MalScore
100/100
MalFamily
Wannacry

inside.exe

Is DLL Packer Anti Debug Anti VM Signed XOR AntiVirus 16/67 Related 2132
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 652.50 KB (668160 bytes)
Compile time: 2014-12-18 19:18:21
MD5: aa2223355ce7eaca08272dab131d0a43
SHA1: cdf5127c15fc497d3427078d27168ed1f702eff1
SHA256: 8fe062fb971a50134728c8ca55a1a7720ccff15c8ea5d0e27639f87714dfc44b
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 4 .text .rsrc .reloc W6L7qrpB
Directories 3 import resource relocation
First submission: 2018-01-01 13:27:01
Last submission: 2018-01-01 13:27:01
Filename detected: - inside.exe (1)
URL file hosting
hXXp://ars-crypter.livehost.fr/inside.exe
VirusTotal
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-01-01 10:50:00 [16/67] VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x71934 465408 4c4dd222ff3b25e01e2ccfb7591f4314 575a4335b44863991cac55bb48a882545915d112
.rsrc 0x74000 0x25400 152576 233b0d03b3746d0ca07a861dea21f2bb 5059ec490d3285b7af5a22b4c756636e1e64fb08
.reloc 0x9a000 0xc 512 c5b81258b491103ba50f4df0092ac3e2 a66be1e699381f0ee1ac50e320f39fdda600b84a
W6L7qrpB 0x9c000 0xbd28 48640 6b70cc7f2e471e022fa15106b9974114 8f43f13eda6b8b2aa8015f2d9622fab55f0f9d34
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x96b40 9640 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x990e8 90 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x74220 736 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x99148 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: Copyright © 2014
Assembly Version: 1.0.0.6
InternalName: InSide Crypter.exe
FileVersion: 1.0.0.6
FileDescription: InSide Crypter
OriginalFilename: InSide Crypter.exe
Translation: 0x0000 0x04b0
ProductVersion: 1.0.0.6
ProductName: InSide Crypter
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
KERNEL32.dll
ntdll.dll
mscoree.dll
IP Found
1.0.0.6
URL(s)
No URL found
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
2018-01-01 13:19:24 2018-01-01 13:19:24

5 Behaviors detected by system signatures

5 Summary items with data

Files

\Device\KsecDD

Read Files

\Device\KsecDD

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

rasapi32.dll.RasConnectionNotificationW
sechost.dll.OpenServiceA
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
rpcrt4.dll.RpcBindingFree

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

2 HTTP Request(s) detected

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
  • Hostname: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • IP Address: 104.17.38.137
  • Port: 80
  • Count: 1

GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • Hostname: www.download.windowsupdate.com
  • IP Address: 8.248.93.254
  • Port: 80
  • Count: 1

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

#infosec #automation

TheSystem Itself @ 2018-01-01 13:27:03

Detected family: #Wannacry

TheSystem Itself @ 2018-01-01 13:28:03