x11] =  *(_t906 + 0x3c) >> 0x10;
															_t686[0x12] = _t547;
															 *_t686 = 0x15;
															goto L144;
														} else {
															L142:
															( *(_t906 + 0x48))[6] = "invalid distance code";
															goto L178;
														}
													} else {
														L136:
														 *(_t906 + 0x20) = _t546 & 0x000000ff;
														 *(_t906 + 0x10) = _t546;
														_t571 =  *(_t686[0x14] + ((((0x00000001 << 0 +  *(_t906 + 0x20)) - 0x00000001 & _t849) >>  *(_t906 + 0x20)) + ( *(_t906 + 0x3c) >> 0x10)) * 4);
														 *(_t906 + 0x3c) = _t571;
														_t776 =  *(_t906 + 0x10) >> 0x00000008 & 0x000000ff;
														__eflags = (_t571 & 0x000000ff) + _t776 - _t899;
														 *(_t906 + 0x20) = _t776;
														if((_t571 & 0x000000ff) + _t776 <= _t899) {
															L140:
															_t546 =  *(_t906 + 0x3c);
															_t849 = _t849 >> _t776;
															_t899 = _t899 - _t776;
															__eflags = _t899;
															goto L141;
														} else {
															L137:
															while(1) {
																L138:
																__eflags = _t886;
																if(_t886 == 0) {
																	goto L187;
																}
																L139:
																_t886 = _t886 - 1;
																_t849 = _t849 + (( *_t893 & 0x000000ff) << _t899);
																_t893 =  &(_t893[1]);
																_t899 = _t899 + 8;
																 *(_t906 + 0x18) = _t886;
																 *(_t906 + 0x14) = _t893;
																_t583 =  *(_t686[0x14] + ((((0x00000001 << 0 +  *(_t906 + 0x20)) - 0x00000001 & _t849) >>  *(_t906 + 0x20)) + ( *(_t906 + 0x12) & 0x0000ffff)) * 4);
																_t776 =  *(_t906 + 0x20);
																 *(_t906 + 0x3c) = _t583;
																__eflags = (_t583 & 0x000000ff) + _t776 - _t899;
																if((_t583 & 0x000000ff) + _t776 > _t899) {
																	continue;
																} else {
																	goto L140;
																}
																goto L202;
															}
															goto L187;
														}
													}
												} else {
													while(1) {
														L133:
														__eflags = _t886;
														if(_t886 == 0) {
															goto L187;
														}
														L134:
														_t587 = ( *_t893 & 0x000000ff) << _t899;
														_t886 = _t886 - 1;
														_t899 = _t899 + 8;
														_t849 = _t849 + _t587;
														_t893 =  &(_t893[1]);
														 *(_t906 + 0x18) = _t886;
														_t546 =  *(_t686[0x14] + ((0x00000001 << _t686[0x16]) - 0x00000001 & _t849) * 4);
														__eflags = (_t546 & 0x000000ff) - _t899;
														 *(_t906 + 0x14) = _t893;
														 *(_t906 + 0x3c) = 1;
														if((_t546 & 0x000000ff) > _t899) {
															continue;
														} else {
															goto L135;
														}
														goto L202;
													}
													goto L187;
												}
												goto L202;
											case 0xe:
												L144:
												_t548 = _t686[0x12];
												__eflags = _t548;
												if(_t548 == 0) {
													L149:
													__eflags = _t686[0x11] - _t686[0xb] -  *(_t906 + 0x1c) +  *((intOrPtr*)(_t906 + 0x28));
													if(_t686[0x11] <= _t686[0xb] -  *(_t906 + 0x1c) +  *((intOrPtr*)(_t906 + 0x28))) {
														L151:
														 *_t686 = 0x16;
														goto L152;
													} else {
														L150:
														( *(_t906 + 0x48))[6] = "invalid distance too far back";
														goto L178;
													}
												} else {
													L145:
													__eflags = _t899 - _t548;
													if(_t899 >= _t548) {
														L148:
														_t686[0x11] = _t686[0x11] + ((0x00000001 << _t686[0x12]) - 0x00000001 & _t849);
														_t763 = _t686[0x12];
														_t849 = _t849 >> _t763;
														_t899 = _t899 - _t763;
														__eflags = _t899;
														 *(_t906 + 0x10) = _t849;
														goto L149;
													} else {
														while(1) {
															L146:
															__eflags = _t886;
															if(_t886 == 0) {
																goto L187;
															}
															L147:
															_t562 = ( *_t893 & 0x000000ff) << _t899;
															_t886 = _t886 - 1;
															_t899 = _t899 + 8;
															 *(_t906 + 0x18) = _t886;
															_t849 = _t849 + _t562;
															_t893 =  &(_t893[1]);
															__eflags = _t899 - _t686[0x12];
															 *(_t906 + 0x14) = _t893;
															if(_t899 < _t686[0x12]) {
																continue;
															} else {
																goto L148;
															}
															goto L202;
														}
														goto L187;
													}
												}
												goto L202;
											case 0xf:
												L152:
												_t550 =  *(_t906 + 0x1c);
												__eflags = _t550;
												if(_t550 == 0) {
													goto L187;
												} else {
													L153:
													_t742 =  *((intOrPtr*)(_t906 + 0x28)) - _t550;
													_t551 = _t686[0x11];
													__eflags = _t551 - _t742;
													if(_t551 <= _t742) {
														L159:
														_t744 =  *(_t906 + 0x24) - _t551;
														__eflags = _t744;
														_t552 = _t686[0x10];
														 *(_t906 + 0x30) = _t744;
														 *(_t906 + 0x34) = _t552;
														goto L160;
													} else {
														L154:
														_t555 = _t551 - _t742;
														_t753 = _t686[0xc];
														__eflags = _t555 - _t753;
														 *(_t906 + 0x20) = _t555;
														if(_t555 <= _t753) {
															_t756 = _t686[0xd] - _t555 + _t686[0xc];
															__eflags = _t756;
															_t552 =  *(_t906 + 0x20);
														} else {
															_t552 = _t555 - _t753;
															 *(_t906 + 0x20) = _t552;
															_t756 = _t686[0xa] + _t686[0xd] - _t552;
														}
														 *(_t906 + 0x30) = _t756;
														_t757 = _t686[0x10];
														__eflags = _t552 - _t757;
														 *(_t906 + 0x34) = _t757;
														if(_t552 > _t757) {
															L158:
															_t552 = _t757;
															L160:
															 *(_t906 + 0x20) = _t552;
														}
													}
													L161:
													_t745 =  *(_t906 + 0x1c);
													__eflags = _t552 - _t745;
													if(_t552 > _t745) {
														_t552 = _t745;
														 *(_t906 + 0x20) = _t552;
													}
													 *(_t906 + 0x1c) = _t745 - _t552;
													_t553 =  *(_t906 + 0x24);
													_t686[0x10] =  *(_t906 + 0x34) - _t552;
													do {
														L164:
														 *_t553 =  *( *(_t906 + 0x30));
														_t553 =  &(_t553[1]);
														 *(_t906 + 0x30) =  *(_t906 + 0x30) + 1;
														_t402 = _t906 + 0x20;
														 *_t402 =  *(_t906 + 0x20) - 1;
														__eflags =  *_t402;
													} while ( *_t402 != 0);
													 *(_t906 + 0x24) = _t553;
													__eflags = _t686[0x10];
													if(_t686[0x10] == 0) {
														 *_t686 = 0x12;
													}
													goto L179;
												}
												goto L202;
											case 0x10:
												L167:
												__eax =  *(__esp + 0x1c);
												__eflags = __eax;
												if(__eax == 0) {
													goto L187;
												} else {
													L168:
													__eax =  *(__esp + 0x24);
													__cl = __ebx[0x10];
													 *__eax = __cl;
													__eax = __eax + 1;
													 *(__esp + 0x24) = __eax;
													 *(__esp + 0x1c) =  *(__esp + 0x1c) - 1;
													 *__ebx = 0x12;
													goto L179;
												}
												goto L202;
											case 0x11:
												L169:
												__eax = __ebx[2];
												__eflags = __eax;
												if(__eax == 0) {
													L184:
													 *__ebx = 0x1a;
													goto L185;
												} else {
													L170:
													__eflags = __ebp - 0x20;
													if(__ebp >= 0x20) {
														L174:
														__eax =  *(__esp + 0x28);
														__eax =  *(__esp + 0x28) -  *(__esp + 0x1c);
														__ecx =  *(__esp + 0x48);
														 *((intOrPtr*)( *(__esp + 0x48) + 0x14)) =  *((intOrPtr*)( *(__esp + 0x48) + 0x14)) + __eax;
														__ebx[7] = __ebx[7] + __eax;
														__eflags = __eax;
														 *(__esp + 0x28) = __eax;
														__ebx[7] = __ebx[7] + __eax;
														if(__eax != 0) {
															__ecx =  *(__esp + 0x24);
															__edx = __ebx[6];
															_push(__eax);
															__ecx = __ecx - __eax;
															__eflags = __ecx;
															_push(__ecx);
															_push(__ebx[6]);
															__eax = E034E1000();
															__ecx =  *(__esp + 0x48);
															__edx =  *(__esp + 0x10);
															__ebx[6] = __eax;
															 *( *(__esp + 0x48) + 0x30) = __eax;
														}
														__eax =  *(__esp + 0x1c);
														 *(__esp + 0x28) =  *(__esp + 0x1c);
														__edx = __edx & 0x0000ff00;
														__edx = __edx << 0x10;
														__ecx = (__edx & 0x0000ff00) + (__edx << 0x10);
														__eax = 0;
														(__edx & 0x0000ff00) + (__edx << 0x10) << 8 = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
														__eax = __edx;
														__eax = __edx >> 0x18;
														__ecx = ((__edx & 0x0000ff00) + (__edx << 0x10) << 8) + __eax;
														__eflags = ((__edx & 0x0000ff00) + (__edx << 0x10) << 8) + __eax - __ebx[6];
														if(((__edx & 0x0000ff00) + (__edx << 0x10) << 8) + __eax == __ebx[6]) {
															L183:
															__ebp = 0;
															__eflags = 0;
															 *(__esp + 0x10) = 0;
															__edx = 0;
															goto L184;
														} else {
															L177:
															__ecx =  *(__esp + 0x48);
															 *( *(__esp + 0x48) + 0x18) = "incorrect data check";
															goto L178;
														}
													} else {
														L171:
														while(1) {
															L172:
															__eflags = __edi;
															if(__edi == 0) {
																goto L187;
															}
															L173:
															__eax =  *__esi & 0x000000ff;
															__ecx = __ebp;
															__eax = ( *__esi & 0x000000ff) << __cl;
															__edi = __edi - 1;
															__ebp = __ebp + 8;
															 *(__esp + 0x18) = __edi;
															__edx = __edx + __eax;
															__esi = __esi + 1;
															__eflags = __ebp - 0x20;
															 *(__esp + 0x10) = __edx;
															 *(__esp + 0x14) = __esi;
															if(__ebp < 0x20) {
																continue;
															} else {
																goto L174;
															}
															goto L202;
														}
														goto L187;
													}
												}
												goto L202;
											case 0x12:
												L185:
												 *(__esp + 0x2c) = 1;
												goto L187;
											case 0x13:
												L186:
												 *(__esp + 0x2c) = 0xfffffffd;
												goto L187;
											case 0x14:
												goto L192;
										}
									}
									L180:
									_t512 = 0xfffffffe;
									goto L181;
								}
							} else {
								do {
									L54:
									if(_t899 >= 3) {
										goto L58;
									} else {
										L55:
										while(1) {
											L56:
											if(_t886 == 0) {
												goto L187;
											}
											L57:
											_t685 = ( *_t893 & 0x000000ff) << _t899;
											_t886 = _t886 - 1;
											_t899 = _t899 + 8;
											 *(_t906 + 0x18) = _t886;
											_t849 = _t849 + _t685;
											_t893 =  &(_t893[1]);
											 *(_t906 + 0x14) = _t893;
											if(_t899 < 3) {
												continue;
											} else {
												goto L58;
											}
											goto L202;
										}
										goto L187;
									}
									goto L202;
									L58:
									_t849 = _t849 >> 3;
									_t899 = _t899 - 3;
									 *(_t906 + 0x10) = _t849;
									 *((short*)(_t686 + 0x70 + ( *(0x34e3900 + _t686[0x1a] * 2) & 0x0000ffff) * 2)) = 0;
									_t847 = _t686[0x1a] + 1;
									_t686[0x1a] = _t847;
								} while (_t847 < _t686[0x17]);
								goto L59;
							}
						}
					}
					goto L202;
				}
			}

0x034e1d20
0x034e1d20
0x034e1d20
0x034e1d20
0x034e1d20
0x034e1d20
0x034e1d20
0x034e1d23
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1d25
0x034e1d25
0x034e1d27
0x00000000
0x00000000
0x034e1d2d
0x034e1d2d
0x034e1d32
0x034e1d34
0x034e1d35
0x034e1d38
0x034e1d3c
0x034e1d3e
0x034e1d42
0x034e1d46
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1d46
0x034e278a
0x034e278a
0x034e2792
0x034e2799
0x034e279c
0x034e279e
0x034e27a6
0x034e27a9
0x034e27ac
0x034e27c0
0x034e27c8
0x034e27c9
0x034e27d0
0x00000000
0x034e27d2
0x034e27d2
0x034e27d2
0x034e27d8
0x034e27e4
0x034e27e4
0x034e27ae
0x034e27ae
0x034e27b1
0x034e27e7
0x034e27e7
0x034e27fc
0x034e2801
0x034e2807
0x034e280a
0x034e2817
0x034e281a
0x034e281e
0x034e2826
0x034e2827
0x034e2829
0x034e282a
0x034e282b
0x034e2830
0x034e2833
0x034e2833
0x034e281e
0x034e283d
0x034e2856
0x034e2858
0x034e285b
0x034e2861
0x034e2866
0x034e2883
0x034e288e
0x00000000
0x00000000
0x00000000
0x034e285d
0x034e285d
0x034e285f
0x034e2868
0x034e2868
0x034e286e
0x034e2734
0x034e273b
0x034e2874
0x034e2874
0x034e2880
0x034e2880
0x00000000
0x00000000
0x00000000
0x034e285f
0x034e27b3
0x034e27b3
0x034e27b3
0x034e27be
0x00000000
0x00000000
0x00000000
0x00000000
0x034e27be
0x034e27b1
0x00000000
0x034e1d48
0x034e1d4d
0x034e1d58
0x034e1d5e
0x034e1d67
0x034e1d70
0x034e1d73
0x034e1d7b
0x034e1d7e
0x034e1d82
0x034e1e74
0x034e1e78
0x00000000
0x034e1d88
0x034e1d88
0x034e1d8c
0x00000000
0x034e1d92
0x034e1d92
0x034e1d92
0x034e1d99
0x034e1d9f
0x034e1da5
0x034e1e00
0x034e1e0a
0x034e1e0c
0x034e1e10
0x034e1e10
0x034e1e1b
0x034e1e23
0x034e1e26
0x034e1e26
0x034e1e10
0x034e1e2b
0x034e1e2b
0x034e1e34
0x034e1e36
0x034e1e45
0x034e1e53
0x034e1e5a
0x034e1e5e
0x034e1e62
0x034e1e84
0x034e1e84
0x034e1e8b
0x00000000
0x034e1e64
0x034e1e64
0x034e1e68
0x034e271e
0x034e271e
0x034e2724
0x034e2724
0x034e2724
0x034e2729
0x00000000
0x00000000
0x034e19b4
0x034e19b4
0x00000000
0x034e19bb
0x034e19c0
0x034e19cd
0x034e19cd
0x034e19d0
0x034e19f9
0x034e1a06
0x034e1a11
0x034e1a13
0x034e1a29
0x034e1a29
0x034e1a31
0x034e1a33
0x034e1a49
0x034e1a4c
0x034e1a4f
0x034e1a56
0x034e1a59
0x034e1a5c
0x034e1a5e
0x034e1a74
0x034e1a74
0x034e1a7b
0x034e1a7e
0x034e1a7f
0x034e1a80
0x034e1a83
0x034e1a9b
0x034e1a9e
0x034e1aa1
0x034e1aa3
0x034e1aa7
0x034e1a60
0x034e1a60
0x034e1a64
0x034e1a6b
0x00000000
0x034e1a6b
0x034e1a35
0x034e1a35
0x034e1a39
0x034e1a3d
0x00000000
0x034e1a3d
0x034e1a15
0x034e1a19
0x034e1a20
0x00000000
0x034e1a20
0x00000000
0x034e19d2
0x034e19d2
0x034e19d2
0x034e19d2
0x034e19d4
0x00000000
0x00000000
0x034e19da
0x034e19df
0x034e19e1
0x034e19e2
0x034e19e5
0x034e19e9
0x034e19eb
0x034e19ec
0x034e19ef
0x034e19f3
0x034e19f7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e19f7
0x00000000
0x034e19d2
0x034e19c2
0x034e19c2
0x00000000
0x034e19c2
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1aae
0x034e1aae
0x034e1ab1
0x034e1ada
0x034e1adc
0x034e1ae4
0x034e1ae7
0x034e1ae9
0x034e1aef
0x034e1af2
0x034e1af7
0x034e1afa
0x034e1afe
0x034e1afe
0x034e1b00
0x034e1b03
0x034e1b06
0x034e1b0a
0x034e1b10
0x00000000
0x034e1ab3
0x034e1ab3
0x034e1ab3
0x034e1ab3
0x034e1ab5
0x00000000
0x00000000
0x034e1abb
0x034e1abb
0x034e1abe
0x034e1ac0
0x034e1ac2
0x034e1ac3
0x034e1ac6
0x034e1aca
0x034e1acc
0x034e1acd
0x034e1ad0
0x034e1ad4
0x034e1ad8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1ad8
0x00000000
0x034e1ab3
0x00000000
0x00000000
0x034e1b12
0x034e1b12
0x034e1b15
0x034e1b17
0x034e273e
0x034e273e
0x034e2742
0x034e2746
0x034e2749
0x034e274d
0x034e2750
0x034e2752
0x034e2753
0x034e2756
0x034e2757
0x034e275a
0x034e275b
0x034e275e
0x034e2763
0x034e2764
0x034e2767
0x034e1b1d
0x034e1b1d
0x034e1b1d
0x034e1b1f
0x034e1b21
0x034e1b23
0x034e1b28
0x034e1b2c
0x034e1b2f
0x034e1b32
0x034e1b36
0x00000000
0x034e1b36
0x00000000
0x00000000
0x034e1b3c
0x034e1b3c
0x034e1b41
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1b47
0x034e1b47
0x034e1b4a
0x034e1b4c
0x034e1b66
0x034e1b66
0x034e1b69
0x034e1b93
0x034e1b93
0x034e1b95
0x034e1b97
0x034e1b9a
0x034e1b9c
0x034e1b9f
0x034e1ba0
0x034e1ba3
0x034e1ba6
0x034e1c1b
0x034e1c1b
0x034e1c1e
0x034e1c22
0x034e1ba8
0x034e1ba8
0x034e1ba8
0x00000000
0x034e1baf
0x034e1baf
0x034e1bb2
0x034e1bb8
0x034e1bbc
0x00000000
0x00000000
0x034e1bc4
0x034e1bc4
0x034e1bc7
0x034e1bce
0x034e1bd5
0x034e1bdc
0x034e1be3
0x034e1be9
0x034e1bed
0x00000000
0x00000000
0x034e1bf5
0x034e1bf5
0x034e1bf8
0x034e1bfe
0x034e1c02
0x00000000
0x00000000
0x034e1c0a
0x034e1c0a
0x034e1c0e
0x034e1c15
0x00000000
0x00000000
0x034e1ba8
0x00000000
0x034e1b6b
0x034e1b6b
0x034e1b70
0x034e1b70
0x034e1b70
0x034e1b72
0x00000000
0x00000000
0x034e1b78
0x034e1b78
0x034e1b7b
0x034e1b7d
0x034e1b7f
0x034e1b80
0x034e1b83
0x034e1b87
0x034e1b89
0x034e1b8a
0x034e1b8d
0x034e1b91
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1b91
0x00000000
0x034e1b70
0x034e1b4e
0x034e1b4e
0x034e1b50
0x034e1b53
0x034e1b55
0x034e1b57
0x034e1b5d
0x00000000
0x034e1b5d
0x00000000
0x00000000
0x034e1c2a
0x034e1c2c
0x034e1c2f
0x034e1c31
0x034e1c33
0x034e1c36
0x034e1c3a
0x034e1c67
0x034e1c67
0x034e1c69
0x034e1c6b
0x034e1c6d
0x034e1c72
0x034e1c75
0x034e1c77
0x034e1c89
0x034e1c89
0x034e1c89
0x034e1c8b
0x034e1c8e
0x034e1c92
0x034e1c98
0x00000000
0x034e1c79
0x034e1c79
0x034e1c79
0x034e1c7d
0x00000000
0x034e1c7d
0x034e1c40
0x00000000
0x034e1c40
0x034e1c40
0x034e1c40
0x034e1c42
0x00000000
0x00000000
0x034e1c48
0x034e1c48
0x034e1c4b
0x034e1c4d
0x034e1c4f
0x034e1c50
0x034e1c53
0x034e1c57
0x034e1c59
0x034e1c5a
0x034e1c5d
0x034e1c61
0x034e1c65
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1c65
0x00000000
0x034e1c40
0x00000000
0x00000000
0x034e1c9a
0x034e1c9a
0x034e1c9d
0x034e1c9f
0x034e1ca3
0x00000000
0x034e1ca9
0x034e1ca9
0x034e1ca9
0x034e1cab
0x034e1cad
0x034e1caf
0x034e1caf
0x034e1cb3
0x034e1cb7
0x034e1cb9
0x034e1cbb
0x034e1cbd
0x034e1cbd
0x034e1cc1
0x034e1cc3
0x00000000
0x034e1cc9
0x034e1cc9
0x034e1cc9
0x034e1ccd
0x034e1cd1
0x034e1cd3
0x034e1cd6
0x034e1cd6
0x034e1cd6
0x034e1cd6
0x034e1cd8
0x034e1cda
0x034e1cde
0x034e1ce1
0x034e1ce1
0x034e1ce1
0x034e1ce3
0x034e1ce7
0x034e1ceb
0x034e1cef
0x034e1cf1
0x034e1cf5
0x034e1cf9
0x034e1cfb
0x034e1cff
0x034e1d02
0x034e1d04
0x034e1d06
0x034e1d08
0x034e1d0c
0x034e1d10
0x034e1d14
0x034e1d18
0x00000000
0x034e1d18
0x034e1cc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1e91
0x034e1e99
0x034e1e9c
0x034e20c2
0x034e20c2
0x034e20c5
0x00000000
0x034e20cb
0x034e20cb
0x034e20cb
0x034e20d4
0x034e20dd
0x034e20ef
0x034e20f5
0x034e20fa
0x034e20fc
0x034e2100
0x034e2136
0x034e213c
0x034e214e
0x034e215f
0x034e2164
0x034e2166
0x034e216a
0x034e216e
0x034e2180
0x034e2180
0x00000000
0x034e2170
0x034e2170
0x034e2174
0x00000000
0x034e2174
0x034e2102
0x034e2102
0x034e2106
0x034e210a
0x00000000
0x034e210a
0x034e2100
0x034e1ea2
0x034e1ea2
0x034e1ea2
0x034e1eb2
0x034e1eb8
0x034e1eba
0x034e1ebe
0x034e1efc
0x034e1f00
0x034e1f03
0x034e1f07
0x034e1f5b
0x034e1f5b
0x034e1fcc
0x034e1fcc
0x034e1fd0
0x034e1fd3
0x034e1fd7
0x034e2021
0x034e2024
0x034e2026
0x034e2051
0x034e2051
0x034e205b
0x034e205f
0x034e205f
0x034e2062
0x00000000
0x034e2028
0x034e2028
0x034e2028
0x034e2028
0x034e202a
0x00000000
0x00000000
0x034e2030
0x034e2035
0x034e2037
0x034e203b
0x034e203c
0x034e203f
0x034e2041
0x034e2045
0x034e2047
0x034e204b
0x034e204f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e204f
0x00000000
0x034e2028
0x034e1fd9
0x034e1fd9
0x034e1fdc
0x034e1fde
0x034e2009
0x034e2009
0x034e2013
0x034e2017
0x034e201a
0x034e2067
0x034e2069
0x034e2071
0x034e2071
0x00000000
0x034e1fe0
0x034e1fe0
0x034e1fe0
0x034e1fe0
0x034e1fe2
0x00000000
0x00000000
0x034e1fe8
0x034e1fed
0x034e1fef
0x034e1ff3
0x034e1ff4
0x034e1ff7
0x034e1ff9
0x034e1ffd
0x034e1fff
0x034e2003
0x034e2007
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e2007
0x00000000
0x034e1fe0
0x034e1fde
0x034e1f5d
0x034e1f5d
0x034e1f5d
0x034e1f63
0x034e1f65
0x034e1f69
0x034e1f99
0x034e1f99
0x034e1f9c
0x034e1f9e
0x034e1fa0
0x034e1fa2
0x034e1fa6
0x034e2116
0x034e211a
0x00000000
0x034e1fac
0x034e1fac
0x034e1fb6
0x034e1fb9
0x034e1fbc
0x034e1fc0
0x034e1fc4
0x034e2073
0x034e2082
0x034e2086
0x034e2088
0x034e2126
0x034e212a
0x00000000
0x034e208e
0x034e208e
0x034e208e
0x034e2092
0x034e2094
0x034e2096
0x034e2096
0x034e209a
0x034e20a0
0x034e20a0
0x034e20a3
0x034e20a8
0x034e20ab
0x034e20ab
0x034e20ab
0x034e20ab
0x034e20a0
0x00000000
0x034e2094
0x034e2088
0x034e1f6b
0x034e1f6b
0x034e1f70
0x034e1f70
0x034e1f70
0x034e1f72
0x00000000
0x00000000
0x034e1f78
0x034e1f7d
0x034e1f7f
0x034e1f83
0x034e1f84
0x034e1f87
0x034e1f89
0x034e1f8d
0x034e1f8f
0x034e1f93
0x034e1f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1f97
0x00000000
0x034e1f70
0x034e1f69
0x034e1f09
0x034e1f09
0x034e1f09
0x034e1f0c
0x034e1f0e
0x034e1f12
0x034e1f3a
0x034e1f3f
0x034e1f41
0x034e1f46
0x034e1f4f
0x034e1f53
0x00000000
0x034e1f14
0x034e1f14
0x034e1f14
0x034e1f14
0x034e1f16
0x00000000
0x00000000
0x034e1f1c
0x034e1f21
0x034e1f23
0x034e1f27
0x034e1f28
0x034e1f2b
0x034e1f2d
0x034e1f2e
0x034e1f30
0x034e1f34
0x034e1f38
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1f38
0x00000000
0x034e1f14
0x034e1f12
0x034e1ec0
0x034e1ec0
0x034e1ec0
0x034e1ec0
0x034e1ec2
0x00000000
0x00000000
0x034e1ec8
0x034e1ecd
0x034e1ed2
0x034e1ed3
0x034e1ed6
0x034e1ee2
0x034e1ee3
0x034e1eea
0x034e1ef0
0x034e1ef2
0x034e1ef6
0x034e1efa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1efa
0x00000000
0x034e1ec0
0x00000000
0x034e20b1
0x034e20b9
0x034e20b9
0x00000000
0x034e1ea2
0x00000000
0x00000000
0x034e2186
0x034e2186
0x034e2189
0x034e21ed
0x034e21ff
0x034e2205
0x034e2207
0x034e220b
0x034e224c
0x034e224c
0x034e224e
0x034e2310
0x034e2313
0x034e2318
0x034e2321
0x034e2323
0x034e2327
0x034e232a
0x034e2337
0x034e2337
0x034e2339
0x034e2346
0x034e2346
0x034e2348
0x034e235a
0x034e235a
0x034e235a
0x034e235d
0x034e2360
0x00000000
0x034e234a
0x034e234a
0x034e234e
0x00000000
0x034e234e
0x034e233b
0x034e233b
0x034e233b
0x00000000
0x034e233b
0x034e232c
0x034e232c
0x034e232c
0x00000000
0x034e232c
0x034e2254
0x034e2254
0x034e2254
0x034e2256
0x00000000
0x034e225c
0x034e225c
0x034e225f
0x034e2267
0x034e228d
0x034e2297
0x034e229b
0x034e22a3
0x034e22a5
0x034e22a9
0x034e2308
0x034e2308
0x034e230c
0x034e230e
0x034e230e
0x00000000
0x034e22ab
0x034e22ab
0x034e22b0
0x034e22b0
0x034e22b0
0x034e22b2
0x00000000
0x00000000
0x034e22b8
0x034e22c5
0x034e22c6
0x034e22cc
0x034e22cd
0x034e22d0
0x034e22e1
0x034e22f4
0x034e22f7
0x034e22fb
0x034e2304
0x034e2306
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e2306
0x00000000
0x034e22b0
0x034e22a9
0x034e2256
0x034e2210
0x00000000
0x034e2210
0x034e2210
0x034e2210
0x034e2212
0x00000000
0x00000000
0x034e2218
0x034e221d
0x034e2222
0x034e2223
0x034e2226
0x034e2232
0x034e2233
0x034e223a
0x034e2240
0x034e2242
0x034e2246
0x034e224a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e224a
0x00000000
0x034e2210
0x034e218b
0x034e218b
0x034e218b
0x034e2193
0x00000000
0x034e2195
0x034e2195
0x034e2195
0x034e219d
0x034e21a4
0x034e21a7
0x034e21a9
0x034e21ac
0x034e21b3
0x034e21b4
0x034e21b5
0x034e21b8
0x034e21bd
0x034e21c7
0x034e21c9
0x034e21cc
0x034e21cf
0x034e21d2
0x034e21d6
0x034e21da
0x034e21de
0x034e21e2
0x034e21e6
0x00000000
0x034e21e6
0x034e2193
0x00000000
0x00000000
0x034e2366
0x034e2366
0x034e2369
0x034e236b
0x034e23b2
0x034e23b2
0x00000000
0x034e236d
0x034e236d
0x034e236d
0x034e236f
0x034e2396
0x034e23a8
0x034e23ab
0x034e23ae
0x034e23b0
0x034e23b0
0x00000000
0x034e2371
0x034e2371
0x034e2371
0x034e2371
0x034e2373
0x00000000
0x00000000
0x034e2379
0x034e237e
0x034e2380
0x034e2381
0x034e2384
0x034e2388
0x034e238d
0x034e238e
0x034e2390
0x034e2394
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e2394
0x00000000
0x034e2371
0x034e236f
0x00000000
0x00000000
0x034e23b8
0x034e23ca
0x034e23d0
0x034e23d2
0x034e23d6
0x034e2414
0x034e2414
0x034e2416
0x034e24d0
0x034e24d3
0x034e24d8
0x034e24da
0x034e24dc
0x034e24e0
0x034e24f2
0x034e24f9
0x034e24f9
0x034e24fc
0x034e24ff
0x034e2502
0x00000000
0x034e24e2
0x034e24e2
0x034e24e6
0x00000000
0x034e24e6
0x034e241c
0x034e241c
0x034e241f
0x034e2427
0x034e244d
0x034e2457
0x034e245b
0x034e2463
0x034e2465
0x034e2469
0x034e24c8
0x034e24c8
0x034e24cc
0x034e24ce
0x034e24ce
0x00000000
0x034e246b
0x034e246b
0x034e2470
0x034e2470
0x034e2470
0x034e2472
0x00000000
0x00000000
0x034e2478
0x034e2485
0x034e2486
0x034e248c
0x034e248d
0x034e2490
0x034e24a1
0x034e24b4
0x034e24b7
0x034e24bb
0x034e24c4
0x034e24c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e24c6
0x00000000
0x034e2470
0x034e2469
0x034e23d8
0x034e23d8
0x034e23d8
0x034e23d8
0x034e23da
0x00000000
0x00000000
0x034e23e0
0x034e23e5
0x034e23ea
0x034e23eb
0x034e23ee
0x034e23fa
0x034e23fb
0x034e2402
0x034e2408
0x034e240a
0x034e240e
0x034e2412
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e2412
0x00000000
0x034e23d8
0x00000000
0x00000000
0x034e2508
0x034e2508
0x034e250b
0x034e250d
0x034e2558
0x034e2565
0x034e2568
0x034e257a
0x034e257a
0x00000000
0x034e256a
0x034e256a
0x034e256e
0x00000000
0x034e256e
0x034e250f
0x034e250f
0x034e250f
0x034e2511
0x034e2538
0x034e254a
0x034e254d
0x034e2550
0x034e2552
0x034e2552
0x034e2554
0x00000000
0x034e2513
0x034e2513
0x034e2513
0x034e2513
0x034e2515
0x00000000
0x00000000
0x034e251b
0x034e2520
0x034e2522
0x034e2523
0x034e2526
0x034e252a
0x034e252f
0x034e2530
0x034e2532
0x034e2536
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e2536
0x00000000
0x034e2513
0x034e2511
0x00000000
0x00000000
0x034e2580
0x034e2580
0x034e2584
0x034e2586
0x00000000
0x034e258c
0x034e258c
0x034e2590
0x034e2592
0x034e2595
0x034e2597
0x034e25d5
0x034e25d9
0x034e25d9
0x034e25db
0x034e25de
0x034e25e2
0x00000000
0x034e2599
0x034e2599
0x034e2599
0x034e259b
0x034e259e
0x034e25a0
0x034e25a4
0x034e25bb
0x034e25bb
0x034e25be
0x034e25a6
0x034e25a6
0x034e25ae
0x034e25b2
0x034e25b2
0x034e25c2
0x034e25c6
0x034e25c9
0x034e25cb
0x034e25cf
0x034e25d1
0x034e25d1
0x034e25e6
0x034e25e6
0x034e25e6
0x034e25cf
0x034e25ea
0x034e25ea
0x034e25ee
0x034e25f0
0x034e25f2
0x034e25f4
0x034e25f4
0x034e25fa
0x034e2604
0x034e2608
0x034e2610
0x034e2610
0x034e2616
0x034e261c
0x034e261e
0x034e2622
0x034e2622
0x034e2622
0x034e2622
0x034e2628
0x034e262f
0x034e2631
0x034e2637
0x034e2637
0x00000000
0x034e2631
0x00000000
0x00000000
0x034e2642
0x034e2642
0x034e2646
0x034e2648
0x00000000
0x034e264e
0x034e264e
0x034e264e
0x034e2652
0x034e2655
0x034e2657
0x034e2658
0x034e265c
0x034e2660
0x00000000
0x034e2660
0x00000000
0x00000000
0x034e266b
0x034e266b
0x034e266e
0x034e2670
0x034e2772
0x034e2772
0x00000000
0x034e2676
0x034e2676
0x034e2676
0x034e2679
0x034e26a7
0x034e26a7
0x034e26ab
0x034e26af
0x034e26b3
0x034e26b9
0x034e26bb
0x034e26bd
0x034e26c1
0x034e26c4
0x034e26c6
0x034e26ca
0x034e26cd
0x034e26ce
0x034e26ce
0x034e26d0
0x034e26d1
0x034e26d2
0x034e26d7
0x034e26db
0x034e26df
0x034e26e2
0x034e26e2
0x034e26e5
0x034e26e9
0x034e26ef
0x034e26f7
0x034e26fa
0x034e26fc
0x034e2705
0x034e2707
0x034e2709
0x034e270c
0x034e270e
0x034e2711
0x034e276a
0x034e276a
0x034e276a
0x034e276c
0x034e2770
0x00000000
0x034e2713
0x034e2713
0x034e2713
0x034e2717
0x00000000
0x034e2717
0x034e267b
0x034e267b
0x034e2680
0x034e2680
0x034e2680
0x034e2682
0x00000000
0x00000000
0x034e2688
0x034e2688
0x034e268b
0x034e268d
0x034e268f
0x034e2690
0x034e2693
0x034e2697
0x034e2699
0x034e269a
0x034e269d
0x034e26a1
0x034e26a5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e26a5
0x00000000
0x034e2680
0x034e2679
0x00000000
0x00000000
0x034e2778
0x034e2778
0x00000000
0x00000000
0x034e2782
0x034e2782
0x00000000
0x00000000
0x00000000
0x00000000
0x034e19b4
0x034e272f
0x034e272f
0x00000000
0x034e272f
0x034e1da7
0x034e1da7
0x034e1da7
0x034e1daa
0x00000000
0x034e1db0
0x00000000
0x034e1db0
0x034e1db0
0x034e1db2
0x00000000
0x00000000
0x034e1db8
0x034e1dbd
0x034e1dbf
0x034e1dc0
0x034e1dc3
0x034e1dc7
0x034e1dc9
0x034e1dcd
0x034e1dd1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x034e1dd1
0x00000000
0x034e1db0
0x00000000
0x034e1dd3
0x034e1de2
0x034e1de5
0x034e1de8
0x034e1def
0x034e1df7
0x034e1df8
0x034e1dfb
0x00000000
0x034e1da7
0x034e1da5
0x034e1d8c
0x00000000
0x034e1d82

Strings

too many length or distance symbols, xrefs: 034E1E78
invalid distance code, xrefs: 034E24E6
invalid literal/lengths set, xrefs: 034E210A
invalid bit length repeat, xrefs: 034E211A, 034E212A
invalid distance too far back, xrefs: 034E256E
invalid literal/length code, xrefs: 034E234E
invalid distances set, xrefs: 034E2174
invalid code lengths set, xrefs: 034E1E68

Memory Dump Source

Source File: 00000001.00000002.517006583.00000000034E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 034E0000, based on PE: true

Associated: 00000001.00000002.516990289.00000000034E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.517028042.00000000034E3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34e0000_AdobePhotoshop.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-3031085480
Opcode ID: 42e9ee7027dd24925076d15cf3aad91a189cdbfea616228f4d2d017fe470ea84
Instruction ID: 6152ca15bedb405ca282b4366477725cf71662b1b027529b96a63aa2339d6538
Opcode Fuzzy Hash: 42e9ee7027dd24925076d15cf3aad91a189cdbfea616228f4d2d017fe470ea84
Instruction Fuzzy Hash: 5E6258756083458FCB08EF18C89066ABBE5FF88305F084A6EE896CF745E7B4D945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 034E1260 Relevance: 4.2, Strings: 3, Instructions: 415
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E034E1260() {
				intOrPtr* _t160;
				intOrPtr _t161;
				signed char _t173;
				signed int _t174;
				signed int _t178;
				intOrPtr _t189;
				signed int _t194;
				signed char _t196;
				signed char _t197;
				signed int _t198;
				void* _t200;
				void* _t202;
				void* _t203;
				void* _t204;
				void* _t205;
				intOrPtr* _t207;
				signed int _t208;
				unsigned int _t210;
				unsigned int _t211;
				char _t219;
				unsigned int _t223;
				char _t225;
				signed int _t226;
				char _t227;
				unsigned int _t230;
				char _t232;
				signed char _t238;
				signed char _t249;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed char _t267;
				intOrPtr* _t270;
				signed char _t277;
				unsigned int _t289;
				void* _t293;
				void* _t294;
				void* _t295;
				void* _t297;
				void* _t298;
				signed char _t309;
				signed char _t322;
				intOrPtr _t324;
				void* _t325;
				void* _t326;
				void* _t332;
				unsigned int _t333;
				void* _t335;
				void* _t336;
				char* _t338;
				char* _t339;
				char* _t340;
				char* _t341;
				char* _t342;
				intOrPtr* _t343;
				signed char _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t358;
				void* _t360;
				void* _t363;
				void* _t364;
				unsigned int _t365;
				signed int _t367;
				void* _t368;

				_t160 =  *((intOrPtr*)(_t368 + 0x50));
				_t324 =  *_t160 - 1;
				_t343 =  *((intOrPtr*)(_t160 + 0x1c));
				 *((intOrPtr*)(_t368 + 0x30)) =  *((intOrPtr*)(_t160 + 4)) + _t324 - 5;
				_t161 =  *((intOrPtr*)(_t160 + 0x10));
				_t338 =  *((intOrPtr*)(_t160 + 0xc)) - 1;
				 *((intOrPtr*)(_t368 + 0x34)) = _t161 + _t338 - 0x101;
				 *((intOrPtr*)(_t368 + 0x44)) = _t161 -  *(_t368 + 0x54) + _t338;
				 *((intOrPtr*)(_t368 + 0x48)) =  *((intOrPtr*)(_t343 + 0x2c));
				_t251 =  *(_t343 + 0x3c);
				 *((intOrPtr*)(_t368 + 0x28)) =  *((intOrPtr*)(_t343 + 0x28));
				 *((intOrPtr*)(_t368 + 0x2c)) =  *((intOrPtr*)(_t343 + 0x34));
				 *(_t368 + 0x1c) =  *(_t343 + 0x30);
				 *((intOrPtr*)(_t368 + 0x24)) =  *((intOrPtr*)(_t343 + 0x50));
				 *((intOrPtr*)(_t368 + 0x20)) =  *((intOrPtr*)(_t343 + 0x4c));
				_t333 =  *(_t343 + 0x38);
				 *(_t368 + 0x38) = (1 <<  *(_t343 + 0x54)) - 1;
				 *((intOrPtr*)(_t368 + 0x18)) = _t343;
				 *((intOrPtr*)(_t368 + 0x14)) = _t324;
				 *(_t368 + 0x3c) = (1 <<  *(_t343 + 0x58)) - 1;
				do {
					if(_t251 < 0xf) {
						_t326 = _t324 + 1;
						_t254 = _t251 + 8;
						_t335 = _t333 + (( *(_t324 + 1) & 0x000000ff) << _t251);
						_t324 = _t326 + 1;
						 *((intOrPtr*)(_t368 + 0x14)) = _t324;
						_t333 = _t335 + (( *(_t326 + 1) & 0x000000ff) << _t254);
						_t251 = _t254 + 8;
					}
					_t173 =  *( *((intOrPtr*)(_t368 + 0x20)) + ( *(_t368 + 0x38) & _t333) * 4);
					_t267 = _t173 & 0x000000ff;
					 *(_t368 + 0x10) = _t173;
					_t174 = _t173 & 0x000000ff;
					_t333 = _t333 >> _t267;
					_t251 = _t251 - _t267;
					if(_t174 == 0) {
						L7:
						_t338 = _t338 + 1;
						 *_t338 =  *(_t368 + 0x10) >> 0x10;
						L52:
						if(_t324 >=  *((intOrPtr*)(_t368 + 0x30))) {
							L61:
							_t178 = _t251 >> 3;
							_t325 = _t324 - _t178;
							_t252 = _t251 - _t178 * 8;
							_t270 =  *((intOrPtr*)(_t368 + 0x50));
							 *_t270 = _t325 + 1;
							 *((intOrPtr*)(_t270 + 0xc)) = _t338 + 1;
							 *((intOrPtr*)(_t270 + 4)) =  *((intOrPtr*)(_t368 + 0x30)) - _t325 + 5;
							_t189 =  *((intOrPtr*)(_t368 + 0x34)) - _t338 + 0x101;
							 *((intOrPtr*)(_t270 + 0x10)) = _t189;
							 *(_t343 + 0x38) = _t333 & (0x00000001 << _t252) - 0x00000001;
							 *(_t343 + 0x3c) = _t252;
							return _t189;
						}
						goto L53;
					}
					while((_t174 & 0x00000010) == 0) {
						if((_t174 & 0x00000040) != 0) {
							if((_t174 & 0x00000020) == 0) {
								 *( *((intOrPtr*)(_t368 + 0x50)) + 0x18) = "invalid literal/length code";
								L60:
								 *_t343 = 0x1b;
								goto L61;
							}
							 *_t343 = 0xb;
							goto L61;
						}
						 *(_t368 + 0x54) = 1;
						_t249 =  *( *((intOrPtr*)(_t368 + 0x20)) + ((( *(_t368 + 0x54) << _t174) - 0x00000001 & _t333) + ( *(_t368 + 0x10) >> 0x10)) * 4);
						_t322 = _t249 & 0x000000ff;
						 *(_t368 + 0x10) = _t249;
						_t174 = _t249 & 0x000000ff;
						_t333 = _t333 >> _t322;
						_t251 = _t251 - _t322;
						if(_t174 != 0) {
							continue;
						}
						goto L7;
					}
					_t194 = _t174 & 0x0000000f;
					 *(_t368 + 0x54) =  *(_t368 + 0x10) >> 0x10;
					if(_t194 != 0) {
						if(_t251 < _t194) {
							_t358 =  *(_t324 + 1) & 0x000000ff;
							_t324 = _t324 + 1;
							 *((intOrPtr*)(_t368 + 0x14)) = _t324;
							_t333 = _t333 + (_t358 << _t251);
							_t251 = _t251 + 8;
						}
						_t343 =  *((intOrPtr*)(_t368 + 0x18));
						 *(_t368 + 0x54) =  *(_t368 + 0x54) + ((0x00000001 << _t194) - 0x00000001 & _t333);
						_t333 = _t333 >> _t194;
						_t251 = _t251 - _t194;
					}
					if(_t251 < 0xf) {
						_t332 = _t324 + 1;
						_t253 = _t251 + 8;
						_t336 = _t333 + (( *(_t324 + 1) & 0x000000ff) << _t251);
						_t324 = _t332 + 1;
						 *((intOrPtr*)(_t368 + 0x14)) = _t324;
						_t333 = _t336 + (( *(_t332 + 1) & 0x000000ff) << _t253);
						_t251 = _t253 + 8;
					}
					_t196 =  *( *((intOrPtr*)(_t368 + 0x24)) + ( *(_t368 + 0x3c) & _t333) * 4);
					_t277 = _t196 & 0x000000ff;
					 *(_t368 + 0x10) = _t196;
					_t197 = _t196 & 0x000000ff;
					_t333 = _t333 >> _t277;
					_t251 = _t251 - _t277;
					if((_t197 & 0x00000010) != 0) {
						L17:
						_t198 = _t197 & 0x0000000f;
						 *(_t368 + 0x10) =  *(_t368 + 0x10) >> 0x10;
						if(_t251 < _t198) {
							_t350 =  *(_t324 + 1) & 0x000000ff;
							_t324 = _t324 + 1;
							_t351 = _t350 << _t251;
							_t251 = _t251 + 8;
							 *((intOrPtr*)(_t368 + 0x14)) = _t324;
							_t333 = _t333 + _t351;
							if(_t251 < _t198) {
								_t352 =  *(_t324 + 1) & 0x000000ff;
								_t324 = _t324 + 1;
								 *((intOrPtr*)(_t368 + 0x14)) = _t324;
								_t333 = _t333 + (_t352 << _t251);
								_t251 = _t251 + 8;
							}
						}
						_t251 = _t251 - _t198;
						_t349 =  *(_t368 + 0x10) + ((0x00000001 << _t198) - 0x00000001 & _t333);
						_t333 = _t333 >> _t198;
						_t200 = _t338 -  *((intOrPtr*)(_t368 + 0x44));
						 *(_t368 + 0x10) = _t349;
						if(_t349 <= _t200) {
							_t202 = _t338 - _t349;
							do {
								_t203 = _t202 + 1;
								_t339 = _t338 + 1;
								 *_t339 =  *((intOrPtr*)(_t202 + 1));
								_t204 = _t203 + 1;
								_t340 = _t339 + 1;
								 *_t340 =  *((intOrPtr*)(_t203 + 1));
								_t202 = _t204 + 1;
								_t338 = _t340 + 1;
								 *_t338 =  *((intOrPtr*)(_t204 + 1));
								_t289 =  *(_t368 + 0x54) - 3;
								 *(_t368 + 0x54) = _t289;
							} while (_t289 > 2);
							if(_t289 != 0) {
								_t205 = _t202 + 1;
								_t338 = _t338 + 1;
								 *_t338 =  *((intOrPtr*)(_t202 + 1));
								if( *(_t368 + 0x54) > 1) {
									_t338 = _t338 + 1;
									 *_t338 =  *((intOrPtr*)(_t205 + 1));
								}
							}
							goto L51;
						} else {
							_t360 = _t349 - _t200;
							if(_t360 >  *((intOrPtr*)(_t368 + 0x48))) {
								_t207 =  *((intOrPtr*)(_t368 + 0x18));
								 *( *((intOrPtr*)(_t368 + 0x50)) + 0x18) = "invalid distance too far back";
								 *_t207 = 0x1b;
								_t343 = _t207;
								goto L61;
							}
							_t208 =  *(_t368 + 0x1c);
							_t293 =  *((intOrPtr*)(_t368 + 0x2c)) - 1;
							if(_t208 != 0) {
								if(_t208 >= _t360) {
									_t294 = _t293 + _t208 - _t360;
									_t210 =  *(_t368 + 0x54);
									if(_t360 >= _t210) {
										L39:
										_t211 =  *(_t368 + 0x54);
										if(_t211 <= 2) {
											L43:
											if( *(_t368 + 0x54) != 0) {
												_t295 = _t294 + 1;
												_t338 = _t338 + 1;
												 *_t338 =  *((intOrPtr*)(_t294 + 1));
												if( *(_t368 + 0x54) > 1) {
													_t338 = _t338 + 1;
													 *_t338 =  *((intOrPtr*)(_t295 + 1));
												}
											}
											L51:
											_t343 =  *((intOrPtr*)(_t368 + 0x18));
											goto L52;
										}
										_t363 = (0xaaaaaaab * (_t211 - 3) >> 0x20 >> 1) + 1;
										do {
											_t297 = _t294 + 1;
											_t341 = _t338 + 1;
											 *_t341 =  *((intOrPtr*)(_t294 + 1));
											_t298 = _t297 + 1;
											_t342 = _t341 + 1;
											 *_t342 =  *((intOrPtr*)(_t297 + 1));
											_t294 = _t298 + 1;
											_t338 = _t342 + 1;
											_t363 = _t363 - 1;
											 *_t338 =  *((intOrPtr*)(_t298 + 1));
											 *(_t368 + 0x54) =  *(_t368 + 0x54) - 3;
										} while (_t363 != 0);
										_t324 =  *((intOrPtr*)(_t368 + 0x14));
										goto L43;
									}
									 *(_t368 + 0x54) = _t210 - _t360;
									do {
										_t219 =  *((intOrPtr*)(_t294 + 1));
										_t294 = _t294 + 1;
										_t338 = _t338 + 1;
										_t360 = _t360 - 1;
										 *_t338 = _t219;
									} while (_t360 != 0);
									L38:
									_t294 = _t338 -  *(_t368 + 0x10);
									goto L39;
								}
								_t294 = _t293 + _t208 - _t360 +  *((intOrPtr*)(_t368 + 0x28));
								_t364 = _t360 -  *(_t368 + 0x1c);
								_t223 =  *(_t368 + 0x54);
								if(_t364 >= _t223) {
									goto L39;
								}
								 *(_t368 + 0x54) = _t223 - _t364;
								do {
									_t225 =  *((intOrPtr*)(_t294 + 1));
									_t294 = _t294 + 1;
									_t338 = _t338 + 1;
									_t364 = _t364 - 1;
									 *_t338 = _t225;
								} while (_t364 != 0);
								_t226 =  *(_t368 + 0x1c);
								_t365 =  *(_t368 + 0x54);
								_t294 =  *((intOrPtr*)(_t368 + 0x2c)) - 1;
								if(_t226 >= _t365) {
									goto L39;
								}
								 *(_t368 + 0x54) = _t365 - _t226;
								 *(_t368 + 0x40) = _t226;
								_t367 = _t226;
								do {
									_t227 =  *((intOrPtr*)(_t294 + 1));
									_t294 = _t294 + 1;
									_t338 = _t338 + 1;
									_t367 = _t367 - 1;
									 *_t338 = _t227;
								} while (_t367 != 0);
								goto L38;
							}
							_t294 = _t293 +  *((intOrPtr*)(_t368 + 0x28)) - _t360;
							_t230 =  *(_t368 + 0x54);
							if(_t360 >= _t230) {
								goto L39;
							}
							 *(_t368 + 0x54) = _t230 - _t360;
							do {
								_t232 =  *((intOrPtr*)(_t294 + 1));
								_t294 = _t294 + 1;
								_t338 = _t338 + 1;
								_t360 = _t360 - 1;
								 *_t338 = _t232;
							} while (_t360 != 0);
							goto L38;
						}
					} else {
						while((_t197 & 0x00000040) == 0) {
							 *(_t368 + 0x40) = 1;
							_t238 =  *( *((intOrPtr*)(_t368 + 0x24)) + ((( *(_t368 + 0x40) << _t197) - 0x00000001 & _t333) + ( *(_t368 + 0x10) >> 0x10)) * 4);
							_t309 = _t238 & 0x000000ff;
							 *(_t368 + 0x10) = _t238;
							_t197 = _t238 & 0x000000ff;
							_t333 = _t333 >> _t309;
							_t251 = _t251 - _t309;
							if((_t197 & 0x00000010) == 0) {
								continue;
							}
							goto L17;
						}
						 *( *((intOrPtr*)(_t368 + 0x50)) + 0x18) = "invalid distance code";
						goto L60;
					}
					L53:
				} while (_t338 <  *((intOrPtr*)(_t368 + 0x34)));
				goto L61;
			}

0x034e1267
0x034e1274
0x034e1279
0x034e127c
0x034e1283
0x034e128a
0x034e1294
0x034e129b
0x034e12a2
0x034e12a9
0x034e12ac
0x034e12b3
0x034e12ba
0x034e12c1
0x034e12c5
0x034e12d6
0x034e12da
0x034e12e5
0x034e12e9
0x034e12ee
0x034e12f2
0x034e12f5
0x034e12fb
0x034e1300
0x034e1305
0x034e130b
0x034e130e
0x034e1312
0x034e1314
0x034e1314
0x034e1321
0x034e1324
0x034e1327
0x034e132b
0x034e132e
0x034e1330
0x034e1334
0x034e1378
0x034e137c
0x034e1380
0x034e1621
0x034e1625
0x034e1678
0x034e167a
0x034e1684
0x034e1686
0x034e1691
0x034e169b
0x034e16a0
0x034e16ac
0x034e16b5
0x034e16ba
0x034e16bd
0x034e16c2
0x034e16ca
0x034e16ca
0x00000000
0x034e1625
0x034e1336
0x034e133c
0x034e165b
0x034e166a
0x034e1671
0x034e1671
0x00000000
0x034e1671
0x034e165d
0x00000000
0x034e165d
0x034e1347
0x034e1363
0x034e1366
0x034e1369
0x034e136d
0x034e1370
0x034e1372
0x034e1376
0x00000000
0x00000000
0x00000000
0x034e1376
0x034e138e
0x034e1391
0x034e1395
0x034e1399
0x034e139b
0x034e139f
0x034e13a4
0x034e13a8
0x034e13aa
0x034e13aa
0x034e13bf
0x034e13c3
0x034e13c9
0x034e13cb
0x034e13cb
0x034e13d0
0x034e13d6
0x034e13db
0x034e13e0
0x034e13e6
0x034e13e9
0x034e13ed
0x034e13ef
0x034e13ef
0x034e13fc
0x034e13ff
0x034e1402
0x034e1406
0x034e1409
0x034e140b
0x034e140f
0x034e144f
0x034e1456
0x034e145b
0x034e145f
0x034e1461
0x034e1465
0x034e1468
0x034e146a
0x034e146d
0x034e1471
0x034e1475
0x034e1477
0x034e147b
0x034e1480
0x034e1484
0x034e1486
0x034e1486
0x034e1475
0x034e1494
0x034e149f
0x034e14a3
0x034e14ab
0x034e14af
0x034e14b3
0x034e15d7
0x034e15e0
0x034e15e3
0x034e15e4
0x034e15e5
0x034e15ea
0x034e15eb
0x034e15ec
0x034e15f1
0x034e15f2
0x034e15f3
0x034e15f9
0x034e15ff
0x034e15ff
0x034e1607
0x034e160c
0x034e160d
0x034e160e
0x034e1615
0x034e161a
0x034e161b
0x034e161b
0x034e1615
0x00000000
0x034e14b9
0x034e14b9
0x034e14bf
0x034e1637
0x034e163b
0x034e1642
0x034e1648
0x00000000
0x034e1648
0x034e14c9
0x034e14cd
0x034e14d0
0x034e14fe
0x034e1555
0x034e1557
0x034e155d
0x034e1577
0x034e1577
0x034e157e
0x034e15b7
0x034e15bd
0x034e15c2
0x034e15c3
0x034e15c4
0x034e15cb
0x034e15d0
0x034e15d1
0x034e15d1
0x034e15cb
0x034e161d
0x034e161d
0x00000000
0x034e161d
0x034e158e
0x034e1590
0x034e1593
0x034e1594
0x034e1595
0x034e159a
0x034e159b
0x034e159c
0x034e15a5
0x034e15a6
0x034e15aa
0x034e15ab
0x034e15ad
0x034e15ad
0x034e15b3
0x00000000
0x034e15b3
0x034e1561
0x034e1565
0x034e1565
0x034e1568
0x034e1569
0x034e156a
0x034e156b
0x034e156b
0x034e156f
0x034e1575
0x00000000
0x034e1575
0x034e1506
0x034e1508
0x034e150c
0x034e1512
0x00000000
0x00000000
0x034e1516
0x034e1520
0x034e1520
0x034e1523
0x034e1524
0x034e1525
0x034e1526
0x034e1526
0x034e152e
0x034e1532
0x034e1536
0x034e1539
0x00000000
0x00000000
0x034e153d
0x034e1541
0x034e1545
0x034e1547
0x034e1547
0x034e154a
0x034e154b
0x034e154c
0x034e154d
0x034e154d
0x00000000
0x034e1551
0x034e14d8
0x034e14da
0x034e14e0
0x00000000
0x00000000
0x034e14e8
0x034e14f0
0x034e14f0
0x034e14f3
0x034e14f4
0x034e14f5
0x034e14f6
0x034e14f6
0x00000000
0x034e14fa
0x034e1411
0x034e1411
0x034e141e
0x034e143a
0x034e143d
0x034e1440
0x034e1444
0x034e1447
0x034e1449
0x034e144d
0x00000000
0x00000000
0x00000000
0x034e144d
0x034e1650
0x00000000
0x034e1650
0x034e1627
0x034e1627
0x00000000

Strings

invalid distance code, xrefs: 034E1650
invalid distance too far back, xrefs: 034E163B
invalid literal/length code, xrefs: 034E166A

Memory Dump Source

Source File: 00000001.00000002.517006583.00000000034E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 034E0000, based on PE: true

Associated: 00000001.00000002.516990289.00000000034E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.517028042.00000000034E3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34e0000_AdobePhotoshop.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: 38d8da3749491aa2879cca5ab28afc4fa3ca937ae60dd73fe249034d404de918
Instruction ID: f265235f72883c124247f62e0244c0ade908ae44804d6d081ccd4bdc29248ec9
Opcode Fuzzy Hash: 38d8da3749491aa2879cca5ab28afc4fa3ca937ae60dd73fe249034d404de918
Instruction Fuzzy Hash: D0E18D316483858FC708CF2CC59066AFBE1EB85305F184AAEE8D6CB342E775D94ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 10001130 Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001130() {
				signed char _t24;
				signed char _t25;
				intOrPtr _t30;
				signed char _t34;
				intOrPtr _t35;
				char _t37;
				intOrPtr _t41;
				char* _t43;
				char* _t48;
				signed char* _t52;
				void* _t54;

				_t41 =  *((intOrPtr*)(_t54 + 4));
				_t35 =  *((intOrPtr*)(_t54 + 0x10));
				_t24 =  *((intOrPtr*)(_t41 + 0x101));
				_t34 =  *(_t41 + 0x100);
				if(_t35 <= 0) {
					 *(_t41 + 0x100) = _t34;
					 *((char*)(_t41 + 0x101)) = _t24;
					return _t24;
				} else {
					_t52 =  *(_t54 + 0x14);
					 *((intOrPtr*)(_t54 + 0x18)) =  *(_t54 + 0x14) - _t52;
					 *((intOrPtr*)(_t54 + 0x20)) = _t35;
					while(1) {
						_t34 = _t34 + 1;
						_t48 = (_t34 & 0x000000ff) + _t41;
						_t37 =  *_t48;
						_t25 = _t24 + _t37;
						 *(_t54 + 0x14) = _t25;
						_t43 = (_t25 & 0x000000ff) + _t41;
						 *_t48 =  *_t43;
						 *_t43 = _t37;
						if( *((intOrPtr*)(_t54 + 0x1c)) != 0) {
							 *_t52 =  *((0 + _t37 & 0x000000ff) + _t41) ^  *( *((intOrPtr*)(_t54 + 0x18)) + _t52);
						}
						_t52 =  &(_t52[1]);
						_t30 =  *((intOrPtr*)(_t54 + 0x20)) - 1;
						 *((intOrPtr*)(_t54 + 0x20)) = _t30;
						if(_t30 == 0) {
							break;
						}
						_t24 =  *(_t54 + 0x14);
					}
					 *(_t41 + 0x100) = _t34;
					 *((char*)(_t41 + 0x101)) =  *(_t54 + 0x14);
					return _t30;
				}
			}

0x10001130
0x10001134
0x1000113a
0x10001141
0x10001147
0x100011c1
0x100011c7
0x100011ce
0x10001149
0x1000114a
0x10001156
0x1000115a
0x10001164
0x10001164
0x10001169
0x1000116c
0x1000116e
0x10001170
0x10001177
0x1000117e
0x10001186
0x10001188
0x1000119b
0x1000119b
0x100011a2
0x100011a3
0x100011a4
0x100011a8
0x00000000
0x00000000
0x10001160
0x10001160
0x100011b1
0x100011b7
0x100011be
0x100011be

Memory Dump Source

Source File: 00000001.00000002.519241570.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.519233552.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.519275742.0000000010002000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_AdobePhotoshop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001000() {

				return 1;
			}

0x10001005

Memory Dump Source

Source File: 00000001.00000002.519241570.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.519233552.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.519275742.0000000010002000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_AdobePhotoshop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AdobePhotoshop.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp

C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll

C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
AdobePhotoshop.exe

Function 034E1D20 Relevance: 10.8, Strings: 8, Instructions: 796
COMMONCrypto

Function 034E1260 Relevance: 4.2, Strings: 3, Instructions: 415
COMMONCrypto

Function 10001130 Relevance: .1, Instructions: 55
COMMON

Function 10001000 Relevance: .0, Instructions: 2
COMMON